Privacy policy
This website privacy policy template has been designed to help website owners comply with European Union and United Kingdom data protection legislation, including the General Data Protection Regulation (GDPR).
The policy covers all the usual ground: the categories of personal data that are collected, the purposes for which that personal data may be used, the legal bases for processing, the persons to whom the personal data may be disclosed, international transfers of personal data, the security measures used to protect the personal data, individual rights and website cookies.
First published in 2008, this policy and its antecedents have been used on hundreds of thousands of websites. It was updated during 2017 and 2018 to reflect the GDPR and the developing regulatory guidance from the EU and UK data protection authorities. This template was last updated on 25 April 2018.
If you're new to data protection law, then before downloading the policy you might want to review the questions and answers below, which provide an introduction to both the legal and practical issues around the use of privacy policies.

Why do I need a privacy policy?
The law probably requires that you publish a privacy policy (or similar document) on your website.
Ask yourself this: do I collect or use personal data for non-personal / non-household activities in relation to my website?
If you do, EU and UK data protection law require that you provide information to individuals about how you use their data. The usual way of providing that information is via a privacy policy.
The key pieces of legislation include the GDPR and, in the UK, the Data Protection Act 2018. But these legislative requirements are not the only considerations in play. There are at least three other reasons to publish a privacy policy on your website.
- First, your contracts with service providers may require that you publish an appropriate privacy policy. For example, the Google Analytics terms and conditions require that you "have and abide by an appropriate Privacy Policy ... You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data."
- Second, a clear and open privacy policy will help you to build trust with some of your users. Users may refuse to register with a website if they aren't confident that their personal data will be protected. Just as bad, they may provide unreliable information when doing so.
- Third, one of the key functions of many websites is the projection of a serious and professional image. A website without the necessary legal documentation may have a negative effect on the image of the business behind it.
This website privacy policy template has been drafted with all of these goals in mind, although the legal compliance requirements are overriding.
Should I use a template or ask a lawyer to prepare a policy for me?
Data protection law is not straightforward. Indeed, since the coming into force of the GDPR, it is difficult for many organisations to be confident that they comply.
Ideally, all privacy policies would be prepared by, or under the supervision of, experts in data protection law. But data protection expertise can be expensive: you might pay anything from £500 to £5,000 or more for a UK data protection lawyer to prepare a privacy policy.
As with many business investments in legal services, you will need to balance the risks of a DIY approach against the costs of using a professional. In general, you should always use a professional if there are significant amounts of money at stake or material risks of liability.
Is this the right template privacy policy for me?
A legal template is both never and always potentially suitable for a particular job. Never suitable because adaptation is always needed; always potentially suitable because, with enough adaptation, one document can be transformed into any other document.
That said, some jobs will require more adaptation than others, and sometimes the adaptations will require specialist legal knowledge.
You should only use this template in relation to the following purposes if you are confident that you can make the necessary adaptations:
- the personal data of minors;
- sensitive personal data / special categories of personal data;
- large-scale processing of personal data;
- any complex or unusual personal data processing; and
- any personal data processing that is likely to have a significant impact on individuals' rights and freedoms.
What information should I provide in my privacy policy?
The core disclosures required by the GDPR are set out in Articles 13 and 14.
Article 13 sets out the information that must be provided where personal data are collected from the individual. Article 14 sets out the information that must be provided where personal data are collected from some other source.
The main categories of information are:
- identity and contact information of the controller;
- where personal data is not collected from the individual, the source and nature of that data;
- the purposes of the processing;
- the legal bases for the processing, including details of applicable legitimate interests;
- the recipients or categories of recipients of the personal data;
- details of international transfers of personal data that require legal protections, and details of those protections;
- the periods for which the personal data will be stored, or at least the criteria used to determine those periods;
- individuals' legal rights with respect to their personal data;
- whether the provision of personal data is a legal requirement;
- the existence of automated decision-making, including profiling.
Our privacy policy template has been designed to help you to disclose the necessary information.
Should information about cookies be included in the privacy policy or elsewhere?
There's a degree of overlap between the laws relating to cookies and those relating to the processing of personal data: cookies may themselves contain personal data; and even where cookies don't themselves contain personal data, the reading of cookies will often result in the linking of cookie data to other personal data held by the operator.
Because of this overlap, it is common to include cookie disclosures in a privacy policy, and this template does include relevant disclosures – although not in so much detail as in our premium privacy and cookie policy templates.
The key legal instruments currently applicable to cookies are:
- across the EU, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications); and
- in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended).
The latter is the UK's implementing legislation for the former. The consolidated version of the UK regulations is not available on the legislation.gov.uk website and the text of the relevant Regulation (No 6) has been updated since 2003 – so use with care.
New legislation on cookies is currently going through the EU legislative process, but this is not expected to become law until 2020 at the earliest.
In addition to the information disclosure requirements, you may need to get user consent to cookies. This privacy policy template includes an optional statement to the effect that users consent to the use of cookies. However, this will not alone satisfy the cookies consent requirement under the cookie laws.
How do I edit the privacy policy?
After you have downloaded the policy, you will need to open it in your word processing software for editing.
The first thing you should decide is how to categorise the personal data that you process. Your categorisation should reflect how data is handled in practice. For example, you might differentiate between analytics data, enquiry data, customer relationship data and transaction data. The template privacy policy includes a suggested categorisation.
With respect to each of your categories of personal data, you will need to determine the purposes for which the data is processed and - this is often the hard bit - the legal basis for processing. Possible legal bases are individual consent, the performance of a contract, and your legitimate interests.
You will also need to identify recipients or categories of recipients, as well as relevant data retention periods.
Guidance notes are included in the template to help with the editing process.
After editing, you should add the privacy policy text to your website, either via your content management system or directly after converting it to HTML.
Why is your privacy policy longer / more complicated than some other policy templates?
This policy is intended to be easy to use, but data protection law in general and the GDPR in particular are difficult to use.
Data protection law is necessarily built of abstractions, but some of the abstractions at the heart of the GDPR do not map easily onto the real world. The European Data Protection Board (EDPB) has produced voluminous guidance on the application of the GDPR, but the very existence of this guidance highlights the problem. If the law was clear, the guidance wouldn't be needed. In many cases, the guidance either overreaches or dodges the difficult issues.
Another reason for the length of our templates is that … they are templates. They are intended to be edited before use, and it is much easier to delete unwanted provisions from a template than to add novel provisions. After you have finished editing our template, it should be materially shorter than when you started.
If you do plan to use a simpler template from another website, you should take care to ensure that it covers all the necessary ground. If you can create a privacy policy from a template in a few minutes, there may well be something wrong with the template.
Do I also need a data protection or GDPR policy?
"Privacy policy" is not a term of art.
Documents with the same function will sometimes be called "privacy notices", "data protection statements", "personal data processing policies", "GDPR policies" - or something different entirely.
Worse, there is a different type of document that shares the same pool of possible names.
Whilst our free privacy policy is concerned with the disclosure of information about personal data handling, this other type of document is concerned with specifying the policies and procedures that regulate how employees and non-employed personnel conduct themselves in relation to personal data handled by the organisation. This other type of document will typically form part of a staff handbook and/or the set of policies provided to freelances and other subcontractors engaged by the organisation to provide services.
I usually refer to this other type of document as a "data protection policy" – but don't assume that other professionals will do so.
In most cases, you will want to keep these documents separate.
Do I need a data processing agreement?
A privacy policy is concerned with an organisation's role as a controller of personal data; whereas a data processing agreement is concerned with an organisation's role as a processor of personal data.
This distinction can be confusing and tricky to apply.
Both controllers and processors process personal data. Just because you are processing personal data, that doesn’t make you a processor. You might be a processor, but equally, you might be a controller. Confused yet?
The distinction is tricky to apply because the definitions are highly abstract. A controller is defined as a person who determines the purposes and means of processing personal data. A processor is a person who processes personal data on behalf of a controller. In practice, the determination of purposes is more significant than the determination of means.
An example might help. A business providing website hosting services would usually be a processor with respect to personal data contained in the website databases of its customers. It would, however, usually be a controller with respect to personal data contained in its customer relationship management system. For some classes of data – for example, data collected when providing support services to customers – the correct classification may not be clear.
In any case, if you are a processor, then the GDPR requires that you enter into a specific set of contractual clauses with your controller. A data processing agreement is a document that contains those clauses, sometimes elaborating and/or supplementing them. Processors should not produce privacy policies with respect to that data because the production of a privacy policy is the responsibility of the controller.
Our full range of privacy and cookies policies
We supply a range of privacy and cookie documents on our ecommerce websites, Website Contracts and Docular.
Summary of free document licensing terms
By downloading a free legal document available on this website, you accept and agree to our terms and conditions. The main terms of the licence in the terms and conditions are as follows.
- Unless you have paid for the right to use the relevant document without the included credit (attribution) text, you must retain the credit in the free legal document.
- Subject to this point, you may edit and amend the documents to render them suitable for your purposes.
- You must not sell or re-distribute the free legal documents or derivatives thereof.
- We give no warranties or representations concerning the free legal documents, and accept no liability in relation to the use of the free legal documents.
Comments
Privacy document website
Thanks.
Business Website
I am starting a patient consultant (advocate) service. What disclaimer, privacy policy and terms and conditions would I need to put on my blog?
More information needed
I'd need to know a little more about the blog before commenting on this. Can you give me an idea of the type of content that would be included in the blog, and also whether there is any non-blog functionality on the website?
Privacy policy for website
Hello,
I am quite confused with the privacy thing in general. We are a lettings agency and we just had our website created and I believe we need a privacy policy license. How do we obtain it? And how do I put it on our website?
Thanks.
Privacy policy options
There are various options.
1. You can download this document (click the button above) and use it free of charge, providing you retain the section in the document that credits us as the source of the document ("This policy is based on a template published by SEQ Legal...").
2. If you want to project a more professional image, you can buy a licence to use this template without the credit text, here:
https://www.website-contracts.co.uk/privacy-policy.html
3. If you want to edit the document online with our online editor, which makes the job easier, use:
https://docular.net/documents/template/12/privacy-policy
4. Finally, you could ask a lawyer to produce the document for you.
The method of getting the text on to the website depends upon the technology used to create the website. NB Docular allows you to export in HTML format which can make this process quicker.
Privacy Policy for website
Thank you for your response. So just to clarify, as long as we have this document displayed on our website and we are registered with Information Commissioner's Office, we are compliant with the privacy policy act? What about cookies? Do we need that popping up in our website too? Many thanks for your help!
A template cannot ensure compliance
No, a template will never guarantee compliance. It's merely a tool. To ensure compliance you or a professional adviser needs to understand both the legislation and your business and then make the relevant disclosures and handle any other compliance points, including the best way to get consent for the use of cookies.
Privacy policy for mobile game
Hello, I am developing a good game for Android that integrates some Facebook plugins and asks for some permissions (user profile, name, picture and publish permissions). Facebook requires that my app have a web page and in that web page should be the privacy policy (this web page is created via wix.com).
Would your privacy policy template be good enough for my needs?
Thanks in advance for the help.
Good enough privacy policy?
I can never say that a template will alone be good enough. In legal terms, a privacy policy being "good enough" means enabling the business in question to comply with all relevant data protection / privacy disclosure laws. The information that needs to be disclosed by a business will vary from case to case. For example, the geographical location of your service providers might affect this. A template cannot know anything about your business, so cannot ensure compliance. You should take legal advice if you want to ensure compliance and you don't know how to do this yourself.
Privacy Policy Licence cost
How much will it cost us exactly to purchase this Privacy Policy licence without SEQ Legal author credit?
Ten pounds
It's GBP 10 inc VAT (if applicable), and available for purchase here: https://www.website-contracts.co.uk/privacy-policy.html
Basic mobile app
I have an Android mobile app that accesses the camera and so as such Google's terms require that I have a privacy policy. I store no information from the camera between sessions so this is just a requirement of compliance with Google as I don't store or use any personal information. Would you have a template to cover such situations? I think this would be very useful to many.
App-specific privacy policy
Thanks for your comment Chris.
I'm hoping to do some mobile app-specific legal templates at some point, but it won't be soon I'm afraid.
GDPR compliance
Are your Privacy Notices GDPR compliant?
Not yet
We don't generally update our templates until shortly before relevant legal changes take effect.
GDPR
The template has now been updated for GDPR, with a choice of DPA and GDPR compliant "your rights" clauses.
Not sure which policy to download
Hello, I just launched the website of my record label, a net label. Mainly I'll be offering music distribution, remix and mastering and a promotion blog where people and artists will submit their music, photos, links of their social media, links to videos, biography, information about the artist like name, country, age.
I'm not registered as an official company as I'm just starting and maybe in a future I will start as self employed. So basically I'm like a sole trader where I will be in charge of all the website management and deciding which artists I will be promoting. I downloaded the privacy policy but in some points I don't have the information like:
15.2 We are registered in [England and Wales] under registration number [number], and our registered office is at [address].
15.3 Our principal place of business is at [address].
Details for sole trader
Section 15.2 can be removed as you do not have a company.
Section 15.3 however should be retained. You presumably however still have an address from which you conduct the business, even if this is your home address. You should also include your name "Joe Bloggs trading as XYZ" in the legal docs, so that users and customers can identify who they are dealing with.
I'm assuming English law applies.
Policy to download
SA law
Our documents are all designed to help compliance with English law (including EU law as applicable/implemented in the UK). As your business is based in SA, you should start with documents designed to help with SA law.
(However, in some circumstances you may also need to comply with foreign law.)
Privacy policy document
I would like to know if I can use your template for my website even if I need to translate in French.
My organisation is a limited registered in the UK, my website will be providing information about sports in France. Do you think your document can support my requirement?
Translation
The SEQ licence allows you to do this, but you may need to ensure that the translated document is compliant with applicable French law. (Although data protection law is in theory harmonised across the EU, in practice there are differences.)
Fees
Useful template thanks. I notice your templates says people can access their data subject to "(a) the payment of a fee (currently fixed at GBP 10)".
I thought GDPR made it illegal to request a fee unless the request was unduly onerous or made repeatedly. Could you clarify?
Thanks
Fees for SARs
There are two alternative sections in the privacy policy dealing with data subject rights. The first is designed to help with compliance under the Data Protection Act 1998 (DPA), and should be used until the General Data Protection Regulation (GDPR) comes into force. The second is designed to help with the compliance under the GDPR, and should be used after the GDPR comes into force. See the sections numbered 8.
The reason for including both sections is that a GDPR-compliant section would be non-compliant under the DPA, while a DPA-compliant section would be non-compliant under the GDPR. We will remove the DPA section from the template in mid-May.
Freelance Writer/Researcher
My website promotes and advertises my range of services.
I am not a registered company, just a freelancer. There is no data collection. People can contact me directly should they have use of my services.
Am I obliged to include the privacy policy and if so which one?
Thank you
Privacy policy questions
If you didn't collect personal data and if you don't use cookies on your website, then you will have nothing to say in a privacy policy. However, as people can contact you, you do in fact collect personal data (which includes names, email addresses and so on). The website may also collect personal information (which can include IP addresses).
With the GDPR, privacy policy templates almost always need heavy adaptation to fit with the particular way in which a business (acting as data controller) processes personal information. I can't really give a sensible answer to the question of "which one" without knowing much more about the website, and what you do with personal data - in practice I would need to take you on as a client to give useful guidance here.
Basic website
Thank you for all the great templates and free stuff you have on your site. You have answered lots of my questions just on this blog here. Very helpful. I will need the website privacy policy when I upgrade later in the year but for now I just need a basic privacy policy which covers the collection of contact details for written records and email newsletters. I've been to the ICO website to find a template but it's a very complicated site and haven't managed to locate one on there. Your information is so much clearer and easier to navigate.
Privacy Policy compliant with GDPR for an affiliate site
Hello,
I was wondering if the template would serve for my purposes. I will only collect very basic personal information (name, email address) and use that information for follow-up purposes, etcetera. Obviously I will use cookies. I would appreciate any advice. Thank you!
Only a template
Templates are merely tools, and always need to be adapted. So, if you adapt the document appropriately, it will serve your purposes. I appreciate that this isn't very useful guidance. However, in order to assess whether a document is helping a business to comply with the law I would need to: (i) know a good deal about the business; and (ii) see the final version of the document, post editing. This is not a service I can provide alongside the templates.
Online store
Hello,
Can I use this template for online store?
Thank you
Online store privacy policy
It could be adapted for this purpose, but for a more suitable document see the "online shop" variant of this document:
https://www.website-contracts.co.uk/privacy-and-cookies-policy.html
Starting a new business
Hi, I had started a book promo business, but deleted it, when I heard about the privacy policy. I don't have any money (long story) and it's the only way for me to make any. It will be awhile before I can afford a business license. I'm only collecting emails and using PayPal for payment. Do I really need a privacy policy? Is a free template enough? Thanks, I miss the old days ... lolsighs.
Privacy policy requirement
To the extent that the business will operate under English or other EU law, then yes you do need a privacy policy or similar notice. However templates - free or otherwise - cannot guarantee compliance, and always need some level of adaptation.
Email template for GDPR policy
The privacy policy template that you have is really very well written. But is there any email template that we send it to customers informing them about the update in our privacy policy?
Email template
Sorry, I don't currently have any template text for this.
Can we use your privacy policy on a non-commercial site?
I'm looking for a privacy policy to put on a radio club website. Can we use one from yours, without paying, and without having the attribution? Spending £10 for a business is nothing, but for us, it would be around 12% of our annual income.
In that case ...
... why not use it with attribution?
Translate the attribution version
Hi, my websites are all in Portuguese language. Can I use your free version and translate it into Portuguese? Also want to make some changes. Do you allow me to do the changes? Thank you
Yes
Yes, you are welcome to translate the document, although assuming Portuguese law applies remember to account for any differences between English law and Portuguese law.
Online system
Hi, I have a new online system which requires users to register with name/email address, company and phone number.
I have looked at your template, but this seems to be overly complicated for my scenario. There is no marketing, cookies or onward distribution or transfer of any details.
The data stored is for internal purposes only. The only time the email address is used is for signon and to update software changes.
Do you have a less comprehensive template?
Thanks, Alex
Shorter version not yet available
I don't have anything shorter right now, although it is on the list. If you go over to https://docular.net you can get access to this template through the Docular online editor, which makes removing unwanted material very easy.
Useable for USA?
Hi there, are your documents for use in the United States of America?
Not for USA
Unfortunately, no: these documents are not designed to help with US legal compliance.
Privacy policy
Thanks so much for this policy! I’ve updated it for my business and have now published it on my website, which I’d dreaded doing as I didn’t know where to even start. The notes were a huge help too, so clear and informative - I’m not a lawyer but I was able to follow them easily.
Hello, I am starting an on
Hello, I am starting an on-line store selling food supplement products based in the UK but selling in other EU countries as well. Which policy documents available here do I need to put on my website? There are quite a few versions so I am a bit confused. Thank you!
Legal documents for online store
Typically, an online store will need at a minimum: (i) T&Cs of sale, to govern the contract of sale itself; (ii) T&Cs of use, to govern the relationship between the website operator and users, who may or may not be purchasing goods; and (iii) a privacy and cookies policy, to help with disclosures relating to data protection law.
Whilst we don't currently have a free version of (i) on this website, you can find free versions of all three documents on our Docular website: https://docular.net
On-line store
I understand. However, I would appreciate if you gave me a link to specific versions, especially of (i) as there are a few I can see on docular.net with different prices. Which one would be the most suitable for my on-line store? I assume the food supplements do not require any specific clauses that other products don't have? Thanks so much again!
Links
I suggest you look at these documents:
https://docular.net/documents/template/173/free-website-terms-and-condit...
https://docular.net/documents/template/5194/free-terms-and-conditions-of...
https://docular.net/documents/template/174/free-privacy-policy
These are all free, but there are paid versions if you want to remove the Docular credit/link.
This may also prove useful:
https://docular.net/documents/template/5578/consumer-contracts-model-ins...
These do not contain any special terms regarding food supplements. If I were preparing the documents, I would expect to add some special disclaimers for the product type.
Re: Free documents
Hi, I went through your suggested documents, however, there are quite a few things that are unclear there for a non-expert like myself. Are there any explanatory notes for these documents at all? For example, in Website Terms & Conditions par. 6.1 specifies that a visitor should be a resident in the UK whereas my website is targeting other countries in the EU so how is this relevant to anyone who is a resident in other such countries? Par. 19.2 gives you a choice between "exclusive" and "non-exclusive". What is the difference and which option to choose? The Privacy Policy doc is full of the unclear choices and "specify basis" "identify URL" and "sources" to fill in.... Could you explain perhaps how to fill in these as I have no idea what basis or sources I should quote.... :-( Thanks so much in advance!
Notes icon
If you click on the little notes / document icons in Docular, then notes corresponding to the relevant provisions will appear in the right-hand column.
The templates tend to include lots of optional / removable provisions, because it is easier to remove an unwanted clause than to write a missing one. The residency clause in the T&Cs can for most websites be removed.
Regarding exclusive / non-exclusive jurisdiction: the former should be used where you want ONLY the identified courts to adjudicate disputes; the latter where you want the identified courts PLUS any others who may have jurisdiction under the applicable rules of private international law. Even where you choose exclusive jurisdictions, the courts in a different country may sometimes ignore this (e.g. to apply their own consumer protection law).