Privacy Policy Generator
Generate a complete, jurisdiction-aware privacy policy for your website or app. GDPR, UK GDPR, and CCPA clauses. Download as TXT, Markdown, or HTML. No watermark, no signup.
Where are your users? (Select all that apply)
What is a privacy policy?
A privacy policy is a legal document that discloses how a website or application collects, uses, stores, protects, and shares user data. It's a legal requirement in most jurisdictions (GDPR in the EU, UK GDPR, CCPA in California, LGPD in Brazil, PIPL in China, PIPEDA in Canada, and many more), and it's also a baseline trust signal — users increasingly check before handing over an email address. A complete privacy policy covers what data you collect, why you collect it, who you share it with, how long you keep it, what rights users have, and how to contact you about data concerns.
When does your website need a privacy policy?
If your website or app collects any personal information from visitors, you legally need a privacy policy in most jurisdictions. This includes:
- Contact forms that collect names and email addresses
- User accounts with login credentials
- Analytics tools like Google Analytics, Plausible, Mixpanel (these collect IP addresses and browsing data)
- Cookies of any kind, including session cookies
- Payment processing (Stripe, PayPal, Paddle, etc.)
- Email marketing tools (Mailchimp, SendGrid, ConvertKit)
- Live chat tools (Intercom, Crisp, Drift)
- Newsletter sign-up forms
- Comments, reviews, or any user-generated content
- Advertising / tracking pixels (Meta Pixel, Google Ads conversion)
In practice, this means nearly every modern website needs a privacy policy. Even a static portfolio site usually has Google Analytics — which alone triggers the requirement.
Privacy laws by jurisdiction (and which clauses you need)
| Law | Region | Triggered when |
|---|---|---|
| GDPR | EU + EEA | Any EU/EEA resident accesses your site |
| UK GDPR + DPA 2018 | United Kingdom | UK residents access your site |
| CCPA / CPRA | California, USA | You do business in California with $25M+ revenue OR 100k+ CA residents/year |
| LGPD | Brazil | You target Brazilian users or process their data |
| PIPEDA | Canada | You collect data on Canadian residents in a commercial activity |
| PIPL | China | You target Chinese users |
| COPPA | USA | You knowingly collect data from children under 13 |
This generator produces clauses for GDPR, UK GDPR, and CCPA — the three most-cited laws affecting English-language websites. Select "Global" in the jurisdictions section above to include all three.
GDPR essentials (for EU users)
The General Data Protection Regulation (GDPR) is the EU's data protection law. Key principles:
- Lawful basis — you must have a legal reason to process personal data (consent, contract, legitimate interest, legal obligation, vital interest, or public task).
- Data subject rights — users have rights to access, correct, delete, port, and object to processing of their data.
- Breach notification — you must notify the supervisory authority within 72 hours of becoming aware of a personal data breach.
- Privacy by design — privacy considerations must be built into systems from the start.
- DPO requirement — public bodies and certain types of organizations must appoint a Data Protection Officer.
- Penalties — up to 4% of global annual revenue or €20M, whichever is higher.
CCPA / CPRA essentials (for California users)
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants California residents specific rights:
- Right to know — what personal info you collect, sources, purposes, and third parties
- Right to delete — request deletion of personal info you hold
- Right to opt-out — refuse the sale or sharing of personal info
- Right to correct — fix inaccurate personal info
- Right to limit use of sensitive data — restrict use of certain sensitive categories
- Right to non-discrimination — equal service whether or not you exercise your rights
CCPA applies to for-profit businesses doing business in California that either: have annual gross revenue over $25M; buy, sell, or share personal info of 100k+ Californians; or derive 50%+ revenue from selling/sharing personal info.
Frequently Asked Questions
Is this privacy policy legally binding?
This generator produces a comprehensive starting template — but every business is unique. We strongly recommend having a lawyer review the final document before posting publicly, especially if you process sensitive data (health, financial, children's, biometric), sell to multiple jurisdictions, or operate in regulated industries. For small personal sites with minimal data collection, the template is usable as-is with your contact info filled in.
Where should I publish my privacy policy?
Industry standard: link to it from the footer of every page, link from any signup form or data-collection form, and link from email footers if you send marketing emails. The footer link should be visible without scrolling on most pages.
How often should I update my privacy policy?
Update whenever you materially change how you handle data — adding a new vendor (analytics tool, email service), changing what data you collect, expanding to a new jurisdiction, or in response to new laws. Even without changes, review annually. Always update the "Last Updated" date at the top.
Does this generator add a watermark to the policy?
No. The generated policy contains no Quillly branding, attribution lines, or watermarks. You can paste it directly into your CMS without editing. It's yours.
What about the cookie consent banner?
A privacy policy is one half of GDPR compliance — the other half is a cookie consent banner that actually controls cookie loading (rather than merely informing users). The banner must let users opt out of non-essential cookies before they load. Common implementations: Cookiebot, OneTrust, Osano, or simple homegrown banners with cookie-aware analytics tools (Plausible doesn't need consent in most jurisdictions; GA4 does).
Do I need a separate Terms of Service?
Yes — they serve different purposes. Privacy Policy = how you handle user data. Terms of Service = the contractual agreement governing the use of your service (acceptable use, IP ownership, dispute resolution, liability limitations). Most production sites have both linked from the footer.
What if I don't collect any data?
If your site is truly static (no analytics, no forms, no cookies, no third-party scripts), you technically don't need a privacy policy under most laws. But this is rare — even server logs collect IP addresses, which is personal data under GDPR. Safer to publish a minimal policy stating "we don't collect personal info beyond standard server logs".