Privacy Policy

A privacy policy is legally required in most jurisdictions if you collect any personal data from users — including through analytics, cookies, contact forms, or user accounts. Laws like GDPR (EU), CCPA (California), and PIPEDA (Canada) mandate that websites disclose what data they collect, how they use it, and how users can exercise their rights.

The General Data Protection Regulation (GDPR) requires your privacy policy to clearly state: what personal data you collect, the legal basis for processing it, how long you retain data, the rights of data subjects (access, rectification, erasure, portability, objection), your contact information, and whether you transfer data outside the EU. The policy must be written in clear, plain language.

The California Consumer Privacy Act (CCPA) requires businesses to disclose: what categories of personal information they collect, the purposes for collection, whether they sell personal information, and the rights of California consumers (right to know, right to delete, right to opt out of sale, and right to non-discrimination). You must also provide at least two methods for consumers to submit requests.

If you use cookies (especially for analytics, advertising, or tracking) and serve users in the EU/EEA, you need a cookie consent mechanism under the ePrivacy Directive. Users must be informed about which cookies you use and give consent before non-essential cookies are placed. This generator includes a cookies section in your privacy policy, but you will also need a separate consent banner on your site.

You should update your privacy policy whenever you change how you collect, use, or share personal data — for example, when you add a new analytics tool, start processing payments, or expand to new regions. At minimum, review your policy annually. Always update the "Last updated" date and notify users of significant changes.