Home
Blog
GDPR Privacy Policy Template

GDPR Privacy Policy Template

GDPR Privacy Policy Template

Written by

Robert Bateman

Post-graduate law degree, CIPP/E from the International Association of Privacy Professionals (IAPP). Privacy and Data Protection Research Writer at TermsFeed.

Robert Bateman

The EU General Data Protection Regulation (GDPR) is all about transparency, and thus it requires a Privacy Policy. This Privacy Policy must meet GDPR requirements with its content, its display, and how consent it obtained.

In this article, we will take a look at what the GDPR requires, and how you can adapt your Privacy Policy to suit the context of your business. We've also put together a Sample GDPR Privacy Policy Template that you can use to help you write your own.

1. What is the GDPR?
1.1. What is a GDPR Privacy Policy?
1.2. Why is a GDPR Privacy Policy Important?
2. Important Sections of a GDPR Privacy Policy
2.1. Introduction
2.2. Definitions
2.3. Principles for Processing Personal Data
2.4. Types of Personal Data You Process
2.5. How You Process Personal Data
2.6. Legal Basis
2.7. Retention of Personal Data
2.8. Who You Share Personal Data With
2.9. International Transfers of Personal Data
2.10. Data Rights
2.11. Changes to Your Privacy Policy
3. Displaying Your GDPR Privacy Policy
3.1. On Your Website
3.2. On Your Mobile App
3.3. In Your Communications
4. FAQs about GDPR Privacy Policies
5. Summary of Your GDPR Privacy Policy
6. Download Sample GDPR Privacy Policy Template
6.1. Sample GDPR Privacy Policy Template (HTML Text Download)
6.2. Sample GDPR Privacy Policy Template (PDF Download)
6.3. Sample GDPR Privacy Policy Template (Word DOCX Download)
6.4. Sample GDPR Privacy Policy Template (Google Docs Download)
6.5. More Privacy Policy Templates

What is the GDPR?

The GDPR is an EU privacy law that requires businesses to disclose their policies regarding the collection, use, storage and deletion of user data while also providing privacy rights to EU consumers.

What is a GDPR Privacy Policy?

A GDPR Privacy Policy is the policy that describes your policies on user data collection and usage in accordance with the GDPR requirements.

A GDPR Privacy Policy is sometimes called a GDPR Privacy Statement or a GDPR Privacy Notice.

A Privacy Policy is mandatory under many privacy laws. And under the GDPR, it's one of the most important documents your company needs to have. It's the only way to demonstrate to your customers, and to the authorities, that you take data protection seriously.

Why is a GDPR Privacy Policy Important?

A Privacy Policy is your company's opportunity to show your customers that you can be trusted with their personal data. It's also a chance to really get to grips with how much personal data your company controls, and whether your data protection practices are legally compliant.

Personal data is big business. Companies like Google and Facebook have revenues larger than some countries. They made their fortunes by processing people's personal data.

The GDPR sets the rules about how personal data should be processed in the EU. It also provides rights to individuals regarding their personal data. Without privacy laws like the GDPR, people would lose control over the information that businesses and governments have collected about them.

Your company may have already produced a Privacy Policy to comply with one of the many other laws that require one, for example:

The California Online Privacy Protection Act (CalOPPA)
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
Australia's Privacy Act
The GDPR's predecessor, the Data Protection Directive

The GDPR is different. Its requirements are more rigorous than any of the above laws, and anything you produced to comply with these will likely not be sufficient under the GDPR.

GDPR Privacy Policy from termsfeed

GDPR Privacy Policy from termsfeed

Important Sections of a GDPR Privacy Policy

The GDPR lays down specific requirements about the information you must provide in your Privacy Policy. These are mostly set out at Articles 13 and 14.

An important thing to bear in mind is that this is a public-facing document, and is not written just for your customers. It should be aimed at anyone whose personal data you might process - including potential customers and visitors to your website.

Let's take a look at what you'll need to include.

Introduction

You should start your Privacy Policy with a brief explanation of who your company is, and what your Privacy Policy is.

Include the date from which the Privacy Policy takes effect (the "effective date").

Here's how Visa Global starts its Privacy Policy by letting users know what the company does, and what the Privacy Notice seeks to accomplish:

Visa Global Privacy Notice: Introduction clause

You should include the legal name and business address of your company in the introduction.

Here's how MembersFirst does this:

MembersFirst Privacy Policy: Introduction section with business legal name and address

If you have a Data Protection Officer (DPO) and/or an EU Representative, you must also include their contact details.

You'll notice above that MembersFirst refers to itself as a "data controller." For the purposes of the GDPR, your company is probably a "data controller," too - if it makes decisions about how and why personal data is processed.

Definitions

To help make your Privacy Policy more readable and digestable by your average reader, make sure to define any terms that may be confusing or that have very specific legal meanings that might not be inherently or widely known.

Under Article 12 of the GDPR, your Privacy Policy must be written in clear and accessible language. Therefore, you should do your best to avoid using legal terminology where possible.

In some cases, however, it might be unavoidable. So you should include a section in your Privacy Policy where you give the definitions of key terms.

Some companies give their definitions directly from Article 4 of the GDPR. This is the approach of AEG:

AEG Privacy Policy: Excerpt of Definitions clause

This isn't actually all that helpful for a reader. Arguably, defining a "data subject" as "an identifiable natural person [...] who can be identified, directly or indirectly, in particular by reference to an identifier" does little to clarify what the term actually means to a layperson.

Here's another example from Edgbaston Park Hotel. Its definitions are more accessible and easy to understand.

Edgbaston Park Hotel Privacy Policy: Excerpt of Definitions clause

You can see the differences here between writing in legalese versus writing in a common voice that is far easier to understand.

Principles for Processing Personal Data

Article 5 of the GDPR contains six principles by which all personal data must be processed.

They are:

Lawfulness, fairness, and transparency: Obey the law, only process personal data in a way that people would reasonably expect, and always be open about your data protection practices.
Purpose limitation: You must normally only process personal data for the specific reason you collected it and nothing else.
Data minimization: don't process any more data than you need.
Accuracy: Make sure that any personal data you hold is adequate and accurate.
Storage limitation: Don't store personal data for longer than you need to.
Integrity and confidentiality: Always process personal data securely.

Some companies choose to set these principles out in their Privacy Policy simply by listing them and declaring their compliance with them.

This is the approach taken by CRG:

CRG Privacy Policy: GDPR Principles clause

Others take a more personalized approach, listing their company's specific principles and relating these to the GDPR's principles.

Here's an example from the International Institute for Environment and Development:

IIED Privacy Policy: Principles regarding user privacy and data protection clause

Types of Personal Data You Process

In your Privacy Policy, let your users know the specific types of personal data that you process.

The GDPR's definition of "personal data" is very broad. The chances are that your company processes a lot of it.

Because everything from IP addresses to cookie data constitutes personal data, your website might process personal data from people who will never even contact your company. In your Privacy Policy, you must be absolutely clear about every type of personal data you deal with, and why you need to do this.

Many companies break this part of their Privacy Policy down into sub-sections, such as "data you provide to us," "data collected by our website," etc.

Here's an example from Clearcast:

Clearcast Privacy Policy: How Clearcast collects personal data clause

You can then further break down this information into more detailed categories.

Here's an example of how to do his:

Synthorx Privacy Policy: Excerpt of Information Collected via Technology clause

Be as detailed and specific as possible when disclosing the types of personal data you collect and process. Try to disclose this information in a way that's as easy for your users to understand as possible.

How You Process Personal Data

Under the principles of "purpose limitation" and "data minimization," you must always have a good reason for processing any of the personal data in your possession. And, you must set our your purposes for processing personal data in your Privacy Policy.

Here's an excerpt from the relevant part of The Independent's Privacy Policy:

Independent Privacy Notice: What do we use this data for clause excerpt

This can also be a clause that describes "how" and "why" the data is used, so long as users are informed about what exactly you're doing with the data you collect.

Legal Basis

The GDPR only allows you to process personal data on one of six legal (or "lawful") bases. You aren't allowed to process personal data unless you've established a good, legal justification for doing so. Disclose what this legal basis is within your Privacy Policy.

The legal bases for processing a person's personal data are:

Consent: You have earned their permission in a GDPR-compliant way
Contract: You need to process their personal data to fulfill a contract
Legal obligation: You'd be breaking the law if you didn't process their personal data
Vital interests: Their life (or someone else's life) depends on you processing their personal data
Public task: You need to process their personal data to carry out a task that's in the public interest
Legitimate interests: Processing their personal data is in your interests, and you've carried out a Legitimate Interests Assessment

Your Privacy Policy must provide details of your legal bases for processing.

Some companies relate their legal bases to the types of personal data they process and their reasons for processing personal data.

Here's how Pint of Science does this:

Pint of Science Privacy Policy: Excerpt of lawful basis for processing clause

Where you're relying on "legitimate interests," you need to specify what your legitimate interests are.

Where you're using "consent" as a legal basis, you must include reference to your users' right to withdraw consent. Here's how Sharp does this:

Sharp UK Privacy Policy: Your Rights clause with Withdraw Consent section highlighted

If your legal basis is "contract," you need to let people know what will happen if they fail to provide you with the personal data you need to carry out a contract.

Here's how Budget does this:

Budget UK Privacy Policy: Clause for required personal information needed to process a contract

Make sure you know what your legal basis is (or are) and disclose this.

Retention of Personal Data

The principle of "storage limitation" requires that you don't retain personal data any longer than you need it. Your Privacy Policy needs to give details of how long you'll be keeping the different types of personal data you collect.

This won't always be a particular period (i.e. one week, two months, etc.). It may be determined by the length of time for which you need the data (e.g. until the person closes their account).

Here's part of the relevant section in Big Yellow Storage's Privacy Policy:

Big Yellow Privacy Policy: excerpt of data retention clause

If you keep different types of data for different periods of time, disclose this as specifically as possible.

Who You Share Personal Data With

You're allowed to share personal data under the GDPR so long as you're transparent about this, and you have a valid legal basis for doing so. Your Privacy Policy needs to provide details about who you share personal data with.

Note that the GDPR doesn't require you to list the names of every company with whom you share data, only the broad types of company (e.g. payment processors, mail carriers, etc.).

However, make sure you check the Terms and Conditions of companies with whom you have a Data Processing Agreement. Some of them, like Google, require you to name them specifically.

Here's an example of a clause that fulfills Google's disclosure requirements:

Discover France Privacy Policy: Information we collect through Google Analytics clause

The clause explicitly states that "Google Analytics data is shared with Google" which lets users know that a third party (Google) is receiving some of their personal data.

International Transfers of Personal Data

If you transfer personal data from the EU a non-EU country (for example, if your web server is located in the U.S., or you use a data processor based in Australia), you need to explain this in your Privacy Policy.

Under the GDPR, there are only certain reasons that you can transfer personal data out of the EU. This section of your Privacy Policy must explain which mechanisms you use for international transfers.

Belmond takes a different approach, covering all bases in its Privacy Policy:

Belmond Privacy Policy: Data Transfers clause updated

Data Rights

The GDPR grants individuals eight rights over their personal data. Subject to certain conditions, you're required to facilitate these rights when requested to do so, and should describe how users can exercise their rights within your Privacy Policy.

These rights are:

The right to be informed
The right of access
The right to rectification
The right to erasure (known as "the right to be forgotten")
The right to restrict processing
The right to data portability
The to object
Rights in relation to automated decision-making

Not all the rights are likely to apply to your company, but you need to be familiar with them regardless.

Your Privacy Policy needs to provide information about these individual rights, and also provide a method by which people can exercise them. This might be a web form, or simply an email address.

Here's how the University of Oxford provides information about some of these rights:

University of Oxford Privacy Policy: Excerpt of GDPR legal rights clause

And here's how people can contact the University in connection with these rights:

University of Oxford Privacy Policy: Excerpt of how to exercise GDPR legal rights clause

The University of Cambridge, on the other hand, facilitates the right of access via an online form:

University of Cambridge: Subject access requests clause

Requests relating to the other rights can be fulfilled via email:

University of Cambridge: Exercising other data protection rights clause

You must also inform your users of their right to make a complaint to a Data Protection Authority, such as the Information Commissioner's Office (ICO) in the UK, or the Data Protection Commission (DPC) in Ireland.

Here's how charity Make-A-Wish does this:

Make-a-Wish Privacy Policy: Complaints clause

Changes to Your Privacy Policy

You should let people know that you might need to make changes to your Privacy Policy, and tell them how you'll inform them about this.

Here's an example from Power to Change:

Power to Change UK Privacy Policy: Changes to this policy clause

It's a good idea to let users know they should regularly review your Privacy Policy to stay up to date with any changes that aren't material and to see the current ways their information is being processed.

Displaying Your GDPR Privacy Policy

Your Privacy Policy must be conspicuous and accessible to anyone who interacts with your business.

A Privacy Policy isn't a contract. You might carry out some data processing under a contract, or subject to your users' consent. But they don't really have any choice as to whether they agree to the Privacy Policy itself.

So whilst you may not need your customers to "agree" to your Privacy Policy in the same way they might agree to your Terms and Conditions or Returns and Refunds Policy, you should try to make sure that they've read it. You can also ask them to confirm that they have done so.

Here are some ways you can make sure it gets noticed

On Your Website

You should place a link to your Privacy Policy on a footer that persists across each page of your website. You can place it alongside other policies, such as your Terms and Conditions or Acceptable Use Policy.

Here's how The Times does this:

The Times UK website footer with Privacy and Cookie Policy link highlighted

If you run an ecommerce store, you should make sure your customers are able to read your Privacy Policy at the point where they make a purchase. Here's an example from Amazon UK:

Amazon UK checkout screen showing Privacy Policy link

Whenever you ask your users for consent, you should also draw their attention to your Privacy Policy.

Here's how Profile Editions does this when requesting direct marketing consent:

Make sure your Privacy Policy is consistently available so your users can view it any time. Include it at points where you're collecting personal information (like email addresses or payment information) as a reminder that your users can check to see how you'll be using that personal information.

On Your Mobile App

If your company has a mobile app, it's important that your users can access your Privacy Policy from inside the app.

For example, the Just Eat app provides a link to its Privacy Policy in the Help menu:

The Settings menu or Legal menu are other areas users know to look for a Privacy Policy.

If your users can create an account in your app, it's important to present your Privacy Policy at the moment you collect their information.

Here's how Facebook does this (note that Facebook calls its Privacy Policy its "Data Policy"):

In Your Communications

Whenever you send an automated email, you should link to your Privacy Policy in the footer. This is particularly important where you're sending direct marketing communications.

Here's an example from Waitrose:

Waitrose email footer with Privacy Policy link highlighted

FAQs about GDPR Privacy Policies

Here is a list of frequently asked questions that you may find useful.

1. Do I need to have a GDPR-compliant Privacy Policy?

If you fall under the jurisdiction of the GDPR, you must have a GDPR-compliant Privacy Policy.

The GDPR applies to you if you:

Are located in the EU, or
Offer goods and services to individuals located in the EU, or
Monitor the behavior of individuals located in the EU

Even if you don't fall under the GDPR's scope, making your Privacy Policy be GDPR-compliant is a smart idea. The GDPR is currently the strictest privacy law in the world and other laws are starting to mirror it.

As new privacy laws are legislated and existing laws get stricter, you'll be ahead of the curve with compliance if you make your Privacy Policy compliant with the GDPR now.

2. What does the GDPR require for a Privacy Policy?

Aside from standard Privacy Policy clauses, the GDPR has some specific requirements including the following:

Your Privacy Policy must be written in clear, easy to understand language
You must include your legal basis for processing personal information
You must disclose the GDPR-granted user rights
You must let users know how long you retain their personal information for
International data transfers must be addressed in detail, with safeguards listed

3. If I already have a Privacy Policy, how do I update it for the GDPR?

Typical Privacy Policy updates to satisfy GDPR requirements include the following:

Simplifying the language and formatting of your Privacy Policy to make it easier to read and understand
Getting GDPR-compliant consent for your Privacy Policy if you haven't been doing so
Including additional clauses and information such as the GDPR user rights, your legal basis for processing personal information, how you safeguard any international transfers of data you engage in, and contact information for your Data Protection Officer and EU Representative, if applicable

4. Where do I display my GDPR Privacy Policy?

Add a link to your GDPR Privacy Policy in your website footer. This satisfies the GDPR's requirement that your Privacy Policy be easily and freely accessible.

You'll also need to add a link to your GDPR Privacy Policy wherever you collect personal information. For example:

Account sign-up forms
Email newsletter sign-up forms
Email communications
Contact forms
Ecommerce payment/checkout screens
App store listings for mobile apps
Within mobile apps in a menu, such as an "About" or "Legal" menu

5. How do I get consent to my GDPR Privacy Policy?

Get users to consent to your GDPR Privacy Policy by using an unticked checkbox next to a statement that says something similar to "By checking this box, you confirm you have read and are agreeing to the terms of the Privacy Policy."

When a user clicks the box and proceeds with your website or mobile app, you will have obtained GDPR-compliant consent to your Privacy Policy.

Summary of Your GDPR Privacy Policy

Writing a Privacy Policy is one of the most important legal obligations under the GDPR. To ensure it's up to the EU's strict standards, make sure you include:

An introduction that explains the purpose of the document
The date that the Privacy Policy takes effect (or the date of its last update)
Your company's name and contact details
Name and contact details for important roles (DPO, EU Rep, etc.)
Your data protection principles
The types of personal data you process
How and why you process personal data
Your legal bases for each act of processing
How long you retain personal data
The types of third parties with whom you share personal data
Details of any transfers to non-EU countries
Notification of how changes to the Privacy Policy will be communicated

Download Sample GDPR Privacy Policy Template

Generate a Privacy Policy in just a few minutes

Our free GDPR Privacy Policy downloadable template includes the following sections:

Definitions
Collecting and Using Personal Information
Usage Data
Use of Personal Information
Transfer of Personal Information
Disclosure of Personal Information
Security of Personal Information
GDPR Privacy
Links to Other Websites
Changes to Privacy Policy
Contact Information

Sample GDPR Privacy Policy Template (HTML Text Download)

You can download the Sample GDPR Privacy Policy Template as HTML code below. Copy it from the box field below (right-click > Select All and then Copy-paste) and then paste it on your website pages.

<p><strong>GDPR Privacy Policy</strong></p>
<p>Our Privacy Policy was last updated on [___DATE___].</p>
<p>This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.</p>
<p>We use Your Personal data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy. This Privacy Policy was generated by <a href="https://www.termsfeed.com/blog/sample-gdpr-privacy-policy-template/">TermsFeed GDPR Privacy Policy Template</a>.</p>
<p><strong>Interpretation and Definitions</strong></p>
<p><strong>Interpretation</strong></p>
<p>The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.</p>
<p><strong>Definitions</strong></p>
<p>For the purposes of this Privacy Policy:</p>
<ul>
<li>
<p><strong>"Account"</strong> means a unique account created for You to access our Service or parts of our Service.</p>
</li>
<li>
<p><strong>"Company"</strong> (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to [___COMPANY INFORMATION___]</p>
<p>For the purpose of the GDPR, the Company is the Data Controller.</p>
</li>
<li>
<p><strong>"Country"</strong> refers to [___COMPANY_COUNTRY___].</p>
</li>
<li>
<p><strong>"Cookies"</strong> are small files that are placed on Your computer, mobile device or any other device by a website, containing the details of Your browsing history on that website among its many uses.</p>
</li>
<li>
<p><strong>"Data Controller"</strong>, for the purposes of the GDPR (General Data Protection Regulation), refers to the Company as the legal person which alone or jointly with others determines the purposes and means of the processing of Personal Data.</p>
</li>
<li>
<p><strong>"Device"</strong> means any device that can access the Service such as a computer, a cellphone or a digital tablet.</p>
</li>
<li>
<p><strong>"Personal Data"</strong> is any information that relates to an identified or identifiable individual.</p>
<p>For the purposes of GDPR, Personal Data means any information relating to You such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.</p>
</li>
<li>
<p><strong>"Service"</strong> refers to the Website.</p>
</li>
<li>
<p><strong>"Service Provider"</strong> means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.<br/>
For the purpose of the GDPR, Service Providers are considered Data Processors.</p>
</li>
<li>
<p><strong>"Usage Data"</strong> refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).</p>
</li>
<li>
<p><strong>"Website"</strong> refers to [___WEBSITE NAME___], accessible from [___WEBSITE_URL___]</p>
</li>
<li>
<p><strong>"You"</strong> means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.</p>
<p>Under GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as you are the individual using the Service.</p>
</li>
</ul>
<p><strong>Collecting and Using Your Personal Data</strong></p>
<p><strong>Types of Data Collected</strong></p>
<p><strong>Personal Data</strong></p>
<p>While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:</p>
<ul>
<li>
<p>Email address</p>
</li>
<li>
<p>First name and last name</p>
</li>
<li>
<p>Phone number</p>
</li>
<li>
<p>Address, State, Province, ZIP/Postal code, City</p>
</li>
<li>
<p>Usage Data</p>
</li>
</ul>
<p><strong>Usage Data</strong></p>
<p>Usage Data is collected automatically when using the Service.</p>
<p>Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.</p>
<p>When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.</p>
<p>We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.</p>
<p><strong>Tracking Technologies and Cookies</strong></p>
<p>We use Cookies and similar tracking technologies to track the activity on Our Service and store certain information. Tracking technologies used are beacons, tags, and scripts to collect and track information and to improve and analyze Our Service. The technologies We use may include:</p>
<ul>
<li><strong>Cookies or Browser Cookies.</strong> A cookie is a small file placed on Your Device. You can instruct Your browser to refuse all Cookies or to indicate when a Cookie is being sent. However, if You do not accept Cookies, You may not be able to use some parts of our Service. Unless you have adjusted Your browser setting so that it will refuse Cookies, our Service may use Cookies.</li>
<li><strong>Web Beacons.</strong> Certain sections of our Service and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of a certain section and verifying system and server integrity).</li>
</ul>
<p>Cookies can be "Persistent" or "Session" Cookies. Persistent Cookies remain on Your personal computer or mobile device when You go offline, while Session Cookies are deleted as soon as You close Your web browser.</p>
<p>We use both Session and Persistent Cookies for the purposes set out below:</p>
<ul>
<li>
<p><strong>Necessary / Essential Cookies</strong></p>
<p>Type: Session Cookies</p>
<p>Administered by: Us</p>
<p>Purpose: These Cookies are essential to provide You with services available through the Website and to enable You to use some of its features. They help to authenticate users and prevent fraudulent use of user accounts. Without these Cookies, the services that You have asked for cannot be provided, and We only use these Cookies to provide You with those services.</p>
</li>
<li>
<p><strong>Cookies Policy / Notice Acceptance Cookies</strong></p>
<p>Type: Persistent Cookies</p>
<p>Administered by: Us</p>
<p>Purpose: These Cookies identify if users have accepted the use of cookies on the Website.</p>
</li>
<li>
<p><strong>Functionality Cookies</strong></p>
<p>Type: Persistent Cookies</p>
<p>Administered by: Us</p>
<p>Purpose: These Cookies allow us to remember choices You make when You use the Website, such as remembering your login details or language preference. The purpose of these Cookies is to provide You with a more personal experience and to avoid You having to re-enter your preferences every time You use the Website.</p>
</li>
<li>
<p><strong>Tracking and Performance Cookies</strong></p>
<p>Type: Persistent Cookies</p>
<p>Administered by: Third-Parties</p>
<p>Purpose: These Cookies are used to track information about traffic to the Website and how users use the Website. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these Cookies to test new pages, features or new functionality of the Website to see how our users react to them.</p>
</li>
</ul>
<p>For more information about the cookies we use and your choices regarding cookies, please visit our Cookies Policy or the Cookies section of our Privacy Policy.</p>
<p><strong>Use of Your Personal Data</strong></p>
<p>The Company may use Personal Data for the following purposes:</p>
<ul>
<li>
<p><strong>To provide and maintain our Service</strong>, including to monitor the usage of our Service.</p>
</li>
<li>
<p><strong>To manage Your Account:</strong> to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.</p>
</li>
<li>
<p><strong>For the performance of a contract:</strong> the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.</p>
</li>
<li>
<p><strong>To contact You:</strong> To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.</p>
</li>
<li>
<p><strong>To provide You</strong> with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless You have opted not to receive such information.</p>
</li>
<li>
<p><strong>To manage Your requests:</strong> To attend and manage Your requests to Us.</p>
</li>
<li>
<p><strong>For business transfers:</strong> We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Us about our Service users is among the assets transferred.</p>
</li>
<li>
<p><strong>For other purposes</strong>: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing and your experience.</p>
</li>
</ul>
<p>We may share Your personal information in the following situations:</p>
<ul>
<li><strong>With Service Providers:</strong> We may share Your personal information with Service Providers to monitor and analyze the use of our Service, for payment processing, to contact You.</li>
<li><strong>For business transfers:</strong> We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business to another company.</li>
<li><strong>With Affiliates:</strong> We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.</li>
<li><strong>With business partners:</strong> We may share Your information with Our business partners to offer You certain products, services or promotions.</li>
<li><strong>With other users:</strong> when You share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside.</li>
<li><strong>With Your consent</strong>: We may disclose Your personal information for any other purpose with Your consent.</li>
</ul>
<p><strong>Retention of Your Personal Data</strong></p>
<p>The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.</p>
<p>The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.</p>
<p><strong>Transfer of Your Personal Data</strong></p>
<p>Your information, including Personal Data, is processed at the Company's operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction.</p>
<p>Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.</p>
<p>The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of Your data and other personal information.</p>
<p><strong>Disclosure of Your Personal Data</strong></p>
<p><strong>Business Transactions</strong></p>
<p>If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.</p>
<p><strong>Law enforcement</strong></p>
<p>Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).</p>
<p><strong>Other legal requirements</strong></p>
<p>The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:</p>
<ul>
<li>Comply with a legal obligation</li>
<li>Protect and defend the rights or property of the Company</li>
<li>Prevent or investigate possible wrongdoing in connection with the Service</li>
<li>Protect the personal safety of Users of the Service or the public</li>
<li>Protect against legal liability</li>
</ul>
<p><strong>Security of Your Personal Data</strong></p>
<p>The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.</p>
<p><strong>Detailed Information on the Processing of Your Personal Data</strong></p>
<p>The Service Providers We use may have access to Your Personal Data. These third-party vendors collect, store, use, process and transfer information about Your activity on Our Service in accordance with their Privacy Policies.</p>
<p><strong>Analytics</strong></p>
<p>We may use third-party Service providers to monitor and analyze the use of our Service.</p>
<p>[___LIST___]</p>
<p><strong>Email Marketing</strong></p>
<p>We may use Your Personal Data to contact You with newsletters, marketing or promotional materials and other information that may be of interest to You. You may opt-out of receiving any, or all, of these communications from Us by following the unsubscribe link or instructions provided in any email We send or by contacting Us.</p>
<p>[___LIST___]</p>
<p><strong>GDPR Privacy</strong></p>
<p><strong>Legal Basis for Processing Personal Data under GDPR</strong></p>
<p>We may process Personal Data under the following conditions:</p>
<ul>
<li><strong>Consent:</strong> You have given Your consent for processing Personal Data for one or more specific purposes.</li>
<li><strong>Performance of a contract:</strong> Provision of Personal Data is necessary for the performance of an agreement with You and/or for any pre-contractual obligations thereof.</li>
<li><strong>Legal obligations:</strong> Processing Personal Data is necessary for compliance with a legal obligation to which the Company is subject.</li>
<li><strong>Vital interests:</strong> Processing Personal Data is necessary in order to protect Your vital interests or of another natural person.</li>
<li><strong>Public interests:</strong> Processing Personal Data is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Company.</li>
<li><strong>Legitimate interests:</strong> Processing Personal Data is necessary for the purposes of the legitimate interests pursued by the Company.</li>
</ul>
<p>In any case, the Company will gladly help to clarify the specific legal basis that applies to the processing, and in particular whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.</p>
<p><strong>Your Rights under the GDPR</strong></p>
<p>The Company undertakes to respect the confidentiality of Your Personal Data and to guarantee You can exercise Your rights.</p>
<p>You have the right under this Privacy Policy, and by law if You are within the EU, to:</p>
<ul>
<li><strong>Request access to Your Personal Data.</strong> The right to access, update or delete the information We have on You. Whenever made possible, you can access, update or request deletion of Your Personal Data directly within Your account settings section. If you are unable to perform these actions yourself, please contact Us to assist You. This also enables You to receive a copy of the Personal Data We hold about You.</li>
<li><strong>Request correction of the Personal Data that We hold about You.</strong> You have the right to have any incomplete or inaccurate information We hold about You corrected.</li>
<li><strong>Object to processing of Your Personal Data.</strong> This right exists where We are relying on a legitimate interest as the legal basis for Our processing and there is something about Your particular situation, which makes You want to object to our processing of Your Personal Data on this ground. You also have the right to object where We are processing Your Personal Data for direct marketing purposes.</li>
<li><strong>Request erasure of Your Personal Data.</strong> You have the right to ask Us to delete or remove Personal Data when there is no good reason for Us to continue processing it.</li>
<li><strong>Request the transfer of Your Personal Data.</strong> We will provide to You, or to a third-party You have chosen, Your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which You initially provided consent for Us to use or where We used the information to perform a contract with You.</li>
<li><strong>Withdraw Your consent.</strong> You have the right to withdraw Your consent on using your Personal Data. If You withdraw Your consent, We may not be able to provide You with access to certain specific functionalities of the Service.</li>
</ul>
<p><strong>Exercising of Your GDPR Data Protection Rights</strong></p>
<p>You may exercise Your rights of access, rectification, cancellation and opposition by contacting Us. Please note that we may ask You to verify Your identity before responding to such requests. If You make a request, We will try our best to respond to You as soon as possible.</p>
<p>You have the right to complain to a Data Protection Authority about Our collection and use of Your Personal Data. For more information, if You are in the European Economic Area (EEA), please contact Your local data protection authority in the EEA.</p>
<p><strong>Children's Privacy</strong></p>
<p>Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 13 without verification of parental consent, We take steps to remove that information from Our servers.</p>
<p>If We need to rely on consent as a legal basis for processing Your information and Your country requires consent from a parent, We may require Your parent's consent before We collect and use that information.</p>
<p><strong>Links to Other Websites</strong></p>
<p>Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.</p>
<p>We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.</p>
<p><strong>Changes to this Privacy Policy</strong></p>
<p>We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.</p>
<p>We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy.</p>
<p>You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.</p>
<p><strong>Contact Us</strong></p>
<p>If you have any questions about this Privacy Policy, You can contact us:</p>
<ul>
<li>By visiting this page on our website: [___WEBSITE_CONTACT_PAGE_URL___]</li>
<li>By sending us an email: [___WEBSITE_CONTACT_EMAIL___]</li>
</ul>
<p></p>

Sample GDPR Privacy Policy Template (PDF Download)

Download the Sample GDPR Privacy Policy Template as a PDF file

Sample GDPR Privacy Policy Template (Word DOCX Download)

Download the Sample GDPR Privacy Policy Template as a Word DOCX file

Sample GDPR Privacy Policy Template (Google Docs Download)

Download the Sample GDPR Privacy Policy Template as a Google Docs document

Screenshot of the Sample GDPR Privacy Policy Template

More Privacy Policy Templates

More specific Privacy Templates are available on our blog.

Sample Privacy Policy Template	A Privacy Policy Template for all sorts of websites, apps and businesses.
Sample Mobile App Privacy Policy Template	A Privacy Policy Template for mobile apps on Apple App Store or Google Play Store.
Sample GDPR Privacy Policy Template	A Privacy Policy Template for businesses that need to comply with GDPR.
Sample CCPA Privacy Policy Template	A Privacy Policy Template for businesses that need to comply with CCPA.
Sample California Privacy Policy Template	A Privacy Policy Template for businesses that need to comply with California's privacy requirements (CalOPPA & CCPA).
Sample Virginia VCDPA Privacy Policy Template	A Privacy Policy Template for businesses that need to comply with Virginia's VCDPA.
Sample PIPEDA Privacy Policy Template	A Privacy Policy Template for businesses that need to comply with Canada's PIPEDA.
Sample Ecommerce Privacy Policy Template	A Privacy Policy Template for ecommerce businesses.
Small Business Privacy Policy Template	A Privacy Policy Template for small businesses.
Privacy Policy for Google Analytics (Sample)	A Privacy Policy Template for businesses that use Google Analytics.
Sample CalOPPA Privacy Policy Template	A Privacy Policy Template for businesses that need to comply with California's CalOPPA.
Sample SaaS Privacy Policy Template	A Privacy Policy Template for SaaS businesses.
Sample COPPA Privacy Policy Template	A Privacy Policy Template for businesses that need to comply with California's COPPA.
Sample CPRA Privacy Policy Template	A Privacy Policy Template for businesses that need to comply with California's CPRA.
Blog Privacy Policy Sample	A Privacy Policy Template for blogs.
Sample Email Marketing Privacy Policy Template	A Privacy Policy Template for businesses that use email marketing.

Disclaimer

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.

Last updated on

12 May 2024

Appears in

Related articles

Where to Host Terms of Service & Privacy Policy

Where to Host Terms of Service & Privacy Policy

Here's what you need to consider about hosting your Terms of Service (also known as Terms and Conditions or Terms of Use) and/or Privacy Policy: while you're not specifically required to host the legal agreements on your company website, you must keep the agreements available online so your users can...

AI Generated Privacy Policy

AI Generated Privacy Policy

When it comes to crafting your Privacy Policy, should AI be your go-to tool? The answer is no, and here's why. While ChatGPT is undoubtedly advanced, it's a machine-learning system. It doesn't possess the human judgment and understanding required to interpret legal principles and precedents accurately. This becomes especially critical when your...

Ecommerce Privacy Policy Template

Ecommerce Privacy Policy Template

If you sell products or services to people online, your ecommerce store must include a Privacy Policy that discloses relevant information to your shoppers and website visitors. This article will explain why your ecommerce store needs a Privacy Policy and show you how to create a clear and transparent one. We've...