Website privacy policy

This is a standard privacy policy template that can be easily edited for any UK hosted website. It is designed to reassure your website visitors that you take their privacy seriously and to help you comply with data protection legislation, including the General Data Protection Regulation or GDPR and the Data Protection Act 2018 or DPA.

We provide this document for download and use completely free of charge.

Suitable for use in: England & Wales and Scotland
  • Solicitor approved
  • Plain English makes editing easy
  • Guidance notes included
  • Money back guarantee

Specific versions of this document

We have other versions of this document for accountants and book-keepers, legal services providers and for estate agents and lettings agents.

About this privacy statement template

Most modern websites collect data about the people who visit them. Often it might be clear to visitors when this happens, for example, when they buy from you or sign up for your services, but sometimes it might be less obvious, such as when you track their browsing behaviour.

From May 2018, new law comes into force that strengthens the rights of individuals to know what data about them is collected, used and managed. This template helps you set out your privacy policy so that you can show that you comply with every aspect of the General Data Protection Regulation (or GDPR) and the law that enacts it, the Data Protection Act 2018.

Editing the template

Your privacy statement should reflect the way your organisation collects and uses data. This will change between organisations enough to make each notice unique, but there are common elements that can be covered with standardised statements.

By giving you the wording for different common situations, we hope that we have done as much of the work for you as we can.

However, you will need to spend time editing this policy template. There are advantages to this.

The first is that while considering how data is collected, used, and managed, the task of editing should prompt you to think about how other parts of your organisation might need to change. For example, you might need to put in place more secure data transfer processes between two teams.

The second is that a well written privacy notice is likely to demonstrate willingness to comply with the law, even if your organisation falls short in some areas.

One aspect of the GDPR that has caught the headlines is the ability of a supervisory body (the Information Commissioner’s Office or ICO in the UK) to hand out large fines for non-compliance.

Based on how the ICO has acted in the past, our opinion is that it is unlikely to use its full powers against SMEs from day one. More likely, it will issue a warning before a fine, especially if the business can show that it has attempted to comply with the law – unless, of course, a very serious data breach has occurred.

Your privacy statement is likely to be the first thing that the ICO will consider when judging whether you have made an attempt to comply with the GDPR and other regulations. A well written notice is therefore likely to reduce the likelihood of immediate punitive action.

Free to use

We provide this template completely free of charge.

We don't ask you to acknowledge our copyright in it, mention us in any way or link to our site in return for using it.

Features and contents

The template is written in plain language that is visitor friendly, and structured so that it is both easy to read and easy to edit.

The first part of the notice explains the legal bases you have chosen for processing different types of information and how these types are used.

The second part deals with specific uses – less designed to comply with the GDPR and more for the purposes of reassuring customers and protecting you under different law (for example, regarding copyright).

The third part sets out requirements under the GDPR and DPA once again: whether data is shared with other organisations; how it can be reviewed; and other miscellaneous matters.

In places we have provided a number of options, where you choose the most appropriate and delete the others. In other places, we have provided ideas and the most common scenarios. The notice may require a little customisation to fully reflect your policy, but because it is written in plain English, editing it is easy.

This notice can be used by a wide range of types of business. Examples of those currently using it include:

  • solicitors and other business consultants
  • ecommerce sites
  • service providers such as career development coaches and fitness trainers
  • blogs and information sites
  • web hosting providers
  • hotels
  • community projects
  • not for profit organisations and charities

The contents of the document cover:

  • Categories of information collected and used, organised by the legal basis for use
  • Visitor contributed content
  • Payment and other financial information
  • Cookies
  • Other personal identifiers from browsing activity
  • Advertising, including use of remarketing
  • Data transfers and processing outside the EU
  • Access to personal information
  • Removal of personal information
  • Data retention
  • Complaints

The bases for processing data covered in this template

GDPR requires you to choose and communicate (such as in a privacy notice) the lawful basis under which you process personal data. There are six possible bases. Of these, most businesses and organisations are likely to choose one of four, so this privacy policy template gives you the options to use those.

Some data could be processed under one basis, and other data under another. Additionally, a basis might change over time.


Consent

For marketing purposes, Consent is likely to be the basis used.

For example, a website visitor could enter his or her e-mail address on your website in order to receive monthly newsletters, or a member of a club could tick a box on a paper membership form. If Consent is the basis you use, then you should provide some means, clearly displayed, for the subject to withdraw it, such as an unsubscribe link in the newsletter.

The advantage of Consent is that you can clearly demonstrate in any disagreement that consent has been given – it requires the data subject to take specific action to allow you to use data about him or her.


Contract

Contract as a basis can be used where processing the data is necessary to carry out a contract that the data subject has requested, or where a subject has asked you to do something before entering into a contract (for example, providing a quote) that requires you to process data. A contract has the same definition as under contract law.

Importantly, the processing must be a reasonable way to deliver your side of the agreement, and the basis can no longer apply once the contract is complete. That means, for example, that marketing messages to previous customers cannot be sent under this basis.

Legal Obligation

Legal Obligation can be used as a basis where there is statutory law that requires you to store or use data. For example, HMRC requires all businesses to store records of transactions. Whether other obligations for you to process data exist largely depends on the industry in which you operate or the type of organisation.

Legitimate Interests

Legitimate Interests is the most flexible basis, in that it is the most subjective. However, it is not always the most appropriate. For it to be used, there needs to be a good reason to process the data (beneficial to either the organisation or the individual or both), and processing under this basis must be necessary to achieve it. The rights of the data subject not to have the data processed must also have been considered. If the individual might not expect the processing to take place, or if processing might cause harm, then Legitimate Interests cannot be used as a basis.

Examples of where Legitimate Interests might be used include:

  • to obtain insurance for the business
  • to protect against a fraudulent claim
  • to notify members of an organisation of a change which, if they were not aware of it, might cause harm

Cookie policy

This template includes a section that allows you to comply with your legal obligations to disclose use of cookies.

You should not need a separate cookie policy, although there is scope in this document to link to one.

You may wish to read more about disclosure requirements for cookies before deciding whether you need a separate notice or policy for them. We would argue that this document alone is sufficient for compliance.


This document was written by a solicitor for Net Lawman. It complies with current English law.

What Our Clients Say
  • "I was really pleased with my recent experience of using Net Lawman. I was able to obtain important legal documents, needed to support my small business. Net Lawman understood my needs and provided fast and efficient service without incurring the significant costs of a traditional law firm. I would both recommend and use Net Lawman again."

    Shireen Arthur
  • "Net Lawman has helped me through several procedures. The documents in plain English, the drafting service and the delightful customer service mean I can get the job done properly, at a price that doesn't affect a small business's bottom line. Thank you!"

    Dan White
  • "Easy to find use. Plain English. Good precedent."

    Diane Bantten