Website privacy policy template


Document overview

This is a 'boilerplate' privacy policy template that can be easily edited for any UK hosted website. We provide this document for download and use completely free of charge.

It can also be used for web and mobile apps and by businesses that operate offline.

As well as complying with data protection legislation, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), it will help reassure your customers and website visitors that you protect their personal data and take privacy seriously.

Compliant with the latest law in
  • England & Wales
  • Scotland
Document properties
  • Length: 16 pages (3500 words)
  • Available in: Microsoft Word DOCX, Apple Pages, RTF
Backed by our watertight guarantee

If the document isn’t right for your circumstances for any reason, just tell us and we’ll refund you in full immediately.

Written in plain English

We avoid legal terminology unless necessary. Plain English makes our documents easy to understand, easy to edit and more likely to be accepted.

Guidance notes included

You don’t need legal knowledge to use our documents. We explain what to edit and how in the guidance notes included at the end of the document.

Support from our legal team

Email us with questions about editing your document. Use our Lawyer Assist service if you’d like our legal team to check your document will do as you intend.

Up to date with the latest law

Our documents comply with the latest relevant law. Our lawyers regularly review how new law affects each document in our library.

Why you need a privacy notice

In May 2018, enhanced data protection law came into force. It strengthens the rights of individuals to know what personal information about them is collected, used and managed (or otherwise 'processed').

The DPA applies widely: to small businesses and sole traders as well as large multinationals, and whether you have an online business or work completely offline. The key deciding factors as to whether you need a compliant privacy policy are:

  • whether you process personally identifiable information that could be linked to a private individual (known as a 'data subject'); and

  • whether data subjects are citizens or residents of the UK or European Union member states.

The requirements of the DPA are not just that you protect personally identifiable information but that you also inform users about how your business collects and processes personal information, and about their rights as data subjects.

Technically, a privacy notice is the means by which you communicate your privacy policy. However, because it is common to do so, we use the two terms interchangeably to mean the method of disclosure.

One of the core functions of many websites is to present a professional image of the business. Simply put, one of the main reasons to publish a privacy notice is because the general public expects you to do so. Not having one can put off potential customers from buying from you.

A sound template for your app or website privacy notice

This privacy policy template provides you with the wording you need to create a notice for your website or mobile or desktop app.

Most websites and apps collect personal data about the people who use them.

While it might be clear to visitors or users when this happens, for example, when they provide credit card details to buy from you or otherwise sign up for your services, sometimes it might be less obvious, such as when you track their browsing behaviour or transfer data to third parties.

The template meets the disclosure requirements of app stores including Facebook Apps, Google Play and the Apple App Store, and of advertising platforms including Google AdSense.

Alternative templates for specific industries

If your business is one of the following professional service providers, you can download a version written specifically for it:

Features and contents

Free to download and use

This is a completely free privacy policy template.

We don't ask you to acknowledge our copyright in it, mention us in any way or link to our site in return for using it.

Easy to understand & fast to edit

The template is written in clear and plain language that is visitor friendly, easy to read and easy to edit.

It is structured so that you can disclose all the necessary information legally required for GDPR compliance.

The introduction gives information about your business: the name and address and, if you have appointed a data protection officer, the name and contact details of the DPO.

The first part of the notice explains the legal bases you have chosen for processing the different types of information you collect and how each type is used.

The second part deals with specific uses – less designed to comply with the General Data Protection Regulation and data protection law, and more for the purposes of reassuring customers and protecting you under different laws (for example, regarding copyright). In this part, you can describe

The third part sets out requirements under the General Data Protection Regulation and data protection law once again: whether the information is shared with other organisations; how it can be reviewed; and other miscellaneous matters.

In places, we have provided a number of options, where you choose the most appropriate and delete the others. In other places, we have provided ideas and the most common scenarios. The notice may need a little customisation to reflect fully your policy, but because it is written in plain English, editing it is easy.

Contents

The contents of the document cover:

  • Categories of collected personal information and how it is used, organised by the legal basis for use
  • Visitor contributed content
  • Payment information, whether debit and credit card information or other financial data
  • Cookies
  • Other personal identifiers from browsing activity
  • Advertising, including use of remarketing
  • Data transfers and processing outside the EU
  • Access to personal information
  • Removal of personal information
  • Data retention
  • Complaints

Suitable for many types of business

This notice can be used by a wide range of types of business. Examples of those currently using it include:

  • solicitors, accountants and other business consultants
  • e-commerce sites
  • service providers such as career development coaches and fitness trainers
  • blogs and information sites
  • web hosting providers
  • hotels
  • community projects
  • not for profit organisations and charities

Why do I need a privacy policy?

If you collect personal data or use or store personal information for non-personal use, then UK law requires that you tell that person what data you 'process' and how.

Personal information is any data that identifies an individual. It commonly includes first and last names, contact information such as an email address or delivery address, and payment information such as credit card details. Personal data may also include data that you may not have considered, such as IP addresses logged by your web server or video footage taken by a security camera on your premises.

The usual way to disclose the required information is to publish a privacy policy on your website, particularly if you collect personal data through use of your website.

In addition to legal compliance, there are other good reasons to publish a privacy policy:

Most of the third party services that businesses use to improve their user experience or deliver targeted advertising require them to publish a website privacy policy. So if you want to use such third party services, you may be required to publish your website privacy policy as part of your contract with them. Some of the most popular such third party services include Google AdSense, Google Analytics and Google.

A well-written privacy policy will help you build trust with customers who may not know your business and who may be wary to buy from you. By disclosing your privacy practices, you'll reassure your customers that their personal information is in safe hands. A website that clearly links to its legal policies (for example, in the website footer) is likely to present a professional image.

If you don't have a website

Because it is easy to post a privacy policy online, we associate a privacy statement with a website.

However, the law requires you to disclose how you collect, use and store personal information even if you don't have a website or if you collect personal data by other means (for example, a mobile app).

Whether you need a privacy policy is not determined by what technology you use, or by whether you are in business in a particular industry.

If you publish a mobile app, you can (and should) use the same privacy policy on your website and in your app. Apple, Google and Facebook will all reject your mobile app at review if you don't have a privacy statement, or if it is not clearly labelled. So if you are an app developer, whether you develop for iOS, Android or Facebook (or even desktop), you can and should publish a privacy policy.

If you process information offline, the law still applies. A good example is if you're a landlord letting a house to tenants. In dealing with the tenants you collect personal information. The tenants will have privacy rights if you're 'in business' as a landlord. Whether you're 'in business', and therefore whether you need a privacy policy or not, depends on the circumstances. However, it's often safer to provide information than not.

Writing your privacy policy

Your privacy statement should reflect the way your organisation collects and uses personal information. This will change between organisations enough to make each notice unique, but there are common elements that can be covered with standardised statements.

By giving you the wording for different common situations, we hope that we have done as much of the work for you as we can. We also include our guidance notes, which explain how to edit the privacy policy for your website.

However, you will need to spend time editing this privacy policy template. There are advantages to this.

Your obligation under UK law is not just to publish a statement about the personal information you collect, but also to put in place security measures, policies and procedures that your website visitors and users never see. While considering how personal information is collected, used and managed, the task of editing should prompt you to think about your privacy practices overall and how other parts of your organisation might need to change.

For example, you might need to put in place more secure personal data transfer processes between two teams or you may be able to reduce the personal data you collect.

Additionally, a well-written privacy notice is likely to demonstrate your willingness to comply with the law, even if your organisation falls short in some areas.

One aspect of the GDPR that has caught the headlines is the ability of a supervisory body (the Information Commissioner’s Office or ICO in the UK) to hand out large fines for non-compliance.

Based on how the ICO has acted in the past, our opinion is that it is unlikely to use its full powers against SMEs from day one. More likely, it will issue a warning before a fine, especially if the business can show that it has attempted to comply with the law – unless, of course, a very serious data breach has occurred.

Your privacy statement is likely to be the first thing that the ICO will consider when judging whether you have made an attempt to comply with the GDPR and other regulations. A well-written notice is therefore likely to reduce the likelihood of immediate punitive action.

The steps you should follow

Download the sample privacy policy template. It is in Microsoft Word DocX format, which can be edited in most word processing software.

Read the guidance notes at the end of the sample privacy policy template. You'll need to refer back to them as you edit, but having read them first, you'll have a better idea as to how to edit.

Make a list of the types of people about whom you are collecting personal information: site visitors, users, customers, employees, contractors and suppliers, business partners, other third parties.

For each of the types of people, make a list of the personal information you collect, use or store. It may be information they provide to you themselves, information that a third party provider (such as a credit reference agency) provides, or personal data that you collect from your interaction with them.

Be aware that some user data needs to be treated more carefully than other information. 'Special Category Data' is defined by the law as information about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions and trade union membership. It also includes health, genetic and biometric data. If you do process Special Category Data, you need to make sure that you disclose that you do.

Decide on the granularity of your disclosure. It may seem right to disclose every item of data. But that may give users more information than is useful to them. We suggest you group information into types, such as 'contact information' and 'payment information', and give examples of the types of data in each group. For example: 'Contact Information is information that we use for the purposes of communicating with you and may include your postal address, your telephone numbers and your email address.'

Decide on the basis or bases on which you process personal information. As described further down this page, there are six bases and you are required by law to tell users which ones you use. Most organisations will use at least three of the six ('Consent', 'Legitimate Interests' and 'Legal Obligation'), and possibly four or five. Again, you can give detailed information about which basis is used for each item of data, but it may be more practical to give examples of which groups are processed under each basis.

Work your way through the remaining paragraphs in the privacy policy template. You'll need to make sure that each is relevant for your organisation. Most just require light editing.

When the privacy policy reflects your business practices, you should publish the text to your website (clearly linking to it at a prominent place such as the website footer), either through your content management system or directly after converting it to HTML.

The bases for processing data covered in this template

GDPR requires you to choose and communicate (such as in a privacy notice) under what legitimate basis you collect data. There are six possible bases to collect personal data. Of these, most businesses and organisations are likely to choose one of four, so this privacy policy template gives you the options to use those.

Some personal information could be processed under one basis, and other personal information under another. Additionally, a basis might change over time.

Consent

For marketing purposes, Consent is likely to be the basis used.

For example, a website visitor could enter his or her email address on your website in order to receive monthly newsletters, or a member of a club could tick a box on a paper membership form. If Consent is the basis you use, then you should provide some means, clearly displayed, for the subject to withdraw it, such as an unsubscribe link in the newsletter.

The advantage of Consent is that you can clearly demonstrate in any disagreement that consent has been given – it requires the data subject to take specific action to allow you to use personal information you collect about him or her.

Contract

Contract as a basis can be used where processing the personal information is necessary to carry out a contract that the data subject has requested, or where a subject has asked you to do something before entering into a contract (for example, providing a quote) that requires you to process personal information. A contract has the same definition as under contract law.

Importantly, the processing must be a reasonable way to deliver your side of the agreement, and the basis can no longer apply once the contract is complete. That means, for example, that marketing messages to previous customers cannot be sent under this basis.

Legal Obligation

Legal Obligation can be used as a basis where there is statutory law that requires you to store or use personal information. For example, HMRC requires all businesses to store records of transactions. Whether other obligations for you to process data exist depends largely on the industry in which you operate or the type of organisation.

Legitimate Interests

Legitimate Interests ('LI') is the most flexible basis, in that it is the most subjective. However, it is not always the most appropriate.

For it to be used there needs to be a good reason to process the data (beneficial to either the organisation or the individual or both) where processing under this basis is necessary to achieve it. The rights of the data subject not to have the data processed must also have been considered. If the individual might not expect the processing to take place, or if processing might cause harm to an interest, then LI cannot be used as a basis.

Examples of where LI might be used include:

  • to obtain insurance for the business to protect against a fraudulent claim

  • to notify members of an organisation of a change which, if they were not aware of it, might cause harm

Do I need a separate cookie policy?

Cookies are often used to provide website functionality across multiple pages. A cookie is a file that is placed on the user's device that records information collected or generated from a previous page.

Whether you disclose your use of cookies within your website's privacy policy or in a separate cookie policy is a question of presentation.

The law doesn't regulate the use of cookies specifically, but it does regulate technology that places information on users' devices.

In addition, cookies may contain personal data, and even if they don't, their purpose may be linked to processing personal data.

This privacy policy template allows you to comply with your legal obligations to disclose whether you use cookies.

You may wish to read more about disclosure requirements for cookies before deciding how much information about them to disclose.

To summarise that article:

The law only requires you to disclose information and obtain consent to the use of cookies that are non-essential for the operation of your website or app.

You should tell your website users sufficient information for them to understand the implications of consenting to use cookies. However, what is sufficient is subjective and it can be impractical to provide and maintain detailed information.

Do I need to comply with privacy laws outside the UK?

Other legal jurisdictions have similar privacy laws to the Data Protection Act.

You may have been told that if you are collecting personal information, you need to comply with the privacy laws of those jurisdictions, such as the Privacy Act, the Personal Information Protection and Electronic Documents Act ('PIPEDA') or the California Online Privacy Protection Act ('CalOPPA').

While every enforcement authority would like the reach of their legislation to be global, enforcing privacy laws outside their jurisdiction is very difficult unless your business or organisation has some assets in that jurisdiction.

So while it may be a good idea to comply with Californian law if many of your website visitors are from California (for non-legal reasons), your obligations to comply with UK law do not require you to make your privacy policy compliant with the law of any other country. In fact, CalOPPA only applies to California residents.

In any case, because the DPA sets such a high standard for disclosure, if you comply with UK law, particularly in respect of 'openness', you're likely to meet most of the requirements of other countries around the world by default.

How do I make my privacy policy enforceable?

Your privacy policy is not technically 'enforceable' in the same way that contracts are. Your users don't need to agree to the terms as they would your website terms of use or conditions for sale.

A privacy policy is a disclosure statement or a notice, not a 'privacy policy agreement'.

However, you do need to make sure that users have an opportunity to read it. So it is a good idea to follow common practice and link to it from an expected location such as your website's footer.

You can also provide links to it whenever a user gives personal information. This should remind the user that you take data privacy seriously and that he or she can trust you. As examples, you might do so on email newsletter sign-up forms, 'contact us' forms, account creation forms and e-commerce checkout pages.

On mobile apps, you might link to your privacy policy page within your menu (perhaps within a 'Legal' or 'About' menu item).

Do I also need a data protection statement, GDPR policy or data processing agreement?

Privacy policies are also known as privacy statements or privacy notices. The statement discloses the policy of the organisation in so far as it is a 'controller' of personal information.

You may also hear about 'data protection statements' or 'GDPR policies'. These are usually documents with a different purpose and audience - to tell employees or third party contractors of the internal business processes that protect the customer's privacy and rights. They are usually appended as a schedule to a contract for services or form part of the staff handbook.

In addition, your business may use a 'data processing agreement' to make sure that if a third party processes data, it complies with the law. Doing so is a requirement of the GDPR. Certain clauses are mandatory, others expand on them for specific personal data or circumstances.

For your website or app, you just need a (website) privacy policy. If you enter into other types of arrangements, as part of your obligation to protect privacy, you may need one of these other documents as well.


Recent reviews

Great Service
05 February 2024
No concerns, it was very helpful. Yes, I would.
Taha S.
Great Service
05 January 2024
I was setting up a website and wanted an off the shelf privacy policy. Netlawman made this easy and stress free and saved me a lot of time. I would recommend it for sure.
John Preston
Great Service
05 February 2023
I rarely write reviews, but I’ve been trying to work out how to write a Privacy Policy for my small company for months, without success. Templates on the Internet were useless for the most part, as it’s a long-winded statement that had me tied up in knots – I’d no idea how to legally rewrite the template to satisfy my business requirements, and a lot of companies expected you to sign up or pay for the download.

I can’t thank Net Lawman enough, as they not only provided a FREE download without asking for payment or credit card details (just email address), but they also provided 15 pages of explanatory notes, which are worth their weight in gold. Each paragraph is broken down and explained in such a way that even someone like me, with no real business acumen, can understand. They even offer a discounted service (£80) to have it checked by them after you’ve done it, which had I the finances, I would have gratefully accepted. As it is, after months of pulling my hair out, I now have an acceptable Privacy Policy.

You have absolutely nothing to lose, as it’s genuinely free with no catches, so I definitely endorse.
Jac Smith

Choose the level of support you need

Document Only

Complete the document template yourself using our guidance notes
Free
  • This document
  • Detailed guidance notes explaining how to edit each paragraph

Lawyer Assist (recommended)

Support from our legal team during and after editing
£120.00 (incl VAT)
  • This document
  • Detailed guidance notes explaining how to edit each paragraph
  • Unlimited email support - ask our legal team any question related to completing the document
  • Review of your edited document by our legal team including:
    • reporting on whether your changes comply with the law
    • answering your questions about how to word a new clause or achieve an outcome
    • checking that your use of defined terms is correct and consistent
    • correcting spelling mistakes
    • reformatting the document ready to sign

Bespoke

Drafted for you, to your precise requirements
from £400.00 (incl VAT)
  • A document drawn just for you to your exact requirements
  • Personalised service provided by an experienced solicitor
  • Free discussion before we provide an estimate, for you to ask questions and for us to understand your requirements
  • Transparent fees - a fixed fee for the basic work, a fixed hourly rate for new or changed instructions, and no charge for office overheads or third party disbursements
  • Careful and thorough consideration of your circumstances and your consequent likely practical and legal requirements
  • Provision of options that you may not have considered, with availability for discussion
  • Help and advice woven into the fabric of our service so that you can make the best decisions
© 2000 - 2024 Net Lawman Limited.
All rights reserved