Free legal document generator

Free Privacy Policy Generator — GDPR, CCPA & UK GDPR Compliant

Legally required in most countries. Lawyer-drafted, jurisdiction-aware. Compliant with GDPR, UK GDPR, CCPA/CPRA, CalOPPA, COPPA, PIPEDA, LGPD, Australian Privacy Act 1988, and global data-protection laws. Free with a quick sign-up.

  • Covers 12+ privacy laws including GDPR, CCPA, UK GDPR, LGPD and POPIA
  • Includes 'Do Not Sell or Share' link, GPC honouring and CPRA sensitive-data disclosures
  • Hosted page, HTML embed, DOCX or plain text — free to generate
Generated by 50,000+ businesses — free to use, free signup required

What is a privacy policy?

A privacy policy is a legal document that explains what personal data your website or app collects from users, why you collect it, how it is stored and protected, who it is shared with, and what rights users have over their data. A privacy policy is legally required under GDPR, UK GDPR, CCPA/CPRA, CalOPPA, COPPA, PIPEDA, LGPD, the Australian Privacy Act 1988 and other global laws — for any website or app that collects personal data, including via cookies, contact forms, analytics tools or payment processors.

How it works

No legal background needed. Free account required to save your document.

1

Answer a few questions

Tell us about your business — what you do, where your users are based, and what data you collect.

2

Preview your document

Your Privacy Policy is generated instantly, customised to your answers. Takes about 3 minutes total.

3

Publish or download

Hosted page, HTML embed, DOCX or plain text. Free with a quick sign-up.

Is a Privacy Policy legally required?

Yes — a privacy policy is a legal requirement, not optional, for any website or app that collects personal data. Below is every major law that may apply to your business and the maximum penalty for non-compliance.

European Union
GDPR (Regulation (EU) 2016/679)

Applies to any organisation processing personal data of EU residents, regardless of where the organisation is based. Privacy notice required under Articles 13–14. Cumulative GDPR fines exceeded €5.88 billion through January 2025 (CMS Enforcement Tracker).

Max fine:
Up to €20M or 4% of global annual turnover
Enforced by:
National data-protection authorities (DPC, CNIL, ICO, Garante, BfDI, etc.)
United Kingdom
UK GDPR + Data Protection Act 2018

Post-Brexit equivalent of EU GDPR; in force since 1 January 2021. EU adequacy decision currently allows free data flow EU↔UK (subject to review).

Max fine:
Up to £17.5M or 4% of global turnover
Enforced by:
ICO (Information Commissioner's Office)
California, USA
CCPA + CPRA amendments (effective 1 Jan 2023)

Applies to for-profit businesses that meet one of: $25M+ annual revenue; data on 100,000+ consumers/households; or 50%+ of revenue from selling personal information. Must honour Global Privacy Control (GPC) signals and provide a 'Do Not Sell or Share My Personal Information' link.

Max fine:
$2,500 per unintentional / $7,500 per intentional violation
Enforced by:
California Privacy Protection Agency (CPPA), California AG
California (broader)
CalOPPA (Cal. Bus. & Prof. Code §22575–22579)

Applies to any commercial website that collects PII from California residents — regardless of business size. Requires a conspicuously posted privacy policy and a Do-Not-Track disclosure.

USA — children
COPPA (15 U.S.C. §§6501–6506)

Verifiable parental consent is required before collecting personal information from children under 13. The FTC has issued fines exceeding US$170M against YouTube/Google (2019).

Enforced by:
FTC
Canada
PIPEDA + Quebec Law 25

Quebec Law 25 has been in full effect since September 2023. It requires Privacy Impact Assessments, the appointment of a privacy officer, and 72-hour breach notification to the CAI.

Brazil
LGPD (Law 13,709/2018)

Enforcement since August 2021. Applies to any processing of personal data of individuals located in Brazil.

Max fine:
Up to 2% of Brazil revenue, capped at R$50M per infraction
Enforced by:
ANPD
South Africa
POPIA (Act 4 of 2013)

Full enforcement since 1 July 2021. Eight conditions for lawful processing including accountability, purpose specification and security safeguards.

Enforced by:
Information Regulator
Australia
Privacy Act 1988 (+ 2024 amendments)

Applies to organisations with annual turnover >AU$3M plus smaller orgs in specified sectors. 2024 amendments add a direct right of action and significantly higher penalties.

Max fine:
Up to AU$50M or 30% of adjusted turnover for serious breaches
Enforced by:
OAIC

Privacy Policy vs other legal documents

A privacy policy is one piece of a complete privacy stack. Other documents you may also need:

Privacy Policy
Purpose: Discloses what personal data you collect, why, how, and with whom it is shared
Who needs it: Any business collecting personal data
Required? Yes — GDPR, CCPA, UK GDPR and global privacy laws

Cookie Policy
Purpose: Discloses cookies and tracking technologies in detail
Who needs it: Any site using non-essential cookies in the EU/UK
Required? Yes, under the ePrivacy Directive + GDPR

Data Processing Agreement (DPA)
Purpose: Contract between data controller and processor under GDPR Art. 28
Who needs it: B2B SaaS and any vendor processing customer personal data
Required? Yes, for GDPR/UK GDPR processors

GDPR Privacy Notice (Art. 13/14)
Purpose: Specific just-in-time notice when collecting data directly or indirectly
Who needs it: Any GDPR controller
Required? Yes

What is included in your Privacy Policy

A compliant privacy policy must address every category below. Our generator selects the right disclosures for the laws that apply to you.

Core disclosures (GDPR Art. 13)

  • Identity and contact details of the data controller
  • Contact details of the Data Protection Officer (where required)
  • Categories of personal data collected (identifiers, behavioural, sensitive)
  • Purposes of processing and the legal basis for each (Art. 6 + Art. 9 for special categories)
  • Recipients or categories of recipients of personal data
  • International transfers, safeguards and adequacy decisions (SCCs, BCRs)
  • Retention period for each data category

Data subject rights

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure / 'right to be forgotten' (Art. 17)
  • Right to restrict processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object and rights related to automated decision-making (Art. 21–22)
  • Right to lodge a complaint with a supervisory authority

CCPA / CPRA disclosures (California)

  • Categories of personal information collected, sold or shared in the last 12 months
  • Sources of personal information
  • Business or commercial purposes for collection
  • Right to know, delete, correct, opt out of sale/share, and limit use of sensitive PI
  • Honouring of Global Privacy Control (GPC) signals
  • Conspicuous 'Do Not Sell or Share My Personal Information' link in the website footer

Cookies, tracking & analytics

  • Disclosure of all cookies, pixels and SDKs in use
  • Linkage to a separate Cookie Policy where applicable
  • Disclosure of Google Analytics (consent required for EU users)
  • Advertising and remarketing pixels (Meta, TikTok, LinkedIn, Google Ads)

Children & sensitive categories

  • COPPA-specific disclosures for under-13s in the US
  • GDPR Art. 8 digital consent age (13–16 by member state)
  • Special-category data: biometric, health, sexual orientation, political views (GDPR Art. 9)

Security & breach

  • Description of technical and organisational security measures
  • Breach notification commitments and contact channel
  • Data retention schedule and deletion practices

Built for your business type

The generator adjusts clauses based on your industry — so you only get the language you actually need.

Ecommerce

Payment-processor data sharing, marketing-cookie disclosures, GDPR-compliant abandoned-cart tracking, CCPA opt-out for ad targeting.

SaaS / B2B

Sub-processor list, DPA reference, cross-border data-transfer mechanisms (SCCs / DPF), customer-data vs end-user-data distinction.

Mobile apps

Apple App Tracking Transparency, IDFA/AAID handling, Google Play Data Safety form alignment, push-notification consent.

AI / ML products

Training-data disclosure, model-input retention, opt-out from training, GDPR Art. 22 automated-decision rights.

Trusted by 50,000+ businesses

"We were using a generic template that didn't even mention CCPA. The new policy passed our enterprise customer's vendor security review on the first attempt."
Sarah K.
Head of Privacy, B2B SaaS
"GDPR-ready and the Brazilian LGPD section was a pleasant surprise. We sell into LATAM and most generators ignore that completely."
Diego R.
Founder, ecommerce platform
"Replaced our $399/year privacy-policy subscription. Output is more thorough and includes the CCPA opt-out link our previous one was missing."
James W.
Co-founder, fintech

Frequently asked questions

Questions about your Privacy Policy before you get started?

What is a Privacy Policy?

A Privacy Policy is a legal document that explains how your business collects, uses, stores, and shares personal data from users. It discloses what information you collect, why you collect it, how you protect it, how long you retain it, and what rights users have regarding their data.

Is a Privacy Policy required by law?

Yes, in most cases. GDPR (EU), CCPA/CPRA (California), PIPEDA (Canada), Australian Privacy Act, and many other laws require a Privacy Policy when you collect personal data. This includes basic analytics (Google Analytics), contact forms, email subscriptions, and login functionality.

What does GDPR require in a Privacy Policy?

Under GDPR, your Privacy Policy must identify your lawful basis for processing each type of data, explain users' rights (access, deletion, portability, restriction), name data processors and third parties, state your data retention periods, and provide contact details — including a Data Protection Officer if required.

Do I need a Privacy Policy if I only use Google Analytics?

Yes. Google Analytics collects IP addresses and behavioral data. Google's own terms of service require a Privacy Policy for any site using their analytics products, and most privacy laws require disclosure of any data collection, including analytics.

What is the difference between a Privacy Policy and a Cookie Policy?

A Privacy Policy covers all personal data your site collects and processes. A Cookie Policy is more specific — it explains what cookies and tracking technologies your site uses, what data they collect, their purpose, and how users can control them. Under GDPR you typically need both.

Where should I display my Privacy Policy?

Link your Privacy Policy in your website footer, in signup and account creation forms, during checkout flows, in cookie consent banners, in your app's settings menu, and anywhere you collect personal data. App stores require a direct link before app approval.

Generate your Privacy Policy free — right now

GDPR, CCPA, UK GDPR, LGPD, PIPEDA and Australian Privacy Act 1988 compliant. Customised to the data you actually collect.

Free to generate. Takes about 3 minutes. Free account required.