GDPR Privacy Policy Generator
Generate a GDPR-compliant privacy policy for your website in minutes. Customise and download instantly, no signup required.
What your privacy policy must cover under GDPR
Data controller identity
You must identify who is responsible for the data. This includes the company name, address, and contact details and, if required, your Data Protection Officer (DPO).
What data you collect
List all categories of personal data you process: names, emails, IP addresses, payment info, location data, behavioural data from analytics, and cookie identifiers.
Legal basis for each purpose
GDPR requires you to identify the legal basis for each processing activity. The six bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
Retention periods
You must state how long you keep personal data. "We keep it until you ask us to delete it" is not sufficient; you need a genuine business or legal justification for the retention period.
International transfers
If any data leaves the EEA (e.g. US-based cloud services, Google Analytics, Stripe), you must disclose this and explain the safeguards (Standard Contractual Clauses, adequacy decisions).
User rights
Your policy must explain all eight GDPR rights (the right to be informed, access, rectification, erasure, restriction, portability, objection, and rights related to automated decisions) and how to exercise them.
Frequently Asked Questions
Who needs a GDPR privacy policy?
Any business or website that processes personal data of people in the European Union or UK must comply with GDPR, regardless of where the business is based. If you have a website accessible to EU/UK residents, collect email addresses, use Google Analytics, or run a newsletter, you need a privacy policy.
Does GDPR apply if my business is outside the EU?
Yes: GDPR has extraterritorial scope (Article 3). It applies to any organisation that processes personal data of EU residents, even if the organisation is based in the US, UK (post-Brexit UK GDPR mirrors EU GDPR), Australia, or elsewhere. The key trigger is the target audience, not the company location.
Do I need a DPO (Data Protection Officer)?
A DPO is mandatory for: public authorities, organisations that carry out large-scale systematic monitoring of individuals (e.g. behavioural advertising), and organisations that process special category data (health, biometrics, etc.) at scale. Most small-to-medium websites do not require a DPO, but appointing one voluntarily is good practice and can be the same person as a data privacy contact.
What is the difference between a privacy policy and a cookie policy?
A privacy policy covers all personal data processing: who, what, why, and for how long. A cookie policy specifically explains what cookies and trackers you use, categorised by type (essential, analytics, marketing), and gives users meaningful choice to accept or reject non-essential cookies. Under GDPR and the ePrivacy Directive, you typically need both, though they can be combined in a single document or linked.
Understanding GDPR Compliance
The General Data Protection Regulation (GDPR) is the European Union's data protection law, in force since May 2018. It governs how any organisation collects, stores, and uses the personal data of people in the EU, and because it applies based on whose data you process rather than where your business is located, it reaches websites worldwide. A clear, accurate privacy policy is the most visible part of compliance, but it is only the surface of what the law requires.
Who GDPR actually applies to
GDPR's reach is extraterritorial (Article 3). If you offer goods or services to people in the EU or UK, or monitor their behaviour (through analytics, advertising, or a newsletter), you fall under it regardless of being based in the US, Australia, or anywhere else. The UK retained its own near-identical UK GDPR after Brexit. In practice, almost any website with EU or UK visitors that collects an email address, runs Google Analytics, or sets cookies needs a compliant privacy policy.
The six lawful bases
Every piece of processing must rest on one of six lawful bases: consent, performance of a contract, legal obligation, vital interests, public task, or legitimate interests. Many businesses over-rely on consent when another basis fits better; for example, processing an order uses "contract", not consent. Identifying the correct basis for each activity, and stating it in your policy, is a core GDPR requirement that a generic template alone cannot decide for you.
The eight data subject rights
GDPR grants individuals eight rights: access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection, rights related to automated decision-making, and the right to be informed. Your privacy policy must explain these and how to exercise them, and you must be able to actually honour a request, usually within one month. Having a policy that promises these rights but no process to fulfil them is a common compliance gap.
Cookies and the ePrivacy rules
Cookies sit under both GDPR and the ePrivacy Directive. Non-essential cookies (analytics, advertising, embedded third-party content) require prior, informed, opt-in consent before they are set; pre-ticked boxes and "by using this site you agree" banners do not meet the standard. Essential cookies needed for the site to function are exempt. A compliant cookie policy categorises each cookie by purpose and gives users a genuine choice to accept or reject the non-essential ones.
A policy is necessary but not sufficient
A privacy policy documents your practices, but compliance is about the practices themselves: minimising the data you collect, securing it, deleting it when no longer needed, handling international transfers with proper safeguards, and reporting breaches within 72 hours. Penalties reach up to €20 million or 4% of global annual turnover. A generated policy is an excellent, fast starting point, but for anything beyond a simple site, have a qualified data protection professional review it against what your business actually does.