October 3, 2023

Free Privacy Policy Template to Comply with the GDPR

Create a compliant privacy policy for your website with our free GDPR privacy policy template. Learn why a privacy policy is essential and how to customize it to meet your needs.

You have a new website and you know that it must comply with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Personal Information Protection and Electronic Documents Act (PIPEDA), and other data privacy laws worldwide. You can always rely on the Secure Privacy privacy policy generator to generate one, but if you're keen to go the DIY way, we'll provide you with a free privacy policy template that you can use on your website or app. We will also explain to you how to fill it out so that it complies with the laws.

We'll delve into the following:

  • What is a privacy policy and why is it required
  • Privacy policy v. privacy notice
  • What are the essential elements of a privacy policy
  • The free website privacy policy template and guidance on how to tailor it to your website
  • How to create a robust privacy policy in minutes

What is a Privacy Policy and Why Is It Required?

A privacy policy is a legal document with which you inform your users about your privacy practices. Its sole purpose is to inform. That's why it is essential to be up-to-date and to reflect your current privacy practices.

Data protection laws, including the GDPR, CCPA, VCDPA, LGPD, PIPEDA, and many others, rely on the transparency principle. It means that you have to tell your visitors exactly what your website collects and what you do with their personal information. This means that all websites and mobile apps usually need a privacy policy. The best way to do so is to post a privacy policy that explains everything about it.

Remember, to comply with data privacy laws around the world, you need to use a privacy policy no matter where you work from, so you definitely must have a privacy policy for your website or app.

Privacy Policy v. Privacy Notice v. Privacy Statement

The GDPR requires data controllers to provide certain information at the moment of data collection. The CCPA requires presenting consumers with privacy notices, including one on data collection. For the California Online Privacy Protection Act (COPPA), a comprehensive privacy policy is required.

Some people in conversations call it a privacy statement, privacy page, or a policy page. 

It is all different wording for the same thing. It is the document that informs users on how you handle their personal information. The most common name for it is privacy policy. But you won't be wrong if you call it another way.

What Are the Essential Elements of a Privacy Policy

Every data protection law explicitly requires businesses to present users with a specific set of information about their data processing activities.

In practice, this means essential elements of a privacy policy.

The GDPR standard privacy policy requires the following:

  • The categories of personal data you collect
  • How you collect data
  • Why do you collect data
  • With whom do you share data and the purposes for sharing
  • Data subject rights and how to exercise them
  • Data retention information
  • Data transfer information
  • Information on children’s data, if applicable
  • Changes to the privacy policy
  • Information about the Data Protection Officer, if any
  • Your contact information

If you want to comply with both laws at once, you need to include everything required for all the laws. In many cases, the information overlaps.

Free Website Privacy Policy Template and How to Fill It Out

Now we'll get into the sample privacy policy template that we at Secure Privacy developed for our privacy policy generator. We'll take each element one by one and explain to you how to adjust it and use a privacy policy template for your business. You may also follow this privacy policy example and use our free privacy policy generator.

Data Controller Details

We value your privacy and are dedicated to safeguarding it. This policy outlines how we process any personal information you provide via our website (http://secureprivacy.ai). We, Secure Privacy, are the data controller of your personal information. We recommend that you read through the details set out in this Privacy Policy thoroughly to gain a clear understanding of our privacy practices.

Explanation: This is the introductory part where we include the details about us, the data controller who presents the company's privacy policy. You may also include information about you as the website owner, or mobile app developer. 

Legal basis for collecting and processing your personal information

Our legal basis for obtaining and utilizing your personal information, as this policy outlines, depends on the context in which it is collected.

We may collect your personal data because:

  • [legal basis 1]
  • [legal basis 2]
  • [legal basis 3]

Explanation: You must inform users on what legal bases you rely on to process their data. Legal bases include consent, legitimate interests, execution of a contract, vital interests, public interests, or compliance with the laws. List all the lawful bases applicable to you.

Why we process personal data

We process personal data for the following purposes:

  • [purpose 1]
  • [purpose 2]
  • [purpose 3]

When you subscribe to our services, third-party providers will be authorized to process your payment information. In these situations, we do not have access to your payment details. Instead, Stripe, the third-party processor responsible for your payment, will have access to your data.

Explanation: List all your processing purposes, such as providing products or services, providing customer support, marketing, website analytics, or whatever other processing purpose you have.

Categories of personal data we collect

We process the following categories of personal data:

  • [Data category 1]
  • [Data category 2]
  • [Data category 3]
  • [Data category 4]
  • [Data category 5]

Explanation: Personal names, email addresses, home addresses, browsing behavior, IP addresses, financial data - these are all data categories. Include every single personal data category that you collect.

How we collect your personal data

There are two ways in which we collect data:

  1. Data provided directly by you
  2. Data collected through third-party services

We collect data directly from you during your communication with us regarding our services, such as technical support threads. This is the data that you provide to us.

In addition to the data that you provide, we also use third-party tools to facilitate, operate, and manage our website. These tools use cookies and other tracking technologies. However, the third-party tools that we use will only insert cookies and other tracking technologies with your explicit consent. You can provide your consent by clicking 'Accept' on our Privacy Center, and we will keep track of it.

You can manage your permissions by clicking our Trust Badge below:


Explanation: Here we explain how we collect the data. In general, either we use cookies upon your explicit consent, or you provide us with the data voluntarily. Unlike Secure Privacy, some organizations may obtain the data from third parties, such as lead generation services. Make sure you include whatever methods are applicable to you.

With whom we share the collected personal information

To facilitate and make our website accessible to visitors, we engage third-party companies and individuals ('Data Processors') who may require access to your personal information. These tools may use cookies and other tracking technologies.

Please note that these service providers only have access to your personal information to perform the tasks we have assigned to them, and they are obligated not to disclose or use it for any other purpose.

Some of these third-party service providers may track your online behavior over time and across different internet websites or online services. However, we do not have control over their data collection practices or the use of your personal information. Therefore, we encourage you to review their privacy policies before consenting to the use of their services on our website.

We share or disclose your personal information with the following third-party service providers:


We use a 3rd party analytical software to gather statistical information about our website visitors. The services we use include:

  • Google Analytics
  • Dynatrace
  • Hotjar


We use third-party services to personalize content and serve you with relevant ads. These services may share content you provide to 3rd party. These include:

  • Google Ads

Explanation: Almost all businesses share data with third parties. This includes, but is not limited to servers and software tools. The GDPR, and some other laws, explicitly require you to tell data subjects who else can access their data.

Data Retention

The duration for which we retain each specific category of personal data depends on the processing purpose for which it was collected. We will store your personal data only for as long as it is necessary to fulfill the specific processing purpose for that category of data.

Explanation: For how long do you store users' personal data? The GDPR requires you to delete it as soon as you don't need it anymore. Make sure you explain it to your website visitors here. The privacy policy must describe how long the website keeps personally identifiable information before it is deleted from storage.

What are your rights as the owner of personal information

You have the following data protection rights:

  • The right to access your data
  • The right to update or correct your data
  • The right to object to the use of your data
  • The right to restrict the use of your data
  • The right to transfer your data to another data controller
  • The right to the erasure of your data
  • The right to withdraw consent
  • The right to lodge a complaint to the relevant data protection authority

How can you exercise your rights as the owner of personal information

If you would like to exercise your rights under the GDPR, you may submit your requests to us through the following channels:

  • Email: [where to send requests over email]

Please note that we may ask you to verify your identity before responding to your request to protect the security of your personal information.

You also have the right to file a complaint with a Data Protection Authority regarding our collection and use of your personal information. For more information on this, please contact your local data protection authority.

Explanation: We have listed all the GDPR rules above, except one - not to be subject to automated decision-making. Make sure you list all the GDPR rights your users have and inform them how they can exercise the rights.

Location and transfer of your personal information

We utilize several third-party service providers, including Google Ads, Google Analytics, Dynatrace, and Hotjar. These providers are considered our data processors and are contractually bound to keep your personal information secure and confidential. They may only use your data for the purposes outlined in our agreement with them.

We store your data in the European Union. However, some of these third-party service providers may be located in third countries outside of the European Union. In such cases, we ensure that your data is transferred based on appropriate safeguards, such as adequacy decisions, standard contract clauses, or another transfer tool.

We take all reasonable steps to ensure that your data is treated securely and that no transfer of your personal data will take place to an organization or a country unless adequate controls are in place to safeguard your data and other personal information. We are committed to maintaining the security of your personal information and protecting your privacy rights.

Explanation: The section above informs users that the data may be transferred to third countries. In some cases that may pose a risk to their rights and freedoms, therefore whenever you transfer their data outside of the EU, you must tell them about that.

Security of your personal information

We understand how important it is to keep your personal information secure. To protect your data, we implement appropriate technical measures to prevent unauthorized access, loss, or destruction. We also ensure that our sub-contractors are aware of our privacy policy and receive regular updates on our security practices. 

We recommend that you use a strong and unique password, keep it confidential, and log out of your account on shared computers to safeguard the security of your personal information. At our company, we take the security and privacy of your data seriously and work hard to keep it safe.

Explanation: Data security is an essential part of GDPR compliance and you need to give at least some basic information to users about it. You don't have to go too much into details or be too technical about it, but ensure to give some information on how you secure their personal data.

Protecting your child’s privacy

Our Service does not address anyone under 16 ('Children'). We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your Children have provided us with personal data, please contact us. If we become aware that we have collected personal data from children without verification of parental consent, we take steps to remove that information from our servers.

Explanation: If you run a website that collects children's data, be transparent about it. If your website does not collect such data, add this section to clarify how you handle children's online privacy.

Changes to this privacy policy

From time to time we may update this Privacy Policy. If we do, we will update the “last updated” sections at the top of the Privacy Policy. If we make material changes to this policy, we may notify you on our website, by a blog post, by email, or by any method we determine. Your continued use of this website or our service and/or continued provision of information to us will be subject to the terms of the then-current Privacy Policy.

Explanation: Actually, this is not a required element to include in your privacy policy, but it may be a good practice to set expectations with users and inform them that your privacy practices may change over time and that will result in updating your privacy policy.

Contact us

If you have any questions about our Privacy Practices or this Policy, please contact us at

Explanation: Finally, provide users with your contact information. This may be included in the introductory part, too.

How to Create a Privacy Policy in Minutes

You need to publish a privacy policy on your website because many third-party services require you to have one. Of course, you can go the DIY route and create a privacy policy from scratch by filling out the privacy policy template for websites and apps we provided above. 

But, if you don't want to learn the ins and outs of privacy regulations and want to save time, you can do so using a privacy policy generator by Secure Privacy. You'll answer a few questions and you'll have a good privacy policy ready for publishing on your website.

Start your Free Trial