About

A missing or deficient privacy policy exposes your organization to regulatory fines that can reach 4% of annual global turnover under GDPR (Regulation (EU) 2016/679, Article 83) or up to $7,500 per intentional violation under CCPA (Cal. Civ. Code §1798.155). Beyond penalties, inadequate disclosure erodes user trust and may disqualify you from app store listings or payment processor agreements. This generator constructs a structured privacy policy document parameterized by your actual data practices: what personal data categories you collect (D), which third-party processors receive it, what legal bases apply, and which jurisdictional frameworks govern your operations. The output follows the Article 13/14 disclosure checklist required by most data protection authorities.

This tool approximates a legally structured document. It does not constitute legal advice. Jurisdiction-specific nuances, sector regulations (HIPAA, FERPA, PCI-DSS), or novel data processing activities require review by qualified legal counsel. The generated text uses placeholder clauses for retention periods and specific data sub-processor names that you must verify against your actual infrastructure.

Formulas

The policy document is assembled through conditional clause composition. Each section S_i is included based on a boolean selection function:

Policy = n∑i=1 S_i ⋅ f(config_i)

Where S_i represents each policy section (e.g., Data Collection, Cookies, GDPR Rights), f(config_i) is a boolean function returning TRUE if the user's configuration enables that section, and n is the total number of available clause templates. User-supplied values (company name C, contact email E, effective date T) are interpolated into parameterized template strings after HTML entity sanitization to prevent injection.

The sanitization function replaces characters: < → <, > → >, & → &, " → ". This prevents cross-site scripting when the policy is exported as HTML.

Reference Data

Regulation	Jurisdiction	Effective Date	Key Requirement	Max Fine	Applies To
GDPR	EU / EEA	May 25, 2018	Lawful basis for processing, data subject rights, DPO appointment	€20M or 4% global turnover	Any entity processing EU residents' data
CCPA / CPRA	California, USA	Jan 1, 2020 / Jan 1, 2023	Right to know, delete, opt-out of sale/sharing	$7,500 per intentional violation	Businesses meeting revenue/data thresholds
LGPD	Brazil	Sep 18, 2020	Legal basis, data subject rights, DPO	2% of revenue (max R$50M)	Any entity processing Brazilian residents' data
PIPEDA	Canada	Apr 13, 2000	Consent, purpose limitation, access rights	CAD $100,000 per violation	Private-sector organizations
POPIA	South Africa	Jul 1, 2021	Conditions for lawful processing, data subject rights	ZAR 10M or imprisonment	Any entity processing SA residents' data
COPPA	USA (Children)	Apr 21, 2000	Parental consent for under-13 data collection	$50,120 per violation	Sites/apps directed at children under 13
PDPA	Singapore	Jul 2, 2014	Consent, purpose, access, correction obligations	SGD $1M per breach	Organizations in Singapore
PDPA	Thailand	Jun 1, 2022	Consent, data subject rights, cross-border transfer	THB 5M criminal / 5M administrative	Any entity processing Thai residents' data
Privacy Act	Australia	Mar 12, 2014 (amended)	APPs, transparency, cross-border disclosure	AUD $50M or 30% turnover	Organizations with >AUD 3M revenue
UK GDPR	United Kingdom	Jan 1, 2021	Mirrors EU GDPR post-Brexit	£17.5M or 4% global turnover	Any entity processing UK residents' data
ePrivacy Directive	EU / EEA	Jul 12, 2002	Cookie consent, electronic communications privacy	Set by member states	Any entity using cookies/tracking in EU
APPI	Japan	Apr 1, 2022 (amended)	Consent for sensitive data, cross-border transfers	¥100M per violation	Business operators handling personal info
DPDP Act	India	Aug 11, 2023	Consent, data fiduciary obligations, children's data	$30M (INR 250Cr) per violation	Any entity processing Indian residents' data
FERPA	USA (Education)	Aug 21, 1974	Student education records protection	Loss of federal funding	Educational institutions receiving federal funds
HIPAA	USA (Health)	Apr 14, 2003	PHI safeguards, breach notification	$1.5M per violation category/year	Covered entities and business associates

Frequently Asked Questions

No. This tool produces a structured template based on common regulatory disclosure requirements (GDPR Article 13/14, CCPA §1798.100). The output covers standard clauses but cannot account for sector-specific regulations (HIPAA, PCI-DSS), unique data flows, or jurisdictional nuances. You should have the generated document reviewed by qualified legal counsel before publishing.

The generator includes conditional clause blocks for GDPR (EU/EEA), CCPA/CPRA (California), COPPA (US children's data), LGPD (Brazil), PIPEDA (Canada), and the UK GDPR. Selecting a framework activates the corresponding rights disclosure sections, lawful basis language, and jurisdiction-specific contact requirements.

Audit your actual data collection points: registration forms, analytics scripts, payment processors, cookies, and server logs. Common categories include identifiers (name, email), device data (IP, user agent), financial data (card details via processor), and usage data (pages visited, click events). If you use Google Analytics, you collect device identifiers and browsing behavior. If you accept payments via Stripe, you process financial data through a third-party processor.

You must regenerate or manually update the policy whenever you add new data collection categories, integrate new third-party processors, expand to new jurisdictions, or change your data retention periods. GDPR Article 13(3) requires notification of purpose changes. Store the generation date - the tool includes an effective date field - and maintain a version history.

Yes. Enabling the COPPA toggle adds a Children's Privacy section that declares your policy on collecting data from users under 13 years of age, the requirement for verifiable parental consent, and the parent's right to review or delete their child's information. If your site is not directed at children and you do not knowingly collect data from minors, the clause states this explicitly.

Yes. The generator includes clauses covering both websites and mobile applications. When you specify your platform type, the language adapts to reference "application" or "service" rather than "website" where appropriate. Both Apple App Store and Google Play require a published privacy policy URL for app listings - this generator produces HTML output suitable for hosting at that URL.

When you enable cookies in the data collection step, the generator adds a dedicated Cookies section that categorizes cookies into essential, analytics, and marketing types. It lists common third-party cookie providers you select (Google Analytics, Facebook Pixel, etc.) and includes language about consent mechanisms required under the ePrivacy Directive. You must still implement an actual cookie consent banner on your site - the policy only describes your cookie practices.