How to Create a Privacy Policy (Free Generator + Guide)
6 April 2026
Your website needs a privacy policy. Not because it looks professional, but because EU law requires it. If your site collects any personal data at all, and almost every site does, GDPR Article 13 says you must inform visitors about what happens with their data.
The good news: you don't need a lawyer to create one. A privacy policy for a standard small business website is straightforward. You need to cover specific elements, write them clearly, and keep the document current.
This guide walks through what your privacy policy must contain, how to create one using our free privacy policy generator, and how to write one from scratch if you prefer. We also cover the mistakes that trip up most small businesses and when you actually do need professional legal help.
Why every website needs a privacy policy
The requirement comes from two directions.
GDPR Article 13 applies whenever you collect personal data directly from someone. That happens when a visitor fills in a contact form, subscribes to a newsletter, creates an account, or places an order. But it also happens when your website logs IP addresses, sets cookies, or loads third-party resources like Google Fonts or an embedded YouTube video.
The ePrivacy Directive adds requirements around cookies and electronic communications. If your site sets any non-essential cookies, visitors must be informed and give consent.
Between these two, virtually every website falls under the scope. A static one-page site with no forms but with Google Analytics still processes personal data. A WordPress site with a contact form and a few plugins is almost certainly sending data to multiple third parties.
Not having one is a transparency violation under GDPR. Maximum fines reach 20 million euros or 4% of annual worldwide turnover, whichever is higher. In practice, small business fines are far lower, but a missing or incomplete privacy policy is one of the first things a data protection authority looks at when handling a complaint, because it is visible without any investigation.
What GDPR Article 13 requires
Article 13 lists specific information you must provide when collecting personal data directly from visitors. Here is the list.
- Identity and contact details of the controller. Your business name, address, and a way to contact you. An email address or phone number at minimum.
- DPO contact details. If you have a data protection officer. Most small businesses don't need one.
- Purposes of processing. What you do with the data. Be specific: "to respond to your contact form inquiry" rather than "to improve our services."
- Legal basis for each purpose. Which of the six GDPR legal bases applies to each processing activity: consent, contract, legal obligation, vital interests, public task, or legitimate interest. If you rely on legitimate interest, Article 13 also requires you to state what that interest is (for example, "answering your inquiry").
- Recipients or categories of recipients. Who else gets the data. Your hosting provider, email service, payment processor, analytics provider.
- International transfers. If data goes outside the EEA, explain the legal mechanism. The main ones are an adequacy decision (such as the EU-US Data Privacy Framework for certified US providers) and Standard Contractual Clauses.
- Retention periods. How long you keep each type of data. Specific timeframes, not "as long as necessary."
- Data subject rights. The rights visitors have: access, rectification, erasure, restriction, portability, objection.
- Right to withdraw consent. If any processing is consent-based, explain how to withdraw it.
- Right to complain to a supervisory authority. Name and link to the relevant data protection authority.
- Whether providing data is required. Is it voluntary or necessary? What happens if they don't provide it?
- Automated decision-making. If you use profiling or automated decisions that affect people, disclose it.
For a detailed breakdown of each element, see our privacy policy requirements guide.
Use the free privacy policy generator
The fastest way to create a compliant privacy policy is to use our free privacy policy generator. It asks you a series of questions about your website and business, then produces a policy that covers all twelve Article 13 requirements.
Here is how it works:
Step 1: Enter your business details. Company name, address, contact email, and country of establishment. This populates the data controller section and determines which supervisory authority to reference.
Step 2: Describe your data processing. The generator asks what your website does: contact forms, newsletter signups, online orders, user accounts. For each activity, it assigns the correct legal basis and generates purpose-specific language.
Step 3: Identify your third parties. Select the services your website uses: Google Analytics, Mailchimp, Stripe, Cloudflare, and others. The generator adds the right disclosures for each, including international transfer information where relevant.
Step 4: Set retention periods. For each data category, choose how long you keep it. The generator suggests sensible defaults, but you should adjust them to match your actual practice.
Step 5: Review and publish. Read through the generated policy. Make sure every statement is accurate for your specific situation. Then add it to your website.
The generator covers standard small business scenarios. If your situation is unusual, like processing health data or operating in a regulated industry, use the generated policy as a starting point and get it reviewed by a professional.
Create your free privacy policy now
Writing your own: section by section
If you prefer to write your privacy policy yourself, work through these sections in order. This structure covers all Article 13 requirements and keeps the document readable.
Who we are
Start with your identity. Business name, legal form, registration number (such as your KVK number in the Netherlands), address, and contact details. If you have a DPO, list their contact information here.
What data we collect and why
Create a table or list with three columns: what data, why, and the legal basis. For example:
- Contact form submissions (name, email, message) -- to respond to inquiries -- legitimate interest
- Newsletter subscribers (email address) -- to send monthly updates -- consent
- Order data (name, address, payment details) -- to process and deliver orders -- contract performance
- Analytics data (anonymised IP, pages visited) -- to understand site usage -- legitimate interest for cookieless analytics; consent if the tool sets tracking cookies or similar identifiers, since the ePrivacy rules on non-essential cookies then apply
If you're not sure what your site collects, run a scan to identify third-party services. Many site owners are surprised by how many services load in the background.
Who we share data with
List every third party that receives personal data from your website. Name the companies or at least describe the categories:
- Hosting provider (e.g., Vercel, TransIP)
- Email service (e.g., Mailchimp, Resend)
- Payment processor (e.g., Stripe, Mollie)
- Analytics (e.g., Google Analytics, Plausible)
- Advertising (e.g., Google Ads, Meta)
For each, note whether data leaves the EEA and what safeguards are in place.
How long we keep data
Set clear retention periods for each data category:
- Contact form messages: 12 months after last communication
- Customer order data: 7 years (tax obligation)
- Newsletter subscribers: until unsubscribe
- Analytics data: 14 months (or whatever your analytics tool is set to)
- Server logs: 30 days
These should match what you actually do. Don't write "6 months" if you never delete anything.
Your rights
List the GDPR rights: access, rectification, erasure, restriction, portability, objection. Explain how to exercise them. An email address is enough.
Include the right to withdraw consent for any consent-based processing. And include the right to complain to the supervisory authority, with the name and website of your national authority.
Cookies
While technically a separate requirement under the ePrivacy Directive, most businesses include cookie information in the privacy policy or link to a separate cookie policy. If your site uses cookies, describe what types and point visitors to your cookie banner for managing preferences.
Changes to this policy
State that you may update the policy and how visitors will be notified. Include a "last updated" date at the top or bottom.
Common mistakes to avoid
The policy is too long. GDPR Article 12 requires information to be "concise, transparent, intelligible and easily accessible." A 15-page policy packed with legal jargon fails this test. Aim for clarity over comprehensiveness. If a section doesn't apply to you, leave it out rather than adding boilerplate about it.
It was copied from another website. A restaurant and an online shop process different data. A copied policy either describes things you don't do or misses things you do. Both are problems.
Third-party processors are missing. Your site loads Google Fonts, an embedded map, a YouTube video, a chat widget, and analytics. Each is a data transfer to a third party. If they're not in your privacy policy, it's incomplete. A scan can identify what your site actually connects to.
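The "scan" mentioned above and in the "What data we collect and why" section can be started without any tooling: parse the page and list every host the browser is told to contact. The script below is an added example, not the guide's own scanner. It uses only the Python standard library, runs offline on a constructed sample page, and the host-to-service lookup (`KNOWN_SERVICES`) is a hypothetical starting table you extend for your own stack.

```python
"""Added example (not the guide's own scanner): a static, offline scan of
an HTML page for third-party hosts, the first step in finding processors
that belong in the "who we share data with" section."""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes that make the browser fetch something from another origin.
RESOURCE_ATTRS = {
    "script": ("src",), "link": ("href",), "img": ("src", "srcset"),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src", "srcset"), "embed": ("src",), "object": ("data",),
}

# Hypothetical host-to-service lookup for the report; extend it for your stack.
KNOWN_SERVICES = {
    "www.googletagmanager.com": "Google Tag Manager / Google Analytics",
    "www.google-analytics.com": "Google Analytics",
    "fonts.googleapis.com": "Google Fonts",
    "fonts.gstatic.com": "Google Fonts",
    "www.youtube.com": "YouTube (embedded video)",
    "js.stripe.com": "Stripe",
    "static.hotjar.com": "Hotjar",
}


class ResourceCollector(HTMLParser):
    """Collects absolute URLs of every resource the page tells the browser to load."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "canonical" in rel or "alternate" in rel:
                return  # metadata links; the browser does not fetch these
        for name in wanted:
            value = attrs.get(name)
            if not value:
                continue
            candidates = [value]
            if name == "srcset":  # "url1 1x, url2 2x": keep the URL part of each
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            for cand in candidates:
                self.urls.append(urljoin(self.page_url, cand.strip()))


def same_site(host, own_host):
    """Treat subdomains of your own domain as first party.
    Approximation: compares the last two labels, not Public Suffix List aware."""
    return host.split(".")[-2:] == own_host.split(".")[-2:]


def third_party_hosts(html, page_url):
    """Return {host: [urls]} for every host other than the site's own."""
    own_host = urlsplit(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    by_host = defaultdict(list)
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data:, mailto:, javascript: etc. contact no server
        if not same_site(parts.hostname, own_host):
            by_host[parts.hostname].append(url)
    return dict(by_host)


def report(html, page_url):
    """(host, service, request count) rows, sorted by host, for the policy table."""
    return [(h, KNOWN_SERVICES.get(h, "unknown - identify and disclose"), len(u))
            for h, u in sorted(third_party_hosts(html, page_url).items())]


# Constructed sample page, not a real site.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="canonical" href="https://www.example-shop.test/">
<link rel="stylesheet" href="/static/site.css">
<link href="https://fonts.googleapis.com/css2?family=Inter" rel="stylesheet">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
</head><body>
<img src="/img/logo.png" srcset="https://cdn.example-shop.test/logo@2x.png 2x" alt="">
<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<script src="https://js.stripe.com/v3/"></script>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
</body></html>"""

if __name__ == "__main__":
    for host, service, count in report(SAMPLE_HTML, "https://www.example-shop.test/"):
        print(f"{host:32} {count:2d} request(s)  {service}")
```

On the sample page this reports Google Fonts, Stripe, Google Tag Manager and YouTube, and ignores the CDN subdomain and the inline data: image. A static scan only sees what the HTML declares: a tag manager, consent script or chat widget will load further hosts at runtime, so confirm the inventory against a browser's network log or a headless-browser crawl before writing the "who we share data with" section, and treat any host the lookup marks as unknown as something you still have to identify.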
The policy is outdated. You switched from Mailchimp to Brevo. You added Hotjar. You installed a new booking plugin. Each change means your privacy policy needs updating. Review it whenever you change any tool that handles personal data. Our GDPR compliance checklist covers what else to check.
Missing retention periods. This is the single most commonly missing element we find. "We keep your data as long as necessary" is not a retention period. Regulators expect specific timeframes for each data category.
No mention of the supervisory authority. The second most common omission. You must tell visitors they can complain to a data protection authority and provide the name and contact details.
When a generator is enough vs. when you need a lawyer
A privacy policy generator works well when:
- You run a standard small business website (brochure site, simple shop, portfolio)
- You collect common types of data (contact forms, orders, newsletter signups)
- You use well-known third-party services (Google Analytics, Stripe, Mailchimp)
- You don't process sensitive data (health, biometric, criminal records, children's data)
You should get legal review when:
- You process special category data under GDPR Article 9 (health, genetics, biometrics, political opinions, religious beliefs)
- You operate a platform where users create accounts and interact with each other
- You process children's data (GDPR sets the threshold at 16, but member states may lower it to as low as 13; the Netherlands and Germany use 16, Belgium and the UK use 13)
- You do large-scale profiling or automated decision-making
- You operate in a heavily regulated sector (healthcare, finance, insurance)
- You've received a complaint or inquiry from a data protection authority
For most small businesses, the generator covers what you need. If you're uncertain, generate the policy first, then have a lawyer review it. Cheaper than having one written from scratch.
Country-specific additions
The core GDPR requirements are the same across the EU, but a few countries have specifics worth noting.
Netherlands (Autoriteit Persoonsgegevens)
The Dutch supervisory authority is the Autoriteit Persoonsgegevens (AP). Your privacy policy should reference them by name and include a link to their website (autoriteitpersoonsgegevens.nl). The AP has been active in enforcement, particularly around cookie consent. If your business is registered in the Netherlands, you should also include your KVK number in the data controller section, as explained in our KVK number guide.
Germany (DSGVO / Datenschutz-Grundverordnung)
Germany calls GDPR the "Datenschutz-Grundverordnung" (DSGVO). Enforcement is handled by state-level authorities (Landesdatenschutzbeauftragte), not a single national body. If you target German customers, reference the DSGVO and name the relevant state authority. German regulators are strict about cookie consent, international transfers, and completeness. Germany also requires a separate Impressum.
United Kingdom (ICO)
Post-Brexit, the UK operates under the UK GDPR and the Data Protection Act 2018. The supervisory authority is the Information Commissioner's Office (ICO). If you serve UK customers, mention the ICO and reference UK GDPR alongside EU GDPR. The requirements are nearly identical, but using the correct terminology shows you've considered your UK audience. Include a link to ico.org.uk.
Belgium (GBA)
The Belgian supervisory authority is the Gegevensbeschermingsautoriteit (GBA), in French the Autorité de protection des données (APD). If you serve both Dutch-speaking and French-speaking Belgian customers, provide the policy in both languages.
Keep it current
A privacy policy is not a one-time document. Every time you add a tool, switch providers, or change how you handle data, it needs updating. Review it at least once a year, and run a scan periodically to catch third-party services you might have missed.