MAKE YOUR FREE Privacy Policy
What we'll cover
What is a Privacy Policy?
A Privacy Policy is a legal document used on a website, which sets out how you handle website users’ personal information. This helps your business comply with its data protection and privacy obligations and helps you carry out e-commerce activities without being exposed to unnecessary legal risks.
This document is GDPR compliant.
When should I use a Privacy Policy?
Use this Privacy Policy template:
- if you or your business operate a website in the UK
- if you collect personal data on your website, for example, if your website (eg an e-commerce site or blog) asks users to disclose personal information
- to comply with data privacy legislation
Sample Privacy Policy
The terms in your document will update based on the information you provide
PRIVACY POLICY
This Privacy Policy applies between you, the User of this Website, and , the owner and provider of this Website. takes the privacy of your information very seriously. This Privacy Policy applies to our use of any and all Data collected by us or provided by you in relation to your use of the Website.
Please read this Privacy Policy carefully.
Definitions and Interpretation
- In this Privacy Policy, the following definitions are used:
- Data: collectively all information that you submit to via the Website. This definition incorporates, where applicable, the definitions provided in the Data Protection Laws;
- Data Protection Laws: any applicable law relating to the processing of personal Data, including but not limited to the GDPR, and any national implementing and supplementary laws, regulations and secondary legislation;
- GDPR: the UK General Data Protection Regulation;
- , we or us: ;
- User or you: any third party that accesses the Website and is not either (i) employed by and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to and accessing the Website in connection with the provision of such services; and
- Website: the website that you are currently using, , and any sub-domains of this site unless expressly excluded by their own terms and conditions.
- In this Privacy Policy, unless the context requires a different interpretation:
- the singular includes the plural and vice versa;
- references to sub-clauses, clauses, schedules or appendices are to sub-clauses, clauses, schedules or appendices of this Privacy Policy;
- a reference to a person includes firms, companies, government entities, trusts and partnerships;
- "including" is understood to mean "including without limitation";
- reference to any statutory provision includes any modification or amendment of it;
- the headings and sub-headings do not form part of this Privacy Policy.
Scope of this Privacy Policy
- This Privacy Policy applies only to the actions of and Users with respect to this Website. It does not extend to any websites that can be accessed from this Website including, but not limited to, any links we may provide to social media websites.
- For purposes of the applicable Data Protection Laws, is the "data controller". This means that determines the purposes for which, and the manner in which, your Data is processed.
How We Collect Data
- We collect Data in the following ways:
- data is given to us by you; and
- data is collected automatically.
Data That is Given to Us by You
- will collect your Data in a number of ways, for example:
- when you contact us through the Website, by telephone, post, e-mail or through any other means;
in each case, in accordance with this Privacy Policy.
Data That is Collected Automatically
- To the extent that you access the Website, we will collect your Data automatically, for example:
- we automatically collect some information about your visit to the Website. This information helps us to make improvements to Website content and navigation, and includes your IP address, the date, times and frequency with which you access the Website and the way you use and interact with its content.
Keeping Data Secure
- We will use technical and organisational measures to safeguard your Data, for example:
- access to your account is controlled by a password and a user name that is unique to you.
- we store your Data on secure servers.
- Technical and organisational measures include measures to deal with any suspected data breach. If you suspect any misuse or loss or unauthorised access to your Data, please let us know immediately by contacting us via this e-mail address: .
- If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
Data Retention
- Unless a longer retention period is required or permitted by law, we will only hold your Data on our systems for the period necessary to fulfil the purposes outlined in this Privacy Policy or until you request that the Data be deleted.
- Even if we delete your Data, it may persist on backup or archival media for legal, tax or regulatory purposes.
Your Rights
- You have the following rights in relation to your Data:
- Right to access - the right to request (i) copies of the information we hold about you at any time, or (ii) that we modify, update or delete such information. If we provide you with access to the information we hold about you, we will not charge you for this, unless your request is "manifestly unfounded or excessive." Where we are legally permitted to do so, we may refuse your request. If we refuse your request, we will tell you the reasons why.
- Right to correct - the right to have your Data rectified if it is inaccurate or incomplete.
- Right to erase - the right to request that we delete or remove your Data from our systems.
- Right to restrict our use of your Data - the right to "block" us from using your Data or limit the way in which we can use it.
- Right to data portability - the right to request that we move, copy or transfer your Data.
- Right to object - the right to object to our use of your Data including where we use it for our legitimate interests.
- To make enquiries, exercise any of your rights set out above, or withdraw your consent to the processing of your Data (where consent is our legal basis for processing your Data), please contact us via this e-mail address: .
- If you are not satisfied with the way a complaint you make in relation to your Data is handled by us, you may be able to refer your complaint to the relevant data protection authority. For the UK, this is the Information Commissioner's Office (ICO). The ICO's contact details can be found on their website at https://ico.org.uk/.
- It is important that the Data we hold about you is accurate and current. Please keep us informed if your Data changes during the period for which we hold it.
Links to Other Websites
- This Website may, from time to time, provide links to other websites. We have no control over such websites and are not responsible for the content of these websites. This Privacy Policy does not extend to your use of such websites. You are advised to read the Privacy Policy or statement of other websites prior to using them.
Changes of Business Ownership and Control
- may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of . Data provided by Users will, where it is relevant to any part of our business so transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this Privacy Policy, be permitted to use the Data for the purposes for which it was originally supplied to us.
- We may also disclose Data to a prospective purchaser of our business or any part of it.
- In the above instances, we will take steps with the aim of ensuring your privacy is protected.
General
- You may not transfer any of your rights under this Privacy Policy to any other person. We may transfer our rights under this Privacy Policy where we reasonably believe your rights will not be affected.
- If any court or competent authority finds that any provision of this Privacy Policy (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this Privacy Policy will not be affected.
- Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
- This Agreement will be governed by and interpreted according to the law of England and Wales. All disputes arising under the Agreement will be subject to the exclusive jurisdiction of the English and Welsh courts.
Changes to This Privacy Policy
- reserves the right to change this Privacy Policy as we may deem necessary from time to time or as may be required by law. Any changes will be immediately posted on the Website and you are deemed to have accepted the terms of the Privacy Policy on your first use of the Website following the alterations.
You may contact by email at .
Attribution
- This Privacy Policy was created using a document from Rocket Lawyer (https://www.rocketlawyer.com/gb/en).
This Privacy Policy was created on .
About Privacy Policies
Learn more about making your Privacy Policy
How to make a Privacy Policy
Making your Privacy Policy online is simple. Just answer a few questions and Rocket Lawyer will build your document for you. When you have all the information about your data protection and privacy practices prepared in advance, creating your document is a quick and easy process.
You’ll need the following information:
Your business’ details
- Your business’ details (including its legal structure, website address, contact details, and address).
- A URL for your terms and conditions (if your website has some in place).
- Does your website sell goods, services, or both?
Information about the data you’ll collect from website users
- Which data will you collect about your users?
- How will you collect this information? For example, when users make payments?
- Will you obtain data from third parties (eg when users follow you on social media websites)?
Information about how you’ll use users’ data
- What will users’ data be used for (eg for internal records or for market research)?
- Will you share users’ information with anyone (eg your employees, affiliate companies, or other businesses who process data for you)? If so, why do you share information with these parties?
- Do you comply with any ISMSs?
- Will you transfer personal data outside of the UK?
Cookies
- Does your website use cookies? If so:
- What types of cookies does your website use?
- Describe the cookies that your website uses and explain their purpose.
- Does your website have a cookie preference centre (ie a section of your website where users can change the cookie consents that they’ve given you)? What is its URL?
Common terms in a Privacy Policy
Privacy Policies explain how your website and your business safely and securely process users’ personal information, in order to help you comply with data protection laws. To do this, this Privacy Policy template includes terms and sections covering:
- definitions and interpretation - this section sets out exactly what is meant by key terms such as ‘Data’, ‘User’, and ‘Website’. This helps to provide clarity for website users. Having this information clearly set out may also help your business to demonstrate your data protection compliance if you’re involved in any privacy-related disputes down the line
- scope - this section limits your Privacy Policy so that it doesn’t cover data processing performed by other websites that your website may link to
- ‘data collected’ and ‘how we collect data’ - these sections set out which data your website collects from users, and how this is collected. The following sections, if relevant, explain how you collect data in more depth (eg how you collect data automatically via cookies)
- our use of data - this section explains how your business uses users’ data. It also explains when certain types of consent are required to allow these uses and when a user is considered to have given this consent (eg when the user is required to make a positive action (eg by ticking a box) to consent, versus when other activity may be enough)
- lawful bases (or grounds) for processing data - the ‘Our use of data’ section also covers various legal grounds for processing personal data, which may apply to your business based on the information you’ve provided in the interview so far. These include the bases of legitimate interests, consent, and taking steps to enter into a contract at the user’s request. For more information on lawful bases, read Processing personal data
- who we share data with - this section explains who your business shares users’ personal data with, for example, group companies or relevant authorities (eg a police force). You must also set out in this section why you share data with each category of other party
- keeping data secure - this section explains some of the measures your business complies with to make sure users’ data is secure. It also sets out any ISMSs you comply with and things that users can do if they have concerns about their data’s security (eg how to contact you if they suspect a security issue)
- data retention - explains how long your business stores data for before deleting it, to comply with the law
- your rights - this section communicates users’ data protection rights to them. This includes their rights to access, correct, or erase their data held by you. It also sets out how users can solve any issues they have with your use of data, including the email address for somebody within your business that users can use to resolve issues before they get to the stage of reporting you to the ICO
- international transfers of personal data - this section deals with any transfers of users’ personal data that your business makes to parties outside of the UK. It explains that such transfers may be made, but only in a manner which is compliant with data protection legislation. This means that either an adequacy regulation is in place for the place you’re transferring data to (eg the EEA), or you have sufficient safeguards in place to ensure data is transferred and used safely. For more information, read International transfers of personal data
- links to other websites - this section explains that, although your website may contain links to other websites (eg social media sites), your Privacy Policy doesn’t cover these websites. This helps ensure that you’re not responsible for any non-compliant data processing that these other websites carry out
- changes of business ownership and control - explains that users’ data may be transferred to a new controlling party (eg new business owners) if your business (or part of your business) is sold. It explains how data may also be disclosed during the sale process (eg to a prospective purchaser)
- cookies - this section explains which cookies your business uses, how it does so, and how users will be asked for their consent to this. It sets out the measures that your business takes to ensure it uses cookies in a legally compliant manner, for example providing information on cookies and a way to delete them. Greater detail on exactly which cookies you use can be inserted at the bottom of the Privacy Policy
- general - this section explains your Privacy Policy’s enforceability. For example, it explains that if one part of the Policy is found to be unenforceable (eg by a court), the rest will remain enforceable. It notes that a delay in either a user’s or the business’ exercise of their rights under this Policy shouldn’t affect their rights and access to remedies (eg via litigation)
- changes to your Privacy Policy - sets out the business’ right to update their Privacy Policy (eg to comply with new laws) and when a user is deemed to have accepted an updated version (ie the first time they use your website after the new version of your Policy has been published)
If you want your Privacy Policy to include further or more detailed provisions, you can edit your document. However, if you do this, you may want a lawyer to review the document for you (or to make the changes for you) to make sure that your modified Privacy Policy complies with all relevant laws and meets your specific needs. Use Rocket Lawyer’s Ask a lawyer service for assistance.
Legal tips for businesses
Ensure that your business complies with the commitments you’ve made in your Privacy Policy
Setting out in writing what your business will do to meet its data protection and privacy obligations is an important first step towards compliance. However, to ensure you do meet your legal obligations, make sure you actually carry out the practices and procedures that you’ve committed to. For example, if you’ve committed to only storing data on secure servers or to meeting the standards set out in an ISMS, make sure you and your employees always do this. If you need help with data protection compliance, you can use Rocket Lawyer’s GDPR compliance advice service.
Consider what other data protection documents you may need
Data protection is a complex area of law. As well as a Privacy Policy, you may need to have further data protection documents in place to ensure your business’ GDPR compliance. These include, but are not limited to:
- a Data protection impact assessment (DPIA) - if you’re processing data in a way that’s likely to pose a high risk to individuals’ data protection rights, for example processing on a large scale
- a Legitimate interest assessment (LIA) - when you’re relying on the legitimate interest ground to process personal data
- a Data processing agreement (DPA) - if you’re transferring personal data to another party so they can process it for you (eg by storing it)
For more information, read How to make a business GDPR-compliant checklist.
Make sure you collect consent from users when you need it
Different types of consent are required for different data processing activities. For example, to store non-essential cookies on a user’s device or to send most email marketing, consent must be given by a clear affirmative action (eg ticking a box that was not pre-ticked); a pre-ticked box, scrolling past a banner, or simply not objecting does not count. For some activities (eg email marketing about similar products to an existing customer, the so-called ‘soft opt-in’), the user is treated as having consented provided they were given a clear and simple way to opt out when their details were collected and in every message since. Make sure you know exactly when to collect what kind of consent from your website’s users, to ensure you don’t breach their data protection rights. For more information, read your completed Privacy Policy in its entirety, and read Consent for GDPR, Data privacy and cookies, and the ICO’s guidance on consent.
Understand when to seek advice from a lawyer
In some circumstances, it’s good practice to Ask a lawyer for advice to ensure you’re complying with the law and that your business is well protected from risk. You should ask for advice if:
- your website collects sensitive personal data (known as ‘special category’ personal data; it includes information about racial or ethnic origin, political opinions, and physical health)
- you want to carry out data processing on a very large scale
- you share the data your website collects with lots of other businesses that are group companies or affiliates
Privacy Policy FAQs
What should a Privacy Policy include?
Privacy Policies explain the purpose of data collection on a website, the types of information collected, and the scope and limitations of the data processing.
This Website Privacy Policy template covers:
- the nature of data collected by the site
- how your website collects, stores, and uses data
- the legal justifications for your data processing (the ‘lawful grounds’ or ‘lawful bases’)
- website users’ data protection and privacy rights
- links to other websites
- passwords, security, and access
- cookie use
- transfers of data outside of the UK and the European Economic Area (EEA)
Do you need a Privacy Policy on your website?
A Website Privacy Policy is a legal document that communicates your business’ data protection practices to your customers and other visitors to your website. Any e-commerce website will collect personal data about its customers in order to process sales, for example, customers’ names, dates of birth, contact details, and credit card details. Therefore, compliance with data protection laws (which dictate how personal data can be used) is essential.
Making a Privacy Policy can help your business to do this. It can:
- help your business (ie the website operator) to comply with its obligation to process data fairly and transparently
- help your business obtain users’ consent to the processing of their personal data where consent is the lawful basis you rely on (eg for marketing)
- reassure online customers and website users that their data is protected
- help you obtain users’ consent before you store non-essential cookies on their devices
What are personal data and data processing?
‘Personal data’ is information from which an individual (known as a ‘data subject’) may be identified (from the data on its own, or in conjunction with other data). Personal data includes, but is not limited to, names, contact details, and IP addresses.
The UK data protection regime, contained primarily in the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, requires that personal data is processed by businesses in accordance with the ‘data protection principles’, for example fairly and only for a specified purpose.
‘Data processing’ refers to any operation performed on personal data, for example collecting, recording, storing, using, disclosing, or erasing it. Use of personal data for purely personal or household reasons is exempt; any use by a business counts as processing.
To lawfully process personal data, you should ensure that one or more of the lawful bases for processing are met, to justify your data processing.
For more information, read Data protection and Processing personal data.
What are the lawful bases for processing?
The lawful grounds for processing are a set of conditions which, if met, allow an organisation to process personal data. Only one ground needs to be met for a given processing activity. The grounds include, for example, that the processing is necessary to perform or take steps to enter into a contract, or it’s necessary for your business’ legitimate interests (eg commercial reasons). For more information, read Processing personal data.
What is a Data Protection Officer?
A Data Protection Officer (DPO) is a person who assists your business with data protection compliance. DPOs can inform or advise you regarding your data protection obligations, provide recommendations regarding any data protection impact assessments, and act as a contact point for data subjects and the Information Commissioner's Office (ICO).
You only have to have a DPO if you undertake certain types of data processing (eg large-scale processing or systematic online monitoring). You may choose to voluntarily appoint a DPO.
For more information, read Data protection officers (DPOs).
What are cookies?
Cookies are small text files that a website asks a user’s browser to store on their device and send back with later requests to that site. Because a cookie value can identify a user or their device across visits, cookies are commonly used to collect personal data. Cookies can gather information about a user’s use of the website (eg their preferences), or they can enable the website to recognise the user as an existing customer when they return to the website at a later date.
The law protects users of your website and requires that they give their consent before you store cookies in their web browser, other than cookies that are strictly necessary to provide a service the user has asked for (eg a session cookie that keeps items in a shopping basket). Users must use ‘affirmative action’ to consent. This means that they must actually do something to consent (eg click a checkbox that was not pre-ticked). Users are not held to have consented to your storing cookies on their devices just because they, for example, saw a message about cookies and did not indicate that they didn’t consent.
This document allows you to specify the types of cookies your website collects, their purpose, and how consent will be obtained for the use of these cookies. Depending on the specifics of your situation, you could consider creating a separate Website cookie policy in addition to your Privacy Policy.
For more information, read Data privacy and cookies and Different types of internet cookies.
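The affirmative-action rule described here (and in the ‘Make sure you collect consent from users when you need it’ tip above) is easiest to get right when the consent check lives in the code that sets cookies rather than only in the banner. The following is an added example, not part of Rocket Lawyer’s template or this page: a small server-side consent gate in JavaScript (Node) that reads a consent record from the request, treats a missing, malformed or merely ‘dismissed’ record as no consent, and only emits cookies in categories the user has actively opted in to. The cookie names, categories, consent-record format and policy-version field are assumptions made for the illustration.

```javascript
// Added example (not Rocket Lawyer's code): a server-side cookie consent gate.
// Non-essential cookies are only set after an affirmative opt-in; a banner that
// was merely seen or dismissed grants nothing. Cookie names, categories and the
// consent-record format below are assumptions made for this illustration.

const CONSENT_COOKIE = "cookie_consent"; // assumed name of the consent record
const NON_ESSENTIAL = ["analytics", "advertising"]; // assumed consent categories

// Assumed catalogue of cookies the site may set. "necessary" cookies are exempt
// from consent; every other category needs an explicit opt-in.
const COOKIE_CATALOGUE = {
  session_id: { category: "necessary", httpOnly: true },
  _ga_site: { category: "analytics", httpOnly: false },
  ad_profile: { category: "advertising", httpOnly: false },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function noConsent() {
  return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
}

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(value);
    } catch {
      out[name] = value; // malformed encoding: keep the raw value rather than crash
    }
  }
  return out;
}

// Read the recorded consent from the request. Absent, malformed or non-opt-in
// records (eg the banner was dismissed) all mean no consent.
function consentFromRequest(cookieHeader) {
  const raw = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return noConsent();
  let rec;
  try {
    rec = JSON.parse(raw);
  } catch {
    return noConsent();
  }
  if (!rec || rec.action !== "opted_in" || !rec.categories || typeof rec.categories !== "object") {
    return noConsent();
  }
  const consent = noConsent();
  for (const c of NON_ESSENTIAL) consent[c] = rec.categories[c] === true;
  return consent;
}

// Build the Set-Cookie value the preference centre writes when the user ticks
// boxes and submits. Recording the choice is itself strictly necessary, and the
// policy version lets you re-ask if the policy changes materially.
function consentSetCookie(categories, policyVersion, now = new Date()) {
  const chosen = {};
  for (const c of NON_ESSENTIAL) chosen[c] = categories[c] === true;
  const rec = { action: "opted_in", categories: chosen, policyVersion, at: now.toISOString() };
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(rec))}` +
    "; Path=/; Secure; SameSite=Lax; Max-Age=15552000"; // six months
}

// Return Set-Cookie values for the cookies a handler wants to set, dropping any
// whose category the user has not opted in to. Unknown cookies are refused
// rather than guessed at, so a new tracker cannot slip through unclassified.
function setCookieHeadersFor(consent, wanted) {
  const headers = [];
  for (const { name, value } of wanted) {
    if (!hasOwn(COOKIE_CATALOGUE, name)) continue;
    const entry = COOKIE_CATALOGUE[name];
    if (entry.category !== "necessary" && consent[entry.category] !== true) continue;
    const attrs = ["Path=/", "Secure", "SameSite=Lax"];
    if (entry.httpOnly) attrs.push("HttpOnly");
    headers.push(`${name}=${encodeURIComponent(value)}; ${attrs.join("; ")}`);
  }
  return headers;
}
```

Two design points matter here: the gate defaults closed, so any record that is not an unambiguous opt-in is treated as no consent, and the catalogue is the only place a cookie can be classified, so adding a new non-essential cookie without a category simply means it is never set.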
Do I need to display my personal details?
The Electronic Commerce (EC Directive) Regulations 2002 and the Consumer Contracts (Information, Cancellation, and Additional Charges) Regulations 2013 impose informational requirements on businesses that operate online, in order to protect customers. If you are a UK-registered business that does business online (including if you only advertise your products online), you need to disclose certain information about your business on your website. Some of this information can be provided in your Website Privacy Policy. You can also provide this information in your Terms and conditions.
You must usually display information including your business’:
- name
- registration number (if it’s a company)
- registered address (if it’s a company)
- geographical address (eg the principal place of business if you’re an individual or sole trader)
- contact details, including an email address
- information about payment and delivery processes and consumers’ rights (eg cancellation rights)
For more information, read Online business regulations.
What's an Information Security Management System (ISMS)?
An ISMS is a set of policies, processes and controls used to systematically manage an organisation’s information security risks. Using an ISMS minimises the chances and potential impact of a security breach occurring, to reduce a business’ data protection-related risk. The most widely used ISMS standard is ISO/IEC 27001. Businesses that handle payment card data are also expected to comply with the PCI Data Security Standard (PCI DSS), published by the PCI Security Standards Council (PCI SSC); PCI DSS is a data security standard for the payments industry rather than an ISMS in itself.
Our quality guarantee
We guarantee our service is safe and secure, and that properly signed Rocket Lawyer documents are legally enforceable under UK laws.
Need help? No problem!
Ask a question for free or get affordable legal advice from our lawyer.