
What Should Be in a Privacy Policy

Putting together a privacy policy yourself is not always easy. What are the right contents? What are the basic elements needed? We’ll tell you on this page.

The exact required contents of a privacy policy depend upon the applicable law and may need to address requirements across geographical boundaries and legal jurisdictions.

Generally, data and privacy laws apply to any service targeting residents of a region, which effectively means that a law may apply to your business whether it’s located in the region or not.

For this reason, it’s always advisable that you approach your (legally mandated) privacy policy with the strictest applicable regulations in mind. You can read more about determining your law of reference here or read our in-depth Legal Overview Guide here.

These are the most basic elements that a privacy policy should include:

  • Who is the site/app owner?
  • What data is being collected? How is that data being collected?
  • What is the legal basis for the collection (e.g. consent, necessary for your service, legal obligation, etc.)? This is more specifically related to the GDPR and EU law; however, even if you fall outside of GDPR obligations, it’s likely that under many other legislations you’ll still need to say why you’re processing the personal data of users.
  • For which specific purposes are the data collected? Analytics? Email Marketing?
  • The categories of sources from which you collect consumers’ personal information. This is more specifically related to the USA’s upcoming CCPA. You can read more about that here.
  • Which third parties will have access to the information? Will any third party collect data through widgets (e.g. social buttons) and integrations (e.g. Facebook Connect)?
  • Where applicable, details relating to cross-border/overseas data transfer and which measures were put into place to facilitate this in a safe and compliant way. (This disclosure is explicitly required under EU and Australian laws in particular. Furthermore, there are additional requirements to be met for cross-border transfers with regard to both the EU’s GDPR and Australia’s APPs.)
  • What rights do users have? Can they request to see the data you have on them? Can they request to rectify, erase or block their data? (Under European regulations most of this is mandatory.)
  • Description of process for notifying users and visitors of changes or updates to the privacy policy
  • Effective date of the privacy policy

See our own policy here for an example of how these elements come together.

How iubenda helps you with this

iubenda generates privacy policies that work within the best practices of various jurisdictions. With hundreds of available clauses, our privacy policies contain all the elements commonly required across many regions and services, while applying the strictest standards by default – giving you the option to fully customize as needed.

Our policies are created by lawyers, monitored by our lawyers and hosted on our servers to ensure that they are always up to date with the latest legal and third-party requirements. Our privacy policies are easily customizable and also come with the option to include a cookie policy (which is necessary if your website or app is using cookies).

You can read the full policy generator features here or simply start generating your policy now.
