- Is this Privacy Policy legally valid?
- It's a strong, modern template — not legal advice. Every privacy policy that ships on a real website should be reviewed by a lawyer qualified in your jurisdiction before you publish it. A template can cover the structural pieces (what you collect, why, the user's rights, how to contact you) but it can't anticipate sector-specific rules (HIPAA, COPPA, FERPA, financial-services rules), the exact list of third-party processors you use, the data-broker registration rules in some US states, or the privacy notices required for specific product features. Use this as the starting point. Then get a lawyer to look at it. Privacy law violations carry real penalties (up to 4% of global revenue under GDPR), so this is the wrong place to cut a corner.
- Do I need a Privacy Policy if my site doesn't collect anything?
- Probably yes. If you use analytics (Google Analytics, Plausible, Fathom), an ad network, embedded YouTube videos, or any third-party script, you're effectively collecting visitor data — even if you don't store anything yourself. Most app stores (Apple, Google), most ad networks (AdSense), and most analytics providers (Google) require a Privacy Policy as a condition of using their service. The pragmatic rule: if your site has any third-party JavaScript, generate a policy.
- When should I check the GDPR box?
- Check it if any of your visitors could reasonably be in the European Economic Area, the UK, or Switzerland. On the open web, that's effectively every site — GDPR applies to processing of data of people physically in the EU, regardless of where your business is registered. The penalty for non-compliance is up to €20 million or 4% of global annual turnover, whichever is higher, and supervisory authorities do hand out fines to non-EU companies. If you're unsure, check it.
- When should I check the CCPA box?
- Check it if you do business in California or if any of your users are California residents AND your business meets one of these thresholds: annual gross revenue over $25 million, or you buy/sell/share personal information of 100,000+ California residents per year, or you derive 50% or more of your annual revenue from selling/sharing personal information. If you're a small site with US users and don't sell data, the strict requirements may not apply — but the section is harmless to include and signals good-faith effort.
- Where do I put the policy once I generate it?
- On a public page on your site, typically `/privacy` or `/privacy-policy`. Link to it from your footer (so it's reachable from every page) and from any signup form where the user enters personal information. If you have a mobile app, also link to it from the app's settings page and from the app-store listing. For ad-network compliance (AdSense, Meta), the policy needs to be in English and reachable from the homepage; a buried policy won't satisfy their crawler.
- Does the generator save anything I type?
- No. Everything runs in your browser. Nothing is uploaded, logged, or stored. The form is in-memory only — if you refresh the page, you start over. Copy your generated policy somewhere safe (a draft on your CMS, a Google Doc, a text file) before you close the tab.
- What's the difference between the plain-text and HTML output?
- The plain-text version is best for pasting into a Markdown editor (Notion, Ghost, Substack), a CMS that handles Markdown (Astro, Hugo, 11ty), or a Word document you'll style yourself. The HTML version is ready to paste into a raw HTML page — it has `<h1>`, `<h2>`, `<p>`, and `<ul>`/`<li>` tags but no inline styles, so it inherits your site's typography. Pick whichever fits your platform.
- Should I update the policy when I change something on my site?
- Yes — and this is the part most websites get wrong. If you add a new analytics provider, integrate a new payment processor, start using a new email tool, or change what data you collect, the policy needs to reflect that. Update the effective date so users can see something changed. Under GDPR, material changes may require re-notifying users. Treat the policy like product documentation: review it every time you ship a feature that touches user data.
- Can I use this for a mobile app or just for a website?
- The template is written for websites but the core sections (what you collect, why, user rights, contact) apply equally to mobile apps. For apps, you'll also want to add disclosure for app-specific data categories (precise location, contacts, photos, microphone access) that the website template doesn't cover — Apple's App Store Connect and Google Play both require a structured 'data safety' disclosure separately from the prose policy. Use this as the base, then layer the app-specific disclosures on top.
- Do I need a separate Cookie Policy?
- Not necessarily — most websites fold cookies into the main Privacy Policy, which is what this template does. A separate Cookie Policy is more common in the EU, where ePrivacy rules require explicit cookie disclosures distinct from general privacy notices. If you serve a primarily European audience and use non-essential cookies, you may want a dedicated Cookie Policy plus a cookie consent banner (which this tool does NOT generate — you'll need a separate consent-management solution).