Quick answer: A GDPR-compliant privacy policy must disclose what data you collect, why, who you share it with, where it's stored, and what rights users have. Below is a section-by-section guide with a checklist of exactly what regulators look for when they audit your policy.
Why Your Privacy Policy Matters More Than Ever
In 2025 alone, data protection authorities issued fines for incomplete or misleading privacy policies in over 120 cases. The most common violations:
- Not listing all third-party data processors
- Missing or vague information about data retention periods
- No mention of cross-border data transfers
- Failing to explain users' rights clearly
- Using legal jargon instead of plain language
Your privacy policy isn't just a legal document: it's a trust signal that directly affects conversions.
The 12 Sections Every GDPR Privacy Policy Must Include
1. Identity and Contact Details
GDPR Articles 13(1)(a) and 14(1)(a) — You must state who you are:
- Company name and legal entity type
- Registered address
- Contact email for privacy inquiries
- DPO contact details (if you have one)
2. What Data You Collect
Article 14(1)(d) — This is an explicit requirement when data is obtained from sources other than the user; when you collect directly, Article 13 does not list it, but regulators still expect every category of personal data to be named:
- Identity data: name, email, phone number
- Technical data: IP address, browser type, device information
- Usage data: pages visited, time on site, click patterns
- Cookie data: tracking cookies, session cookies, preference cookies
- Payment data: if applicable, specify what you store vs. what your payment processor handles
- Communication data: emails, support tickets, chat messages
Tip: Use PrivacyChecker to scan your website and discover all data collection happening on your site — including third-party trackers you didn't know about.
3. How You Collect Data
Article 14(2)(f) — You must name the source when data does not come from the user; the clearest way is to explain every collection method:
- Directly from the user (forms, account creation, purchases)
- Automatically (cookies, analytics scripts, server logs)
- From third parties (advertising partners, social media logins, data brokers)
4. Legal Basis for Processing
Article 13(1)(c) — For EACH type of processing, state the legal basis:
| Processing Activity | Typical Legal Basis |
|---|---|
| Essential cookies | Legitimate interest or contract (strictly necessary, so no ePrivacy consent) |
| Analytics (GA4, Hotjar) | Consent |
| Marketing emails | Consent |
| Fraud prevention | Legitimate interest |
| Order fulfillment | Contract performance |
| Legal obligations | Legal obligation (tax records, etc.) |
| AI chatbots | Consent or legitimate interest, depending on use, plus the AI Act transparency notice that the user is talking to a machine |
5. Who You Share Data With
Article 13(1)(e) — List categories of recipients:
- Analytics providers (e.g., Google Analytics, Hotjar)
- Email marketing platforms (e.g., Mailchimp, Brevo)
- Payment processors (e.g., Stripe, PayPal)
- Hosting providers (e.g., Vercel, AWS, Hetzner)
- Customer support tools (e.g., Intercom, Zendesk)
- Advertising networks (e.g., Google Ads, Meta)
Scan your site with PrivacyChecker to find all third-party scripts loading on your pages — each one is a potential data recipient.
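The inventory step above can be reproduced without a scanner. The following added example (written for this guide, not PrivacyChecker's code) parses a page's HTML, lists every host a browser would contact while rendering it, separates third-party hosts from your own domain, and maps known hosts to the recipient categories you need in this section. The sample page, the vendor map, and the two-label domain heuristic are assumptions for illustration; replace them with your own pages and stack.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for a fictional shop.example.com (not a real site):
# one first-party script plus several third-party resources a real shop might load.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="https://static.hotjar.com/c/hotjar-123.js"></script>
<link rel="stylesheet" href="https://cdn.example-fonts.net/font.css">
</head><body>
<img src="https://www.facebook.com/tr?id=1&amp;ev=PageView" width="1" height="1">
<iframe src="https://www.youtube.com/embed/abc"></iframe>
<script src="//js.stripe.com/v3/"></script>
</body></html>
"""

# Hypothetical vendor map (host suffix -> vendor, recipient category). Extend it for your own stack;
# anything not listed is flagged so nobody silently omits an unknown recipient from the policy.
KNOWN_VENDORS = {
    "googletagmanager.com": ("Google Tag Manager / GA4", "Analytics providers"),
    "google-analytics.com": ("Google Analytics", "Analytics providers"),
    "hotjar.com": ("Hotjar", "Analytics providers"),
    "facebook.com": ("Meta Pixel", "Advertising networks"),
    "stripe.com": ("Stripe", "Payment processors"),
    "youtube.com": ("YouTube (Google)", "Embedded content"),
}


class ResourceCollector(HTMLParser):
    """Collects every external resource URL a browser fetches when rendering the page."""

    URL_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                 "link": "href", "video": "src", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def registrable_domain(host):
    # Crude eTLD+1 (last two labels): fine for the sample, but use the Public Suffix List
    # in production so that "example.co.uk" is not treated as "co.uk".
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def third_party_hosts(html, site_url):
    """Sorted hosts that serve page resources and are not the site's own registrable domain."""
    collector = ResourceCollector()
    collector.feed(html)
    own = registrable_domain(urlparse(site_url).hostname)
    hosts = set()
    for url in collector.urls:
        # scheme="https" makes protocol-relative "//host/path" resolve; relative paths have no host.
        host = urlparse(url, scheme="https").hostname
        if host and registrable_domain(host) != own:
            hosts.add(host)
    return sorted(hosts)


def classify(hosts):
    """Map each third-party host to (vendor, recipient category); unknown hosts are flagged for review."""
    report = {}
    for host in hosts:
        vendor, category = "UNKNOWN - review manually", "Unclassified"
        for suffix, (v, c) in KNOWN_VENDORS.items():
            if host == suffix or host.endswith("." + suffix):
                vendor, category = v, c
                break
        report[host] = (vendor, category)
    return report


def recipient_categories(html, site_url):
    """Distinct recipient categories to list in the 'Who You Share Data With' section."""
    return sorted({cat for _, cat in classify(third_party_hosts(html, site_url)).values()})


if __name__ == "__main__":
    site = "https://shop.example.com"
    for host, (vendor, cat) in classify(third_party_hosts(SAMPLE_HTML, site)).items():
        print(f"{host:30} {vendor:28} {cat}")
    print("Recipient categories:", recipient_categories(SAMPLE_HTML, site))
```

Run it over the HTML you actually serve (after login and cookie-consent states too, since tag managers often load different scripts per state). The parser only sees static markup: scripts injected at runtime by a tag manager are invisible to it, so pair a static scan like this with a browser network log before finalizing the recipient list.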
6. Cross-Border Data Transfers
Article 13(1)(f) — If data leaves the EU/EEA, disclose:
- Which countries data is transferred to
- Transfer mechanism (adequacy decision, SCCs, DPF, BCRs)
- How users can obtain a copy of the safeguards
See our cross-border transfer guide for details.
7. Data Retention Periods
Article 13(2)(a) — Specify how long you keep each type of data:
| Data Type | Typical Retention |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Analytics data | 2–26 months (GA4 keeps event data 2 months by default, 14 months if you opt in) |
| Marketing consent records | Duration of consent + 3 years |
| Transaction records | 6–10 years (legal obligation: national tax and accounting law sets the exact period) |
| Support tickets | 2 years after resolution |
| Server logs | 30–90 days |
8. User Rights
Articles 15–22 — You MUST explain these rights:
- Right of access (Article 15) — Obtain a copy of their data
- Right to rectification (Article 16) — Correct inaccurate data
- Right to erasure (Article 17) — Request deletion
- Right to restrict processing (Article 18)
- Right to data portability (Article 20) — Download in machine-readable format
- Right to object (Article 21) — Object to legitimate interest processing
- Right not to be subject to automated decisions (Article 22)
Provide a clear way to exercise these rights (email, form, or dedicated portal).
9. Cookie Policy
Link to or include a detailed cookie policy listing:
- Each cookie name, purpose, provider, type, and expiration
- How to manage or withdraw cookie consent
- Whether you use browser fingerprinting
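The cookie table in this section is easiest to build from the Set-Cookie headers your pages actually send rather than from memory. This added example (not the page's or PrivacyChecker's code) parses captured Set-Cookie headers with the standard library, derives persistence and lifetime the way a browser does (Max-Age wins over Expires; neither means a session cookie), labels each cookie first- or third-party relative to your domain, and flags cookies whose lifetime exceeds a chosen ceiling. The captured headers, the capture time and the 13-month ceiling are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed capture (not real traffic): (responding host, Set-Cookie header) pairs recorded
# during one page load of a fictional shop.example.com at CAPTURE_TIME.
CAPTURE_TIME = datetime(2025, 6, 1, tzinfo=timezone.utc)
CAPTURED = [
    ("shop.example.com", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("shop.example.com", "locale=de; Path=/; Max-Age=31536000; SameSite=Lax"),
    ("shop.example.com", "_ga=GA1.1.111.222; Domain=.example.com; "
                         "Expires=Tue, 01 Jun 2027 00:00:00 GMT; Path=/"),
    ("www.facebook.com", "fr=xyz; Domain=.facebook.com; Max-Age=7776000; Path=/; "
                         "Secure; SameSite=None"),
]

# Assumed ceiling for a persistent cookie before it needs a justification in the policy.
MAX_LIFETIME = timedelta(days=13 * 30)


def registrable_domain(host):
    # Crude eTLD+1 (last two labels); use the Public Suffix List in production.
    parts = host.lower().lstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def cookie_lifetime(morsel, capture_time):
    """Lifetime as a timedelta, or None for a session cookie. Max-Age takes precedence (RFC 6265)."""
    if morsel["max-age"]:
        return timedelta(seconds=int(morsel["max-age"]))
    if morsel["expires"]:
        return parsedate_to_datetime(morsel["expires"]) - capture_time
    return None


def cookie_inventory(captured, site_host, capture_time):
    """One row per cookie with the fields the cookie policy table needs."""
    own = registrable_domain(site_host)
    rows = []
    for host, header in captured:
        jar = SimpleCookie()
        jar.load(header)
        for name, m in jar.items():
            lifetime = cookie_lifetime(m, capture_time)
            # The Domain attribute, not the responding host, decides which party the cookie belongs to.
            cookie_domain = m["domain"] or host
            rows.append({
                "name": name,
                "set_by": host,
                "party": "first" if registrable_domain(cookie_domain) == own else "third",
                "type": "session" if lifetime is None else "persistent",
                "lifetime_days": None if lifetime is None else round(lifetime.total_seconds() / 86400),
                "secure": bool(m["secure"]),
                "httponly": bool(m["httponly"]),
                "samesite": m["samesite"] or "(not set)",
            })
    return rows


def over_ceiling(rows, ceiling=MAX_LIFETIME):
    """Names of persistent cookies living longer than the chosen ceiling."""
    limit = ceiling.total_seconds() / 86400
    return [r["name"] for r in rows if r["lifetime_days"] is not None and r["lifetime_days"] > limit]


if __name__ == "__main__":
    rows = cookie_inventory(CAPTURED, "shop.example.com", CAPTURE_TIME)
    print(f"{'name':10} {'party':6} {'type':10} {'days':>5}  flags")
    for r in rows:
        flags = ", ".join(f for f, on in (("Secure", r["secure"]), ("HttpOnly", r["httponly"])) if on)
        days = "-" if r["lifetime_days"] is None else r["lifetime_days"]
        print(f"{r['name']:10} {r['party']:6} {r['type']:10} {days:>5}  {flags} SameSite={r['samesite']}")
    print("Over ceiling:", over_ceiling(rows))
```

Note that `_ga` comes out as a first-party cookie: it is set under your own domain, even though a third-party script (Google's) writes and reads it. The policy still has to name Google as the provider for it, so keep the "set by which script" column from your network log alongside this table. Cookies created purely by JavaScript (`document.cookie`) never appear in Set-Cookie headers and must be captured from the browser instead.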
10. Automated Decision-Making & AI
Article 13(2)(f) — If you use AI or automated decision-making:
- Disclose the existence of automated processing
- Explain the logic involved (in meaningful terms)
- State the significance and consequences for the user
- Reference EU AI Act obligations if applicable
11. Right to Withdraw Consent
Article 13(2)(c) — Explain that consent can be withdrawn at any time, and how to do it (e.g., cookie settings, unsubscribe link, account settings).
12. Right to Complain
Article 13(2)(d) — Inform users of their right to lodge a complaint with their national Data Protection Authority. Link to the relevant DPA website.
Privacy Policy Compliance Checklist
| Check | Required By | Status |
|---|---|---|
| Company identity and contact details | Art. 13(1)(a) | Required |
| DPO contact (if applicable) | Art. 13(1)(b) | If DPO appointed |
| Categories of data collected | Art. 14(1)(d) (expected under Art. 13 too) | Required |
| Legal basis for each processing activity | Art. 13(1)(c) | Required |
| Recipients / categories of recipients | Art. 13(1)(e) | Required |
| Cross-border transfers & safeguards | Art. 13(1)(f) | If applicable |
| Retention periods | Art. 13(2)(a) | Required |
| All 7 data subject rights listed | Art. 13(2)(b) | Required |
| Right to withdraw consent | Art. 13(2)(c) | Required |
| Right to complain to DPA | Art. 13(2)(d) | Required |
| Automated decision-making & profiling | Art. 13(2)(f) | If applicable |
| Cookie policy (detailed) | ePrivacy + GDPR | Required |
| Written in plain language | Art. 12(1) | Required |
| Easily accessible from every page | Best practice | Recommended |
| Last updated date visible | Best practice | Recommended |
Frequently Asked Questions
Can I use a privacy policy generator?
Generators are a starting point but rarely cover all GDPR requirements. See our comparison of generators vs custom policies. At minimum, customize the generated policy to list your actual third-party vendors and specific data practices.
How often should I update my privacy policy?
Review it quarterly and update whenever you add a new tool, change a data processor, or modify data collection practices. Use PrivacyChecker to detect when new third-party scripts appear on your site — each one may require a policy update.
Does my privacy policy need to be in multiple languages?
If you target users in specific countries, you should provide the policy in their language. GDPR Article 12 requires information to be provided in a concise, transparent, and easily understandable manner.
How do I know if my current policy is compliant?
PrivacyChecker analyzes your privacy policy and flags missing sections, vague language, and undisclosed third-party data processors. Scan your site for a complete compliance report.