Privacy Policy Drafting

Usage

Describe your business, what data you collect, and which jurisdictions your users are in. Include technical details about cookies, analytics tools, and third-party integrations.

Example prompt:

Draft a privacy policy for my SaaS app "TaskFlow" — a project management tool. We collect email, name, and usage analytics via Mixpanel. Users are in the US and EU. We use Stripe for payments and Google OAuth for login.

Examples

Example 1: SaaS App with Email and Usage Data

Input: TaskFlow, a project management SaaS. Collects email, name, profile photo, usage analytics (Mixpanel), payment info (Stripe), Google OAuth login. Users in US and EU.

Output (key sections):

Information We Collect

Information you provide: When you create an account, we collect your name, email address, and profile photo (if provided via Google OAuth). When you subscribe to a paid plan, our payment processor Stripe collects your payment card details — we do not store full card numbers on our servers.

Information collected automatically: We collect usage data including features accessed, session duration, and interaction patterns through Mixpanel. We collect device information (browser type, operating system, screen resolution), IP address, and approximate location derived from IP. We use cookies and similar technologies as described in our Cookie Policy section below.

Information from third parties: If you sign in via Google OAuth, we receive your name, email, and profile photo from Google per your Google account settings.

Legal Basis for Processing (EEA/UK Users)

Your Rights

Under GDPR (EEA/UK users): access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Under CCPA (California residents): right to know, right to delete, right to opt-out of sale (we do not sell personal information), and right to non-discrimination.

Example 2: Mobile App with Location Tracking

Input: FitRoute, a fitness tracking mobile app. Collects GPS location (continuous during workouts), health data (heart rate from wearables), email, age, weight. Users are global.

Output (additional sections):

Location Data

FitRoute collects precise GPS location data during active workout sessions to map your route and calculate distance. Location tracking begins only when you start a workout and stops when you end it. We do not track your location in the background. You can revoke location permissions at any time through your device settings, though this will prevent route mapping features from functioning.

Health and Sensitive Data

We collect health-related data including heart rate (synced from connected wearables), workout duration, calories burned, and body metrics you voluntarily provide (age, weight, height). Under GDPR, health data is a special category requiring explicit consent — we obtain this consent during onboarding. Under California law, this constitutes sensitive personal information subject to additional protections. This data is encrypted at rest using AES-256 and in transit using TLS 1.3.

Consent Requirements

Given the sensitive nature of location and health data, we implement layered consent: (1) initial consent during onboarding covering core data processing, (2) separate granular consent for location tracking activated at first workout, (3) separate consent for wearable data syncing, and (4) optional consent for anonymized data contribution to aggregate fitness research.

Best Practices

• Use plain language alongside legal terms — define jargon on first use and write at an 8th-grade reading level where possible.
• Be specific about third-party services by name (Mixpanel, Stripe, Google Analytics) rather than vague references to "service providers."
• Include a "last updated" date and describe how users will be notified of material changes (email, in-app banner, etc.).
• Provide a data retention schedule with specific timeframes rather than "as long as necessary."
• Address cookie consent with granular categories (strictly necessary, functional, analytics, advertising) per ePrivacy Directive requirements.
• Include a direct contact method (email, form) for privacy inquiries with a stated response timeframe (e.g., 30 days for GDPR requests).

Edge Cases

• Apps targeting children or mixed-age audiences — COPPA (under 13, US) and Age Appropriate Design Code (UK) impose strict requirements including verifiable parental consent and data minimization. If age-gating isn't enforced, assume the policy must address child users.
• Businesses that share data with affiliates or ad networks — CCPA considers this "selling" or "sharing" personal information even without monetary exchange. The policy must include a "Do Not Sell or Share" link and honor Global Privacy Control signals.
• International data transfers post-Schrems II — If transferring EU data to the US, reference the EU-US Data Privacy Framework or Standard Contractual Clauses. Vague statements about "appropriate safeguards" are insufficient.
• AI/ML model training on user data — If user data feeds into machine learning models, disclose this as a processing purpose with its own legal basis. Users may object under GDPR Article 22 to automated decision-making.
• Acquisitions and data portability — The policy should state what happens to user data if the business is sold, merged, or goes bankrupt, as this is a required CCPA disclosure.