SEQ Legal

Free Privacy Policy Template

Last updated 1 March 2026 Reviewed by SEQ Legal Editorial Team

Download a free privacy policy template for your website. Covers data collection, cookies, user rights, retention, and international transfers. GDPR compliant. No signup required.


Privacy Policy

1. Introduction

1.1 This privacy policy sets out how [Insert your company/business name] ("[we/us/our]") collects, uses, stores, shares and protects information about individuals ("personal data") in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection legislation.

1.2 [Insert your company/business name] is a [company incorporated in England and Wales / limited liability partnership / sole trader] (registration number [Company Number]) with its registered office at [Registered Address].

1.3 For the purposes of the UK GDPR, the data controller is [Insert your company/business name] (contact details are set out in Section 15 below).

1.4 This privacy policy applies to [our website at [insert website URL] / our mobile application / our services] and governs our data collection and processing practices. By using our services, you acknowledge that you have read and understood this privacy policy.

2. What data we collect

2.1 We may collect and process the following categories of personal data about you:

2.2 Identity data: first name, last name, title, date of birth, gender, and [other identity data].

2.3 Contact data: email address, telephone number(s), postal address, and [other contact data].

2.4 Financial data: bank account details, payment card details, and [other financial data].

2.5 Transaction data: details about payments to and from you, and details of products and services you have purchased from us.

2.6 Technical data: internet protocol (IP) address, browser type and version, operating system and platform, time zone setting, and other technology on the devices you use to access our website.

2.7 Usage data: information about how you use our website, products and services, including browsing actions and patterns.

2.8 Marketing and communications data: your preferences in receiving marketing from us and your communication preferences.

2.9 We may also collect special category data about you where you have given your explicit consent, or where another lawful basis under Article 9 of the UK GDPR applies. This includes [details of any special category data collected, if applicable].

3. How we collect your data

3.1 We collect personal data through the following methods:

3.2 Direct interactions: you may provide us with your personal data by filling in forms, corresponding with us by post, phone, email, or otherwise. This includes data you provide when you [register for an account / subscribe to our services / request marketing materials / enter a competition or survey / report a problem / give us feedback].

3.3 Automated technologies: as you interact with our website, we may automatically collect technical data and usage data through cookies, server logs, and similar technologies. Please see our cookie policy in Section 10 below for further details.

3.4 Third parties: we may receive personal data about you from third parties, including [analytics providers such as Google / advertising networks / search information providers / credit reference agencies / data brokers].

4. How we use your data

4.1 We will only use your personal data when the law allows us to. We use your personal data for the following purposes:

4.2 To register you as a new customer and manage your account.

4.3 To process and deliver orders, including managing payments, fees, and charges.

4.4 To manage our relationship with you, including notifying you about changes to our terms or privacy policy.

4.5 To administer and protect our business and our website, including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data.

4.6 To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you.

4.7 To use data analytics to improve our website, products, services, marketing, customer relationships, and experiences.

4.8 To make suggestions and recommendations to you about goods or services that may be of interest to you.

4.9 To comply with legal and regulatory obligations.

5. Legal basis for processing (UK GDPR Article 6)

5.1 We rely on the following legal bases for processing your personal data under Article 6(1) of the UK GDPR:

5.2 Consent (Article 6(1)(a)): where you have given clear consent for us to process your personal data for a specific purpose, including [marketing communications / use of non-essential cookies].

5.3 Contract (Article 6(1)(b)): where the processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract.

5.4 Legal obligation (Article 6(1)(c)): where the processing is necessary for compliance with a legal obligation to which we are subject.

5.5 Legitimate interests (Article 6(1)(f)): where the processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. Our legitimate interests include [running our business / network and information security / preventing fraud / direct marketing to existing customers].

6. Sharing your data

6.1 We may share your personal data with the following categories of third parties:

6.2 Service providers who provide IT and system administration services, including [hosting provider(s) / payment processor(s) / email service provider(s)].

6.3 Professional advisers, including lawyers, bankers, auditors, and insurers, who provide consultancy, banking, legal, insurance, and accounting services.

6.4 HM Revenue & Customs, regulators, and other authorities who require reporting of processing activities in certain circumstances.

6.5 Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them.

6.6 We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

7. International transfers

7.1 We [do / do not] transfer your personal data outside the United Kingdom.

7.2 Where we transfer your personal data outside the UK, we ensure that it is protected by ensuring that at least one of the following safeguards is in place:

7.3 The transfer is to a country that has been deemed to provide an adequate level of protection for personal data by the Secretary of State under Section 17A of the Data Protection Act 2018.

7.4 We use specific contracts approved for use in the UK which give personal data the same protection it has in the UK (international data transfer agreements or addendums to EU standard contractual clauses).

7.5 Where we use providers based in the US, we may transfer data to them if they [are subject to binding corporate rules / have entered into an international data transfer agreement with us].

8. Data retention

8.1 We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements.

8.2 To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.

8.3 In some circumstances you can ask us to delete your data; see Section 9 below for further information.

8.4 In some circumstances we will anonymise your personal data (so that it can no longer be associated with you), in which case we may use this information indefinitely without further notice to you.

8.5 [Details of specific retention periods: e.g., customer account data is retained for [number] years after account closure; financial transaction data is retained for [number] years in accordance with tax legislation; marketing data is retained until you opt out.]

9. Your rights

9.1 Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

9.2 Right of access (Article 15): you have the right to request a copy of the personal data we hold about you, together with information about how and why we process it. This is known as a "subject access request".

9.3 Right to rectification (Article 16): you have the right to request correction of the personal data we hold about you where it is inaccurate or incomplete.

9.4 Right to erasure (Article 17): you have the right to request deletion or removal of personal data where there is no compelling reason for its continued processing. This is also known as the "right to be forgotten".

9.5 Right to restriction of processing (Article 18): you have the right to request that we restrict the processing of your personal data in certain circumstances, for example if you contest the accuracy of the data or object to our processing of it.

9.6 Right to data portability (Article 20): you have the right to request a transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format, where the processing is based on consent or contract and is carried out by automated means.

9.7 Right to object (Article 21): you have the right to object to the processing of your personal data where we are relying on a legitimate interest, and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.

9.8 Rights in relation to automated decision-making (Article 22): you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

9.9 Right to withdraw consent: where we are relying on consent to process your personal data, you have the right to withdraw that consent at any time. This does not affect the lawfulness of any processing carried out before you withdraw your consent.

9.10 If you wish to exercise any of these rights, please contact us using the details set out in Section 15 below. We will respond to your request within one month. There is no fee for making a request unless your request is clearly unfounded, repetitive, or excessive.

10. Cookies

10.1 Our website uses cookies and similar technologies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our website.

10.2 A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer. We only use cookies with your consent, except for cookies that are strictly necessary for the operation of our website.

10.3 We use the following types of cookies:

10.4 Strictly necessary cookies: these are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website.

10.5 Analytical or performance cookies: these allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works.

10.6 Functionality cookies: these are used to recognise you when you return to our website. This enables us to personalise our content for you and remember your preferences.

10.7 Targeting cookies: these record your visit to our website, the pages you have visited, and the links you have followed. We use this information to make our website and the advertising displayed on it more relevant to your interests.

10.8 You can set your browser to refuse all or some cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly.

10.9 [For more information about the cookies we use, please see our Cookie Policy at [Cookie Policy URL].]

11. Children's privacy

11.1 Our [website / services / products] are not intended for children under the age of [13 / 16 / 18], and we do not knowingly collect personal data from children under that age.

11.2 If we learn that we have collected personal data from a child under the relevant age without verification of parental consent, we will take steps to delete that information as quickly as possible.

11.3 If you become aware that a child has provided us with personal data, please contact us using the details in Section 15 below.

12. Third-party links

12.1 Our website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.

12.2 We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

13. Data security

13.1 We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed.

13.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and the Information Commissioner's Office (ICO) of a breach where we are legally required to do so.

13.3 [Details of specific security measures, e.g., encryption, access controls, regular security testing.]

14. Changes to this privacy policy

14.1 We may update this privacy policy from time to time by publishing a new version on our website.

14.2 You should check this page occasionally to ensure you are happy with any changes to this privacy policy.

14.3 [We may / will] notify you of [significant] changes to this privacy policy [by email / through a notice on our website].

14.4 This privacy policy was last updated on [Date].

15. How to contact us

15.1 If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact us using the details set out below:

15.2 Data protection contact: [Data Protection Officer / Privacy Manager name]

15.3 Email address: [Email Address]

15.4 Postal address: [Postal Address]

15.5 Telephone number: [Telephone Number]

16. Supervisory authority

16.1 You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

16.2 The ICO's contact details are as follows: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 0303 123 1113. Website: https://ico.org.uk.


This document was created using a free template from SEQ Legal.

This template is provided for general information purposes only and does not constitute legal advice. You should adapt it to suit your specific circumstances. Consider seeking professional legal advice before relying upon this document.

Why do I need a privacy policy?

The law probably requires that you publish a privacy policy (or similar document) on your website.

Ask yourself this: do I collect or use personal data for non-personal / non-household activities in relation to my website?

If you do and your activities relate to the EU or UK, then data protection law requires that you provide information to individuals about how you use their data. The best way of providing that information is via a privacy policy.

The GDPR and, in the UK, the Data Protection Act 2018 are the key pieces of legislation – but these legislative requirements are not the only considerations in play. There are at least three other reasons to publish a privacy policy on your website.

  • First, your contracts with service providers may require that you publish an appropriate privacy policy. For example, the Google Analytics terms and conditions require that you “have and abide by an appropriate Privacy Policy … You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect data. You must disclose the use of Google Analytics, and how it collects and processes data.”
  • Second, a clear and open privacy policy will help you to build trust with some of your users. Users may refuse to register with a website if they aren’t confident that their personal data will be protected. Just as bad, they may provide unreliable information when doing so.
  • Third, one of the key functions of many websites is the projection of a serious and professional image.  A website without the necessary legal documentation may have a negative effect on the image of the business behind it.

We drafted this website privacy policy template with all of these goals in mind, although the legal compliance requirements are overriding.

Should I use a template or ask a lawyer to prepare a policy for me?

Data protection law is not straightforward. Indeed, since the GDPR came into force in 2018, it has been difficult for many organisations to be confident that they comply.

Ideally, all privacy policies would be prepared by, or under the supervision of, experts in data protection law. However, data protection expertise can be expensive: you might pay anything from £500 to £5,000 or more for a UK data protection lawyer to prepare a privacy policy.

As with many business investments in legal services, you will need to balance the risks of a DIY approach against the costs of using a professional. In general, you should always use a professional if there are significant amounts of money at stake or material risks of liability.

Is this the right template privacy policy for me?

A legal template is both never and always potentially suitable for a particular job: never suitable because adaptation is always needed; always potentially suitable because, with enough adaptation, one document can be transformed into any other document.

That said, some jobs will require more adaptation than others, and sometimes the adaptations will require specialist legal knowledge.

You should only use this template in relation to the following purposes if you are confident that you understand the applicable law and can make the necessary adaptations:

  • the personal data of minors;
  • sensitive personal data / special categories of personal data;
  • large-scale processing of personal data;
  • any complex or unusual personal data processing; and
  • any personal data processing that is likely to have a significant impact on individuals’ rights and freedoms.

What information should I provide in my privacy policy?

Articles 13 and 14 of the GDPR set out the core disclosures required by the regulation.

Article 13 sets out the information that must be provided where personal data are collected from the individual.  Article 14 sets out the information that must be provided where personal data are collected from some other source.

The main categories of information are:

  • identity and contact information of the controller;
  • where personal data is not collected from the individual, the source and nature of that data;
  • the purposes of the processing;
  • the legal bases for the processing, including details of applicable legitimate interests;
  • the recipients or categories of recipients of the personal data;
  • details of international transfers of personal data that require legal protections, and details of those protections;
  • the periods for which the personal data will be stored, or at least the criteria used to determine those periods;
  • individuals’ legal rights with respect to their personal data;
  • whether the provision of personal data is a legal requirement;
  • the existence of automated decision-making, including profiling.

Should information about cookies be included in the privacy policy or elsewhere?

There’s a degree of overlap between the laws relating to cookies and those relating to the processing of personal data: cookies may themselves contain personal data; and even where cookies don’t themselves contain personal data, the reading of cookies will often result in the linking of cookie data to other personal data held by the operator.

Because of this overlap, it is common to include cookie disclosures in a privacy policy, and this template does include relevant disclosures – although not in so much detail as in our premium privacy and cookie policy templates.

The key legal instruments currently applicable to cookies are:

The latter is the UK’s implementing legislation for the former. The consolidated version of the UK regulations is not available on the legislation.gov.uk website and the text of the relevant Regulation (No 6) has been updated since 2003 – so use with care.

The EU has been considering a new ePrivacy Regulation to replace the existing ePrivacy Directive, but this has not yet been adopted. Following Brexit, any future EU ePrivacy Regulation would not directly apply in the UK, though the UK may adopt equivalent measures.

In addition to the information disclosure requirements, you may need to get user consent to cookies. This privacy policy template includes an optional statement to the effect that users consent to the use of cookies. However, this will not alone satisfy the cookies consent requirement under the cookie laws.

How do I edit the privacy policy?

After you have downloaded the policy, you will need to open it in your word processing software for editing.

The first thing you should decide is how to categorise the personal data that you process. Your categorisation should reflect how data is handled in practice. For example, you might differentiate between analytics data, enquiry data, customer relationship data and transaction data. The template privacy policy includes a suggested categorisation.

With respect to each of your categories of personal data, you will need to determine the purposes for which the data is processed and – this is often the hard bit – the legal basis for processing. Possible legal bases are individual consent, the performance of a contract, and your legitimate interests.

You will also need to identify recipients or categories of recipients, as well as relevant data retention periods.

Guidance notes are included in the template to help with the editing process.

After editing, you should add the privacy policy text to your website, either via your content management system or directly after converting it to HTML.

Why is your privacy policy longer / more complicated than some other policy templates?

This policy is intended to be easy to use, but data protection law in general and the GDPR in particular are difficult to use.

Data protection law is necessarily built of abstractions, but some of the abstractions at the heart of the GDPR do not map easily onto the real world. The European Data Protection Board (EDPB) has produced voluminous guidance on the application of the GDPR, but the very existence of this guidance highlights the problem. If the law was clear, the guidance wouldn’t be needed.  In many cases, the guidance either overreaches or dodges the difficult issues.

Another reason for the length of our templates is that … they are templates.  They are intended to be edited before use, and it is much easier to delete unwanted provisions from a template than to add novel provisions. After you have finished editing our template, it should be materially shorter than when you started.

If you do plan to use a simpler template from another website, you should take care to ensure that it covers all the necessary ground. If you can create a privacy policy from a template in a few minutes, there may well be something wrong with the template.

What other privacy and cookies documents are available?

We publish a range of privacy and cookie templates.

Do I also need a data protection or GDPR policy?

“Privacy policy” is not a term of art.

Documents with the same function will sometimes be called “privacy notices”, “data protection statements”, “personal data processing policies”, “GDPR policies” – or something different entirely.

Worse, there is a different type of document that shares the same pool of possible names.

Whilst our free privacy policy is concerned with the disclosure of information about personal data handling, this other type of document is concerned with specifying the policies and procedures that regulate how employees and non-employed personnel conduct themselves in relation to personal data handled by the organisation. This other type of document will typically form part of a staff handbook and/or the set of policies provided to freelances and other subcontractors engaged by the organisation to provide services.

This other type of document is usually referred to as a “data protection policy” – but don’t assume that other professionals will do so.

In most cases, you will want to keep these documents separate.

Do I need a data processing agreement?

A privacy policy is concerned with an organisation’s role as a controller of personal data; whereas a data processing agreement is concerned with an organisation’s role as a processor of personal data.

This distinction can be confusing and tricky to apply.

Both controllers and processors process personal data. Just because you are processing personal data, that doesn’t make you a processor. You might be a processor, but equally, you might be a controller. Confused yet?

The distinction is tricky to apply because the definitions are highly abstract. A controller is defined as a person who determines the purposes and means of processing personal data. A processor is a person who processes personal data on behalf of a controller. In practice, the determination of purposes is more significant than the determination of means.

An example might help.  A business providing website hosting services would usually be a processor with respect to personal data contained in the website databases of its customers. It would, however, usually be a controller with respect to personal data contained in its customer relationship management system. For some classes of data – for example, data collected when providing support services to customers – the correct classification may not be clear.

In any case, if you are a processor, then the GDPR requires that you enter into a specific set of contractual clauses with your controller. A data processing agreement is a document that contains those clauses, sometimes elaborating and/or supplementing them.  Processors should not produce privacy policies with respect to that data because the production of a privacy policy is the responsibility of the controller.

Frequently asked questions

This template has been drafted with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 in mind. It covers the key requirements including lawful bases for processing, data subject rights, data retention, and international transfers. However, you should customise it to accurately reflect your specific data processing activities, and consider taking professional legal advice if your processing is complex.

If your website collects or processes personal data — including through contact forms, analytics tools like Google Analytics, cookies, or user accounts — then yes, data protection law almost certainly requires you to publish a privacy policy. Beyond legal compliance, a clear privacy policy helps build trust with your users and may be required by third-party services you use.

Yes, this template is free to use and modify. The square brackets indicate sections that should be customised for your specific circumstances. You should tailor the policy to accurately describe your data collection and processing activities. We recommend taking legal advice before making significant changes to ensure ongoing compliance.

You should review and update your privacy policy whenever there are material changes to your data processing activities, the services you offer, or applicable data protection law. As a general guide, review it at least annually. Changes to third-party services you use, new features that collect additional data, or updates to regulations like the GDPR may all necessitate revisions.
