Free GDPR privacy policy template to download — includes the mandatory disclosures under Article 13 GDPR, a step-by-step guide to customizing it, and answers to common questions.
This template is for general information only. It is neither legal advice nor a substitute for independent legal advice that meets your specific requirements. By accessing this template, you agree to these terms and agree that use is at your own risk. top.legal is not responsible for reliance on this template.
Almost every company that runs a website or processes customer data needs a privacy policy. Under the EU's General Data Protection Regulation (GDPR) it's mandatory, and the same is true under most other privacy laws. It tells users transparently what personal data you collect, why you use it, and how you protect it. If it's missing or incomplete, you risk complaints, legal action, and fines.
Writing a privacy policy from scratch is difficult and error-prone without legal know-how. Using our free template as your starting point, you reliably cover the mandatory disclosures under Article 13 and 14 GDPR and then tailor each section to how your business actually handles data — without spending a lot of time, effort, and resources.
What is a Privacy Policy?
A privacy policy is an informational document that tells anyone whose personal data you process how you handle it. It clearly states what data you collect, the purpose and legal basis for using it, and how long you store it. It also discloses the circumstances under which you share data with third parties. This is how you provide the transparency the GDPR requires and build trust with your users.
The personal data that may be collected includes the following:
- Names
- Addresses (physical or email)
- IP addresses
- telephone numbers
- Date of birth
- Financial information, such as debit or credit card details
- browsing behavior
- Political leanings
- Biometric information
- Medical records
- face recognition
- Other relevant information
Please note that this list is not exhaustive and that, depending on the type of service or product offered, other types of personal data may also be collected.
Is a Privacy Policy Required?
Yes. As soon as you process personal data — and that begins with something as basic as your server logging visitors' IP addresses — Article 13 GDPR requires a privacy policy. It applies to websites, online shops, apps, and internal processing alike. Beyond the legal obligation, there are several good reasons to get it right.
It builds trust with your customers
When customers visit your site or use your services, they want to know their data is safe. A clear privacy policy shows you take privacy seriously — and sets you apart from competitors who treat it as an afterthought.
It is required by law
If the privacy policy is missing or incomplete, you risk complaints, legal action, and fines from supervisory authorities — up to €20 million or 4% of annual global turnover under Article 83 GDPR.
It protects your business
By documenting your rules for handling personal data, you can demonstrate — in the event of a data breach — that you took the necessary precautions. That limits your liability and protects your reputation.
It's good business practice
Transparency about how you use data is now an expectation, not a bonus. A clear privacy policy signals that your users' privacy is a priority.
What Goes Into a Privacy Policy? (GDPR-Mandatory Disclosures)
Article 13 GDPR sets out what you must inform users about. Every privacy policy should include these sections:
- Controller and contact: Your company's name and address, plus the contact details of your data protection officer if you have one, so users know who to reach out to.
- Data you collect: Which personal data you collect (e.g. names, addresses, email addresses, IP addresses, payment details) and how — via forms, cookies, or other means.
- Purpose and legal basis: Why you process the data (for example to fulfil a contract, ship an order, or measure reach) and the legal basis for doing so under Article 6 GDPR.
- Sharing with third parties: Which recipients — service providers, payment processors, advertising partners — you share data with, and why. If you transfer data to countries outside the EU, say so.
- Retention period: How long you keep the data, or the criteria used to determine that period.
- Data security: The technical and organizational measures (e.g. encryption, access controls) you take to protect the data.
- Data subjects' rights: A statement of the rights to access, rectification, erasure, restriction, data portability, and objection — plus the right to lodge a complaint with a supervisory authority.
- Changes to the privacy policy: How you notify users of updates and when a revised version takes effect.
How to Customize the Privacy Policy Template: 5 Steps
1. Review the template in detail
Read the template carefully and check which sections apply to your business. It's deliberately comprehensive — not every building block is relevant to every company.
2. Understand the legal requirements
Familiarize yourself with your GDPR obligations before you start. The exact scope depends on what data you collect and why. In practice, you always need to:
- disclose the types of personal data you collect,
- explain the purpose and legal basis for processing,
- be transparent about sharing with third parties,
- tell data subjects how to exercise their rights (access, rectification, erasure),
- and describe how you protect the data.
For a deeper dive, see our definitive guide to GDPR compliance.
3. Customize the template
Adapt the document to how your business actually processes data: add the sections that apply, remove the ones that don't, and fill in your company and website details.
4. Have a legal professional review it
Where you're unsure, have the finished privacy policy reviewed by a legal professional. This confirms it complies with all applicable regulations and heads off legal problems down the line.
5. Publish it and keep it current
Make the privacy policy easy to find — typically linked from your footer and navigation menu. Update it whenever your data processing changes, for instance when you add new tools or service providers.
Frequently Asked Questions
Is the template free?
Yes. You get the privacy policy template free to download — just enter your contact details above and we'll email it to you.
Is a template enough to be GDPR-compliant?
A template covers the mandatory disclosures and gives you a solid starting point. It only becomes GDPR-compliant once you tailor it to how your business actually processes data. For more complex setups, a legal review is worthwhile.
How is a privacy policy different from a data processing agreement?
A privacy policy informs data subjects about how you process their data. A data processing agreement (DPA), by contrast, governs the relationship between you and a service provider that processes data on your behalf — the two documents complement each other.
How often should I update the privacy policy?
Whenever your data processing changes — for example when you add new tools, service providers, or processing purposes. Review it periodically as well to keep it current.
Ready for the next step?
Book a demo with our team and see top.legal in action