Privacy Policy Template


Sep 15, 2022

A privacy policy explains how your company collects, uses, stores, transfers, and secures personal data. It is a public-facing document directed at a defined group of recipients (for example, the people who use your company's service or the people you target for marketing). It is typically made available on the company’s website, but it is also common to include a link to the company’s privacy policy in the email footer of the company’s employees.

When should you use a Privacy Policy?

Adopting a privacy policy is an important part of complying with the requirements of the UK General Data Protection Regulation (UK GDPR). The policy should outline what personal information you store (for example, name and other contact information), how you store it (duration and location), how you obtained it, and whether it is sent to any third parties or countries. It also needs to contain information about the individual’s rights, such as the right to data erasure and the right to access any data your company holds about them. 

For websites, your privacy policy should disclose how data is collected from or about users accessing the website. In particular, details of any personal data collected from third parties should be included. If you use cookies to track users of your website, you will additionally need a cookie policy. A cookie policy is specific to how cookies and other trackers are used to collect personal data. 

As well as helping to ensure your company is legally compliant, a well-drafted privacy policy also:

  1. puts your customers at ease by helping your customers understand how you use data when they access your product(s) and/or service(s); and

  2. sets standards for how your company makes decisions about/processes data.

Why is a Privacy Policy important and why should you use a Privacy Policy?

In the UK, companies must process personal data in compliance with privacy laws, including the UK GDPR. Almost all companies will process personal data, as they will collect details such as names, addresses and contact details of customers, service providers or visitors to their website. Some examples of how you might be processing personal data as an SMB include:

  • collection of personal data from prospective customers through your website, social media platforms, and other forms of communication; 

  • storage of customer contact details in any CRM systems; and

  • login details for users of your app or website. 

There are large potential fines for failing to comply with the UK GDPR: the most serious violations can result in fines of up to 4% of global turnover of the preceding financial year or £17.5 million (whichever is greater), and other violations can result in fines of up to 2% of annual worldwide turnover of the preceding financial year or £8.75 million (whichever is greater).

What are the common pitfalls of a Privacy Policy?

The policy should be drafted in plain English. Avoid legal jargon altogether and write text that is concise, accessible, and transparent. Companies and their customers mutually benefit from being on the same page in relation to data processing, as this means dealing with fewer questions about how individuals can exercise their rights in relation to their data. The policy also serves as guidance for the practical steps your company takes when handling data. For example, the policy can guide how data access requests ought to be handled. You should clearly disclose your company-specific data collection, storage and processing practices.

You may only process data where it is necessary for a specific purpose. This requirement does not mean you must have a remarkable or otherwise out-of-the-ordinary purpose for the data, but any data processing purpose should be clearly defined and explained to the individuals concerned. This is linked to your legal obligation to clearly define your so-called ‘legal basis’ for processing under the GDPR framework.

A privacy policy is only applicable to the company that drafted it. Therefore, copying another company’s privacy policy is not a good idea. The policy should clarify the specific practices applicable to your company and how it handles the rights of data subjects and the processing of data.

Please note: Pocketlaw is not a substitute for an attorney or law firm. So, should you have any legal questions on the content of this page, please get in touch with a qualified legal professional.
