A privacy policy explains what a website collects, why it collects it, who receives it, and how a visitor can ask questions or exercise rights over that data. It is also one of the first trust checks customers, clients, advertising platforms, payment providers, and regulators use when a site collects information through forms, analytics, accounts, checkout, or tracking tags.
For a webmaster, the page is a maintained record of the site's real data flows rather than a legal afterthought. It needs to match the live form fields, cookies, analytics tags, ad code, embedded tools, email systems, payment processors, and support workflows that actually handle visitor data, then turn that inventory into plain sections on collection, use, sharing, retention, transfers, and requests.
The strongest policy is specific, easy to reach, and updated whenever the site changes. Current regulator and platform guidance still expects clear explanations of what is collected, why it is used, who it is shared with, how long it is kept, and how consent or objection works where those choices apply, so the finished text should be reviewed by the site's legal owner before publication and again whenever new vendors, markets, or tracking tools are added.
- Contact form
- Checkout or booking flow
- Account registration and login
- Newsletter signup
- Analytics and tag manager
- Advertising tags
- Embedded video, map, chat, or scheduling widgets
- Security logs and error monitoring
Include both data a visitor types and data created automatically by the stack, such as IP-derived logs, device information, or tracking identifiers set by scripts and embeds.
Collection point | Personal data | Purpose | Recipient or processor | Retention
Contact form | name, email, message | reply to enquiries | shared inbox or help desk | 12 months after last reply
Checkout | name, billing data, payment token | fulfil orders and prevent fraud | payment processor, accounting system | tax and fraud schedule
Analytics | IP-derived usage data, page views, device/browser data | measure site use | analytics provider | provider setting or internal review period
If a regulated privacy regime applies to the site, add the lawful basis or equivalent internal justification to the same worksheet so the published wording can be reviewed against something concrete.
- Web host or CDN
- Email delivery provider
- CRM or help desk
- Payment processor
- Analytics platform
- Ad network or remarketing platform
- Fraud or security service
- Cloud storage or backup provider
Current regulator guidance still allows categories of recipients, but the safer editorial habit is to be as specific as the site's vendor list allows, especially for processors that a visitor would not otherwise expect.
- Who operates the site
- What information is collected
- How the information is used
- Who it is shared with
- Cookies and similar technologies
- How long information is kept
- International transfers
- Choices and rights
- How to contact the site owner
- How policy changes will be announced
Do not publish borrowed text that names rights, vendors, retention periods, or processing activities the site does not actually use.
- Privacy contact email or form
- How identity is checked when a request affects account or payment data
- How to unsubscribe from marketing email
- How to change cookie choices
- How to request access, correction, or deletion
- What cannot be erased immediately because of billing, fraud, or legal retention duties
If the site sells or shares personal information in jurisdictions that honor browser opt-out preference signals, explain how those signals are recognized and give the same opt-out path to visitors who use a manual request instead.
- Analytics provider and collected identifiers
- Advertising or remarketing vendors
- Embedded video, map, chat, or booking tools
- Whether third parties place or read cookies or similar identifiers
- Vendor privacy or partner-data links when a platform requires them
If Google publisher products or Google ad code are used, Google currently requires a privacy policy that discloses the resulting data collection, sharing, and usage and explains that third parties may use cookies, web beacons, or IP addresses.
- Footer navigation
- Contact page
- Newsletter signup
- Account registration
- Checkout
- Cookie banner or cookie settings panel
- App or webview menu when the site has one
Keep the link easy to find and visible near forms or consent controls so visitors do not have to hunt through navigation after they have already shared data.
- Submit each public form and compare the captured fields with the policy
- Check live scripts and embeds against the vendor list
- Confirm the cookie notice and privacy policy describe the same consent choices
- Send a test privacy request to the published contact route
- Review the page after any major tool, region, or workflow change
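One way to automate the first two checks in the list above, as an added example that is not part of the original page: it inventories a page's form fields and external script, iframe, and image hosts, then reports anything missing from the policy worksheet. The sample HTML, the `.example` domains, and the two disclosed sets are constructed assumptions standing in for a real page and a real vendor list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; a real audit would feed in the HTML of each live page.
SAMPLE_HTML = """<html><head>
<script src="https://tags.analytics-vendor.example/tag.js"></script>
<script src="/static/site.js"></script>
</head><body>
<form action="/contact" method="post">
  <input name="name"><input name="email"><input name="phone">
  <textarea name="message"></textarea>
</form>
<iframe src="https://player.video-vendor.example/embed/1"></iframe>
<img src="https://px.ads-vendor.example/p.gif" width="1" height="1">
</body></html>"""

# Assumed worksheet contents: vendor domains and contact-form fields the policy discloses.
DISCLOSED_HOSTS = {"analytics-vendor.example", "video-vendor.example"}
DISCLOSED_FIELDS = {"name", "email", "message"}

class PageInventory(HTMLParser):
    """Collects external resource hosts and visitor-facing form field names."""
    def __init__(self):
        super().__init__()
        self.hosts, self.fields = set(), set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "img", "link"):
            url = a.get("src") or a.get("href") or ""
            host = urlparse(url).hostname  # None for relative (first-party) URLs
            if host:
                self.hosts.add(host.lower())
        elif (tag in ("input", "textarea", "select") and a.get("name")
              and a.get("type") not in ("hidden", "submit", "button")):
            self.fields.add(a["name"])

def is_disclosed(host, disclosed):
    # A host matches when it equals a listed domain or is a subdomain of one.
    return any(host == d or host.endswith("." + d) for d in disclosed)

def audit(html, site_host, disclosed_hosts, disclosed_fields):
    inv = PageInventory()
    inv.feed(html)
    third_party = {h for h in inv.hosts if not is_disclosed(h, {site_host})}
    undisclosed = sorted(h for h in third_party if not is_disclosed(h, disclosed_hosts))
    return {
        "undisclosed_hosts": undisclosed,
        "undisclosed_fields": sorted(inv.fields - disclosed_fields),
    }
```

Static markup only shows tags present in the served HTML; scripts injected at runtime by a tag manager need a rendered DOM or a network capture to appear in the inventory.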
A privacy policy becomes inaccurate as soon as a new tool ships without a matching update, so tie the page to release reviews, vendor onboarding, and periodic privacy audits instead of treating it as one-time copy.