
Privacy Policy Generator

Generate a GDPR-compliant privacy policy for your website or app — covering data collection, lawful basis, user rights, cookies, retention and more.

Features: GDPR compliant · UK & EU · Lawful basis · User rights · Cookie policy · Data retention

Free · No credit card · 50 credits/day

The 6 GDPR lawful bases for data processing

| Lawful basis | When to use | Example |
|---|---|---|
| Consent | User has given clear, specific, freely given consent | Newsletter sign-up, marketing emails, non-essential cookies |
| Contract | Processing necessary to perform a contract with the user | Processing an address to fulfil an order; processing payment details |
| Legal obligation | Required by law | Keeping financial records for HMRC/tax authorities |
| Vital interests | Necessary to protect someone's life | Emergency health data processing |
| Public task | Official functions or public interest tasks | Government or public authority functions |
| Legitimate interests | Necessary for legitimate business interests (unless overridden by user rights) | Fraud prevention, network security, product analytics |

Frequently asked questions

Does my website need a privacy policy?

Yes, if you collect any personal data (emails, names, IP addresses, cookies). GDPR applies to any website accessible to EU residents regardless of where your business is located, and UK GDPR applies in the UK. A privacy policy is also required by most ad platforms (Google, Meta), app stores and payment processors (Stripe, PayPal).

What are the six GDPR lawful bases for processing personal data?

Consent (freely given, specific, informed); Contract (necessary to perform a contract); Legal obligation (required by law); Vital interests (to protect someone's life); Public task (official functions); Legitimate interests (necessary for business interests unless overridden by user rights). Relying on legitimate interests requires a three-part test; consent is the basis most commonly used for marketing.

What rights do users have under GDPR?

Eight rights: (1) the right to be informed; (2) the right of access (subject access request, or SAR, with one month to respond); (3) the right to rectification; (4) the right to erasure (the right to be forgotten); (5) the right to restrict processing; (6) the right to data portability; (7) the right to object; (8) rights related to automated decision-making.

What must a GDPR-compliant privacy policy include?

Controller identity and contact details; DPO contact details if applicable; what data you collect and how; the lawful basis for each type of processing; retention periods; third parties/processors you share data with; international transfer safeguards; all eight user rights and how to exercise them; the right to complain to the supervisory authority (the ICO in the UK); details of any automated decision-making.

Related tools

More legal document tools.

Terms & Conditions Generator

Generate T&Cs for your website or app.

GDPR Clauses Generator

Generate GDPR-compliant data processing clauses.

Contract Generator

Generate basic service and freelance contracts.

Stay GDPR-compliant and build user trust

Free account. 50 credits per day. Access to 75+ tools instantly.