19 May 2026
What Should a Privacy Policy Include? (GDPR Checklist)
A privacy policy is not just a formality. Under GDPR and similar laws, it must contain specific information or it is non-compliant — even if it looks professional. Here is a practical checklist of everything a privacy policy should include, based on GDPR Article 13 and 14 requirements.
1. Who You Are (the Data Controller)
Your privacy policy must identify your business: its name, address, and contact details. Under GDPR, if you have a Data Protection Officer (DPO), their contact details must also be included.
2. What Personal Data You Collect
List every category of personal data you collect. Do not use vague language. Be specific:
- Name and email address
- IP address and device identifiers
- Payment and billing information
- Usage data and analytics
- Location data
- Any other data you collect through forms, cookies, or integrations
3. Why You Collect It (the Purpose)
For each type of data, explain why you collect it. GDPR requires you to state the specific purpose, not a generic one. 'To improve our services' alone is not sufficient.
4. The Legal Basis for Processing
This is one of the most commonly missing elements. Under GDPR, every processing activity must have a legal basis:
- Contract: processing is necessary to fulfil a contract with the user
- Legitimate interests: you have a legitimate business reason that does not override users' rights
- Consent: the user has explicitly agreed
- Legal obligation: you are required to process the data by law
5. Who You Share Data With
List every third party that receives your users' personal data. This includes analytics tools, payment processors, email providers, customer support tools, hosting providers, and advertising platforms. Name them specifically.
6. International Data Transfers
If you transfer data outside the EU or UK (for example, to a US-based service provider), you must disclose this and explain the safeguards in place — typically Standard Contractual Clauses (SCCs).
7. How Long You Keep Data
State your data retention periods. How long do you keep account data, payment records, usage logs? If you delete data when a user cancels, say so.
8. User Rights
Under GDPR, users have the right to access, correct, delete, restrict, and port their data. Your privacy policy must explain these rights and how users can exercise them — including a contact email for data requests.
9. Cookie Information
If you use cookies, your privacy policy should reference your Cookie Policy and explain the categories of cookies used.
10. How to Contact You
A contact email address for privacy-related requests is required. Under GDPR, you must respond to data subject requests within 30 days.
Get a Policy That Covers All of This
Writing a privacy policy that hits every one of these requirements from scratch takes hours and legal knowledge most founders do not have. PUREDOC generates a complete, compliant privacy policy based on your specific business — along with terms and conditions and a cookie policy. One payment, no subscription.
Ready to get your documents?
Privacy policy, terms & conditions, and cookie policy. $49 once. No subscription. Delivered to your inbox in minutes.
Generate my documents