Free, open-source privacy policy, terms of service, and cookie policy templates for websites, mobile apps, SaaS products, and ecommerce stores. Fully compliant with GDPR, CCPA, COPPA, LGPD, CalOPPA, and other major privacy regulations worldwide.
Every template uses clear placeholder syntax ([YOUR COMPANY NAME], [YOUR WEBSITE URL], etc.) so you can quickly customize them for your business. No signup required, no strings attached.
- Why You Need a Privacy Policy
- Templates
- Privacy Regulation Overview
- How to Use These Templates
- Generate a Custom Privacy Policy
- Check Your Privacy Compliance
- Frequently Asked Questions
- Contributing
- License
A privacy policy is not optional. If your website or app collects any personal data — including IP addresses, email addresses, cookies, analytics data, or payment information — you are legally required to disclose your data practices to users.
Here is why privacy policies matter:
- Legal requirement: GDPR, CCPA, LGPD, and dozens of other privacy laws mandate that businesses disclose how they collect, use, and share personal data. Non-compliance carries severe penalties — GDPR fines can reach up to 4% of global annual revenue or EUR 20 million, whichever is higher.
- Platform requirements: Apple's App Store, Google Play, Amazon, Shopify, and most major platforms require a privacy policy before you can list your app or product. Your app will be rejected without one.
- Third-party service requirements: Google Analytics, Google AdSense, Facebook/Meta Pixel, Stripe, and many other third-party services require you to have a privacy policy that discloses their use.
- User trust: Users are increasingly privacy-conscious. A clear, honest privacy policy builds trust and credibility with your audience.
- Business protection: A well-drafted privacy policy defines the boundaries of your data practices and helps protect your business from legal disputes.
Even if you run a simple blog with Google Analytics and a contact form, you are collecting personal data and need a privacy policy.
We provide 9 templates covering the most common use cases:
| Template | Best For | Regulations Covered |
|---|---|---|
| General Website | Blogs, portfolios, business websites | GDPR, CCPA, CalOPPA |
| SaaS / Web App | Software-as-a-Service products | GDPR, CCPA, CalOPPA |
| Ecommerce Store | Online stores, Shopify, WooCommerce | GDPR, CCPA, PCI-DSS |
| Mobile App | iOS and Android applications | GDPR, CCPA, COPPA, App Store/Play Store |
| WordPress Site | WordPress blogs and business sites | GDPR, CCPA, CalOPPA |
| GDPR-Focused | Businesses serving EU customers | GDPR (comprehensive) |
| CCPA-Focused | Businesses serving California consumers | CCPA / CPRA (comprehensive) |

| Template | Purpose | Details |
|---|---|---|
| Terms of Service | Define user-service relationship | User obligations, liability, disputes |
| Cookie Policy | Cookie and tracking disclosure | Cookie types, consent, management |
Understanding the major privacy regulations helps you choose the right template and ensure full compliance. Below is a summary of the laws that affect most online businesses.
The GDPR is the most comprehensive privacy regulation in the world. It applies to any organization that processes personal data of individuals in the EU/EEA, regardless of where the organization is located.
Key requirements:
- Obtain explicit consent before collecting personal data
- Provide a lawful basis for all data processing (consent, contract, legitimate interest, legal obligation, vital interest, or public task)
- Appoint a Data Protection Officer (DPO) if processing data at scale
- Implement data protection by design and by default
- Notify supervisory authorities of data breaches within 72 hours
- Honor user rights: access, rectification, erasure ("right to be forgotten"), data portability, restriction of processing, and objection
- Maintain records of processing activities
Penalties: Up to EUR 20 million or 4% of global annual turnover, whichever is higher. In 2023 alone, over EUR 2 billion in GDPR fines were issued across the EU.
Who it applies to: If you have even one user from the EU, GDPR applies to you. This includes websites accessible from Europe, apps available in EU app stores, or any service that accepts EU customers.
Use our GDPR-focused template for comprehensive EU compliance.
The CCPA (amended by the CPRA in 2023) gives California residents significant control over their personal data. It applies to for-profit businesses that meet any of these criteria:
- Annual gross revenue over $25 million
- Buy, sell, or share the personal information of 100,000+ California consumers, households, or devices annually
- Derive 50% or more of annual revenue from selling or sharing California consumers' personal information
Key requirements:
- Provide a clear "Do Not Sell or Share My Personal Information" link
- Allow consumers to opt out of the sale or sharing of their personal information
- Respond to consumer requests within 45 days
- Disclose categories of personal information collected, the purposes, and third parties with whom data is shared
- Provide a right to delete and a right to correct
Penalties: $2,500 per unintentional violation, $7,500 per intentional violation. The California Privacy Protection Agency (CPPA) actively enforces these rules.
Use our CCPA-focused template for California compliance.
COPPA applies to websites, apps, and online services directed at children under 13, or that knowingly collect personal information from children under 13.
Key requirements:
- Obtain verifiable parental consent before collecting data from children
- Post a clear, comprehensive privacy policy
- Give parents access to their child's data and the ability to delete it
- Limit data collection to what is reasonably necessary
- Implement reasonable security measures
Penalties: Up to $50,120 per violation. The FTC has brought significant enforcement actions under COPPA, including a $170 million fine against YouTube in 2019.
Our Mobile App template includes COPPA-specific sections.
Brazil's LGPD is modeled after the GDPR and applies to any processing of personal data of individuals in Brazil.
Key requirements:
- Obtain consent or establish another legal basis for processing
- Appoint a Data Protection Officer (Encarregado)
- Provide clear notice about data processing activities
- Honor data subject rights: access, correction, deletion, portability, and information about sharing
- Report data breaches to the national authority (ANPD)
Penalties: Up to 2% of revenue in Brazil per violation, capped at BRL 50 million (approximately USD 10 million).
Our GDPR-focused template provides a strong foundation for LGPD compliance as well, since the regulations share similar principles.
Several other privacy laws may apply to your business:
- PIPEDA (Canada) — Applies to private-sector organizations collecting personal data in Canada
- POPIA (South Africa) — Comprehensive data protection law similar to GDPR
- PDPA (Singapore, Thailand) — Personal data protection acts in Southeast Asia
- APP (Australia) — Australian Privacy Principles under the Privacy Act 1988
- CalOPPA (California) — Requires websites to post a conspicuous privacy policy if collecting personal information from California residents
- PECR (UK) — Privacy and Electronic Communications Regulations, covering cookies, marketing emails, and communications data
Select the template that best matches your business type. If you serve EU customers, add the GDPR-specific sections. If you have California users, ensure CCPA sections are included.
Every template uses clear placeholders enclosed in square brackets:
| Placeholder | Replace With |
|---|---|
| [YOUR COMPANY NAME] | Your legal business name |
| [YOUR WEBSITE URL] | Your website address (e.g., https://example.com) |
| [YOUR APP NAME] | The name of your mobile application |
| [CONTACT EMAIL] | Your privacy-related contact email |
| [PHYSICAL ADDRESS] | Your registered business address |
| [DPO EMAIL] | Your Data Protection Officer email (GDPR) |
| [DATE] | The date the policy takes effect |
| [COUNTRY/REGION] | Where your servers/data are located |
- Remove sections that do not apply to your business (e.g., remove mobile app sections if you only have a website)
- Add any additional data collection practices specific to your business
- Ensure all third-party services you use are listed
- Add the privacy policy to a dedicated page on your website (e.g., /privacy-policy or /privacy)
- Link to it from your website footer on every page
- For mobile apps, link to it from your app store listing and within the app settings
- Update the "Last Updated" date whenever you make changes
After publishing your privacy policy, use our free compliance checker to verify you have covered all the required bases:
Check Your Privacy Compliance — Scan any website and get an instant GDPR/CCPA compliance score with specific recommendations for improvement.
These templates are an excellent starting point, but every business has unique data practices. If you need a privacy policy that is tailored to your specific situation — including the exact third-party services you use, the types of data you collect, and the jurisdictions you serve — you can generate one automatically.
PolicyForge — Free Privacy Policy Generator
PolicyForge asks you targeted questions about your website or application and generates a complete, publication-ready privacy policy. It covers:
- GDPR, CCPA, COPPA, and LGPD compliance
- Cookie consent and tracking disclosures
- Third-party service integrations (analytics, payments, advertising)
- Children's privacy protections
- Data retention and deletion policies
- International data transfer disclosures
The generator is free to use. No account required.
You can also generate a Terms of Service for your website, app, or SaaS product.
Already have a privacy policy? Make sure it actually covers what it needs to.
PolicyForge Compliance Checker
Enter any URL and get an instant analysis that evaluates:
- Whether your privacy policy covers all GDPR-required disclosures
- Whether CCPA-required consumer rights are addressed
- Cookie and tracking technology disclosures
- Data retention and security disclosures
- Contact information and DPO designation
- Overall compliance grade (A through F)
The checker is free, requires no account, and provides actionable recommendations to improve your score.
Most likely yes. If your website uses any analytics (Google Analytics, Plausible, etc.), cookies, or third-party services, you are collecting personal data — even if it is just IP addresses. Most privacy laws consider IP addresses to be personal data.
Yes. All templates are released under the MIT License. You can use, modify, and distribute them freely for personal and commercial purposes.
These templates are provided as starting points and general guidance. While they cover the key requirements of major privacy regulations, they are not a substitute for legal advice. For complex situations — especially those involving healthcare data (HIPAA), financial data (PCI-DSS, GLBA), or children's data (COPPA) — you should consult a qualified attorney.
Update your privacy policy whenever your data practices change. Common triggers include:
- Adding a new analytics or advertising service
- Changing payment processors
- Expanding to new geographic markets
- Starting to collect a new type of personal data
- Changes in applicable privacy laws
At minimum, review your privacy policy annually.
A privacy policy discloses how you collect, use, store, and share personal data. It is required by law in most jurisdictions.
A terms of service (or terms of use) is a contract between you and your users that defines the rules for using your service, your liability limitations, dispute resolution, and other legal terms. While not always legally required, terms of service are strongly recommended.
We provide both: privacy policy templates and a terms of service template.
A privacy policy alone is not enough for cookie compliance. Under GDPR and the ePrivacy Directive, you must obtain consent before setting non-essential cookies. This requires a cookie consent banner. Our Cookie Policy template covers the disclosure side — you will also need a consent mechanism on your website.
We welcome contributions! Whether you want to fix a typo, improve a template, or add a new one, please see our Contributing Guide for details.
Some ideas for contributions:
- Templates for specific industries (healthcare, fintech, education)
- Translations of existing templates into other languages
- Country-specific templates (UK post-Brexit, Canada PIPEDA, Australia APP)
- Improvements to legal language or coverage
All templates in this repository are released under the MIT License.
You are free to use, modify, and distribute these templates for any purpose, including commercial use. Attribution is appreciated but not required.
These templates are provided for informational purposes only and do not constitute legal advice. Privacy laws vary by jurisdiction and change frequently. The authors and contributors of this repository are not responsible for any legal consequences arising from the use of these templates. For complex situations or specific legal requirements, consult a qualified attorney.
Built and maintained by PolicyForge — a free privacy policy generator and compliance checker.