AI Business Kit Docs
£9 · UK law · England & Wales

UK Privacy Policy Template

A UK GDPR + Data Protection Act 2018 compliant privacy policy for any UK website that collects personal data. Tailored to your business, lawful bases set out, ICO-aligned. Editable Word + PDF, £9.

Editable Word (.docx) + PDF · Re-download any time · UK GDPR compliant

Legal background

Every UK website that processes personal data must publish a privacy notice meeting Articles 13–14 of the UK GDPR and Schedule 1 of the Data Protection Act 2018. The Information Commissioner's Office (ICO) expects clear lawful bases, retention periods, and a complete list of data subject rights. Failure to publish a compliant notice exposes you to ICO enforcement and reputational risk.

Sample excerpt

A short preview of the kind of clauses your generated document will contain. The full document is tailored to your inputs.

1. Who we are. [Company Name] ("we", "us") is the data controller of personal data processed through this website. Our registered office is at [Address] and you can contact us at hello@example.co.uk.

2. What we collect and why. We collect: (a) contact data (name, email) when you submit a form, on the lawful basis of legitimate interests in responding to enquiries; (b) account data when you register, on the lawful basis of contract; (c) usage data via cookies, on the lawful basis of consent (see our Cookie Policy).

3. How long we keep it. Enquiry data: 24 months from last contact. Account data: duration of the account plus 6 years for tax record purposes (Companies Act 2006). Usage data: 26 months (Google Analytics default).

4. Your rights. Under the UK GDPR you have the right to access, rectify, erase, restrict, port and object to processing of your personal data, and to withdraw consent where processing is based on consent. To exercise any right, email us at the address above. You also have the right to complain to the ICO (ico.org.uk).

What's in the template

  • Identity and contact of the data controller
  • Categories of personal data and lawful bases (consent, contract, legitimate interests, etc.)
  • Purposes of processing and any automated decision-making
  • Recipients and international transfers (UK adequacy regime)
  • Retention periods aligned to your business
  • All eight data subject rights with how to exercise them
  • Right to complain to the ICO
  • Cookies summary (links to a separate Cookie Policy)

Who this is for

  • Any UK website collecting names, emails or analytics
  • E-commerce stores processing customer orders
  • SaaS products collecting account data
  • Agencies and freelancers running enquiry forms

Ready in under a minute

Answer a few questions, get a fully tailored UK document. Editable Word + PDF.

Generate your privacy policy — £9 →

Frequently asked questions

Is this enough for UK GDPR compliance?

The privacy notice itself is one part of compliance. You also need cookie consent (Cookie Policy + banner — see our Cookie Policy template), records of processing activities (ROPA), and where applicable a DPIA. The notice gets you the visible-to-users piece right.

Do I need a Data Protection Officer (DPO)?

Only if you process special category data at scale, conduct large-scale systematic monitoring, or are a public authority. Most UK SMEs do not — but you should still document why you concluded a DPO is not required.

How does this handle international transfers post-Brexit?

The template references the UK adequacy regime: the UK has issued adequacy regulations for the EEA and several other countries. For transfers to the US the UK Extension to the EU-US Data Privacy Framework is referenced where applicable.

Do I need a separate Cookie Policy too?

Yes — under PECR, cookie consent is a separate legal regime. We sell a UK Cookie Policy (£9), or you can get both as part of the £29/month unlimited plan.

These templates are general legal information, not bespoke legal advice. For high-value or unusual matters, ask a solicitor to review.