Privacy & GDPR Updated 2026-04-06 · England and Wales

Free Privacy Policy Template

Free UK GDPR-compliant privacy policy template. Covers data collection, processing, retention, subject rights, and international transfers under the Data Protection Act 2018.

What is this document?

A privacy policy is a legal document that explains how your organisation collects, uses, stores, and protects personal data. Under UK data protection law, any organisation that processes personal data must provide clear and transparent information to individuals about how their data is handled.

Who needs it?

Any business, organisation, or individual that collects or processes personal data from individuals in the United Kingdom. This includes websites that use contact forms, analytics, cookies, email marketing, user accounts, or any other method of gathering personal information.

Why is it important?

Publishing a privacy policy is a legal requirement under the UK GDPR and the Data Protection Act 2018. Failure to provide adequate privacy information can result in enforcement action by the Information Commissioner's Office (ICO), including fines of up to £17.5 million or 4% of annual global turnover. Beyond compliance, a clear privacy policy builds trust with your users.

Key UK legislation

UK General Data Protection Regulation (UK GDPR)

Data Protection Act 2018

Privacy and Electronic Communications Regulations 2003 (PECR)

Template document

Privacy Policy

This privacy policy explains how [your organisation name] ("we", "us", or "our") collects, uses, stores, shares, and protects your personal data when you visit our website at [your website URL] (the "Website") or otherwise interact with us.

This policy was last updated on [date].

1. Introduction and who we are

1.1 We are [your full legal company name], a company registered in [England / England and Wales / Scotland / Northern Ireland] under company registration number [company registration number], whose registered office is at [registered office address].

1.2 For the purposes of the UK General Data Protection Regulation (the "UK GDPR") and the Data Protection Act 2018 (the "DPA 2018"), we are the data controller responsible for your personal data. Our ICO registration number is [ICO registration number, if applicable].

1.3 If you have any questions about this privacy policy, please contact us using the details set out in Section 13 below.

1.4 [We have appointed [name] as our Data Protection Officer (DPO), who can be contacted at [DPO email address]. / Our primary contact for data protection matters is [name], who can be reached at [email address].]

2. How we collect your personal data

2.1 Directly from you — when you fill in forms on our Website (including contact forms, registration forms, and order forms), correspond with us by email, telephone, or post, create an account, subscribe to our newsletter, enter a competition or survey, or provide feedback.

2.2 Automatically — as you navigate our Website, we may automatically collect technical data about your equipment, browsing actions, and usage patterns using cookies, server logs, and similar technologies. Please see our cookies policy for further details.

2.3 From third parties or publicly available sources — we may receive personal data about you from analytics providers such as [Google Analytics], advertising networks, payment and delivery service providers, social media platforms, publicly available sources such as Companies House, and credit reference agencies [if applicable].

3. Types of personal data we collect

3.1 We may collect, use, store, and transfer the following categories of personal data about you:

(a) Identity data — first name, last name, title, date of birth, gender, username or similar identifier.

(b) Contact data — email address, postal address, telephone numbers.

(c) Financial data — bank account details, payment card details [as processed by our payment service provider]. We [do / do not] store your full payment card details on our systems.

(d) Transaction data — details about payments to and from you, and details of products and services you have purchased from us.

(e) Technical data — internet protocol (IP) address, login data, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform.

(f) Profile data — your username and password, purchases or orders, your interests, preferences, feedback, and survey responses.

(g) Usage data — information about how you use our Website, including pages visited, time spent on pages, and page interaction information.

(h) Marketing and communications data — your preferences in receiving marketing from us and your communication preferences.

3.2 We do not knowingly collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). We also do not knowingly collect information about criminal convictions and offences.

4. How and why we use your personal data

4.1 We will only use your personal data when the law allows us to. Under the UK GDPR, we must have a valid lawful basis for processing. The lawful bases we rely on are set out below.

4.2 Performance of a contract (Article 6(1)(b) UK GDPR) — we process your data where necessary for the performance of a contract with you, or to take steps at your request before entering into a contract. This includes processing orders, managing your account, providing requested products or services, managing payments, and communicating with you about your orders or enquiries.

4.3 Legitimate interests (Article 6(1)(f) UK GDPR) — we process your data where necessary for our legitimate interests (or those of a third party) and your rights do not override those interests. Our legitimate interests include:

(a) administering and improving our Website and services;

(b) analysing how our Website is used so we can improve it;

(c) detecting, preventing, and responding to fraud and security issues;

(d) managing our business operations, including accounting and auditing; and

(e) sending you information about our products and services where you are an existing customer and have not opted out (the "soft opt-in" under Regulation 22 of PECR).

4.4 Consent (Article 6(1)(a) UK GDPR) — we rely on your consent for:

(a) sending you marketing communications where you are not an existing customer;

(b) placing non-essential cookies on your device (see our cookies policy); and

(c) any other processing for which we have specifically obtained your consent.

4.5 You may withdraw consent at any time by contacting us using the details in Section 13, or by using the unsubscribe link in any marketing email. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

4.6 Legal obligation (Article 6(1)(c) UK GDPR) — we process your data where necessary for compliance with a legal obligation, including complying with HMRC and other regulatory requirements, responding to lawful requests from public authorities and courts, and maintaining legally required records.

4.7 We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for a compatible purpose. If we need to use it for an unrelated purpose, we will notify you and explain the legal basis.

5. Marketing communications

5.1 We may send you marketing communications where you have purchased from us and have not opted out (the soft opt-in under PECR), or where you have given your consent.

5.2 We will not share your personal data with third parties for their direct marketing purposes without your explicit consent.

5.3 You can opt out of marketing at any time by following the unsubscribe link in any marketing email, contacting us using the details in Section 13, or updating your account preferences [if applicable].

6. Who we share your personal data with

6.1 We may share your personal data with the following categories of third parties:

(a) Service providers — companies that provide services to us, such as website hosting, payment processing, email delivery, analytics, and customer support. These providers process data on our instructions under a written data processing agreement. Our providers include [list key providers].

(b) Professional advisers — our lawyers, accountants, bankers, auditors, and insurers.

(c) Regulatory and government bodies — HM Revenue and Customs (HMRC), the Information Commissioner's Office (ICO), and other regulators where required.

(d) Law enforcement agencies — where required by law or for the prevention or detection of crime.

(e) Business transfers — third parties to whom we may sell, transfer, or merge parts of our business. New owners may use your data as set out in this policy.

6.2 We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our service providers to use your data for their own purposes.

7. International transfers of personal data

7.1 Some of our service providers may be based outside the United Kingdom. Where we transfer your personal data outside the UK, we ensure appropriate safeguards are in place, including:

(a) transferring to countries deemed to provide adequate protection by the UK Secretary of State (an adequacy regulation under Section 17A of the DPA 2018);

(b) using International Data Transfer Agreements or the UK Addendum to the EU Standard Contractual Clauses approved by the Secretary of State;

(c) relying on an applicable data privacy framework recognised by the UK government for US-based providers; or

(d) relying on binding corporate rules approved by the ICO.

7.2 [We transfer personal data to the following countries: [list countries]. The safeguard(s) we rely on are: [specify safeguards].]

7.3 Contact us using the details in Section 13 for further information about our international transfer safeguards.

8. Data retention

8.1 We retain your personal data only for as long as necessary to fulfil the purposes for which we collected it, including to satisfy legal, regulatory, tax, accounting, or reporting requirements.

8.2 We apply the following general retention periods:

(a) Customer account data — retained for the duration of your account and for [number] years after closure.

(b) Transaction and purchase records — retained for [6] years from the transaction date, in line with HMRC requirements and the Limitation Act 1980.

(c) Marketing data — retained until you unsubscribe or withdraw consent, then deleted or suppressed within [30] days.

(d) Website analytics data — retained for [number] months from collection.

(e) Contact form enquiries — retained for [number] years from the date of your enquiry.

(f) Contractual records — retained for [6] years after the contract ends, in line with the Limitation Act 1980.

8.3 In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

8.4 Notwithstanding the above, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or to protect your vital interests or those of another person.

9. Data security

9.1 We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed in an unauthorised way. These measures include:

(a) encryption of personal data in transit and at rest where appropriate;

(b) access controls to limit access to personal data to those employees, agents, contractors, and third parties who have a business need to know;

(c) regular testing, assessment, and evaluation of the effectiveness of our security measures;

(d) procedures for dealing with any suspected personal data breach; and

(e) [any other specific security measures you implement, such as firewalls, two-factor authentication, or intrusion detection systems].

9.2 We have procedures in place to deal with any suspected personal data breach and will notify you and the ICO where we are legally required to do so, in accordance with Articles 33 and 34 of the UK GDPR.

9.3 While we take all reasonable precautions, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your personal data.

10. Your rights under data protection law

10.1 Under the UK GDPR and the DPA 2018, you have the following rights (subject to certain exemptions):

10.2 Right of access — you may request a copy of the personal data we hold about you (a "subject access request"). We will respond within one month, extendable by a further two months for complex requests.

10.3 Right to rectification — you may request correction of inaccurate or incomplete personal data.

10.4 Right to erasure — you may request deletion of your personal data where there is no compelling reason for continued processing, though we may decline where retention is necessary for legal compliance or the defence of legal claims.

10.5 Right to object — you may object to processing based on legitimate interests where your particular situation warrants it. You have an absolute right to object to direct marketing at any time.

10.6 Right to restriction — you may request that we suspend processing in certain circumstances, such as where you contest the data's accuracy or where processing is unlawful but you oppose erasure.

10.7 Right to data portability — where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.

10.8 Right to withdraw consent — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

10.9 Rights regarding automated decision-making — you have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects, unless the decision is necessary for a contract, authorised by law, or based on your explicit consent. [We do / do not] carry out automated decision-making.

10.10 To exercise any of these rights, contact us using the details in Section 13. We may request information to verify your identity before processing your request. There is generally no fee, but we may charge a reasonable fee for manifestly unfounded or excessive requests.

11. Cookies

11.1 Our Website uses cookies and similar technologies. For detailed information about the cookies we use and how to manage your preferences, please see our cookies policy.

11.2 In accordance with the Privacy and Electronic Communications Regulations 2003 (PECR), we will ask for your consent before placing any non-essential cookies on your device.

12. Children's privacy

12.1 Our Website is not intended for children under the age of 13, and we do not knowingly collect personal data from children under that age. Under UK data protection law, specifically the Data Protection Act 2018, the age at which a child can give their own consent to the processing of their personal data in relation to information society services is 13.

12.2 If we learn that we have collected personal data from a child without appropriate consent, we will delete that information as quickly as possible. If you are a parent or guardian and believe your child has provided us with personal data, please contact us using the details in Section 13.

12.3 Where services are offered to children, we will seek parental consent where required and provide safeguards in accordance with the UK GDPR, the DPA 2018, and the ICO's Age Appropriate Design Code (Children's Code).

13. How to contact us

13.1 If you have any questions about this privacy policy or wish to exercise your data protection rights, please contact us:

(a) By post: [your postal address]

(b) By email: [your email address]

(c) By telephone: [your telephone number]

(d) Through our website: [your contact page URL]

13.2 The data controller is [your full legal company name], registered in [England / England and Wales / Scotland / Northern Ireland] under company number [company registration number], with registered office at [registered office address].

13.3 Our ICO registration number is [ICO registration number, if applicable].

14. How to complain

14.1 If you have concerns about how we handle your personal data, please contact us first using the details in Section 13. We will investigate and respond as soon as possible.

14.2 You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent supervisory authority for data protection. You can contact the ICO as follows:

(a) Website: www.ico.org.uk

(b) Telephone: 0303 123 1113

(c) Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

14.3 We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.

15. Changes to this privacy policy

15.1 We may update this privacy policy from time to time to reflect changes in our practices, services, or applicable legislation.

15.2 Changes will be posted on this page and, where appropriate, notified to you by email [or through a notice on our Website]. The updated policy takes effect from the date it is posted.

15.3 This privacy policy was last updated on [date].

16. Third-party links

16.1 Our Website may include links to third-party websites, plug-ins, and applications. We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy policy of every website you visit.

This document was created using a template from website-contracts.co.uk.

Clause-by-clause guide

Plain English explanations of the key sections.

This is the core of your privacy policy and the area most scrutinised by the ICO. Under the UK GDPR, you must identify a lawful basis for every type of processing you carry out. The four main lawful bases used by businesses are contract performance, legitimate interests, consent, and legal obligation. You must be specific and honest about which basis applies to each processing activity. Getting this wrong can render your entire processing operation unlawful. Review each processing activity and map it to the correct legal basis before publishing your policy.

You must be transparent about what data you collect. List every category of personal data your organisation processes, including data collected automatically through cookies and analytics. Do not use vague catch-all phrases. If you collect special category data (health, biometric, religious beliefs, etc.), you need an additional condition under Article 9 of the UK GDPR and should add specific provisions to this section. If you do not collect special category data, state this explicitly to reassure your users.

The UK GDPR gives individuals eight key rights: access, rectification, erasure, restriction of processing, data portability, objection, rights relating to automated decision-making, and the right to withdraw consent. You must inform individuals of all these rights and explain how to exercise them. You must respond to a valid request within one calendar month. Failing to handle subject rights requests properly is one of the most common reasons the ICO takes enforcement action against organisations.

Under the data minimisation principle, you must not keep personal data for longer than necessary. Your privacy policy should set out clear retention periods for each category of data. Some retention periods are dictated by law (for example, HMRC requires you to keep financial records for six years, and the Limitation Act 1980 sets a six-year limitation period for contractual claims), while others are a matter of business judgment. Document your reasoning and review your retention schedule regularly. Keeping data longer than necessary is a breach of the UK GDPR.

If you use any cloud services, analytics tools, email platforms, or payment processors based outside the UK, you are likely transferring personal data internationally. Under the UK GDPR, you can only do this if adequate safeguards are in place. These include UK adequacy regulations, International Data Transfer Agreements (IDTAs), the UK Addendum to the EU Standard Contractual Clauses, and binding corporate rules. You must identify where your data goes and what safeguards you rely on. This is particularly relevant if you use US-based services such as Google Analytics, Mailchimp, or Stripe.

You must disclose the categories of third parties you share data with, and ideally name specific recipients where possible. Common recipients include payment processors, hosting providers, analytics services, email marketing platforms, and professional advisers. For each third-party service provider, you should have a data processing agreement in place that complies with Article 28 of the UK GDPR. Remember that sharing data with a third party without a lawful basis or proper contractual safeguards is a breach of the UK GDPR.

You are legally required to inform individuals of their right to complain to the ICO if they believe their data protection rights have been infringed. Include the ICO's full contact details (website, telephone number, and postal address). It is good practice to encourage individuals to raise concerns with you first, as the ICO will often ask whether the individual has complained to the organisation directly before it will investigate. However, you must not give the impression that contacting you is a prerequisite to complaining to the ICO. Handling complaints promptly and transparently can prevent regulatory action.

Frequently asked questions

Yes. If your website collects any personal data at all — including a name and email address through a simple contact form — you are processing personal data and must comply with the UK GDPR and the Data Protection Act 2018. This means you need a privacy policy that explains what data you collect, why you collect it, how long you keep it, and what rights individuals have. Even very small-scale data collection triggers the full requirements of data protection law. The only exception would be a purely personal or household activity, which does not apply to business websites.

A privacy policy covers all aspects of how you collect, use, store, and share personal data across your entire organisation, including data collected through your website, by email, by telephone, and in person. A cookies policy specifically addresses the cookies and similar tracking technologies used on your website, explains what each cookie does, and describes how users can manage their cookie preferences. Cookies are governed by both the UK GDPR (because cookies often involve personal data) and the Privacy and Electronic Communications Regulations 2003 (PECR), which has specific rules about consent for non-essential cookies. Many organisations publish them as two separate documents for clarity, and this template cross-references a separate cookies policy.

Most organisations that process personal data must pay a data protection fee to the ICO. This is a legal requirement under the Data Protection (Charges and Information) Regulations 2018. The fee is tiered based on the size and turnover of your organisation, starting from £52 per year (tier 1) for micro-organisations. Exemptions exist for some not-for-profit organisations, individuals processing data for personal purposes, and elected representatives. You can check whether you need to register and pay the fee using the self-assessment tool on the ICO's website at ico.org.uk. Failure to pay the fee when required is a criminal offence.

A non-compliant privacy policy can have serious consequences. The ICO has the power to issue enforcement notices requiring you to change your practices, and can impose fines of up to £17.5 million or 4% of your annual global turnover (whichever is higher) for serious infringements. In practice, the ICO is more likely to issue warnings, reprimands, or smaller fines to small and medium-sized businesses, particularly for a first offence. However, individuals can also bring private claims for compensation if they suffer damage (including distress) as a result of a data protection breach. Beyond legal penalties, a poorly drafted or missing privacy policy damages customer trust and your organisation's reputation.

No, and for two important reasons. First, another organisation's privacy policy may be protected by copyright, so copying it could constitute intellectual property infringement. Second, and more importantly, a privacy policy must accurately describe your own data processing activities. Every organisation collects different data, uses it for different purposes, shares it with different third parties, and retains it for different periods. Using a generic or copied policy that does not reflect your actual practices is itself a breach of the UK GDPR's transparency requirements under Articles 13 and 14. You should use a template as a starting point and then carefully customise every section to reflect exactly what your organisation does with personal data.

You should review your privacy policy at least once a year, and update it whenever there is a material change to how you process personal data. Common triggers for an update include adding new features to your website (such as user accounts or e-commerce), starting to use new third-party services (such as a new analytics platform or email marketing tool), changes to UK data protection legislation or ICO guidance, expanding your business to process new categories of data, beginning to transfer data internationally, or changes to your retention periods. When you update the policy, change the 'last updated' date and consider notifying existing users if the changes are significant. Under the UK GDPR, your privacy information must always be accurate and up to date.