
How to Write a Privacy Policy & Terms

A practical step-by-step guide — with a simple structure, an example, and the mistakes to avoid.

Don’t want to write it yourself?

Our AI writes a polished, personalized privacy policy & terms from a few quick details — in about 60 seconds.

Create my privacy policy & terms — $19 →
$19 once — no subscription, no signup to try.

Why a privacy policy & terms matter (and what trips people up)

A privacy policy tells users what personal data you collect, why you need it, and how you keep it safe. A terms‑of‑service (or “terms”) contract sets the rules of the relationship: what users can expect, what you expect from them, and what happens when things go wrong. Both documents are legal shields and trust signals.

Most founders treat them as boilerplate, copy‑pasting from a competitor or a generator, then hoping “it looks right.” The hardest part is not the wording but the discipline required to map your actual practices onto clear, enforceable text. You need to:

The guide below walks you through that process, gives you a reusable skeleton, and points out the pitfalls that turn a decent draft into a legal nightmare.

Step by Step

Create a spreadsheet with columns: Source (website, mobile app, email), Data collected (email, IP, location), Purpose (authentication, marketing, analytics), Retention period, Third‑party recipients. Include hidden sources like embedded videos or social‑login SDKs. This map becomes the factual backbone of your privacy policy.

Check where your users reside and where you process data. If you have EU visitors, GDPR applies; California residents trigger CCPA; Canada brings PIPEDA. List the relevant statutes beside each data category in your spreadsheet. If you’re unsure, note “needs legal review” and move on—don’t stall the whole draft.

For each row, write a short sentence that answers the “what, why, how long” question. Example: “We collect your email address to create an account and send transactional notifications; we retain it for the duration of the account plus 2 years.” Keep sentences under 25 words; avoid legalese that obscures meaning.

Start with a Scope clause that defines the service (e.g., “the website and mobile app”) and who may use it (age restrictions, prohibited jurisdictions). Follow with User Obligations (no scraping, no harassment), Intellectual Property (who owns the content), Disclaimers & Limitation of Liability, Termination, and Governing Law. Use the same spreadsheet to spot any feature‑specific obligations (e.g., a paid subscription requires a “Payment” clause).

Ensure every data‑related activity mentioned in the terms also appears in the privacy policy, and vice‑versa. If the terms say “we may share anonymized usage data with partners,” the privacy policy must disclose that sharing, the purpose, and the opt‑out mechanism (if any).

* GDPR: lawful basis, data‑subject rights, contact DPO, and a “right to withdraw consent” statement.

* CCPA: “Do Not Sell My Personal Information” link, non‑discrimination notice.

* Any jurisdiction: contact details, effective date, and a method for users to submit requests (email, web form, or postal address).

Run a quick internal audit: ask a teammate who isn’t involved in the product to read both documents and list anything they don’t understand. Verify that the URLs in the “Contact us” section actually work. Once the text is final, host it on a dedicated, crawlable URL (e.g., `/privacy` and `/terms`) and add a clear link in the footer of every page and in the app’s settings.

A Simple Structure to Follow

Below is a reusable outline. Replace bracketed placeholders with your own content.

Privacy Policy

a. Directly provided (name, email, payment details)

b. Automatically collected (IP, device ID, cookies)

c. From third parties (social login, analytics providers)

Terms of Service

Copy the headings into a new document, then fill in each bullet with the specifics you gathered in steps 1‑4.

Common Mistakes to Avoid

A Short Example

> Privacy Policy – Information We Collect

> We collect the email address you provide when you create an account (Purpose: account management, lawful basis: contract). We also collect your IP address and device type automatically when you access the service (Purpose: security monitoring, lawful basis: legitimate interest). If you sign in with Google, we receive your Google profile ID and email address (Purpose: streamlined login, lawful basis: consent). All data are stored for the duration of your account plus two years, after which they are securely deleted.

> Terms of Service – User Conduct

> You may not (i) scrape, crawl, or otherwise extract data from the service in bulk; (ii) upload malicious software; or (iii) impersonate any person or entity. Violations may result in immediate suspension of your account without refund.

Pro Tips

Follow the checklist, keep the documents in sync with your product, and you’ll have a privacy policy and terms of service that protect your business while giving users confidence in how you handle their data.


Frequently asked questions

Is this legal advice?

No — it’s a professionally structured starting draft to customize. For high-stakes use, have a lawyer review it.
