About this template:
This template does not constitute legal advice and is meant for use by businesses headquartered in the United States of America only. You may not resell or share this template with anyone outside your own business, under any circumstances.
The content in this template was drafted by licensed attorneys with the Law Office of Autumn Witt Boyd, PLLC.
How to use this template:
This template is set to ‘read only’, so you will be unable to make changes directly in this document. Follow these instructions to make your own copy and complete the template for your unique business and website:
- Click the File menu
- (For Google Docs users) Select “Make a Copy” or (for Word users) “Download”
- Save to your computer or Google Drive folder
- You will now have a copy saved on your computer/Drive that you can edit and fill in the highlighted text
[for United States-headquartered companies – GDPR, UK AND CANADIAN LAW COMPLIANT]
[Bracketed text in GREEN is meant to give you information or instructions]
[Bracketed text in YELLOW is meant for you to fill in or choose the right text for your business]
[DELETE ALL GREEN BRACKETED TEXT BEFORE POSTING YOUR POLICY!]
Your privacy is important to [insert website or company name]. Please read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use, and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.
- Who We Are
[Insert legal business name – if you have set up an LLC or corporation, include it here] (doing business as [insert familiar name if different] – if your business or website name is long you can choose a short version to include here – like “AWB Firm” – and use the short version everywhere it says [insert website or company name] below) and operating at [insert website address] collects, uses and is responsible for certain personal information about you.
- Children’s Online Privacy Protection Act
This website and any products and services offered herein are not intended for persons under the age of 13. [insert website or company name] does not knowingly collect information from anyone under 13 years of age. [insert website or company name] prohibits children under the age of 13 from using all interactive portions of this website, including leaving any comments, filling out forms, or otherwise submitting information. [insert website or company name] will not knowingly collect personally identifiable information from children under 13. If [insert website or company name] learns it has any information or content from anyone under the age of 13, it will delete that information. [if your website is intended for users under the age of 13, please consider working with an attorney to be sure you are complying with this law]
- The Personal Information We Collect and Use
- Information Collected by Us
[insert website or company name] may collect, use, and is responsible for certain personal information that you provide when you voluntarily [edit as needed sign up for e-mails or free gifts, register for a class or presentation, leave comments, order a service or product, fill out any type of form, access private membership pages, or otherwise contact [insert website or company name] via an online form or e-mail]. The information collected may include your name, e-mail, address, phone number, and/or billing information [add any other types of information you collect]. You are not required to provide any personally identifiable information to merely access or visit this website.
[insert website or company name] may collect domain information, your numerical IP address, the type of browser you use, which pages you view, and the files you request. We may also use “cookies” (small files saved on your hard drive by your web browser) to analyze website [if applicable – delete if no advertising – and advertisement] performance, track user patterns, save information from your previous visits and customize your experience. [NOTE: if you use this technology, such as the Facebook ad pixel or Google Analytics, you must obtain affirmative consent when a user first visits your website – usually through a pop-up or banner the visitor must dismiss. Read more here: www.awbfirm.com/gdpr]
OPTION 1: if your website does not honor “Do Not Track” browser signals, include this language – most websites will use this option:
If your browser sends a “Do Not Track” signal, only a generic cookie will be placed on your device while the website is accessed.
OPTION 2: if your website does honor “Do Not Track” browser signals, include this language:
If your browser sends a “Do Not Track” signal, our website will honor it.
If you are located in the European Economic Area (“EEA”), we are regulated under the General Data Protection Regulation which applies across the European Union and we are responsible as controller of that personal information for the purposes of those laws.
If you are located in the United Kingdom (“UK”), we are regulated under UK data regulations known as “UK GDPR.”
- Information Collected from Other Sources
[insert if needed: We also obtain [describe personal information] from other sources, such as [list third-party sources].] [for example – if your website uses a third-party service such as OpenTable to take reservations, or Survey Monkey to gather information, your visitors may actually submit their information to a third-party company, which then passes it along to you]
- How We Use Your Personal Information
[insert website or company name] collects such information in order to [list all ways information is used and edit as needed send e-mails, fulfill orders, deliver services and products, complete customer transactions, oversee contests and promotions and improve website performance and customer service].
- Who We Share Your Personal Information With
[insert website or company name] respects your privacy and will never sell, trade or transfer your personally identifiable information to third parties (beyond what is necessary for fulfilling a customer transaction or for the basic functionality of an online service) without your consent. [change if this statement is not true]
We do, however, share [insert categories of personal data shared (e.g., your name and delivery address details)] with [list all recipients including company name (e.g., our third-party suppliers, credit card processors or shipping companies)].
This data sharing enables [insert the reasons for the data sharing (e.g., them to deliver the goods you ordered directly to you)]. Those third-party recipients are [or are not] based outside the European Economic Area or the UK [change if this statement is not true]; for further information, including on how we safeguard your personal data when this occurs, see “Use and Transfer of Your Information Out of the EEA, UK” below.
[insert website or company name] may release personal information to enforce its Website Terms and Conditions of Use, other Terms and Conditions, manage its business, protect users or the general public, or to otherwise comply with legal obligations.
If you give [insert website or company name] your permission, it may also use personal identification information for internal or external marketing and promotional purposes.
On occasion, [insert website or company name] may collect personal identification information from you in connection with optional contests, special offers or promotions. [insert website or company name] will share such information with necessary third parties for the purpose of carrying out the contest, special offer or promotion. We will ask for your consent to such disclosure and use of such information, prior to your participation in the contest, special offer or promotion.
We reserve the right to transfer personal information in the event that we merge with or are acquired by a third party. We also may disclose your personal information for any other purpose permitted by law or to which you consent.
We will not share your personal information with any other third party.
- Whether Information Has to Be Provided by You and Why
The provision of [insert category of personal data (e.g., name, address, delivery address, etc.)] is required from you to enable us to [insert purpose, or change this sentence if you do not require personal information for certain services, like viewing the information on your website: “We do not require you to provide any personal data in order to [insert what they can do without providing data – for example, access the public areas of our website].”]. We will inform you when we collect it whether you are required to provide the information to us.
- How Long Your Personal Information Will Be Kept
We will hold [insert category of personal data (e.g., name, address, and contact details)] for [insert period (UK tax law requires 6 years; US companies are advised by the IRS to keep income and expense documents for 6 years)].
[example: We will hold all non-client personal data until you let us know you would like for us to delete it or unsubscribe from our marketing contacts, which you are free to do at any time. We will hold all client and customer personal data in our files for six years, or until you are no longer a client or customer, whichever occurs last.]
- Reasons We Can Collect and Use Your Personal Information
[insert website or company name] collects and uses your personal information [list all ways information is used and edit as needed – to send e-mails, fulfill orders, deliver services and products, complete customer transactions, oversee contests and promotions and improve website performance and customer service]. [NOTE – be sure to review whether your intended use of data is permitted under GDPR and other privacy laws]
- Use and Transfer of Your Information Out of the EEA, UK
This website is operated in the United States and third parties with whom we might share your personal information as explained above are [also] located in the United States [add other countries if applicable]. If you are located in the EEA, the UK, or elsewhere outside of the United States, please be aware that any information you provide will be transferred to the United States. By using this website, participating in any of its services and/or providing your information, you consent to this transfer.
These countries do not have the same data protection laws as the EEA or UK. While the European Commission has not given a formal decision that [these countries OR United States] provide[s] an adequate level of data protection similar to those which apply in the EEA, any transfer of your personal information will be subject to CHOOSE ONE OPTION BELOW and delete the other:
OPTION 1: if a small percentage of your email list or customers reside in the EU or UK, you may use the following language:
the derogation in Article 49 of the General Data Protection Regulation permitting non-repetitive transfers that concern only a limited number of data subjects, which is designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information.
OPTION 2: if a large percentage of your email list or customers reside in the EU or UK, you will need to research what safeguards you may use for the safe transfer of data and include them here [please consider working with an attorney to be sure you are complying with this regulation]:
[provide details of the appropriate or suitable relevant safeguards you will use and reference the specific Article in GDPR:]
[include this language for both options] If you would like further information, see “How to Contact Us” below. We will not otherwise transfer your personal data outside of the EEA or UK, or to any organization (or subordinate bodies) governed by public international law or which is set up under any agreement between two or more countries.
- Your Rights
If you want to unsubscribe from receiving e-mails from [insert website or company name], you may do so at any time. Each e-mail from [insert website or company name] includes instructions for unsubscribing from these e-mail communications.
If you are covered by the General Data Protection Regulation, or other relevant privacy regulations, you have a number of important rights free of charge. In summary, those include rights to:
- Fair processing of information and transparency over how we use your personal information
- Access to your personal information and to certain other supplementary information that this Privacy Notice is already designed to address
- Require us to correct any mistakes in your information which we hold
- Require the erasure of personal information concerning you in certain situations
- Receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
- Object at any time to processing of personal information concerning you for direct marketing
- Object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
- Object in certain other situations to our continued processing of your personal information
- Otherwise restrict our processing of your personal information in certain circumstances
You may also have the right to claim compensation for damages caused by our breach of any data protection laws.
For further information on each of those rights, including the circumstances in which they apply, visit www.gdpr.eu; https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/; or https://www.priv.gc.ca/en.
If you would like to exercise any of those rights, please:
- Email, call, or write to us
- Provide us enough information to identify you [(e.g., first and last name, account number, user name, registration details)]
- Provide us proof of your identity and address (a copy of your driver’s license or passport and a recent utility or credit card bill)
- Provide us with the information to which your request relates [including any account or reference numbers, if you have them]
- Keeping Your Personal Information Secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorized way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorized manner and may be subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable authorities of a suspected data security breach where we are legally required to do so.
It is important to understand that no security measures are absolute. We cannot guarantee the safety of any information you provide to us.
Please note that any comments or information that you post on the website, including the [insert website or company name] [if applicable- delete if not-membership site] and social media pages or groups, become public and third parties may use your information. [insert website or company name] is not responsible for any unauthorized uses by third parties in such context. You disclose such information at your own risk.
- Links to Other Sites
You may see advertising or other content on this website that links to the sites and services of our partners, suppliers, advertisers, sponsors, licensors or other third parties. Any products or services reached through a third-party link are subject to separate privacy policies. [insert website or company name] is not responsible for or liable for any content on or actions taken by such third-party websites.
- How to Complain
We hope that we can resolve any question or concern you raise about our use of your information.
If you are covered by the General Data Protection Regulation or UK GDPR, you may lodge a complaint with a supervisory authority, in particular in the UK or European Union (or European Economic Area) state where you work, normally live, or where any alleged infringement of data protection laws occurred.
- Changes to This Privacy Notice
- How to Contact Us
[NOTE: you must include contact information for the Data Protection Officer or Privacy Officer if you have appointed one. Learn more about this requirement here: https://gdpr.eu/data-protection-officer/; here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-law-enforcement-processing/accountability-and-governance/data-protection-officers/; and here: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-tools/gl_acc_201204/]
- Do You Need Extra Help?
If you would like this notice in another format (for example: audio, large print, braille) please contact us (see “How to contact us” above).