Content

    Here is what this guide covers:

    1. Why every startup needs a privacy policy, and what it actually has to say
    2. The 10 sections every GDPR-compliant privacy policy must include
    3. What to write in each section, with practical examples
    4. The most common mistakes startups make with privacy policies
    5. A fill-in-the-blank template you can adapt immediately
    6. How PrivaLex can help you go from template to a policy that holds up under scrutiny

    Every company that processes personal data needs a privacy policy. Under the GDPR, this is not optional, it is a legal obligation rooted in the transparency principle of Article 5(1)(a) and the information requirements of Articles 13 and 14. But beyond legal compliance, a well-written privacy policy is one of the most practical tools a startup has: it tells users what you do with their data, sets expectations you can actually meet, and signals to investors and enterprise clients that you take data protection seriously.

    The problem is that most startup privacy policies are either copied from a generic template with no connection to the actual business, or written by a lawyer in language no user will ever read. Neither approach works well. A policy that does not accurately reflect what you do creates legal risk. A policy that nobody understands fails its core purpose.

    This guide gives you a practical, step-by-step approach to building a privacy policy that is accurate, transparent and GDPR-compliant, without unnecessary legal complexity. At PrivaLex Partners we help startups and growing companies turn compliance into a commercial advantage, starting with the documents their stakeholders actually read.

    Step 1: Identify Your Company and Who Is Responsible for Data

    Your privacy policy must make clear who is the data controller, the legal entity responsible for deciding how and why personal data is processed. Under Article 13(1) of the GDPR, the first thing any privacy policy must include is the identity and contact details of the controller.

    This section should include your legal entity name (not a trading name alone), registered address, and a dedicated privacy contact, either an email address monitored for privacy enquiries, or the contact details of your Data Protection Officer if one has been appointed. If you have a DPO, their details must be provided separately under Article 13(1)(b).

    Example: “We are PLX SaaS, S.L., a company registered in Barcelona, Spain (CIF: B12345678). For any questions about this Privacy Policy or how we handle your personal data, contact us at privacy@plxsaas.com or write to us at Carrer del Rosselló 231, 08008 Barcelona.”

    If you use a third-party data processor (such as a CRM or email platform), this section is also where you distinguish yourself as the controller from those processors. Your users do not need a full list here, that comes in the third-party sharing section, but they need to know who is accountable for their data.

    Step 2: Describe the Personal Data You Collect

    Transparency under the GDPR requires you to tell users specifically what categories of personal data you collect, not a vague catch-all. Article 13(1)(e) requires you to specify the categories of data in question. Being specific here is both a legal requirement and a trust signal: users who see a precise list feel more confident than users who see “we may collect various types of data.”

    Common categories for SaaS and startup businesses include:

    • Identity and contact data: name, email address, phone number, company name, job title
    • Account and authentication data: username, password (hashed), login history
    • Billing and payment data: billing address, invoice details (note: full card numbers should never be stored, reference Stripe or your payment processor instead)
    • Usage and behavioural data: pages visited, features used, session duration, click patterns collected via analytics tools
    • Device and technical data: IP address, browser type, operating system, device identifiers
    • Communications data: content of support tickets, chat messages, email exchanges with your team
    • Marketing preferences: consent status for marketing emails, unsubscribe history

    You should also briefly explain how you collect this data, directly from users (registration forms, payment forms), automatically (cookies, analytics trackers) or from third parties (LinkedIn, referral partners). This is required under Article 14 if the data was not collected directly from the individual.

    Step 3: Explain Why You Collect Personal Data (Purposes)

    The purpose limitation principle under Article 5(1)(b) of the GDPR requires you to collect personal data only for specified, explicit and legitimate purposes. Your privacy policy must communicate these purposes in plain language, not in abstract terms that could mean anything.

    For most startups, the core purposes will be:

    • Service delivery: creating and managing user accounts, providing the features and functionality of your product
    • Billing and payments: processing transactions, issuing invoices, managing subscriptions
    • Customer support: responding to questions, resolving issues, handling complaints
    • Security and fraud prevention: detecting suspicious activity, protecting accounts, maintaining system integrity
    • Product improvement: analysing usage patterns to identify bugs, improve features and understand how users interact with the product
    • Marketing communications: sending newsletters, product updates or promotional emails where the user has consented or where legitimate interest applies
    • Legal compliance: meeting obligations under tax law, anti-money laundering rules, or data retention requirements

    A practical tip: structure this section so each category of data maps to at least one purpose. This makes the policy easier for users to understand and makes it easier for you to demonstrate transparency during a regulatory review.

    Step 4: State Your Legal Basis for Each Processing Activity

    This is one of the sections that distinguishes a compliant privacy policy from a generic template. Under Article 13(1)(c) of the GDPR, you must state the legal basis for each processing activity. There are six legal bases under Article 6, and choosing the right one matters, it determines what rights users have and what obligations you carry.

    For most startups, four bases are relevant:

    Contract (Article 6(1)(b))

    Processing necessary to perform a contract with the user or to take steps at their request before entering into a contract. Use this for core service delivery, account management and billing.

    Consent (Article 6(1)(a))

    Processing based on a freely given, specific, informed and unambiguous indication of agreement. Use this for marketing emails, non-essential cookies and any processing that goes beyond what is strictly necessary for the service. Consent must be as easy to withdraw as to give, make sure your policy explains how.

    Legitimate interests (Article 6(1)(f))

    Processing necessary for the legitimate interests of the controller or a third party, unless overridden by the interests or rights of the data subject. Use this for basic analytics, fraud prevention, improving your product and B2B direct marketing (with care). You must always conduct and be able to evidence a balancing test when relying on this basis.

    Legal obligation (Article 6(1)(c))

    Processing necessary to comply with a legal obligation. Use this for tax record-keeping, regulatory reporting, responding to lawful requests from authorities and data retention periods set by law.

    Step 5: Explain Data Sharing and Third Parties

    Users have a right to know who else receives their personal data. Article 13(1)(e) requires you to identify recipients or categories of recipients. Vague language like “we may share with trusted partners” does not satisfy this requirement and destroys user trust.

    Be specific but proportionate. You do not need to list every sub-processor with their registered address, but you should name the key categories and, where possible, the specific companies involved:

    • Cloud hosting providers: name the provider and, where relevant, the region (e.g., “Amazon Web Services, hosted in the EU (Ireland)”)
    • Payment processors: name the provider (e.g., Stripe, PayPal) and note that they process card data directly under their own privacy policy
    • CRM and marketing tools: name the platform (e.g., HubSpot, Mailchimp) and explain what data is shared
    • Analytics platforms: name the tool (e.g., Google Analytics, Mixpanel) and note what data is collected
    • Customer support software: name the tool (e.g., Intercom, Zendesk) and explain what data flows into it
    • Professional advisors: mention that data may be shared with legal, financial or security advisors where necessary

    If you share data with other controllers (not just processors acting on your behalf), that must be made explicit. The distinction matters legally: a processor only acts on your instructions, while a separate controller determines their own purposes.

    Step 6: International Data Transfers

    If any personal data is transferred outside the EU/EEA, including to cloud services, software tools or subsidiaries based in the US or elsewhere, the GDPR requires you to explain what safeguards are in place. This is one of the most commonly overlooked sections in startup privacy policies.

    The main transfer mechanisms you may rely on are:

    • Adequacy decisions: the European Commission has recognised certain countries as providing an adequate level of data protection (e.g., the UK, Switzerland, Japan, Canada). Transfers to these countries require no additional safeguards.
    • Standard Contractual Clauses (SCCs): model contractual clauses approved by the European Commission, incorporated into your agreements with the recipient. The updated 2021 SCCs are the primary mechanism for transfers to countries without an adequacy decision, including the US.
    • Binding Corporate Rules (BCRs): approved internal policies for multinational groups, less common for startups.
    • EU-US Data Privacy Framework (DPF): organisations certified under the DPF can receive EU personal data from the US without additional SCCs.

    In practice, if you use US-based tools like Google Workspace, AWS, Stripe or Salesforce, you should check whether those providers are DPF-certified or whether your contracts include the updated SCCs, and reflect this in your privacy policy.

    Step 7: Retention Periods

    The storage limitation principle under Article 5(1)(e) of the GDPR requires that personal data is kept no longer than necessary for the purpose for which it was collected. Your privacy policy must reflect actual retention periods, not vague language like “as long as necessary.”

    Define clear rules for your main data categories:

    • Account data: retained while the account is active, then deleted within [X] days of account closure (or anonymised for aggregate analytics)
    • Contract and billing records: retained for the period required by applicable law, typically 5 years in Spain for commercial records and 4 years for tax records
    • Support communications: retained for [X] months after resolution, or longer if the matter involves a legal claim
    • Marketing preferences and consent records: retained for as long as you are sending marketing communications, plus a reasonable period to evidence consent status
    • Usage and analytics data: retained in identifiable form for [X] months, then aggregated and anonymised
    • Security and access logs: retained for [X] months for fraud prevention and incident investigation purposes

    Setting and documenting retention periods is also required for your Records of Processing Activities (ROPA) under Article 30 of the GDPR. If you have not yet defined your retention schedule, this section of the privacy policy is a good forcing function.

    Step 8: Data Subject Rights

    Under the GDPR, individuals have a set of rights over their personal data. Your privacy policy must explain what these rights are and how users can exercise them. Articles 15 to 22 of the GDPR set out each right in detail.

    The rights you must cover are:

    • Right of access (Article 15): users can request a copy of the personal data you hold about them and information about how it is processed
    • Right to rectification (Article 16): users can request correction of inaccurate or incomplete data
    • Right to erasure (Article 17): users can request deletion of their data in certain circumstances, such as when the data is no longer necessary or consent is withdrawn
    • Right to restriction of processing (Article 18): users can request that processing is limited in certain circumstances, for example while an accuracy dispute is being resolved
    • Right to data portability (Article 20): users can request their data in a structured, machine-readable format and have it transferred to another controller, where processing is based on consent or contract
    • Right to object (Article 21): users can object to processing based on legitimate interests or for direct marketing purposes, objections to direct marketing must always be honoured
    • Rights related to automated decision-making (Article 22): if you use automated decision-making with significant effects, users have the right to human review

    Your policy must explain how to exercise these rights, typically by emailing a designated address, and note that you have one month to respond (extendable to three months for complex requests). You must also inform users that they have the right to lodge a complaint with a supervisory authority, such as the AEPD in Spain.

    Step 9: Security Measures

    Article 32 of the GDPR requires you to implement appropriate technical and organisational measures to protect personal data. Your privacy policy should describe these measures at a high level, without disclosing so much detail that you create a security risk.

    A balanced description typically covers:

    • Encryption of data in transit (TLS/HTTPS) and, where appropriate, at rest
    • Access controls: role-based access, the principle of least privilege, multi-factor authentication for staff accessing personal data
    • Incident response: procedures for detecting, responding to and reporting security incidents, including your GDPR breach notification obligations
    • Vendor security: your process for assessing the security of third-party processors before onboarding them

    Avoid making absolute security claims. Saying your systems are “100% secure” or that data breaches will “never happen” creates an expectation you cannot guarantee and can be used against you if an incident does occur. Honest, measured language is both more credible and more legally prudent.

    Step 10: Policy Updates

    Privacy policies need to evolve as your business evolves. When you launch new features, onboard new vendors, enter new markets or change how you use personal data, your policy must be updated to reflect those changes. Article 13(3) of the GDPR requires you to inform users of any changes to the information provided at collection time.

    Your policy should:

    • State the date it was last updated (visible at the top or bottom of the document)
    • Explain how users will be notified of material changes, typically by email, in-app notification or a prominent notice on your website
    • Give users a reasonable period to review significant changes before they take effect, particularly where new processing activities are involved
    • Maintain a version history or changelog if your policy is updated frequently, this is good practice and useful if you are ever asked to evidence what your policy said at a given time

    A practical approach is to set a calendar reminder to review your privacy policy every six months, and every time you add a significant new data processing activity, a new analytics tool, a new marketing platform, a new product feature that touches personal data.

    Quick Fill-In-The-Blank Template

    Use the structure below as a starting point. Replace all items in [square brackets] with information specific to your company. This template should be reviewed by a legal specialist before publishing, particularly the legal basis, international transfer and retention sections.

    Privacy Policy | [Company Name]

    Last updated: [Date]

    1. Who we are

    [Legal entity name], registered at [address]. Privacy contact: [email address]. DPO (if appointed): [name/email].

    2. What personal data we collect

    [List categories: e.g., name, email, billing address, payment reference, usage data, device data, support communications.] We collect this data directly from you when you register, use our service or contact us, and automatically through [cookies/analytics tools].

    3. Why we use your data and our legal basis

    [For each purpose, state: what you do, which data is involved, and which legal basis applies. E.g., “We use your email address to send you product updates (legal basis: legitimate interests). We use your payment details to process your subscription (legal basis: contract).”]

    4. Who we share your data with

    [Name key processors: e.g., Amazon Web Services (hosting, EU), Stripe (payments), HubSpot (CRM), Google Analytics (analytics). Each processes data only as instructed under a data processing agreement.]

    5. International transfers

    [State whether you transfer data outside the EU/EEA. If yes: “We transfer personal data to [country/provider]. We ensure adequate safeguards through [Standard Contractual Clauses / EU-US Data Privacy Framework certification / adequacy decision].”]

    6. How long we keep your data

    [State retention periods per category: e.g., account data deleted within 30 days of account closure; billing records retained for 5 years; support records retained for 12 months after resolution.]

    7. Your rights

    You have the right to access, correct, delete, restrict, port and object to processing of your personal data. To exercise any right, contact us at [privacy email]. You also have the right to lodge a complaint with the AEPD (www.aepd.es) or your local supervisory authority.

    8. Security

    We implement [encryption in transit, access controls, multi-factor authentication, incident response procedures] to protect your personal data. No system is completely secure; we encourage you to use a strong password and notify us immediately if you suspect any unauthorised access to your account.

    9. Changes to this policy

    We will notify you of material changes to this policy by [email / in-app notice] at least [X] days before they take effect. The current version is always available at [URL].

    Common Mistakes Startups Make With Privacy Policies

    Copying a generic template without adapting it

    A privacy policy that lists data processing activities your business does not perform, or omits ones that it does, creates a direct GDPR compliance gap. During investor due diligence or an enterprise security review, this kind of mismatch is spotted quickly and is difficult to explain.

    Using vague legal bases

    Many startup policies say “we process your data as required by law” or “we have a legitimate interest in processing your data” without specifying which law or what the interest is. This does not satisfy the GDPR’s transparency requirements and would not survive scrutiny from a supervisory authority.

    Not updating the policy when the business changes

    A privacy policy written at incorporation often bears no resemblance to the actual processing activities of a company 18 months later. Every time you add a new tool that processes personal data, launch a new product feature or enter a new market, the policy needs to be reviewed and, if necessary, updated.

    No information about international transfers

    The vast majority of startups use US-based software tools, and the vast majority of startup privacy policies say nothing about how those transfers are safeguarded. This is one of the most common findings in GDPR audits and a persistent area of enforcement by European supervisory authorities.

    How PrivaLex Can Help

    This guide gives you a solid framework. But a framework is only as good as the company-specific information you put into it, and that is where most startups struggle. The legal basis analysis, the international transfer review, the retention period decisions and the third-party mapping all require time, legal knowledge and an understanding of how your product actually works.

    At PrivaLex Partners we help startups and scale-ups build privacy programmes that work in practice, not just on paper. That includes drafting or reviewing privacy policies, building Records of Processing Activities, advising on legal bases and cookie consent, assessing international transfer mechanisms and preparing for investor due diligence or enterprise security questionnaires.

    We also offer External DPO services for companies that need ongoing GDPR oversight without a full-time specialist, including policy management, incident response support and acting as the point of contact for supervisory authorities. If compliance is a growth blocker for your startup right now, contact us for a free initial assessment.

    Frequently Asked Questions (FAQs)

    Does my startup legally need a privacy policy?

    Yes, if you process personal data of individuals in the EU. Under Articles 13 and 14 of the GDPR, you are required to provide privacy information to individuals at the time of data collection. This is typically done through a privacy policy. Beyond the legal obligation, a privacy policy is also required by most app stores, advertising platforms and enterprise procurement processes.

    Can I copy a privacy policy template I found online?

    You can use a template as a starting point, but a copy-pasted policy that does not accurately reflect your actual processing activities creates compliance risk rather than reducing it. If your policy describes data uses that you do not carry out, or omits data uses that you do carry out, it fails its core purpose. Always adapt any template to your specific business and have it reviewed by a legal specialist.

    How often should I update my privacy policy?

    At a minimum, review your privacy policy every six months and whenever you make a material change to your data processing, adding a new third-party tool, launching a new product feature, entering a new market or changing your legal basis for any processing activity. Under Article 13(3) of the GDPR, you must inform users of any changes that affect the processing information provided to them at collection.

    What is the difference between a privacy policy and a cookie policy?

    A privacy policy covers all personal data processing by your company. A cookie policy (or cookie notice) specifically explains what cookies and similar tracking technologies you use, why you use them, and how users can manage their preferences. Under the ePrivacy Directive, a separate cookie notice is required if you use non-essential cookies. The two documents can be combined or kept separate, either approach is acceptable provided all required information is present.

    What happens if I do not have a privacy policy or it is not GDPR compliant?

    Under Article 83(4) of the GDPR, infringements of the transparency obligations can result in fines of up to €10 million or 2% of global annual turnover. Beyond regulatory risk, a missing or clearly inadequate privacy policy creates practical problems: investor due diligence, enterprise client procurement and app store approvals all typically require a compliant privacy policy. The commercial consequences of non-compliance are often felt before any regulatory action.

    Do I need a DPO to have a valid privacy policy?

    No. A DPO is only mandatory under the GDPR in specific circumstances: for public authorities, for organisations whose core activities involve large-scale systematic monitoring of individuals, or for organisations whose core activities involve large-scale processing of special category data. For most startups, a DPO is not mandatory, but having a dedicated privacy contact (and including their details in your privacy policy) is good practice and a requirement under Article 13(1)(b) if a DPO has been appointed.

    Avatar photo

    Diana Illueca

    Diana specializes in data protection and privacy, guiding companies through the practical realities of GDPR compliance and European privacy regulation. At PrivaLex Partners, she helps organizations build robust compliance programs from the ground up and acts as an external DPO for clients across a range of industries. Diana’s strength lies in making the law accessible, translating dense regulatory requirements into clear, actionable steps that fit seamlessly within each client’s business objectives. Her approach is collaborative, pragmatic, and always grounded in what actually works in practice.