Privacy May 15, 2026 5 min read

Privacy Policy Checklist: 14 Sections Every Site Needs

Wondering what to include in a website privacy policy? Here's a practical 14-section checklist with examples for GDPR, CCPA, cookies, and third-party data.

A privacy policy isn't a legal formality you copy from another site and forget about. It's a contract with your visitors and a document regulators will reference if something goes wrong. Whether you run a SaaS product, an e-commerce store, or a personal blog with analytics, the same core sections apply — only the depth changes.

Below is a working checklist of the 14 sections your privacy policy should cover, with concrete examples of what to put in each.

1. Who You Are and How to Contact You

Start with identity. Visitors and regulators need to know exactly who controls their data.

  • Legal entity name (not just the brand)
  • Business address
  • Contact email for privacy inquiries (e.g. privacy@yourdomain.com)
  • Data Protection Officer details, if you have one
  • EU/UK representative, if you're based outside but serve those regions

2. What Data You Collect

Be specific. "We may collect personal information" is not enough. Break it down by category.

Information users provide directly

  • Name, email, password
  • Billing address, payment details (note if handled by a processor like Stripe)
  • Profile data, uploaded content, support messages

Information collected automatically

  • IP address and approximate location
  • Browser type, device type, OS
  • Pages viewed, time on page, referrer
  • Cookie IDs and similar identifiers

Information from third parties

  • Social login data (Google, GitHub, etc.)
  • Enrichment services or marketing partners

3. How You Collect It

List the actual mechanisms: web forms, account registration, cookies, server logs, analytics scripts, pixels, SDKs in mobile apps. If you use fingerprinting techniques, disclose them — modern privacy laws treat these as identifiers.

4. Why You Use the Data (Legal Basis)

Every processing activity needs a purpose, and under GDPR, a legal basis. Map them clearly:

  • Contract — to deliver the service the user signed up for
  • Legitimate interest — fraud prevention, basic analytics
  • Consent — marketing emails, non-essential cookies
  • Legal obligation — tax records, lawful requests

A table format works well here: purpose → data used → legal basis.

5. Cookies and Tracking Technologies

Either include a full cookie section or link to a separate cookie policy. Cover:

  • Categories: strictly necessary, functional, analytics, advertising
  • Specific cookies with names, providers, and durations
  • How users can manage or refuse them
  • Whether you use Do Not Track signals or Global Privacy Control

6. Third Parties and Sub-processors

List every external service that touches user data. Common ones:

  • Hosting (AWS, Cloudflare, Vercel)
  • Analytics (Google Analytics, Plausible, Fathom)
  • Payments (Stripe, PayPal)
  • Email (Postmark, SendGrid, Mailchimp)
  • Support tools (Intercom, Zendesk)
  • Advertising and retargeting networks

For each, state what data is shared and link to their privacy policy. If you don't know what's actually being loaded on your site, run it through a header and asset inspection tool like the AXOX Hub HTTP Header Checker to see what trackers your pages are pulling in — you'd be surprised how often a forgotten Hotjar or Facebook Pixel is still firing.
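The check described above, as an added example that is not the article's or AXOX Hub's code: parse a page's HTML, collect every third-party host it loads scripts, images, iframes or stylesheets from, and report the ones the policy does not disclose. The sample HTML, the site host and the disclosed-host list are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; the resource URLs and IDs are illustrative only.
SAMPLE_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://static.hotjar.com/c/hotjar-000.js"></script>
<script src="/assets/app.js"></script>
<link rel="stylesheet" href="https://cdn.example-site.com/site.css">
</head><body>
<img src="https://www.facebook.com/tr?id=000&ev=PageView" height="1" width="1">
<iframe src="https://js.stripe.com/v3/"></iframe>
</body></html>
"""

# Hosts the (hypothetical) policy currently lists as sub-processors.
DISCLOSED_HOSTS = {"www.googletagmanager.com", "js.stripe.com"}


class ResourceCollector(HTMLParser):
    """Collect the host of every external resource a page pulls in."""
    TAG_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = self.TAG_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        host = urlparse(url).hostname if url else None
        # Relative URLs and the site's own subdomains are first-party: skip them.
        if host and host != self.page_host and not host.endswith("." + self.page_host):
            self.hosts.add(host)


def third_party_hosts(html, page_host):
    parser = ResourceCollector(page_host)
    parser.feed(html)
    return parser.hosts


def undisclosed_hosts(html, page_host, disclosed):
    """Hosts the live page contacts that the privacy policy does not mention."""
    return third_party_hosts(html, page_host) - set(disclosed)


if __name__ == "__main__":
    for host in sorted(undisclosed_hosts(SAMPLE_HTML, "example-site.com", DISCLOSED_HOSTS)):
        print("loaded but not in policy:", host)
```

Run it against the HTML of each public page (and repeat after deployments), since the forgotten tracker the text warns about usually shows up here first.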

7. International Data Transfers

If data leaves the user's region (especially EU → US), say so. Mention the safeguards you rely on:

  • Standard Contractual Clauses (SCCs)
  • EU-US Data Privacy Framework certification
  • Adequacy decisions

8. How Long You Keep Data

Vague retention promises age badly. Give specifics where you can:

  • Account data: kept while the account is active, deleted within 30 days of closure
  • Server logs: 14–90 days
  • Invoices and tax records: 6–10 years depending on jurisdiction
  • Marketing lists: until consent is withdrawn

9. User Rights

Spell out what users can do and how. Under GDPR, CCPA, and similar laws, this typically includes:

  1. Access — request a copy of their data
  2. Rectification — correct inaccurate data
  3. Erasure — delete their data ("right to be forgotten")
  4. Restriction — pause processing
  5. Portability — receive data in a machine-readable format
  6. Objection — opt out of certain processing
  7. Withdraw consent — anytime, without penalty
  8. Lodge a complaint with a supervisory authority

Include the exact email or form to use, and your response timeframe (GDPR mandates one month).

10. How You Secure the Data

Don't oversell, but don't be silent. Describe practical measures:

  • TLS/HTTPS for all traffic
  • Encryption at rest for sensitive fields
  • Access controls and 2FA for staff
  • Regular backups and incident response procedures

11. Children's Data

State your age threshold (usually 13 under COPPA, 16 under GDPR in some member states) and what you do if you discover a younger user has signed up.

12. Automated Decisions and Profiling

If you use algorithms that make decisions affecting users — credit scoring, content moderation, ad targeting — disclose it, describe the logic in plain terms, and explain how to request human review.

13. Changes to the Policy

Tell users how you'll notify them of changes: email, in-app banner, or a notice on the homepage. Always keep a "last updated" date at the top, and ideally a changelog or archive of previous versions.

14. Jurisdiction-Specific Disclosures

Different regions require different additions:

  • California (CCPA/CPRA): categories of personal info sold or shared, "Do Not Sell or Share My Personal Information" link, financial incentives disclosure
  • EU/UK (GDPR): legal bases, DPO contact, supervisory authority info
  • Brazil (LGPD): data controller identification, rights under Article 18
  • Virginia, Colorado, Connecticut, Utah: opt-out rights and appeal processes

Common Mistakes to Avoid

  • Copying another site's policy verbatim — it almost never reflects your actual data flows
  • Listing tools you no longer use — or worse, omitting ones you do
  • Burying contact details in legalese instead of putting them up top
  • Forgetting to update the date after a real change
  • Promising "bank-level security" without defining what that means

Generate a Starting Draft in Minutes

Drafting from scratch is tedious, and starting from a competitor's policy is risky. If you want a tailored baseline that already structures these 14 sections around your stack, region, and data practices, use the free AXOX Hub Privacy Policy Generator. Answer a short questionnaire, get an editable policy you can refine with your legal advisor, and pair it with the header checker to confirm your live site actually matches what you've disclosed.