Last updated: [DATE] Effective date: [DATE]
1. Introduction and Who We Are
Welcome to [Your Company Name] (“Company”, “we”, “us”, or “our”). We operate the website [yourwebsite.com] (the “Site”) and any related services (collectively, the “Services”).
We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our Site or use our Services.
Data Controller: [Your Company Name] [Your Registered Address] [City, State/Province, Postcode, Country] Email: [privacy@yoursite.com] Phone: [Your Phone Number]
If you have questions or concerns, please contact us at the details above before taking any formal action.
2. Summary of Key Points
| Topic | Summary |
|---|---|
| What data we collect | Name, email, browsing data, purchase history, and data you provide voluntarily |
| Why we collect it | To provide Services, process orders, communicate with you, and improve our Site |
| Legal basis (EU/UK) | Contract, legitimate interest, consent, or legal obligation depending on the purpose |
| Do we sell your data? | No. We do not sell personal data to third parties |
| Third-party sharing | Only with processors (hosting, analytics, payment) under strict contracts |
| Data retention | As long as necessary for the stated purpose or as required by law |
| Your rights | Access, correction, deletion, portability, objection, restriction |
| International transfers | Protected by Standard Contractual Clauses or adequacy decisions |
| Children | Our Site is not directed to children under 13 (or 16 in the EU) |
3. Information We Collect
3.1 Information You Provide Directly
- Account registration: name, email address, username, password
- Purchase/checkout: billing name, billing address, shipping address, phone number, payment details (processed securely by our payment provider — we do not store full card numbers)
- Contact forms and support: name, email, message content, and any attachments you send
- Subscriptions and newsletters: email address and communication preferences
- User-generated content: reviews, comments, forum posts, or other content you submit
- Survey and research participation: any information you choose to provide
3.2 Information Collected Automatically
When you visit our Site, we automatically collect:
- Device information: IP address, browser type and version, operating system, device identifiers
- Usage data: pages visited, time spent on pages, links clicked, referring URL, exit pages
- Transaction data: purchase history, items viewed, cart contents
- Location data: approximate location inferred from IP address (not precise GPS)
- Log data: server logs including date/time stamps, error reports
3.3 Information from Third Parties
- Social media platforms: if you connect a social account or use social login
- Payment processors: transaction status and fraud-prevention signals (not full card data)
- Analytics providers: aggregated behavioural data
- Advertising partners: interest segments and ad interaction data (only with your consent)
- Business partners: referral information if you arrive via a partner programme
3.4 Cookies and Tracking Technologies
We use cookies, web beacons, pixels, and similar technologies. For full details, see our Cookie Policy.
4. How We Use Your Information
We use personal information for the following purposes:
| Purpose | Legal Basis (EU/UK GDPR) | Legal Basis (Other) |
|---|---|---|
| Provide and manage your account | Contract performance | Legitimate interest / contract |
| Process and fulfil orders | Contract performance | Necessary for contract |
| Send order confirmations and receipts | Contract performance | Legitimate interest |
| Provide customer support | Contract performance / Legitimate interest | Legitimate interest |
| Send marketing communications (with your consent) | Consent | Consent (where required) |
| Send service-related announcements | Legitimate interest | Legitimate interest |
| Improve and personalise our Services | Legitimate interest | Legitimate interest |
| Conduct analytics and research | Legitimate interest | Legitimate interest |
| Prevent fraud and ensure security | Legal obligation / Legitimate interest | Legitimate interest |
| Comply with legal obligations | Legal obligation | Legal obligation |
| Enforce our Terms and Conditions | Legitimate interest | Legitimate interest |
| Process job applications | Pre-contractual steps | Pre-contractual steps |
5. Disclosure of Your Information
5.1 Service Providers (Data Processors)
We share data with trusted third-party companies that process it on our behalf:
- Hosting and infrastructure: [e.g., WP Engine, SiteGround, Cloudflare]
- Payment processing: [e.g., Stripe, PayPal] — governed by their own privacy policies
- Email delivery: [e.g., Mailchimp, Brevo, Postmark]
- Analytics: [e.g., Google Analytics, Plausible]
- Customer support: [e.g., Zendesk, Freshdesk]
- Shipping and fulfilment: [e.g., Royal Mail, FedEx, UPS]
- Accounting and tax: [e.g., Xero, QuickBooks]
All processors are contractually bound to use your data only on our instructions, maintain appropriate security, and not retain data longer than necessary.
5.2 Business Transfers
If we are involved in a merger, acquisition, financing, reorganisation, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you if this occurs and your data becomes subject to a different privacy policy.
5.3 Legal Requirements
We may disclose your information where we believe disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or governmental request
- Enforce our Terms and Conditions or other agreements
- Protect the rights, property, or safety of us, our customers, or others
- Detect, investigate, or prevent fraud or security incidents
5.4 With Your Consent
We may share your information with other third parties when we have your explicit consent to do so.
5.5 What We Do Not Do
- We do not sell your personal data to data brokers or advertisers
- We do not share your data with unaffiliated third parties for their own marketing without your consent
- We do not use your data to make automated decisions with legal or significant effects without human review
6. International Data Transfers
We are based in [Your Country]. If you access our Services from outside this country, your data may be transferred to and processed in a country with different data protection laws.
For users in the European Economic Area (EEA), United Kingdom, and Switzerland: Where we transfer personal data outside the EEA/UK, we ensure an adequate level of protection through:
- Adequacy decisions issued by the European Commission or UK Secretary of State
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreements (IDTAs)
- Binding Corporate Rules where applicable
You may request a copy of the transfer mechanism by contacting us at [privacy@yoursite.com].
7. Data Retention
We retain personal information only as long as necessary for the purposes described in this policy, unless a longer period is required by law.
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 3 years after closure |
| Purchase/transaction records | 7 years (tax and legal obligations) |
| Contact and support enquiries | 3 years from last contact |
| Marketing consent records | 5 years from consent date |
| Cookie consent logs | 13 months |
| Server/access logs | 90 days |
| Job applications (unsuccessful) | 6 months after decision |
| Fraud and security records | As required by law, up to 7 years |
When data is no longer needed, we securely delete or anonymise it.
8. Security of Your Information
We implement appropriate technical and organisational measures to protect your personal information, including:
- Encryption in transit: TLS/HTTPS on all pages
- Encryption at rest: sensitive databases are encrypted at rest
- Access controls: role-based access; staff access data only on a need-to-know basis
- Regular audits: periodic security reviews and vulnerability assessments
- Incident response: a documented process for detecting and responding to data breaches
Important: No method of transmission over the internet or electronic storage is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security.
Data breach notification: If we become aware of a breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (where required by law) and affected individuals without undue delay.
9. Your Privacy Rights
Depending on where you live, you may have some or all of the following rights:
9.1 For Everyone
- Right to access: Request a copy of the personal data we hold about you
- Right to correction: Request correction of inaccurate or incomplete data
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting lawfulness of prior processing
9.2 EEA, UK, and Switzerland (GDPR / UK GDPR)
- Right to erasure (“right to be forgotten”): Request deletion of your data, subject to legal exceptions
- Right to restrict processing: Request that we limit how we use your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests or for direct marketing
- Right not to be subject to automated decision-making: Including profiling with significant effects
- Right to lodge a complaint with your national supervisory authority (e.g., ICO in the UK, CNIL in France)
9.3 California Residents (CCPA / CPRA)
California residents have the right to:
- Know what personal information is collected, used, shared, or sold
- Delete personal information held by us and our service providers
- Opt out of the sale or sharing of personal information (we do not sell personal information)
- Correct inaccurate personal information
- Limit use and disclosure of sensitive personal information
- Non-discrimination for exercising privacy rights
CCPA categories collected: identifiers, commercial information, internet/electronic network activity, geolocation, inferences. For a full list, contact us.
Shine the Light: California residents may request a list of third parties to whom we disclosed personal information for direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing.
9.4 Canadian Residents (PIPEDA / Québec Law 25)
- Right to access personal information we hold about you
- Right to challenge accuracy and completeness, and have it amended
- Right to withdraw consent (subject to legal and contractual restrictions)
- Québec residents: right to be informed of the use of technology for profiling
9.5 Brazilian Residents (LGPD)
- Confirmation of the existence of processing
- Access to your data
- Correction of incomplete, inaccurate, or outdated data
- Anonymisation, blocking, or deletion of unnecessary or excessive data
- Portability to another service provider
- Deletion of personal data processed with your consent
- Information about third parties with whom we share data
- Information about the possibility of denying consent and consequences
- Revocation of consent
9.6 Australian Residents (Privacy Act 1988)
- Access to your personal information
- Correction of personal information
- Complain to the Office of the Australian Information Commissioner (OAIC)
10. How to Exercise Your Rights
To exercise any of your rights, please:
Email: [privacy@yoursite.com] Subject line: “Privacy Rights Request — [Right you are exercising]” Online form: [Link to your privacy request form if applicable] Postal address: [Your Address]
We will respond within:
- 30 days (GDPR / UK GDPR / LGPD)
- 45 days, extendable to 90 days (CCPA)
- 30 days, extendable to 60 days (PIPEDA)
We may ask you to verify your identity before processing your request. We will not charge a fee unless the request is manifestly unfounded or excessive.
11. Children’s Privacy
Our Services are not directed to children under 13 years of age (or 16 years in jurisdictions that require a higher age of consent for data processing, including many EU member states).
We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately and we will delete it promptly.
12. Third-Party Links and Services
Our Site may contain links to third-party websites, plugins, and applications. Clicking those links may allow third parties to collect data about you. We do not control those third-party sites and are not responsible for their privacy practices. We encourage you to review their privacy policies.
13. Marketing Communications
13.1 Email Marketing
We send marketing emails only to people who have explicitly opted in. Each email includes an easy unsubscribe link.
To unsubscribe:
- Click the “Unsubscribe” link in any marketing email, or
- Email us at [unsubscribe@yoursite.com]
13.2 Legitimate Interest Emails
We may contact existing customers about similar products or services under the “soft opt-in” exemption (where permitted by local law). You can object at any time by unsubscribing.
14. Do Not Track
Some browsers include a “Do Not Track” (DNT) feature. Our Site does not currently respond to DNT signals because no uniform standard has been established. However, you can manage your tracking preferences through our [Cookie Preference Centre].
15. Jurisdiction-Specific Disclosures
15.1 India (DPDP Act 2023)
We process personal data of Indian residents lawfully, fairly, and transparently. You may:
- Withdraw consent at any time
- Request access to, correction of, or erasure of your data
- Nominate another person to exercise your rights on your behalf in the event of death or incapacity
We will not process children’s personal data without verifiable parental consent.
15.2 South Africa (POPIA)
We process personal information in accordance with POPIA. Our Information Officer is [Name, email]. You may lodge a complaint with the Information Regulator (South Africa) at https://www.justice.gov.za/inforeg/.
15.3 Japan (APPI)
If you are located in Japan, you may request disclosure, correction, addition, deletion, or suspension of use of your personal information by contacting our privacy team.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last updated” date at the top of this page
- Send an email notification to registered users (where required by law or where changes are significant)
- Display a prominent notice on our Site
Your continued use of our Services after the effective date of the updated policy constitutes your acceptance of the changes.
17. Contact Us and Supervisory Authorities
Data Privacy Enquiries: [Your Company Name] Attn: Privacy Team [Address]
[privacy@yoursite.com]
EU Representative (if applicable): [Name and address of EU representative]
[eu-rep@yoursite.com]
UK Representative (if applicable): [Name and address of UK representative]
Relevant Supervisory Authorities:
| Region | Authority | Website |
|---|---|---|
| UK | Information Commissioner’s Office (ICO) | ico.org.uk |
| EU | Your national DPA (find at edpb.europa.eu) | edpb.europa.eu |
| USA (California) | California Privacy Protection Agency | cppa.ca.gov |
| Canada | Office of the Privacy Commissioner | priv.gc.ca |
| Australia | Office of the Australian Information Commissioner | oaic.gov.au |
| Brazil | Autoridade Nacional de Proteção de Dados (ANPD) | gov.br/anpd |
| India | Data Protection Board of India | (to be established) |
| South Africa | Information Regulator | justice.gov.za/inforeg |
This Privacy Policy was last reviewed by [Your Legal Counsel / Company Name] on [DATE]. It is provided for informational purposes and does not constitute legal advice. We recommend consulting a qualified lawyer to ensure compliance with all applicable laws in your specific jurisdiction.