Generate a fully EU GDPR-compliant privacy policy for your website or app. Covers all 8 data subject rights, lawful basis, DPA requirements, and cross-border transfers. 100% free, no signup.
No paywalls. No subscriptions. Just instant, professional legal documents.
Our GDPR policy automatically includes all eight data subject rights — access, erasure, portability, objection, rectification, restriction, automated decisions, and the right to be informed.
If you use US-based tools (AWS, Google, Stripe), we include Standard Contractual Clauses (SCCs) and adequacy decision language to cover international data transfers.
Select your processing basis — consent, contract, or legitimate interest — and we generate the correct legal language required by GDPR Article 13/14.
Everything you need to know about GDPR Privacy Policies
It applies to your website even if you've never set foot in Europe.
GDPR — the General Data Protection Regulation — came into force in May 2018 and immediately became the most consequential privacy law on the planet. Not because it applies only in Europe, but because it applies to anyone who has European users. That means a solo founder running a SaaS from Austin, Texas, is subject to GDPR the moment a user in Frankfurt signs up.
British Airways was fined £183 million after a breach exposed 500,000 customers' data. Marriott International got a £99 million fine. Google was fined €50 million by French regulators for lack of transparent consent. H&M was hit with €35 million for monitoring employee personal lives. These aren't edge cases. GDPR enforcement has accelerated every year since 2018.
Here's the part that surprises a lot of people: GDPR doesn't just care about data breaches. It cares about transparency. If you collect an email address and don't tell people why you're keeping it, that's a violation. If you use Google Analytics without documenting a legal basis for processing, that's a violation. Austria's data protection authority actually ruled in 2022 that using Google Analytics violates GDPR because data gets sent to US servers. Several other EU countries followed.
And the UK? Post-Brexit, the UK has its own version called UK GDPR, which is nearly identical to EU GDPR and enforced by the ICO (Information Commissioner's Office). The ICO is active. They fined Marriott £18.4 million and British Airways £20 million on UK GDPR grounds alone. So "we left the EU" is not a compliance exit strategy.
A proper GDPR privacy policy demonstrates that you've thought about your legal basis for processing, that you respect user rights, and that you're not hiding anything. It's not a magic shield against every fine. But having nothing, or copying a template that doesn't match your actual practices, is significantly worse than having a properly tailored document that reflects what you actually do.
Any website, app, or service that processes personal data of people in the EU or UK, regardless of where the business is based. No exceptions for small companies.
Fines up to €20M or 4% of global turnover, supervisory authority investigations, mandatory processing bans, and reputational damage that is very hard to recover from.
Clear user trust, documented compliance posture, easier to pass enterprise vendor security reviews, and a framework for handling subject access requests confidently.
Every mandatory GDPR disclosure, covered in plain language.
Your full business name, address, and contact details. GDPR Article 13 requires you to identify yourself clearly as the entity responsible for processing.
If you have a Data Protection Officer, their contact information must be disclosed. Our policy includes a placeholder section for this where required.
Consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Each processing activity maps to the correct basis.
Access, rectification, erasure, restriction, portability, objection, and rights around automated decisions. With instructions on how users can exercise each one.
Specific time periods or criteria for how long each category of data is retained. GDPR prohibits keeping data longer than necessary for its stated purpose.
Users have the right to lodge a complaint with their national data protection authority. Your policy must tell them this and ideally explain how to do so.
If you transfer data outside the EU or EEA, you must explain what safeguards apply, such as Standard Contractual Clauses, adequacy decisions, or binding corporate rules.
If you use any automated profiling or decision-making that produces legal effects, this must be disclosed. This includes even basic logic such as automated email segmentation.
When you rely on legitimate interests as your legal basis, you must explain what those interests are and confirm they don't override user rights. Our policy includes this assessment.
The ones that actually keep compliance officers up at night
You shouldn't need a subscription to comply with a regulation you didn't choose to be subject to.
| Feature | FreeTOS | Termly | iubenda |
|---|---|---|---|
| Price | Free | $14/mo | $27/yr+ |
| GDPR Article 13 Coverage | Full | Full | Full |
| UK GDPR Coverage | Yes | Yes | Yes |
| PDF Download | Free | Paid plan | Paid plan |
| No Signup Required | Yes | No | No |
| AI-Tailored Output | Yes | Template | Template |
| All 6 Legal Bases Covered | Yes | Yes | Yes |
Where to put it, how to link it, and what to do on forms.