All templates
Data & PrivacyPolicyRequired · UK

Privacy Policy template

A privacy policy is the public-facing document that tells the people whose personal data you handle — customers, website visitors, enquirers, suppliers, job applicants — what you collect, why, who you share it with, how long you keep it, and what rights they have. Under UK GDPR you must give people this information, and a published privacy policy is how almost every organisation does it.

Free to use
UK-focused
Updated 11 July 2026

It is also the first thing a complainant, a customer's solicitor, or the ICO reads when something goes wrong. A policy that accurately describes what your business actually does with data is a strong first line of defence; a borrowed one that describes someone else's business is a liability.

This template gives you a complete, ready-to-edit policy: who you are, the data you collect, the lawful bases you rely on, sharing and international transfers, retention, individuals' rights, and how people complain.

The template

Full text, ready to adapt.

Highlighted fields are placeholders — replace them with your organisation's specifics. A starting point, not legal advice.

Privacy Policy

Policy · Data & Privacy

1. Purpose and scope

This privacy policy explains how {{org.name}} collects, uses, shares, and protects personal data, and the rights people have over their information. It covers customers, website visitors, enquirers, suppliers, and job applicants.

Personal data about our own staff is covered separately in our privacy notice for employees.

2. Who we are

{{org.name}}, [registered address], is the data controller for the personal data described in this policy — we decide why and how it is used. Questions about this policy or your data go to [name/role of data protection lead] at [email address].

3. The personal data we collect

  • Contact and identity details: name, email address, phone number, and postal address, collected when you enquire, order, or book.
  • Transaction details: orders, bookings, quotes, invoices, and payment records. Card payments are processed by [payment provider]; we do not store full card numbers.
  • Website and device data: pages visited, device type, and cookie identifiers — see our cookie policy.
  • Correspondence: emails, messages, call notes, and complaint records.
  • CCTV images at [locations], where signage is displayed. [Delete if not used.]
  • Job applicant data: CVs, application forms, interview notes, and references.

4. How and why we use personal data

  • To provide our products and services and manage your account — necessary for our contract with you.
  • To keep accounting and tax records and meet other regulatory duties — necessary to comply with our legal obligations.
  • To answer enquiries, improve our services, and prevent fraud — our legitimate interests, balanced against your rights.
  • To send marketing messages — only with your consent, or to existing customers about similar products where the law allows, always with an opt-out in every message.
  • We do not use automated decision-making that produces legal or similarly significant effects. [Amend and describe if you do.]

5. Who we share it with

  • Providers who process data on our instructions under written contracts: [payment provider], [booking or e-commerce platform], [email or marketing platform], [IT support], [accountant].
  • Professional advisers, insurers, banks, and — where the law requires — regulators, HMRC, or law enforcement.
  • We never sell personal data.
  • Where a provider stores data outside the UK, an appropriate safeguard is in place, such as [adequacy regulations or standard data protection clauses — confirm with each provider].

6. How long we keep it

We keep personal data only as long as we need it for the purposes above, then delete or anonymise it. As a guide: customer and transaction records for [period], enquiry records for [period], unsuccessful applicant records for [period], and CCTV for [period]. Some records must be kept for periods set by tax and other legislation — our data retention policy holds the full schedule.

7. Your rights

  • Ask for a copy of your personal data (a subject access request).
  • Have inaccurate or incomplete data corrected.
  • Ask us to delete data, restrict its use, or object to particular uses — objections to direct marketing are always honoured.
  • Receive certain data in a portable format.
  • Withdraw consent at any time where consent is the basis we rely on.
  • To exercise any right, contact [email address]. We respond within one calendar month.

8. How we keep data secure

We protect personal data with measures proportionate to the risk: access limited to staff who need it, password and [multi-factor] controls on systems holding personal data, encryption on portable devices, and data protection training for staff. Paper records are kept in [locked location] and shredded when disposed of.

9. Complaints, changes, and review

If you are unhappy with how we handle your data, contact us first at [email address] and we will try to put it right. You also have the right to complain to the Information Commissioner's Office (ICO).

This policy is reviewed [frequency, e.g. annually] and whenever what we collect or the tools we use change materially. Owner: [name/role]. Last updated: [date].

Make it yours

How to adapt this template.

1

List every place personal data actually enters the business — website forms, phone, email, till, booking system — before editing the collection section; the policy must describe reality.

2

Name your real providers in the sharing section; a vague "trusted third parties" line is the first thing complainants and the ICO query.

3

Set the retention section with your data retention policy open beside it so the two never disagree.

4

Run the ICO's data protection fee self-assessment and record the outcome.

5

Publish the policy wherever data is collected — website footer, booking pages, and paper forms — not buried in a PDF.

6

Diarise the review date and re-read the policy whenever you adopt a new tool that touches customer data.

A document is not a system

Turn this template into trained, proven behaviour

A policy in a drawer proves nothing. In TrainedTeam this template becomes assigned training with knowledge checks, e-signature acknowledgments, version history, and an audit-ready record of who completed what, when.

Privacy Policy template FAQs

Is a privacy policy a legal requirement in the UK?

In effect, yes. UK GDPR requires you to tell people, when you collect their data, what you collect, why, who you share it with, how long you keep it, and what rights they have. A published privacy policy or notice is how virtually every organisation meets that transparency duty.

What is the difference between a privacy policy and a privacy notice?

In practice the terms are interchangeable for the public-facing document. Some organisations use "policy" for their internal rules (see our data protection policy template) and "notice" for the external statement. What matters is that the external document exists, is accurate, and is easy to find.

Do we need to register with the ICO?

Most UK organisations that process personal data must pay a data protection fee to the ICO unless exempt. Use the ICO's online self-assessment to check whether the fee applies and at which tier — do not assume you are exempt because you are small.

Does a small business really need all these sections?

Keep every section that reflects something you actually do and delete the rest — a short accurate policy beats a long borrowed one. UK GDPR has no small-business exemption from telling people how you use their data.

How often should a privacy policy be reviewed?

Reviewing at least annually is common practice, and you should update it immediately whenever you start collecting new types of data, adopt a new system or provider, or change retention. A policy that misdescribes your current processing is worse than one that is merely overdue for review.