Privacy Policy Template (GDPR & CCPA Compliant)

Website privacy policy covering GDPR and CCPA requirements. Customizable for any SaaS product. This free, professionally written template from Proveably is ready to download in multiple formats and customise for your organisation. No account required.

A comprehensive privacy policy template covering data collection, processing purposes, legal bases (GDPR), consumer rights (CCPA), cookie policy, and data retention.


Why You Need This Privacy Policy Template (GDPR & CCPA Compliant)

A well-documented Privacy Policy Template (GDPR & CCPA Compliant) is essential for organisations pursuing compliance certifications and building trust with customers, partners, and auditors. Without formal documentation, your organisation faces several risks:

  • Audit failures — Auditors specifically check for documented policies. A missing or incomplete policy is one of the most common reasons organisations fail SOC 2, ISO 27001, or other compliance audits.
  • Security gaps — Without clear guidelines, employees and contractors may follow inconsistent security practices, creating vulnerabilities.
  • Regulatory exposure — Many regulations (GDPR, HIPAA, PCI DSS) require documented policies. Non-compliance can result in fines and legal liability.
  • Lost business opportunities — Enterprise customers increasingly require vendors to demonstrate formal security policies before signing contracts.

This Proveably template gives you a professional starting point that covers industry best practices and maps directly to compliance framework requirements.

Compliance Framework Requirements

This template is designed to satisfy requirements from the following frameworks:

SOC 2

This template addresses key SOC 2 control requirements with pre-mapped sections and audit-ready language.

ISO 27001

This template addresses key ISO 27001 control requirements with pre-mapped sections and audit-ready language.

HIPAA

This template addresses key HIPAA control requirements with pre-mapped sections and audit-ready language.

Specifically mapped control codes: CC2.3, P1.1, P2.1, A.18.1

Template Preview

# Privacy Policy

**Last Updated: [Date]**

## 1. Introduction

**[Company Name]** ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This privacy policy describes how we collect, use, store, and share your information.

## 2. Information We Collect

### 2.1 Information You Provide

- **Account information**: Name, email address, company name
- **Payment information**: Processed securely via [Stripe]; we do not store payment card data
- **Content**: Data you upload or create within our platform
- **Communications**: Support requests, feedback, survey responses

### 2.2 Information Collected Automatically

- **Usage data**: Pages visited, features used, actions taken
- **Device data**: Browser type, OS, device type, screen resolution
- **Log data**: IP address, timestamps, referring URLs
- **Cookies**: See Section 7

## 3. How We Use Your Information

| Purpose | Legal Basis (GDPR) |
|---------|-------------------|
| Provide and maintain our service | Performance of contract |
| Process payments | Performance of contract |
| Send service notifications | Legitimate interest |
| Improve our product | Legitimate interest |
| Respond to support requests | Performance of contract |
| Prevent fraud and abuse | Legitimate interest |
| Comply with legal obligations | Legal obligation |
| Marketing communications (opt-in only) | Consent |

## 4. Data Sharing

We do not sell your personal data. We share data only with:

- **Service providers**: Cloud hosting, payment processing, analytics (under DPAs)
- **Legal requirements**: When required by law, subpoena, or court order
- **Business transfers**: In connection with mergers, acquisitions, or asset sales (with notice)

### Sub-Processors

| Provider | Purpose | Location |
|----------|---------|----------|
| [AWS/GCP] | Cloud hosting | [Region] |
| Stripe | Payment processing | US |
| [Email provider] | Transactional email | US |
| [Analytics provider] | Product analytics | US |

## 5. Data Retention

We retain your data for the duration of your account plus **30 days** after account deletion. Specific retention periods:

- Active account data: Duration of contract
- Deleted account data: 30 days (then permanently deleted)
- Audit logs: 1 year
- Financial records: 7 years (legal requirement)

## 6. Your Rights

### GDPR Rights (EU/EEA/UK)

- **Access**: Request a copy of your personal data
- **Rectification**: Correct inaccurate or incomplete data
- **Erasure**: Request deletion of your data ("right to be forgotten")
- **Restriction**: Request restriction of processing
- **Portability**: Receive your data in machine-readable format
- **Objection**: Object to processing based on legitimate interests

### CCPA Rights (California)

- **Know**: What personal information we collect and how we use it
- **Delete**: Request deletion of personal information
- **Opt-out**: Opt out of sale of personal information (we do not sell data)
- **Non-discrimination**: Equal service regardless of privacy choices

To exercise your rights, email **privacy@[company].com**.

## 7. Cookies

We use cookies for:

- **Essential**: Required for the service to function (session, CSRF)
- **Analytics**: Understand usage patterns (anonymized)
- **Preferences**: Remember your settings

You can manage cookie preferences via your browser settings.

## 8. Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit and at rest, access controls, and regular security assessments.

## 9. Children

Our service is not directed to children under 16. We do not knowingly collect personal information from children.

## 10. Changes

We may update this policy from time to time. We will notify you of material changes via email or in-app notification.

## 11. Contact

**Data Controller**: [Company Name]
**Email**: privacy@[company].com
**Address**: [Address]

For EU representatives: [EU Representative name and contact]

---

*Effective Date: [Date]*

Frequently Asked Questions

A Privacy Policy Template (GDPR & CCPA Compliant) is a formal policy document: a website privacy policy covering GDPR and CCPA requirements, customizable for any SaaS product. It provides a structured framework for organisations to document and enforce security and compliance requirements.
Yes. Proveably provides this Privacy Policy Template (GDPR & CCPA Compliant) completely free of charge. You can download it in Markdown, PDF, Word, Excel, or plain text format — no account required.
This policy is mapped to SOC 2, ISO 27001, and HIPAA. It includes the specific control references and requirements needed to satisfy auditor expectations for these frameworks.
Download the template in your preferred format, then customise the bracketed placeholder sections with your organisation's specific details. Review with your security team or compliance officer, get management approval, and distribute to relevant staff. Proveably recommends reviewing and updating this policy at least annually.
Absolutely. This template is designed as a starting point. All sections should be tailored to your organisation's size, industry, and specific compliance requirements. The placeholder text indicates sections that require customisation.
