I can write a complete, ready-to-publish privacy policy in HTML, but I need a few specifics to ensure it’s accurate and compliant without using placeholders. Please provide:
1) Controller details
– Full legal entity name (and trading name if different)
– Registered office address (including country)
– Company number (if applicable)
– Primary contact email and phone for privacy queries
– Do you have a Data Protection Officer? If yes: name/title and dedicated DPO email. If no, who is the data protection lead/contact?
2) Scope and audience
– Do you target or serve users in the EEA as well as the UK? Do you have/need an EU representative?
3) Website features and data collected
– Which features are used: contact form, newsletter sign-up, user accounts/portal, e-commerce/payments, events, job applications, comments, live chat?
– Payment provider(s) (e.g., Stripe, PayPal) if you take payments online
– Any special category data collected (e.g., health data)? Likely “no,” but please confirm.
– Do you collect data from children under 13/16, or is the site not directed at children?
4) Third parties and processors
– Hosting provider/CDN (e.g., Cloudflare), email/SMS provider (e.g., Mailchimp, SendGrid), analytics (e.g., Google Analytics/GA4), advertising pixels (Meta, LinkedIn, Google Ads), CRM/helpdesk (e.g., HubSpot, Zendesk), forms (e.g., Typeform), file storage (e.g., Microsoft 365, Google Workspace), other vendors.
– Whether any of these process data outside the UK/EEA (e.g., US).
5) Cookies and consent
– Do you use a consent-management platform (cookie banner)? Which one?
– Main categories of cookies in use (strictly necessary, analytics, advertising, functional). Any specific tools to name (e.g., GA4, Hotjar, Meta Pixel)?
– Can users change cookie preferences via a visible icon or link on your site?
6) Retention periods (your preferences)
– Contact form enquiries (e.g., 12 or 24 months)
– Marketing lists (e.g., until withdrawal of consent or three years of inactivity)
– Account data (e.g., while account is active + six years)
– Transaction records (e.g., six years for tax/audit)
– Server logs and security logs (e.g., 12 months)
– Recruitment data (e.g., 6 months for unsuccessful candidates)
7) International transfers
– Do you rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs? For US providers, do you rely on the EU-U.S./UK extension of the Data Privacy Framework where applicable?
8) Complaints route
– OK to include the UK ICO’s contact details? (I’ll include the ICO’s address, phone, and website in plain text, not as a link.)
9) “Last updated” date
– Which date should appear as the effective/last updated date?
Once you share the above, I’ll deliver the final, fully formatted HTML content (without an H1, no placeholders, no links to other pages).