

What your privacy policy must contain — a checklist

A privacy policy doesn't need to be long or written in legalese. Here are the points an ordinary business website should include, explained simply.

By Mediseo

Most people know a website "should have a privacy policy". Fewer know what actually belongs in one. The good news is that it isn't a legal document you have to buy at great expense — it's an honest description of what you do with people's information.

What a privacy policy really is

A privacy policy is the page where you tell visitors which personal data you collect, why, and what they can do about it. Personal data is any information that can be tied to a specific person — name, email, phone number, sometimes an IP address.

The point is openness. Anyone visiting your site should be able to read what happens to the information they hand over. That doesn't take legal language; it takes honesty.

The points it should include

For an ordinary small-business website, the content comes down to a few concrete parts.

Who you are. The name of the business and a way to reach you. Someone with a question about their data should know whom to contact.

What you collect. A simple list: name and email from the contact form, email addresses from the newsletter, analytics data about visits, and so on. Be specific rather than vague.

Why you collect it. Tie each type of information to a purpose. The email is used to answer enquiries. The analytics are used to improve the site. One purpose per thing.

How long you keep it. If you no longer need the information, it should be deleted. You don't need an exact date — "as long as needed to respond to you" is an honest answer.

Who gets to see it. If you use external tools — an email system, an analytics tool, a payment provider — you're effectively sharing data with them. Name the main ones.

What rights people have. Visitors can ask to see what you've stored about them, ask for corrections, and ask for it to be deleted. Tell them how to do it — an email address is often enough.

A good rule: write what people can actually understand

A privacy policy full of clauses and jargon meets the letter but not the spirit. The spirit is that an ordinary visitor can read it and come away wiser.

  • Use short sentences and plain words.
  • Explain jargon rather than showing it off.
  • Structure it with subheadings, not one wall of text.

A short, clear policy beats a long, baffling one every time — partly because it's easier to keep up to date.

Common mistakes

Copying a template without adapting it. A generic template tends to mention things you don't do and miss things you do. The policy should describe your website, not a hypothetical one.

Writing it once and forgetting it. Add a new tool — a chat widget, a new analytics program — and you change what you collect. The policy should be updated when your practice changes.

Hiding it away. A link in the footer on every page is the standard. If it's impossible to find, it isn't doing its job.

A simple way to get started

You don't have to do this perfectly straight away. A sensible order:

  1. Write down everything the site actually collects, and where it goes.
  2. Tie each thing to a purpose and a retention period.
  3. Write it up in plain language, point by point.
  4. Add a contact address for access and deletion requests.
  5. Link to the page from the footer, and update it when something changes.

What we tend to say is that a privacy policy isn't something you write to tick off a duty — it's a chance to show you have your data in order. That builds more trust than people expect.

Frequently asked questions

Can I use a free template I find online?

As a starting point, yes — but you have to adapt it. A template that doesn't match what your site actually does is worse than nothing, because it paints a false picture. Use the template as a checklist, not a finished text.

Do I need a privacy policy if I only have a contact form?

Yes. The moment someone sends you their name and email, you're processing personal data. A simple policy explaining what happens to it is the right and expected thing.

How often should I update it?

Every time you change what you collect or which tools you use. In practice it's wise to look it over a couple of times a year, and always when you add something new to the site.

This is general guidance, not legal advice. If you're unsure about a specific situation, a short review with someone who knows privacy law can be worth it.
