UK Startup

Free UK website privacy policy template

A UK GDPR-compliant privacy policy for a standard small business website. Covers all the required disclosures — data collection, lawful basis, individual rights, cookies, and how to complain to the ICO. Copy, paste, and update the bracketed sections.

Last updated May 2026 · Reviewed against UK gov.uk sources

Every website that collects personal data — including just an email address from a contact form — needs a privacy policy. UK GDPR requires you to tell visitors what data you collect, why, and what their rights are. This template covers the requirements for a standard small business website. It is written in plain English, as the ICO recommends.

Required by: UK GDPR (ICO)
Must be: Easily accessible on your website
Updated when: Your data practices change
ICO registration: £40–£60/year (most businesses)

Privacy policy template — copy and paste

PRIVACY POLICY

Last updated: [DD Month YYYY]

This privacy policy explains how [BUSINESS NAME] ("we", "us", "our") collects, uses and protects personal information when you visit our website at [WEBSITE URL] ("our website").

We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy is written in plain English to make it as clear as possible.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. WHO WE ARE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

[BUSINESS NAME] is the data controller for the personal data collected through this website.

Business name: [BUSINESS NAME]
Legal structure: [Sole trader / Limited company]
[Company number: [NUMBER] (if limited company)]
Address: [ADDRESS]
Email: [EMAIL ADDRESS]
[ICO registration number: [NUMBER] (if registered with the ICO)]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2. WHAT PERSONAL DATA WE COLLECT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

We may collect the following types of personal data:

Contact information: name, email address, phone number, and postal address when you contact us or submit an enquiry form.

Technical data: IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.

Usage data: information about how you use our website, including pages visited, time spent, and links clicked.

[Marketing data: your preferences in receiving marketing from us and your communication preferences. (Include only if you send marketing emails.)]

[Transaction data: details of products or services you have purchased from us. (Include only if you sell online.)]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
3. HOW WE COLLECT YOUR DATA
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

We collect data in the following ways:

Direct interactions: when you fill in a contact form, send us an email, or call us.

Automated technologies: when you visit our website, we may automatically collect technical and usage data using cookies and similar technologies. See our cookie notice below.

[Third parties: we may receive data about you from analytics providers (such as Google Analytics), advertising networks, and search information providers.]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4. HOW WE USE YOUR DATA
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

We use your personal data for the following purposes:

Purpose                            Lawful basis
─────────────────────────────────────────────────────────────
To respond to your enquiries       Contract / Legitimate interests
To provide our services to you     Contract
To send you marketing emails       Consent / Soft opt-in (existing customers)
To improve our website             Legitimate interests
To comply with legal obligations   Legal obligation
To analyse website usage           Legitimate interests (or Consent for cookies)

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
5. WHO WE SHARE YOUR DATA WITH
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

We may share your personal data with:

Service providers: companies that provide services to us, such as [website hosting, email marketing, payment processing, analytics]. These companies are only permitted to use your data to provide services to us, not for their own purposes.

[List specific providers if you know them, e.g.:
- Google Analytics (website analytics) — Google LLC
- Mailchimp (email marketing) — Intuit Inc.
- Stripe (payment processing) — Stripe Inc.]

Professional advisers: solicitors, accountants, and insurers who provide professional services to us.

Regulatory authorities: HMRC, the ICO, or other authorities where required by law.

We do not sell your personal data to third parties.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
6. INTERNATIONAL TRANSFERS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

[If you do not transfer data outside the UK, use this: We do not transfer your personal data outside the United Kingdom.]

[If you use US-based services like Google Analytics or Mailchimp: Some of our service providers are based outside the United Kingdom. Where we transfer data outside the UK, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or adequacy regulations.]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
7. HOW LONG WE KEEP YOUR DATA
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

We will only keep your personal data for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are:

Contact enquiries: [2 years] from the date of last contact
Customer records: [6 years] from the end of the business relationship (to comply with HMRC record-keeping requirements)
Marketing contacts: Until you unsubscribe or withdraw consent
Website analytics: [26 months] (Google Analytics default)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
8. YOUR RIGHTS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Under UK GDPR, you have the following rights:

Right of access: you can request a copy of the personal data we hold about you.

Right to rectification: you can ask us to correct inaccurate or incomplete data.

Right to erasure: you can ask us to delete your data in certain circumstances.

Right to restrict processing: you can ask us to restrict how we use your data in certain circumstances.

Right to data portability: you can ask us to provide your data in a machine-readable format.

Right to object: you can object to our processing of your data where we rely on legitimate interests.

Right to withdraw consent: where we rely on consent, you can withdraw it at any time.

To exercise any of these rights, please contact us at [EMAIL]. We will respond within one month. We do not charge a fee for reasonable requests.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
9. COOKIES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Our website uses cookies. A cookie is a small text file placed on your device when you visit a website.

Strictly necessary cookies: required for the website to function. These cannot be disabled.

[Analytics cookies: we use Google Analytics to understand how visitors use our website. These cookies collect anonymous information. We only set these cookies with your consent.]

[Marketing cookies: we use [service] to [purpose]. These cookies are only set with your consent.]

You can control cookies through your browser settings. Note that disabling certain cookies may affect website functionality.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
10. COMPLAINTS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

If you are unhappy with how we handle your personal data, please contact us first at [EMAIL] and we will do our best to resolve the issue.

You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
11. CHANGES TO THIS POLICY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

We may update this privacy policy from time to time. We will notify you of significant changes by posting a notice on our website or, where appropriate, by email.

This policy was last updated on [DD Month YYYY].

Section 01

How to use this template

Replace every item in square brackets with your own information. Delete any sections that do not apply to your business. The notes in square brackets are guidance — remove them from the final document.

  • Section 1 (Who we are): Add your business name, legal structure, address, and ICO registration number if you have one.
  • Section 2 (What data we collect): Remove any data types you do not collect. Add any types not listed.
  • Section 4 (How we use your data): Update the table to reflect your actual processing activities and lawful bases.
  • Section 5 (Who we share with): List the specific third-party services you use (Google Analytics, Mailchimp, Stripe, etc.).
  • Section 6 (International transfers): Choose the appropriate paragraph depending on whether you use US-based services.
  • Section 9 (Cookies): Update to reflect the cookies your website actually sets.
  • Publish the policy on your website with a clear link in the footer. Update the 'Last updated' date whenever you make changes.

Section 02

What UK GDPR requires in a privacy notice

UK GDPR Article 13 specifies the information you must provide when collecting personal data. This template covers all required elements.

  • Your identity and contact details.
  • The purposes and lawful basis for processing.
  • Legitimate interests pursued (if that is your lawful basis).
  • Recipients or categories of recipients of the data.
  • Details of any international transfers and safeguards.
  • Retention periods.
  • The individual's rights (access, rectification, erasure, portability, objection, restriction).
  • The right to withdraw consent (where consent is the lawful basis).
  • The right to complain to the ICO.
  • Whether providing data is a statutory or contractual requirement.
  • Details of any automated decision-making.

Section 03

Lawful basis — which one applies to you?

You must identify a lawful basis for each type of processing. The most common bases for small business websites are:

  • Contract: you need the data to fulfil a contract (e.g. processing an order, responding to an enquiry about your services).
  • Legitimate interests: you have a legitimate reason to process the data that is not overridden by the individual's rights (e.g. website analytics, fraud prevention).
  • Consent: the individual has actively agreed to the processing (e.g. signing up for a newsletter, accepting analytics cookies). Consent must be freely given, specific, informed, and unambiguous.
  • Legal obligation: you are required by law to process the data (e.g. keeping PAYE records).

Common questions

Frequently asked questions