Privacy Policy Generator

Overview

Scans a website or application codebase to detect data collection signals — cookies, web forms, payment processors, analytics scripts, social media embeds, and third-party trackers — then generates a tailored privacy policy with 12 sections. Includes specific GDPR rights (7 individual rights), CCPA rights (6 consumer rights), and cookie consent banner text in both minimal and full GDPR formats.

The detection phase maps every data touchpoint to its legal basis and disclosure requirement, ensuring the generated policy accurately reflects actual data practices rather than relying on generic boilerplate.

Legal Disclaimer: This skill generates template documents for informational and educational purposes only. Generated privacy policies are not a substitute for legal advice. Data protection requirements vary by jurisdiction, industry, and data type. All documents should be reviewed by a licensed attorney and/or data protection officer before publication. No attorney-client relationship is created by using this tool.

Prerequisites

• A live website URL or local codebase to scan
• Knowledge of the business entity name and jurisdiction
• Understanding of what data is collected and why (the scan detects signals but cannot capture server-side-only processing)

Instructions

1. Scan for data collection signals. Use WebFetch on the target URL to detect:

   Signal Category	What to Look For
   Cookies	Set-Cookie headers, cookie consent banners, tracking pixels
   Analytics	Google Analytics, Mixpanel, Amplitude, Hotjar, Segment
   Forms	Contact forms, registration, login, newsletter signup
   Payments	Stripe, PayPal, Square, Braintree, payment form fields
   Social	Facebook Pixel, Twitter tags, LinkedIn Insight, social login
   Advertising	Google Ads, Facebook Ads, retargeting pixels
   CDN/Third-Party	Cloudflare, AWS CloudFront, Google Fonts, embedded iframes
   Chat/Support	Intercom, Zendesk, Drift, live chat widgets

2. If scanning a codebase instead, use Glob and Grep to find:

   • Cookie-setting code (

     document.cookie

     ,

     setCookie

     ,

     cookies

     middleware)
   • Analytics initialization (

     gtag

     ,

     analytics.track

     ,

     mixpanel.init

     )
   • Form handlers and data submission endpoints
   • Payment SDK imports and configurations
   • User model/schema definitions showing stored fields
   • Environment variables referencing third-party API keys

3. Classify data types collected. Map detected signals to data categories:

   • Identifiers (name, email, phone, address)
   • Financial (payment card, bank account, transaction history)
   • Technical (IP address, device info, browser fingerprint)
   • Behavioral (browsing history, click patterns, purchase history)
   • Content (user uploads, messages, reviews)
   • Sensitive (health, biometric, political — flag these for special handling)

4. Determine legal bases (GDPR). For each data category, assign:

   • Consent — marketing emails, non-essential cookies, analytics
   • Contract — account data, payment processing, service delivery
   • Legitimate interest — security logs, fraud prevention, basic analytics
   • Legal obligation — tax records, regulatory reporting

5. Generate the 12-section privacy policy:

   #	Section	Covers
   1	Introduction	Who the company is, what this policy covers
   2	Information We Collect	Data types, collection methods, sources
   3	How We Use Your Information	Purposes mapped to legal bases
   4	Cookies & Tracking	Cookie types, duration, opt-out mechanisms
   5	Information Sharing	Third parties, categories, purposes
   6	Data Retention	How long each data type is kept
   7	Your Rights Under GDPR	7 specific rights with exercise instructions
   8	Your Rights Under CCPA	6 specific rights with exercise instructions
   9	Data Security	Technical and organizational measures
   10	International Transfers	Cross-border data flow safeguards
   11	Children's Privacy	Age restrictions, COPPA compliance
   12	Contact & Updates	DPO contact, policy change notification

6. Detail GDPR rights (Section 7). Include all seven with exercise instructions:

   1. Right of Access (Article 15) — request a copy of personal data
   2. Right to Rectification (Article 16) — correct inaccurate data
   3. Right to Erasure (Article 17) — "right to be forgotten"
   4. Right to Restrict Processing (Article 18) — limit data use
   5. Right to Data Portability (Article 20) — receive data in machine-readable format
   6. Right to Object (Article 21) — object to processing based on legitimate interest
   7. Rights Related to Automated Decision-Making (Article 22) — opt out of profiling

7. Detail CCPA rights (Section 8). Include all six:

   1. Right to Know — what personal information is collected
   2. Right to Delete — request deletion of personal information
   3. Right to Opt-Out — "Do Not Sell or Share My Personal Information"
   4. Right to Non-Discrimination — equal service regardless of rights exercised
   5. Right to Correct — correct inaccurate personal information
   6. Right to Limit Use of Sensitive Information — restrict sensitive data processing

8. Generate cookie consent banner text. Two versions:

   • Minimal (US): Brief notice with link to full policy
   • Full GDPR: Granular consent with necessary/analytics/marketing toggles

9. Tag assumptions. Insert

   [VERIFY]

   for any data practice inferred from signals but not confirmed by the user (e.g.,

   [VERIFY: Google Analytics detected — confirm if IP anonymization is enabled]

   ).

10. Write the output file using the naming convention below.

Output

Generate a single Markdown file named

PRIVACY-POLICY-{company}-{YYYY-MM-DD}.md

with:

# Privacy Policy
**{Company Name}**

**Last Updated:** {date}
**Effective Date:** {date}

---

## Data Collection Summary
| Data Type | Source | Legal Basis | Retention |
|-----------|--------|-------------|-----------|
{table of all detected data points}

---

## 1. Introduction
{formal legal text}

> **Plain English:** {simple explanation}

{... sections 2-12 ...}

---

## Cookie Consent Banner Text

### Minimal Version (US)
{banner text}

### Full GDPR Version
{banner text with granular consent options}

---

**[VERIFY] Tags Summary:**
{numbered list of assumptions}

**Detection Results:** {count} data signals detected across {count} categories
**Generated by:** Legal Assistant Plugin — Not a substitute for legal counsel.

Error Handling

Error	Cause	Solution
Website unreachable	URL down or behind authentication	Ask for a description of data practices or codebase path
No data signals detected	Static site with no tracking	Generate minimal policy covering server logs and hosting
Sensitive data detected	Health, biometric, or financial data	Flag for enhanced protection; recommend DPO consultation
Multiple jurisdictions	Global audience detected	Include both GDPR and CCPA sections, add [VERIFY] for others
Server-side processing invisible	Cannot detect backend data flows	Ask user to describe server-side data collection
Third-party script unrecognized	Unknown tracking pixel or SDK	List as "unidentified third-party service" with [VERIFY]

Examples

Example 1: SaaS with Analytics and Payments

Request: "Generate a privacy policy for https://example-app.com"

Result:

PRIVACY-POLICY-ExampleApp-2026-04-02.md

detecting:

• Google Analytics 4 (behavioral data, IP address)
• Stripe payment processing (financial data)
• Intercom chat widget (identifiers, conversation content)
• HubSpot forms (email, name, company)
• 12-section policy with GDPR + CCPA rights
• Cookie consent banner in both formats
• 6 [VERIFY] tags for server-side assumptions

Example 2: Content Blog with Newsletter

Request: "Create privacy policy for my WordPress blog with Mailchimp newsletter"

Result:

PRIVACY-POLICY-MyBlog-2026-04-02.md

detecting:

• WordPress cookies (session, comment author)
• Mailchimp email collection (consent-based)
• Google Fonts (IP address to Google servers)
• Simplified policy focusing on minimal data collection
• GDPR consent basis for newsletter subscription

Resources

• ICO Privacy Notice Code of Practice — UK data protection authority
• California Attorney General CCPA Guidance — Official CCPA regulations
• FTC Data Security Guidance — Federal data protection standards
• GDPR Full Text (EUR-Lex) — Official GDPR regulation
• NIST Privacy Framework — US government privacy standards
• CommonPaper DPA — CC BY 4.0 data processing terms