What is a privacy policy and do I need one?
A privacy policy is a legal statement explaining what data you collect and how you use it. Yes — you need one if you collect any personal data (which basically every website does).
The short version
Under UK GDPR and the Data Protection Act 2018, if you collect any personal data (contact form submissions, cookies, email signups, analytics) you're legally required to have a privacy policy.
What it must include
- Who you are and how to contact you
- What personal data you collect
- Why you collect it (lawful basis)
- Who you share it with (analytics providers, hosting, email tools)
- How long you keep it
- User rights (access, deletion, correction, portability)
- How to complain (ICO details)
- How you handle international transfers
How to actually get one
For most SMBs, a generator template (Termly, iubenda, or your solicitor's version) is fine as a starting point. Then customise for your actual tools — GA4, Klaviyo, Mailchimp, Stripe, Meta Pixel, etc. must all be named.
Related requirements
Cookie consent banner (with reject-all option). Terms and Conditions page. If ecommerce: returns policy, delivery information, VAT info. If B2B: data processing agreements with subprocessors.
Where RIOT fits in
We're a small Colchester studio helping UK SMBs get their legal pages right without agency waste or freelancer flake. If you've read this far and you want a second opinion on your specific setup, book a 20-minute call and we'll tell you honestly whether it's worth doing anything at all.
We work with clients across Essex, Suffolk, London and the wider UK — and remotely with brands abroad. No lock-in, no monthly retainer minimums, no pretending your problem is bigger than it is.
Common questions
Can I copy someone else's privacy policy?
Legally risky and often inaccurate for your actual data flows. Use a template as a base and customise.
Do I need a cookie banner?
Yes, if you use any non-essential cookies (analytics, marketing, session recording). Reject-all must be as easy as accept-all.
Still not sure?
Book a free 20-minute call — we'll answer your specific version of this question with no sales pitch.