Drafting your startup's privacy policy: A step-by-step guide
Editor's note: We've partnered with technology company Atticus AI to provide insights on complex legal topics such as brand rights, contracts, and policies to benefit the Polywork community.

A privacy policy is a legal document explaining how a company handles user data. This may include personal details like names and addresses, as well as browsing patterns and purchase history.

Here, we outline how to create your very own privacy policy. Throughout this post, we’ll use 1Password’s privacy policy as a model: it is clear, concise, and among the highest scorers against our Privacy Scout rubric (you can view our analysis of 1Password’s privacy policy here).

Privacy policies: An introduction

Privacy policies are consumer-facing documents. They are typically written in plain language and free of legal jargon. It is important for privacy policies to be made easily accessible, for instance, in a website’s footer.

A privacy policy is required by law for almost every company that handles user data. In the EU, this is notably governed by GDPR (General Data Protection Regulation). In the U.S., this is notably governed by CCPA (California Consumer Privacy Act), COPPA (Children’s Online Privacy Protection Act), among others.

A privacy policy typically begins with a short introduction. It explains who the company or service provider is and the general philosophy encapsulated in their privacy policy. Your introduction should include a description of your company or service, your company’s stance towards user data, and a high-level description of how your company uses user data.

Here’s what 1Password’s Introduction looks like:

1Password is a Canadian company located at 4711 Yonge St, 10th Floor, Toronto, Ontario, M2N 6K8, Canada. At 1Password, we believe that the less information we know about you, the better. After all, it is impossible to lose, misuse, or abuse information we don’t have. To the extent that we have control over your data or data about you, we see ourselves as custodians of that data on your behalf.

We use your data solely to provide you with Services in which you enroll and to provide you an enhanced user experience when you visit our Website. Our business is providing 1Password products and Services to you, the customer. We have no desire or interest to use or transfer the limited data we acquire for any other purposes.

Data collection & usage

After the introduction comes the real content of the privacy policy, beginning with a list of all data that your company collects (or plans to collect) from users and how it uses that data.

Transparency and detail are key here. Your policy should list all the types of personal data you gather, such as names, email addresses, browsing habits, IP addresses, and any other user-specific information. You should also explain how each kind of data is used by your company or service.

For example, if you use Rollbar for error monitoring, you might explain how the user’s IP address, operating system, and device make and model are collected, and how that information may be used to debug errors in the system to provide a better user experience.

Here’s an excerpt of 1Password’s description of the data it collects:

We process two kinds of user data to deliver our services: (i) Secure Data and (ii) Service Data.

Secure Data are the data that we are not capable of decrypting under any circumstance. It includes all information stored within vaults in 1Password accounts. These data are encrypted using secure cryptographic keys that exist only in the possession and under the control of our customers. We have no way of accessing or providing decrypted Secure Data, and we never receive copies of unencrypted Secure Data.

We inevitably acquire Service Data about your usage of 1Password, your account, and your payments through operating our services. Service Data are kept confidential. It is visible to our staff and includes, but is not limited to, server logs, billing information, client IP addresses, number of vaults and number of items in vaults, company or family name, and email addresses.

As long as you are using our services, we retain the right to hold and use Service Data to provide our services, troubleshoot problems, analyze the performance and demands on our services, and to provide our payment processors with the information they need to process payments.

Data sharing

These days, it is not uncommon for user data to be shared with third parties. This may be necessary for a critical service, such as passing credit card information to a payment processor. But it may also be for non-critical functionality, like serving targeted advertisements.

Users in California and the EU have the right to not have their data shared for purposes non-critical to the core offering of a company or service. Depending on the size of your company and where your users are located, failure to comply with this may grant the consumer the right to sue your company for user data violations.

Here’s an excerpt from 1Password’s policy:

Agents or contractors of 1Password may have access to your personal information for the purpose of performing services on behalf of 1Password. All such agents or contractors who have access to your personal information have Data Processing and Confidentiality obligations to keep the information confidential and not use it for any other purpose than to carry out the services they are performing for 1Password.

Unless We tell you otherwise, or unless otherwise stated in this Privacy Policy or required by law, We do NOT sell or rent your personal information to any third parties. However, We might share your personal information with Our service providers, such as Our hosting services providers.

User rights

Next, your policy should clearly explain what rights your users have over any personal data collected by your systems. With the passing of GDPR, companies with users in the EU have little room for negotiation. GDPR makes it very clear: EU citizens have the right to access, update, delete, and download all data a company has collected about them.

Here’s an excerpt from 1Password:

Data Portability

You may export your 1Password data at any time you wish during the life of your account. If you discontinue payment, your account will enter a frozen (read-only) state for a period not less than six months during which you may still retrieve and export your data.

Your Right to Know What We Know

You have the right to know what we know about you and to see how that data is handled. You may request a screenshot of what we can see about you in our back office systems. However, to protect customer privacy, such requests must be carefully authenticated beyond demonstrating control of the customer’s email address.

Your Right to Have Your Data Erased

As we are merely custodians of your data, account owners have the right to instruct us to remove data permanently from our systems. To ensure that no one’s data is deleted without their consent, you must first delete your account through an authenticated session. After your account has been deleted, the account owner may contact us and ask for the data to be expunged. Once the request is authenticated, the data will be removed from our active systems within 72 hours.

Data security

Your policy should detail any data security practices you implement to secure user data. For example, sensitive user information may be encrypted before being stored. Or user information may have strict access controls, limiting the number of company employees who can access user data.

1Password’s data security practices are described throughout their policy; here are some excerpts:

Secure Data are the data that we are not capable of decrypting under any circumstance. It includes all information stored within vaults in 1Password accounts. These data are encrypted using secure cryptographic keys that exist only in the possession and under the control of our customers. We have no way of accessing or providing decrypted Secure Data, and we never receive copies of unencrypted Secure Data.

We understand and accept our responsibility to protect Service Data and Secure Data. We use strict access control mechanisms, network isolation, and encryption to ensure that Secure and Service Data is only available to authorized personnel. Additionally, Secure Data cannot be decrypted even by those who do have access to it.

Child data policy

Your policy should describe the minimum age required to access your services. For services intended for users below the age of 16, you must provide a method for verifiable parental consent to be obtained. For example, this can be by requiring a credit card number to be provided on account creation.

Usually, the easiest way to comply with this requirement is by stating an age restriction for using your service, as 1Password has done:

Those under the age of 16 may not use the services without the consent or authorization of their parent or legal custodian. Family account organizers and team owners are responsible for that authorization when they add someone under the age of 16 to an account.

Data breach notification

In the event of a data breach, EU citizens have the right to be notified within 72 hours. Your policy should describe what your planned response will be in the event of such a breach.

This is 1Password’s policy:

In an event of a breach, we recognize our responsibility to our customers and to the public to disclose the nature of the risk and provide a transparent account of the events without undue delay. We follow applicable requirements under the laws, that is, the Canadian data privacy breach notification requirements and the requirements related to data breach notification under the GDPR.

Privacy Policy changes

Your privacy policy should outline how and when the policy might be updated and the method of informing users about these changes. Your privacy policy must be updated if you change what data you collect or how it’s used, if new laws are passed in any relevant jurisdiction, or if you enter new markets with different privacy laws.

Any changes to your privacy policy should also be made available, either through a changelog or through a public archive.

1Password keeps a detailed change log of their privacy policy changes, along with this excerpt:

At our discretion, we may make changes to this Policy and note the date of the last revision. You should check here frequently if you need to know of updates to our Privacy Policy. We maintain the right to send you an email informing you of substantive changes. Previous versions will be made available from this page.

Contact information

Lastly, your privacy policy should include contact information for users with any questions or concerns about how their data is handled. If your company collects particularly sensitive information (like health data, or racial data), GDPR may necessitate that you appoint a Data Protection Officer, responsible for informing and advising the organization and its employees in their compliance with GDPR.

1Password provides their company address and an email address for inquiries.

Drafting a privacy policy: Final thoughts

Creating a privacy policy can be confusing and intimidating, but we hope that after reading this article, you have a clearer idea of the fairly sensible aims behind a privacy policy. Users have the right to know how companies collect and utilize their personal information, who that information is shared with, and how it is secured. Writing a thoughtful privacy policy is the first step in building a long-lasting and trusting relationship with your users.

We built Privacy Scout, a privacy policy analyzer, to help both consumers and companies understand and navigate privacy policies. Privacy Scout analyzes any privacy policy on the web in plain English, tells you what may be missing, and finally assigns a score, so you can easily compare it with others.

Once you’ve created your own privacy policy, you can upload it to our platform to see how it compares with others.

Disclaimer: The information in this article is for general informational purposes only and is not legal advice. Consult with a qualified attorney for advice regarding your individual situation.