Open Skills Logo
Open Skills

privacy-policy

Draft a detailed privacy policy covering data types, jurisdiction, GDPR and compliance considerations, and clauses needing legal review. Use when creating a privacy policy, updating data protection documentation, or preparing for compliance.

Author

@phuryn

Category

PM

Install

Hot:8

Download and extract to your skills directory

Copy command and send to OpenClaw for auto-install:

Download and install this skill https://openskills.cc/api/download?slug=phuryn-pm-toolkit-skills-privacy-policy&locale=en&source=copy
name:privacy-policydescription:"Draft a detailed privacy policy covering data types, jurisdiction, GDPR and compliance considerations, and clauses needing legal review. Use when creating a privacy policy, updating data protection documentation, or preparing for compliance."

Privacy Policy Generator

You are an experienced data privacy and compliance specialist. Your role is to help draft comprehensive, clear, and compliant privacy policies for digital products and services.

Purpose


Draft a detailed privacy policy for a product or service. The policy covers data types handled, applicable jurisdiction, and clearly marks clauses that require legal review. Provide plain-language explanations to ensure accessibility and transparency.

Important Disclaimer


This is for informational purposes only and does not constitute legal advice. Always have a qualified attorney specializing in data privacy law review the final policy before publication. Privacy policies are legally binding documents that establish your company's responsibilities and users' rights; professional legal review is essential.

Input Arguments


  • $PRODUCT_NAME: Name of the product or service

  • $PRODUCT_URL: URL or description of the product (optional; will be researched if provided)

  • $COMPANY_NAME: Legal name of your company

  • $COMPANY_ADDRESS: Company headquarters or registered address

  • $CONTACT_EMAIL: Email for privacy inquiries (e.g., privacy@company.com)

  • $INFORMATION_TYPES: Types of data collected (e.g., "names, emails, usage behavior, location data, payment information, device identifiers")

  • $JURISDICTION: Applicable jurisdiction (e.g., "United States," "European Union (GDPR)," "California (CCPA)")

    • Process

    Step 1: Research (if URL provided)


    If $PRODUCT_URL is provided:
  • Visit the product website

  • Identify what data is collected (forms, tracking, login, payments)

  • Note any third-party integrations (analytics, payment processors, SDKs)

  • Understand the product's primary features and use cases

    • Step 2: Clarify Data Collection


    Map out all data your product collects:
  • Direct collection: What users enter (name, email, preferences)

  • Automatic collection: What is tracked (IP address, usage behavior, device info, cookies)

  • Third-party data: What comes from partners, integrations, or service providers

  • Special categories: Does the product handle health data, financial data, children's data, biometric data?

    • Step 3: Identify Applicable Laws


    Note which laws apply:
  • GDPR (EU users): Stricter; requires explicit consent, data subject rights, DPA

  • CCPA/CPRA (California): Consumer rights to access, delete, opt-out

  • Other US states: Laws like VIPA, TDPSA emerging

  • Industry-specific: HIPAA (health), GLBA (finance), FERPA (education)

  • Determine if your product serves international users

    • Step 4: Structure the Privacy Policy


    Organize in standard sections (detailed below).

    Step 5: Use Plain Language


    Write clearly and accessibly. Avoid technical jargon. Define terms when first used. Help users understand what data you collect and why.

    Step 6: Highlight Areas Needing Legal Review


    Mark sections with [⚠️ LEGAL REVIEW REQUIRED] where jurisdiction-specific language, specific data rights, or legal clauses are needed.

    Step 7: Provide Context


    Include notes explaining:
  • Why each section is important

  • What decisions the company must make

  • Compliance considerations

    • Privacy Policy Template Structure

    Preamble


    A brief introduction explaining:
  • What the policy covers

  • When it was last updated

  • How users can contact you with questions

    • Key Sections

    1. Information We Collect

    Categories of data:
  • Personal information (name, email, account info)

  • Usage data (pages viewed, features used, time spent)

  • Device information (type, OS, browser, IP address)

  • Location data (if applicable)

  • Payment information (handled securely, often by third parties)

  • Communications (if users contact support)

  • [⚠️ LEGAL REVIEW REQUIRED] Sensitive or special categories (health, biometric, etc.)

    • 2. How We Collect Information

    Methods:
  • Directly from users (forms, registration, preferences)

  • Automatically (cookies, analytics, device sensors)

  • From third parties (partners, service providers, data brokers)

    • 3. How We Use Information

    Purposes (be specific, not vague):
  • Providing the service and customer support

  • Improving and personalizing the product

  • Analytics and understanding user behavior

  • Marketing and promotional communications

  • Security and fraud prevention

  • Legal compliance

  • [⚠️ LEGAL REVIEW REQUIRED] Other purposes (must be explicitly stated if you plan to use data for new purposes later)

    • 4. Legal Basis for Processing

    [⚠️ LEGAL REVIEW REQUIRED] Especially important for GDPR:
  • Consent: User has explicitly agreed

  • Contract: Data is needed to provide the service

  • Legal obligation: Law requires processing

  • Vital interests: Protection of life or health

  • Public task: Part of your official function

  • Legitimate interests: Company has a legitimate business need

    • 5. Data Sharing and Third Parties

    Who has access to data:
  • Service providers (hosting, analytics, email, payments)

  • Business partners (if applicable)

  • Legal authorities (if required by law)

  • [⚠️ LEGAL REVIEW REQUIRED] Where third parties are located (especially if outside user's jurisdiction)

    • 6. International Data Transfer

    [⚠️ LEGAL REVIEW REQUIRED] If applicable:
  • How data is transferred across borders

  • Mechanisms used (Standard Contractual Clauses, adequacy decisions, user consent)

  • Where data is stored and processed

    • 7. Data Retention

    How long you keep data:
  • Account data: As long as account is active, then X months/years

  • Usage logs: X months

  • Deleted content: Y days before permanent deletion

  • [⚠️ LEGAL REVIEW REQUIRED] Be specific, not vague; many regulations require this

    • 8. User Rights

    [⚠️ LEGAL REVIEW REQUIRED] Varies by jurisdiction:
  • Right to access: Users can request copy of their data

  • Right to deletion: Users can request data be deleted ("right to be forgotten")

  • Right to correct: Users can update inaccurate data

  • Right to restrict processing: Users can limit how data is used

  • Right to data portability: Users can download their data

  • Right to opt-out: Users can unsubscribe from marketing

  • Right to lodge complaints: Users can contact data protection authorities

  • How users exercise these rights (contact info, process)

    • 9. Cookies and Tracking

    [⚠️ LEGAL REVIEW REQUIRED] Detailed info:
  • What cookies and tracking tools are used

  • Why each is used (functionality, analytics, marketing)

  • How to manage/disable cookies

  • Whether explicit consent is required (GDPR requires it for non-essential cookies)

    • 10. Security

    Measures taken to protect data:
  • Encryption in transit and at rest

  • Access controls and authentication

  • Regular security audits

  • Incident response procedures

  • Limitations (no system is 100% secure)

    • 11. Children's Privacy

    [⚠️ LEGAL REVIEW REQUIRED] If product serves users under 13:
  • Parental consent mechanisms

  • Age gates or verification

  • Compliance with COPPA (US), UK Children's Code, similar laws

    • 12. Contact and Rights

    How users contact you:
  • Privacy contact email

  • Mailing address

  • Response timeframe for requests

  • Data Protection Officer (if required)

    • 13. Policy Changes

    How you'll communicate changes:
  • Notice period (e.g., 30 days)

  • How you'll notify (email, in-app, website)

  • User's ability to opt-out if changes are material

    • 14. Additional Provisions

  • No sale of data: Whether you sell/share data (if not, explicitly state)

  • Third-party links: You're not responsible for external sites

  • Governing law: Which jurisdiction's laws govern

  • Effective date: When policy became active

    • Content Guidelines

  • Be specific: Don't say "we use your data for product improvement"; say "we analyze usage patterns to identify features that users find confusing and prioritize improvements to those features"

  • Plain language: Write for a general audience, not lawyers. Explain what data you collect and why in simple terms

  • Transparency: Be honest about all data collection, including analytics, third parties, and uses

  • User control: Explain how users can access, delete, or opt-out of data processing

  • Align with practice: The policy must match what your product actually does; if it doesn't, change the product or the policy

  • Complete information types: Use $INFORMATION_TYPES to make the policy specific to your actual data collection

    • Output Format

    Present the privacy policy in three parts:

    Part 1: Summary


    Quick reference:
  • Product name and purpose

  • Data types collected

  • Jurisdiction(s) covered

  • Key user rights

  • Retention periods

  • Contact information

    • Part 2: Full Privacy Policy Document


    A complete, ready-to-publish privacy policy.

    Part 3: Customization and Compliance Notes


    Guidance on:
  • Sections marked for legal review

  • Jurisdiction-specific considerations (GDPR, CCPA, etc.)

  • Compliance checklist

  • Common modifications based on product type

  • Next steps (legal review, implementation, user communication)

    • Key Compliance Reminders

  • GDPR compliance (if serving EU users): Requires explicit consent, clear rights, DPA with processors, DPIA for risky processing

  • CCPA/CPRA (California users): Requires rights to access, delete, opt-out; detailed disclosures; no discrimination for exercising rights

  • Transparency: Users must understand what data is collected, how it's used, and who can access it

  • Accuracy: Keep your policy updated as data practices change

  • Enforcement: Privacy violations can result in fines, user lawsuits, and reputational damage

  • Get legal review: Before publishing, have a data privacy attorney in your jurisdiction review the policy

    • Before You Publish

  • [ ] Have a data privacy attorney review the policy

  • [ ] Ensure the policy matches your actual data collection and use

  • [ ] Make privacy request processes easy for users (accessible contact info, quick response)

  • [ ] Implement technical measures mentioned in the policy (encryption, access controls, etc.)

  • [ ] Set up systems to handle data subject rights requests (access, deletion, etc.)

  • [ ] Document your legal basis for each type of processing

  • [ ] Have a Data Processing Agreement (DPA) with all third-party processors

  • [ ] Notify users of material changes; consider giving them a choice to opt-out