How to Draft a Privacy Policy
A privacy policy is one of the most important legal documents for any organisation that collects personal data. This guide walks you through drafting a comprehensive, compliant privacy policy using Parachute - from initial setup to expert review.
If your organisation collects, stores, or processes personal data in any form, you need a privacy policy. This includes:
- Websites that use cookies or analytics
- Apps that collect user information
- SaaS products that store customer data
- Businesses with employee records
- E-commerce sites processing payment information
- Any organisation operating in jurisdictions with data protection laws
Before drafting, add relevant context to your Parachute knowledge base:
- Existing policies - upload any current privacy policies or data protection documents
- Data processing activities - describe what personal data you collect, how you process it, and where you store it
- Third-party services - list vendors and services that process data on your behalf (analytics, payment processors, cloud providers, CRM systems)
- Jurisdictions - ensure your organisation’s geographic settings are correct in Parachute
The more context Parachute has, the more specific and accurate your privacy policy will be.
Your privacy policy needs to comply with the data protection laws of every jurisdiction where you:
- Have customers or users
- Have employees
- Process personal data
- Are incorporated
Common frameworks include:
| Jurisdiction | Legislation | Key requirements |
|---|---|---|
| Australia | Australian Privacy Act 1988 | 13 Australian Privacy Principles (APPs), mandatory data breach notification |
| EU/UK | GDPR / UK GDPR | Lawful basis for processing, data subject rights, DPO requirements |
| California, US | CCPA/CPRA | Consumer rights to know, delete, opt-out of sale |
| Canada | PIPEDA | Consent requirements, limited collection principle |
Parachute handles multi-jurisdictional coverage automatically when you configure your jurisdictions in organisation settings.
Navigate to Documents and click New Document. Choose one of:
- Privacy Policy template - the fastest path. Parachute’s template includes all standard sections with conditional logic that adapts to your jurisdictions.
- AI-generated from description - describe your needs: “Draft a privacy policy for an Australian SaaS company that processes customer data and uses Google Analytics, Stripe, and AWS.”
A comprehensive privacy policy typically includes:
- Introduction - who you are, what the policy covers
- Information we collect - types of personal data collected (directly, automatically, from third parties)
- How we use your information - purposes and lawful bases for processing
- How we share your information - third parties, service providers, legal requirements
- Data retention - how long you keep personal data
- Your rights - jurisdiction-specific rights (access, deletion, portability, opt-out)
- Cookies and tracking - cookie usage, analytics, advertising technologies
- International transfers - if data moves across borders
- Children’s privacy - if applicable
- Changes to this policy - how updates are communicated
- Contact information - how to reach your privacy team or DPO
Review each section and update with your specific details:
- Replace placeholder names with your organisation’s legal name
- Add your actual data processing activities
- List your real third-party service providers
- Include your actual contact information and data protection officer (if applicable)
- Adjust language to match your brand voice
Click Review to run Parachute’s automated document review. The review checks for:
- Missing required sections for your jurisdictions
- Inconsistencies with your knowledge base
- Unclear or ambiguous language
- Legal gaps for each applicable regulation
Address any High or Medium severity issues before proceeding.
5. Request expert verification (recommended)
Section titled “5. Request expert verification (recommended)”For a privacy policy - which has legal implications and regulatory exposure - we strongly recommend expert verification. A qualified legal professional will:
- Verify alignment with applicable laws
- Identify issues Parachute may have missed
- Suggest improvements based on current case law and regulatory guidance
- Provide sign-off that gives your team confidence
Once finalised:
- Publish the privacy policy on your website
- Add to your knowledge base - so future documents reference it
- Set a review schedule - privacy policies should be reviewed at least annually, or whenever you change data processing activities, add new third-party services, or enter new jurisdictions
- Communicate changes - notify users when you make material changes
- Being too vague - “We may share your data with third parties” is not sufficient. Name the categories of third parties and the purposes.
- Copy-pasting from other companies - every organisation’s data practices are different. A copied privacy policy likely doesn’t reflect your actual practices.
- Forgetting jurisdiction-specific requirements - GDPR requires a lawful basis for processing. The Australian Privacy Act requires notification of overseas data transfers. Each jurisdiction has specific requirements.
- Not updating after changes - your privacy policy must reflect your current practices. If you add a new analytics tool, update the policy.
- Making it unreadable - plain language is increasingly a legal requirement. Avoid unnecessary jargon.
- AI Document Drafting - learn more about Parachute’s drafting capabilities
- Document Review - understand the automated review process
- Knowledge Base - keep your policies current for better AI output
Was this page helpful?