Compliance // free tool

UK GDPR privacy policy generator.
ICO-aligned. Free.

By Hasnat Mashhadi, Founder · Last reviewed 2026-06-17

Summary

A starter UK GDPR / Data Protection Act 2018 privacy policy, generated from your business type, the data you collect, and your sub-processors. Aligns with ICO guidance and PECR. Not a legal substitute for a solicitor on regulated work, but the right starting draft for most UK SMBs.

  • ICO-aligned structure: identity, legal basis, data, rights, retention.
  • Sub-processor disclosure block prebuilt for common UK SaaS stacks.
  • PECR-compliant marketing consent language.
  • Generates markdown you can paste into your website footer.
01 // Run it
Output (markdown)
# Privacy Policy

**Effective date:** 2026-06-18
**Data controller:** [Your Company Ltd], [Registered address, UK]
**Contact for data matters:** [email protected]

## 1. Who we are

[Your Company Ltd] is registered in England and Wales. We act as data controller for the personal data described in this policy, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

## 2. What data we collect

- Contact details (name, email, phone number)
- Payment data (handled by Stripe; we do not store full card numbers)
- Website usage data (anonymised IP, pages visited, referrer)
- Marketing consent records (timestamp, source, opt-in evidence) per PECR

## 3. Why we collect it (lawful basis)

We process personal data on the following lawful bases under Article 6 UK GDPR:

- **Contract** (Art. 6(1)(b)): to deliver the products and services you have requested.
- **Legitimate interests** (Art. 6(1)(f)): to operate, secure, and improve our service; to respond to enquiries; to prevent fraud.
- **Consent** (Art. 6(1)(a)): for marketing communications and non-essential cookies. You may withdraw consent at any time.
- **Legal obligation** (Art. 6(1)(c)): to comply with tax, accounting, and regulatory requirements.
## 4. How long we keep it

We retain personal data for **36 months** after the end of your relationship with us, except where a longer period is required by law (tax records: 6 years; medical records: 8 years for adults, and for under-18s until the patient turns 25 or 26).

## 5. Who we share it with (sub-processors)

We use the following sub-processors to deliver our service. Each is bound by a Data Processing Agreement that meets UK GDPR Article 28 requirements:

- Stripe (payments)
- Hetzner (hosting, EEA)
- Cloudflare (CDN)
- Anthropic (AI features)
- Voyage AI (embeddings)

We do not sell personal data. We do not share personal data with third parties for their own marketing.

## 6. International transfers

Where personal data is transferred outside the UK, we rely on UK-adequacy decisions, the International Data Transfer Agreement (IDTA), or equivalent safeguards under UK GDPR Article 46.

## 7. Your rights

Under UK GDPR you have the right to:

- Access the personal data we hold about you.
- Have inaccurate data corrected.
- Have your data erased (subject to lawful grounds for retention).
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent at any time.
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by post to Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

Requests should be sent to [email protected]. We will respond within one calendar month.

## 8. Cookies and tracking

We use essential cookies (required for the service to function) and analytics cookies (only with your consent). See our cookie policy for details.

## 9. Marketing communications

We send marketing communications only with your explicit opt-in consent, in line with PECR. You may unsubscribe at any time using the link in every marketing message or by emailing [email protected].

## 10. Changes to this policy

We will update this policy when our processing changes. The effective date at the top of this document reflects the most recent revision. Material changes will be notified by email where we have your contact details.

---

*This template is provided as a starting point. It does not constitute legal advice. Regulated activities (healthcare, financial services, children's data, large-scale automated decision-making) require professional legal review before publication.*

02 // What the number means

The privacy policy most UK SMBs ship and shouldn't

The default UK SMB privacy policy is a 2017 EU GDPR template lifted off Iubenda or Termly, with the company name find-and-replaced. It mentions the wrong regulator, references EU SCCs that are no longer the correct UK transfer mechanism, and lists sub-processors that haven't been the vendor of record for two years. The ICO does not enforce on cosmetics, but the gap between what your policy says and what your stack actually does is what gets you in trouble when a data-subject request lands.

What this generator includes

The ten sections the ICO expects in a UK GDPR privacy policy: identity of the controller, the categories of personal data, the lawful basis for each, retention period, sub-processor list, international transfer mechanism, data subject rights (with the ICO complaint route), cookie and marketing consent positions. The output is markdown, ready to paste into your website footer or a Notion docs site.

What this generator does not include (and why)

Three things are left out deliberately. Children's data provisions, because if you process under-13 data you have an Age Appropriate Design Code obligation that requires legal review. Automated decision-making disclosures, because if you run model-based decisions affecting customer rights you need Article 22 specific language reviewed by counsel. Regulated-sector language (healthcare beyond general clinic, financial services, insurance), because those carry sector-specific obligations the generator can't cover safely.

The right way to use this output

Generate the policy. Publish it. Set a calendar reminder to re-review every 12 months and after any change to your sub-processor list. Audit against your actual stack at least once a year; the most common compliance gap is shipping a new third-party tool and forgetting to add it to the policy. Tools that hold personal data (analytics, CRM, support inbox, email broadcaster, file storage) all need to be listed.

Where NuvenarHub fits

NuvenarHub captures customer data in the UK / EEA (Hetzner Helsinki), has a published DPA aligned to UK GDPR Article 28 (see /legal/dpa), and maintains a sub-processor list that updates when our vendors change. For operators who don't want to maintain a privacy policy themselves, hosting customer data inside NuvenarHub means you can reference our public DPA in your own policy and rely on our maintained processing chain rather than tracking it across twelve different vendors.

03 // FAQ

Is this generated policy enough for the ICO?

It is a good starting draft for an unregulated UK SMB SaaS, agency, e-commerce, consultancy, or general clinic. It includes the structure the ICO expects (identity, lawful basis, data categories, retention, rights, sub-processors). If your activity is regulated (healthcare beyond general clinic, financial services, children's data, large-scale profiling) you must have a solicitor review before publishing.

What's the difference between UK GDPR and EU GDPR for this policy?

Substantively very similar. UK GDPR has the same Article 6 lawful bases, the same data subject rights, and the same Article 28 sub-processor requirements. The differences are that the regulator is the ICO (not EU DPAs), the relevant act is the Data Protection Act 2018, and international transfers use the UK IDTA rather than EU SCCs. This generator produces UK-aligned policies; if you serve EU customers you also need to satisfy EU GDPR via separate disclosure.

Why does the generator pre-fill different sub-processors by business type?

Because most UK SMB SaaS businesses share a common stack (Stripe + Hetzner + Cloudflare), most UK clinics use Treatwell/Fresha + Stripe, and most agencies use Google Workspace + Slack. The pre-fill gets you 80% of the way; edit the list to your actual stack. Omitting sub-processors is the single most common cause of ICO complaints.

What retention period should I pick?

Three years (36 months) is a reasonable default for most service businesses. Tax records have a statutory 6-year minimum (HMRC). Medical records have specific rules (8 years for adults, longer for under-18s). Marketing-consent records should be kept for the lifetime of the consent plus a reasonable evidence period. When in doubt, default to 36 months and override for the specific categories that have legal minimums.

Does this cover cookie consent?

It references it. UK PECR requires explicit consent for non-essential cookies, which means you also need a cookie banner. This generator outputs the privacy policy text; the cookie banner is a separate UI implementation (we have a separate cookie policy template at /legal/cookies). For most UK sites the privacy policy explains what you collect; the cookie banner gets the actual consent.

Where does this fit in NUVENAR's product?

The standalone privacy policy generator is free and produces markdown. NuvenarHub Pro includes a maintained, UK GDPR-aligned privacy policy that updates when regulation changes, plus a built-in consent capture surface for PECR-compliant marketing opt-in. The generator is the starting point; the maintained policy is the long-term answer.

UK GDPR-aligned operations, out of the box.

NuvenarHub stores customer data in the EEA (Hetzner Helsinki), publishes a UK GDPR Article 28 DPA, and maintains the sub-processor list. 7-day free trial.