/ Business

What is a privacy policy and do I need one?

A privacy policy (the ICO calls it a privacy notice) is a statement explaining what personal data you collect, why, and what you do with it. Yes, you need one if you collect any personal data, and almost every website does: contact forms, newsletter signups, analytics identifiers and server logs all count.

/ 01

The short version

Under UK GDPR (Articles 13 and 14) and the Data Protection Act 2018, anyone who collects personal data must tell the people it belongs to what is being collected and why, at the point of collection. In practice that means a privacy policy. Contact form submissions, email signups, analytics identifiers and cookies that single out a visitor all count as personal data, so a site with any of them needs one.

/ 02

What it must include

  • Who you are and how to contact you (and your Data Protection Officer, if you have one)
  • What personal data you collect
  • Why you collect it, and the lawful basis for each purpose (consent, contract, legitimate interests, etc.)
  • Who you share it with (analytics providers, hosting, email tools, payment processors)
  • How long you keep it, or the criteria you use to decide
  • User rights (access, correction, deletion, restriction, objection, portability, and withdrawing consent where that is your lawful basis)
  • How to complain (your own contact route and the ICO's details)
  • How you handle international transfers (e.g. US-hosted analytics or email tools) and what safeguard you rely on

/ 03

How to actually get one

For most SMBs, a generator template (Termly, iubenda, or your solicitor's version) is fine as a starting point. Then customise it for the tools you actually run: GA4, Klaviyo, Mailchimp, Stripe, Meta Pixel and so on. UK GDPR lets you describe recipients by category, but naming the real tools is the simplest way to keep the notice accurate, and a notice that lists tools you no longer use (or misses ones you do) is the most common way these pages go wrong.

/ 04

Related requirements

Cookie consent banner (with a reject-all option, and one that actually holds back non-essential scripts until the visitor accepts). Terms and Conditions page. If ecommerce: returns policy, delivery information, VAT info. If B2B: a data processing agreement (Article 28 terms) with your clients, plus flow-down terms with any subprocessors you use.

/ 05

Where RIOT fits in

We're a small Colchester studio helping UK SMBs get their legal pages right without agency waste or freelancer flake. If you've read this far and you want a second opinion on your specific setup, book a 20-minute call and we'll tell you honestly whether it's worth doing anything at all.

We work with clients across Essex, Suffolk, London and the wider UK — and remotely with brands abroad. No lock-in, no monthly retainer minimums, no pretending your problem is bigger than it is.

/ FAQs

Common questions

Can I copy someone else's privacy policy?

Legally risky. It describes their data flows, not yours, so it will be inaccurate for your actual tools and purposes, and copying it wholesale may infringe their copyright. Use a template as a base and customise.

Do I need a cookie banner?

Yes, if you set any non-essential cookies (analytics, marketing, session recording). Under PECR, the UK cookie rules, those need consent before they are set, so the banner has to block the scripts until the visitor accepts rather than just announcing them. Reject-all must be as easy as accept-all: one click, same prominence, no digging through settings.
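The part most banners get wrong is the blocking: the consent UI appears, but GA4 or the Meta Pixel has already fired. The following is an added example (not RIOT's code, and not tied to any particular consent vendor) of the pattern that avoids that: non-essential tags are shipped as inert `<script type="text/plain" data-consent="...">` elements and only swapped for live scripts once their category has been granted; reject-all is a single call that grants nothing; and a missing or malformed consent cookie is treated as "no decision", which means the banner is shown and nothing non-essential loads. The cookie name, the category names and the 180-day re-ask period are assumptions.

```javascript
// Consent-gated loading of non-essential tags (analytics, marketing pixels).
// Added example, not the page's own code. Cookie name, category names and the
// 180-day retention are assumptions; the vendor tag snippets themselves are not shown.

const CONSENT_COOKIE = "cookie_consent";           // assumed cookie name
const NON_ESSENTIAL = ["analytics", "marketing"];   // assumed category set
const CONSENT_MAX_AGE = 180 * 24 * 3600;            // assumed: ask again after 180 days

// Record a decision. "reject_all" grants nothing and is one call, exactly like
// "accept_all". A "custom" choice keeps only categories we actually recognise.
function buildConsent(choice, picked = [], now = Date.now()) {
  let categories;
  if (choice === "accept_all") categories = [...NON_ESSENTIAL];
  else if (choice === "reject_all") categories = [];
  else if (choice === "custom") categories = picked.filter((c) => NON_ESSENTIAL.includes(c));
  else throw new Error(`unknown choice: ${choice}`);
  return { version: 1, decidedAt: now, categories };
}

// name=value pair suitable for document.cookie (attributes are added by the caller).
function serializeConsent(consent) {
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(consent))}`;
}

// Parse a document.cookie-style string. Anything missing, malformed or carrying
// an unknown category returns null, which callers treat as "no decision yet":
// banner shown, no non-essential script loaded. Fail closed, never open.
function parseConsent(cookieString) {
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const c = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      if (c && c.version === 1 && Array.isArray(c.categories) &&
          c.categories.every((x) => NON_ESSENTIAL.includes(x))) {
        return c;
      }
    } catch (_) { /* malformed: fall through to null */ }
    return null;
  }
  return null;
}

// Strictly necessary cookies never need consent; every other category is
// blocked unless it was positively granted.
function isAllowed(consent, category) {
  if (category === "essential") return true;
  return consent !== null && consent.categories.includes(category);
}

// Tags are shipped inert as <script type="text/plain" data-consent="analytics" src="...">
// (browsers ignore unknown script types) and are swapped for a real <script>
// only once their category is allowed. Returns how many were activated.
function activateScripts(doc, consent) {
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!isAllowed(consent, el.getAttribute("data-consent"))) continue;
    const live = doc.createElement("script");
    const src = el.getAttribute("src");
    if (src) live.src = src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}

// Browser wiring (skipped when run under Node). Assumes banner markup with
// buttons #accept-all and #reject-all rendered at equal prominence.
if (typeof document !== "undefined") {
  const stored = parseConsent(document.cookie);
  if (stored) {
    activateScripts(document, stored);
  } else {
    const decide = (choice) => {
      const c = buildConsent(choice);
      document.cookie = `${serializeConsent(c)}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
      activateScripts(document, c);
      document.getElementById("cookie-banner").hidden = true;
    };
    document.getElementById("accept-all").addEventListener("click", () => decide("accept_all"));
    document.getElementById("reject-all").addEventListener("click", () => decide("reject_all"));
    document.getElementById("cookie-banner").hidden = false;
  }
}
```

The decision record is versioned so that adding a category later (or changing what a category covers) can invalidate old consents and re-ask, which is also what you would do when the privacy policy itself changes materially.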

Still not sure?

Book a free 20-minute call — we'll answer your specific version of this question with no sales pitch.