Privacy Policy Drafting · GDPR · DPDPA · CCPA

Privacy Policy Drafting for Websites, Apps, and SaaS Platforms

Custom privacy policies drafted by lawyers, compliant with the GDPR, the UK GDPR, India’s DPDPA, and California’s CCPA. For websites, mobile apps, SaaS, and every platform that collects personal data. Paired with cookie policy and terms. Fixed fees, 24 to 48 hours.

Tell us what data you collect. Get a fixed-fee quote in under 2 hours.

    Share what your platform does, what personal data it handles, and which jurisdictions your users are in. A contract lawyer from our team will assess which documents you need (privacy policy, cookie policy, data processing agreement) and respond with a precise quote and timeline.

Most privacy policies are drafted in 24 to 48 hours. A complete privacy and data pack in 3 to 5 days.

Or reach us directly
WhatsApp +91 8004800100 · contact@mylegalpal.com



    GDPR · EU
    UK GDPR
    DPDPA · India
    CCPA / CPRA · US
    Privacy Act · Australia
    PDPA · Singapore

    A privacy policy is the one legal document you cannot skip.

    Your terms and conditions are strongly advisable. Your privacy policy is legally mandatory from the moment your website, app, or platform collects any personal data, which in practice is the moment it goes live. A contact form, an analytics script, a sign-up field, a cookie: each one triggers a legal obligation to tell users what you collect, why, and what rights they have.

    My Legal Pal drafts privacy policies for websites, mobile apps, SaaS platforms, and digital services that comply with the regulations that actually apply to you: the EU’s General Data Protection Regulation (GDPR), the UK GDPR, India’s Digital Personal Data Protection Act, 2023 (DPDPA), California’s CCPA and CPRA, Australia’s Privacy Act, and Singapore’s PDPA. Drafted by a contract lawyer for your specific data practices, not generated from a template that names regulations it does not actually implement.

    Privacy policies do not stand alone. Most platforms need a matching cookie policy, and where you process data on behalf of business customers, a data processing agreement. We draft these as a consistent set alongside your terms so every document references the others correctly.

    A generated privacy policy that names the GDPR but does not actually implement its requirements is worse than none: it represents compliance you do not have, which is exactly what a regulator looks for.

    How we draft your privacy policy

    From a data audit to launch-ready documents, with internal review at every stage.

    Data mapping

    What personal data you collect, from whom, how, and why. The foundation of any compliant policy and the step templates skip.

    Applicable law

    Which regulations bind you, based on where your users are and what data you handle. Usually more than one.

    Drafting by a lawyer

    A policy that actually implements the applicable requirements: lawful basis, rights, retention, transfers, sharing.

    Internal review

    Cross-checked against your terms, cookie policy, and any DPA for consistency and genuine compliance.

    Delivery and walkthrough

    Plain-language summary of your obligations and what you must actually do, not just publish, to stay compliant.

    Revisions and launch

    Adjusted to your feedback, delivered ready to publish and to satisfy app store privacy disclosures.

    What do you need a privacy policy for?

    Select your platform or the regulation you need to meet. We will tell you what the policy must cover, the timeline, and what comes next.

    What a compliant privacy policy must actually contain.

    A generated template lists generic sections. A compliant policy implements the specific obligations of the laws that apply to you. At minimum, ours address the following.

    The personal data you collect

    Specific categories, not vague generalities. Identity data, contact data, financial data, technical and usage data, marketing preferences. Regulators expect specificity; “we collect data to improve our service” is not compliant.

    The lawful basis for processing

    Under the GDPR and UK GDPR, every processing activity needs one of six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Naming the correct basis for each activity is a core requirement that templates almost never do properly.

    Purpose and data minimisation

    Why you collect each category of data, and the principle that you collect only what you need for that purpose. Collecting data “in case it is useful later” is a compliance failure under most modern frameworks.

    Data subject and data principal rights

    The rights users have: access, rectification, erasure (the right to be forgotten), portability, objection, and restriction under GDPR; the equivalent rights of data principals under India’s DPDPA; the right to know, delete, and opt out under CCPA. The policy must explain how users exercise them and how you respond.

    Data sharing and third parties

    Who you share data with (payment processors, analytics providers, cloud hosts, marketing tools) and on what basis. Each third party that processes personal data on your behalf needs a data processing agreement, which the policy should reference.

    International data transfers

    If you transfer personal data across borders (almost every platform does, via cloud hosting alone), the policy must identify the transfer mechanism: adequacy decisions, Standard Contractual Clauses (SCCs), or equivalent safeguards. A frequent and serious gap in template policies.

    Retention periods

    How long you keep each category of data and the criteria for deletion. “We keep data as long as necessary” is insufficient; the policy should give real retention logic.

    Security measures

    The technical and organisational measures you take to protect personal data. Required disclosure under most frameworks, and a genuine commitment a regulator can hold you to.

    Cookies and tracking

    The relationship with your cookie policy and consent mechanism. Under the GDPR and UK GDPR, non-essential cookies require prior consent, which the policy and the consent banner must work together to obtain.

    Privacy policy questions people actually ask.

    Is a privacy policy legally required?

    Yes, in almost every case. The moment your platform collects any personal data (a name, an email, an IP address, a cookie identifier), you trigger a legal obligation to have a privacy policy under whichever data-protection law applies to you. The GDPR, UK GDPR, India’s DPDPA, California’s CCPA, Australia’s Privacy Act, and Singapore’s PDPA all require it. Unlike terms and conditions, which are advisable but not always mandatory, a privacy policy is legally required from the moment you collect data.

    What is the difference between a privacy policy and terms and conditions?

    A privacy policy is a disclosure document about personal data: what you collect, why, how you use it, who you share it with, and what rights users have. Terms and conditions are the contract governing how users may use your platform: acceptable use, IP, payment, liability, termination. They do different jobs and most platforms need both. The privacy policy is mandatory; the terms are strongly advisable.

    Do I need a GDPR privacy policy if my business is not in Europe?

    Quite possibly yes. The GDPR applies based on where your users are, not where your business is. If you have visitors, customers, or users in the EU, or you monitor the behaviour of people in the EU (which analytics often does), the GDPR can apply to you regardless of where you are incorporated. The same extraterritorial logic applies to the UK GDPR and, increasingly, to India’s DPDPA and California’s CCPA.

    What is the difference between GDPR, DPDPA, and CCPA?

    Three data-protection regimes with overlapping but distinct requirements. The GDPR (EU) and UK GDPR are the most prescriptive: six lawful bases, broad data subject rights, strict transfer rules, large fines. India’s DPDPA, 2023 is consent-centric, with a data-principal rights framework and a consent-manager model unique to India. California’s CCPA and CPRA focus on the right to know, delete, and opt out of the sale or sharing of personal information. A platform with global users often needs a policy that satisfies all three at once, which is what we draft.

    Can I use a free privacy policy generator?

    A generator produces a template that lists sections but does not implement the law for your actual data practices. It will name the GDPR without correctly assigning lawful bases, claim CCPA compliance without a working opt-out, and reference data it has no idea whether you collect. For a hobby site this may be tolerable. For any platform handling user accounts, payments, health or financial data, or operating in regulated markets, a generated policy represents compliance you do not actually have, which is the precise thing that turns a data incident into a regulatory penalty.

    Do I need a cookie policy as well as a privacy policy?

    If your site uses non-essential cookies (analytics, marketing, advertising), yes. Under the GDPR and UK GDPR, non-essential cookies require prior consent obtained through a compliant consent banner, and a cookie policy explaining what cookies you use and why. The cookie policy and the privacy policy are separate but linked documents; we draft them together so they align.

    What is a Data Processing Agreement and do I need one?

    A data processing agreement (DPA) is a contract required under GDPR Article 28 whenever one party processes personal data on behalf of another. If you are a SaaS platform processing your customers’ data, your enterprise customers will require a DPA from you. If you use vendors who process data for you (cloud hosting, email tools, analytics), you need a DPA with them. It is distinct from the privacy policy and frequently requested during enterprise sales and procurement.

    What happens if I do not have a compliant privacy policy?

    Exposure on several fronts: regulatory penalties (GDPR fines reach into the millions; DPDPA penalties are significant; CCPA carries per-violation statutory damages), app store rejection for mobile apps, failed enterprise procurement reviews, and loss of user trust. The cost of a properly drafted policy is a small fraction of any one of these.

    Privacy policies drafted to the regulation that applies to you.

    Data-protection law is not one global standard. The regulation that binds you depends on where your users are. We draft to each, and to all of them at once where your user base is global.

    GDPR privacy policy (European Union)

    The EU General Data Protection Regulation is the most prescriptive data-protection framework in the world. A GDPR-compliant privacy policy must identify the lawful basis for each processing activity (consent, contract, legal obligation, vital interests, public task, legitimate interests), explain the full set of data subject rights, disclose international transfer mechanisms (adequacy decisions, Standard Contractual Clauses), state retention periods, and name your data protection officer where one is required. We draft to the regulation, not around it.

    UK GDPR privacy policy (United Kingdom)

    Post-Brexit, the UK retained the GDPR as the UK GDPR, supplemented by the Data Protection Act 2018. The requirements closely track the EU GDPR but with UK-specific elements, including the role of the Information Commissioner’s Office (ICO) and divergence on certain transfer and adequacy questions. We draft UK-facing policies to the UK framework.

    DPDPA privacy policy (India)

    India’s Digital Personal Data Protection Act, 2023 is consent-centric, built around notice and consent, the rights of data principals, the obligations of the data fiduciary, and a consent-manager framework distinct to India. As the implementing rules take shape, we draft DPDPA-compliant policies for businesses processing the personal data of individuals in India.

    CCPA and CPRA privacy policy (United States)

    California’s Consumer Privacy Act and the Privacy Rights Act that amended it focus on the right to know what data is collected, the right to delete, and the right to opt out of the sale or sharing of personal information. Other US states (Virginia, Colorado, Connecticut, and a growing list) have enacted comparable laws. We draft for California and the broader US state-privacy landscape.

    Privacy Act privacy policy (Australia)

    Australia’s Privacy Act and the Australian Privacy Principles (APPs) govern how organisations handle personal information, with specific obligations around collection, use, disclosure, and cross-border transfer. We draft policies aligned to the APPs for Australian businesses and those serving Australian users.

    PDPA privacy policy (Singapore and APAC)

    Singapore’s Personal Data Protection Act sets the standard for much of APAC, with consent, purpose limitation, and notification obligations. We draft PDPA-compliant policies and handle the broader APAC data-protection landscape for businesses operating across the region.

    What clients say

    Privacy policy, cookie policy, and a DPA for our SaaS launch into the EU and US. The lawful-basis mapping was done properly, our enterprise customers’ privacy teams had almost no questions, which never happens with a generated policy.
    Ethan Clarke, Co-founder, B2B SaaS · Toronto
    Our fintech app needed a privacy policy that satisfied both the App Store Data Safety form and actual financial-data regulation. The drafted version handled the KYC and transaction-data disclosures a generator would never have known to include.
    Daniel Wong, Founder, Fintech Startup · Singapore
    Healthtech platform handling sensitive data. The policy was drafted to the elevated consent and security standard that special-category data requires under GDPR and DPDPA. The difference from our old template was night and day.
    Priya Menon, Co-founder, Healthtech · Bangalore
    Privacy policy covering users across the GCC, the EU, and the UK. Cross-border transfer mechanisms were addressed properly with SCCs where needed. Passed a European customer’s data-protection audit on the first pass.
    Hassan Al-Marri, Director, Trading Group · Dubai
    GDPR and UK GDPR privacy policy with a working cookie consent banner. The policy and the banner actually worked together, which our previous generated policy did not. Our ICO exposure dropped from real to negligible.
    James Whitmore, Head of Commercial · London
    Complete data pack for our subscription app: privacy policy, cookie policy, and a DPA. Drafted to satisfy the App Store privacy labels and our actual data flows. Approved on the first app store submission.
    Sarah Mitchell, Director, Consumer Brand · Sydney

    Frequently asked

    Is a privacy policy legally required?

    Yes, in almost every case. The moment your platform collects any personal data (a name, email, IP address, or cookie identifier), you trigger a legal obligation to have a privacy policy under the applicable data-protection law (GDPR, UK GDPR, DPDPA, CCPA, Privacy Act, PDPA). It is mandatory from the moment you collect data.

    What is the difference between a privacy policy and terms and conditions?

    A privacy policy is a disclosure document about personal data. Terms and conditions are the contract governing how users may use your platform. They do different jobs and most platforms need both. The privacy policy is mandatory; the terms are strongly advisable.

    Do I need a GDPR privacy policy if my business is not in Europe?

    Possibly yes. The GDPR applies based on where your users are, not where your business is. If you have users in the EU, or you monitor the behaviour of people in the EU (analytics often does), the GDPR can apply regardless of where you are incorporated. The same extraterritorial logic applies to the UK GDPR, DPDPA, and CCPA.

    What is the difference between GDPR, DPDPA, and CCPA?

    Three data-protection regimes. The GDPR (EU) and UK GDPR are the most prescriptive: six lawful bases, broad rights, strict transfer rules. India’s DPDPA, 2023 is consent-centric with a data-principal rights framework and consent-manager model. California’s CCPA and CPRA focus on the right to know, delete, and opt out of sale or sharing. Global platforms often need a policy satisfying all three.

    Can I use a free privacy policy generator?

    A generator produces a template that lists sections but does not implement the law for your actual data practices. It names the GDPR without correctly assigning lawful bases and claims CCPA compliance without a working opt-out. For any platform handling accounts, payments, or sensitive data, a generated policy represents compliance you do not actually have, which is what turns a data incident into a regulatory penalty.

    Do I need a cookie policy as well?

    If your site uses non-essential cookies (analytics, marketing, advertising), yes. Under the GDPR and UK GDPR, non-essential cookies require prior consent through a compliant banner, plus a cookie policy explaining what cookies you use. We draft the cookie policy and privacy policy together so they align.

    What is a Data Processing Agreement (DPA)?

    A contract required under GDPR Article 28 whenever one party processes personal data on behalf of another. If you are a SaaS platform processing customer data, your enterprise customers will require a DPA from you. If you use vendors who process data for you, you need a DPA with them. It is distinct from the privacy policy and frequently requested in enterprise procurement.

    Does my mobile app need a privacy policy for the app stores?

    Yes, and a compliant one. Apple requires a privacy policy and Privacy Nutrition Labels; Google Play requires a privacy policy and a completed Data Safety form. The disclosures must match your actual data practices. A mismatch or missing policy is a common cause of app store rejection.

    How long does it take to draft a privacy policy?

    A standard website or app privacy policy is drafted in 24 to 48 hours. More complex platforms (SaaS, fintech, healthtech) take 2 to 3 days. A complete data pack (privacy policy, cookie policy, DPA) in 3 to 5 days.

    What happens if I do not have a compliant privacy policy?

    Exposure on several fronts: regulatory penalties (GDPR fines reach into the millions; DPDPA and CCPA carry significant penalties), app store rejection, failed enterprise procurement, and loss of user trust. The cost of a properly drafted policy is a small fraction of any one of these.

    Who drafts the privacy policy?

    A contract lawyer from our team with experience in data-protection and technology law for your jurisdiction. Every policy is internally reviewed for genuine compliance and for consistency with your terms and cookie policy before delivery.

    About the founder

    Prakhar Rai is an advocate enrolled with the Bar Council of India and the founder of My Legal Pal. An alumnus of the National Law School of India University (NLSIU), Bangalore, with a Master of Business Laws, Prakhar has 10+ years of experience advising startups, technology companies, SMEs, and individual entrepreneurs across India, the UAE, the UK, and Southeast Asia.

    His practice focuses on technology and data-protection law, with particular depth in privacy compliance across the GDPR, the UK GDPR, India’s DPDPA, and the US state-privacy landscape. My Legal Pal’s privacy policy drafting service is led by Prakhar and delivered by a team of qualified contract lawyers with experience in data protection and platform law.

    A privacy policy is not a document you publish and forget. It is a public statement of obligations a regulator can hold you to. It is worth getting right.

    Connect with Prakhar on LinkedIn

    Get a privacy policy drafted for your platform.

    GDPR, UK GDPR, DPDPA, CCPA compliant. For websites, apps, SaaS, and platforms. Paired with cookie policy and terms. Fixed fees, 24 to 48 hours for standard policies.

    Call +91 8004800100

    Get a quote