Privacy Policy
Last updated: [YYYY-MM-DD — set when real policy is drafted]
1. Who we are
[Legal entity name, registration details if applicable, principal address, and — for EU/UK users — the name and contact of a data protection officer or EU/UK representative if one is required. Attorney to confirm whether a DPO or representative is required based on processing scale and category.]
2. Information we collect
[List every category of personal information the site actually collects: name, email, phone, IP address, device information, cookies, payment information, usage analytics, location, uploaded content, account credentials, etc. Do not list categories the site does not actually collect — misrepresentation here is worse than under-disclosure.]
[Be explicit about any sensitive categories — health, financial, biometric, children's data — since these trigger additional obligations under most regimes.]
3. How we use the information
[List the actual purposes for which each category is used: account management, service delivery, payment processing, marketing communications, analytics, legal compliance, security. Tie purposes to categories so the reader can see what is used for what.]
[For GDPR jurisdictions: state the lawful basis for each purpose — consent, contract, legal obligation, vital interests, public task, or legitimate interests.]
4. Who we share information with
[Name the categories of third parties: payment processors, email providers, analytics platforms, hosting infrastructure, customer support tools, legal and regulatory recipients. Where specific named providers appear (Stripe, Google Analytics, Mailchimp, etc.), list them. If no third-party sharing occurs, say so explicitly.]
[For CCPA/CPRA jurisdictions: state whether personal information is sold or "shared" as those terms are defined in the statute, and provide the required opt-out mechanism if applicable.]
5. Cookies and tracking technologies
[Describe the actual cookies and tracking technologies used: essential, analytics, preferences, advertising. For EU/UK users, describe the consent mechanism (cookie banner) and what happens if consent is declined. Omit this section only if the site truly uses no cookies or tracking of any kind, including server-side analytics.]
6. Data retention
[State how long each category of data is retained and the criteria used to determine retention periods. "As long as necessary" is insufficient under GDPR and most state regimes — give concrete periods or criteria where possible.]
7. Your rights
[List the rights available to users under each applicable regime: access, rectification, erasure, restriction, portability, objection, opt-out of sale/sharing, opt-out of targeted advertising, limit use of sensitive information, non-discrimination for exercising rights. Rights vary by jurisdiction — the attorney specifies which apply to the business's user population.]
[Describe the mechanism for exercising rights: email address, web form, phone. Commit to a response timeline (typically 30 or 45 days). Describe the authentication process for verifying a request is from the actual user.]
8. Security
[Describe the actual security measures in place: encryption in transit (HTTPS/TLS), encryption at rest if applicable, access controls and authentication, logging and monitoring, and the incident response process, including how affected users will be notified of a breach where notification is required. Keep the description at the level of controls, not internal architecture, and have the engineering owner of each control confirm it before the policy ships. Do not claim security measures that aren't actually in place; an inaccurate claim becomes actionable if a breach occurs.]
9. International transfers
[If data crosses borders — most sites' data does, via hosting, email, or third-party services — describe the safeguards: standard contractual clauses, adequacy decisions, derogations. Omit this section only if all data processing genuinely occurs within a single jurisdiction.]
10. Children's privacy
[Age threshold below which the site does not knowingly collect information, and how such collection is handled if discovered (for example, deletion of the data and termination of the account). COPPA (US) applies to children under 13; under GDPR the parental-consent threshold for online services is 16 by default, and member states may lower it to 13, so the applicable age varies by country. Most general-purpose sites state they do not target or knowingly collect from children below the chosen threshold.]
11. Changes to this policy
[Describe how and where policy updates will be communicated. Common pattern: "We may update this policy; material changes will be posted here with a revised 'last updated' date."]
12. Contact
Questions about this privacy policy or to exercise your rights: [replace-with-privacy-contact@example.com]
[Or the postal address of the legal entity. For EU/UK: contact details of the DPO or representative, if applicable.]