Generate a GDPR-Compliant Privacy Policy in Minutes

Tested prompts for a GDPR privacy policy generator compared across 5 leading AI models.

Best by judge score: GPT-5.4 (8/10)

If you're searching for a GDPR privacy policy generator, you're probably launching a website, app, or SaaS product that collects data from European users, and you need a legally structured document without paying a lawyer hundreds of dollars for a first draft. GDPR requires any site targeting EU residents to disclose what personal data you collect, why you collect it, how long you keep it, and what rights users have. Missing or vague policies can result in fines up to 4% of global annual turnover.

AI models can generate a solid, structured privacy policy draft in under two minutes when given the right inputs. The key is feeding the model specific details about your data practices rather than asking for a generic template. A generic output will sound like every other boilerplate policy online and may miss clauses specific to your actual data flows.

This page shows you exactly what prompt to use, compares outputs from four leading AI models, and tells you what to verify before publishing. The result is a working first draft you can hand to a lawyer for a quick review or publish directly if your data practices are straightforward.

When to use this

This approach works well when you need a structured, GDPR-aligned privacy policy draft quickly and your data collection practices are relatively standard. It is best suited for founders, indie developers, small business owners, and marketers who understand what data their product collects but need that information organized into legally recognizable language.

  • Launching a new SaaS product or mobile app that will have EU users
  • Running an e-commerce store using Stripe, Shopify, or WooCommerce that ships to Europe
  • Building a lead generation site that collects email addresses via forms or analytics cookies
  • Updating an outdated privacy policy to reflect GDPR and current data practices
  • Creating a privacy policy for a client as a freelancer or agency needing a fast, editable starting point

When this format breaks down

  • Your product handles sensitive categories of data under GDPR Article 9, such as health records, biometric data, or data about minors. These require specialized legal review, not an AI draft.
  • You operate in a heavily regulated industry like fintech or healthcare where sector-specific regulations layer on top of GDPR and a generic prompt will miss critical compliance requirements.
  • You need a Data Processing Agreement (DPA) or Records of Processing Activities (ROPA) rather than a user-facing privacy policy. These are different documents with different legal functions.
  • Your organization is large enough to require a formal Data Protection Impact Assessment (DPIA) or has a designated Data Protection Officer. At that scale, AI-generated drafts need substantial legal revision and should not be the primary tool.

The prompt we tested

You are a privacy law specialist drafting a GDPR-compliant Privacy Policy for a business. Follow these instructions exactly: Write in clear, plain English using numbered section headings and short paragraphs or bullet points. Ensure every section explicitly references the relevant GDPR articles where applicable, and keep the total length between 900 and 1,500 words. Output only the finished Privacy Policy text — no commentary, preamble, or explanations.

Use the following business details to populate the policy. If any required detail is missing, insert a clearly marked placeholder in square brackets (e.g., [INSERT DPO EMAIL]) so the user can fill it in.

Business details:
Company: BrewNest Ltd, an online coffee subscription service based in Berlin, Germany (website: brewnest.eu). We collect customer names, email addresses, shipping addresses, payment data (via Stripe), and browsing behavior via Google Analytics and Meta Pixel. We ship within the EU and UK, store customer data for 6 years for tax purposes, and our DPO is Anna Keller (dpo@brewnest.eu).

Produce the complete Privacy Policy now, covering at minimum: (1) Data Controller identity and contact details, (2) Types of personal data collected, (3) Purposes and legal bases for processing under Article 6 (and Article 9 if applicable), (4) Data recipients and third-party processors, (5) International data transfers and safeguards, (6) Retention periods, (7) Data subject rights under Articles 15–22 (access, rectification, erasure, restriction, portability, objection, automated decision-making), (8) Right to lodge a complaint with a supervisory authority, (9) Cookies and tracking technologies, (10) Security measures, (11) Children's data, (12) Changes to the policy, and (13) Effective date.
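The page says to verify the draft before publishing, and every judge note below flags the same failure: the model stops before all 13 required sections are delivered. The following checker is an added example, not code from this page or from any of the compared models. It scores a draft against the section list in the prompt, the 900 to 1,500 word target, leftover `[INSERT ...]` placeholders, per-section GDPR article references, and a heuristic for mid-sentence truncation. The heading patterns, the truncation heuristic, the `check_policy`/`Report` names and the sample draft are all assumptions constructed for the demo.

```python
"""Completeness check for an AI-generated GDPR privacy policy draft (added example)."""
import re
from dataclasses import dataclass

# Keyword patterns (case-insensitive) for the 13 sections the prompt requires.
# Models phrase headings differently, so each entry is a loose regex, not an exact title.
REQUIRED_SECTIONS = {
    "controller": r"controller|who we are",
    "data collected": r"(types of|what) personal data",
    "legal bases": r"legal bas[ie]s",
    "recipients": r"recipients|third-party processors",
    "transfers": r"international (data )?transfers",
    "retention": r"retention|how long we keep",
    "rights": r"\brights\b",
    "complaint": r"complaint",
    "cookies": r"cookies",
    "security": r"security",
    "children": r"children",
    "changes": r"changes to",
    "effective date": r"effective date",
}
WORD_RANGE = (900, 1500)  # length target stated in the prompt


@dataclass
class Report:
    missing_sections: list
    placeholders: list
    sections_without_article: list
    word_count: int
    truncated: bool

    def publishable(self) -> bool:
        """True only when no check raised a flag; False means the draft needs more work."""
        return (not self.missing_sections and not self.placeholders
                and not self.sections_without_article and not self.truncated
                and WORD_RANGE[0] <= self.word_count <= WORD_RANGE[1])


def heading_lines(text: str) -> list:
    """Markdown headings plus lines opening with a bold label (e.g. '**Effective Date:**')."""
    return [ln.strip() for ln in text.splitlines()
            if re.match(r"\s*(#{1,6}\s|\*\*[^*]+\*\*)", ln)]


def check_policy(text: str) -> Report:
    heads = " \n ".join(heading_lines(text))
    missing = [name for name, pat in REQUIRED_SECTIONS.items()
               if not re.search(pat, heads, re.IGNORECASE)]

    # Unfilled [INSERT ...] style placeholders; markdown links "[x](url)" are excluded.
    placeholders = re.findall(r"\[([^\[\]\n]+)\](?!\()", text)

    # The prompt asks every section to cite a GDPR article; check each '## ' section.
    sections = re.split(r"(?m)^##\s+", text)[1:]
    no_article = [sec.splitlines()[0].strip() for sec in sections
                  if not re.search(r"\bArticles?\s+\d", sec)]

    # Heuristic truncation check on the final non-empty line: a finished policy ends on
    # a sentence or a date, not on a dangling list marker, a comma or a bare word.
    last = next((ln for ln in reversed(text.splitlines()) if ln.strip()), "")
    tail = re.sub(r"[\s*_]+$", "", last)
    truncated = bool(re.search(r"^$|[A-Za-z,;:\-]$", tail))

    words = [w for w in text.split() if re.search(r"[A-Za-z]", w)]
    return Report(missing, placeholders, no_article, len(words), truncated)


# Constructed sample in the style of the model outputs on this page: deliberately short,
# two sections missing, one placeholder left, one section without an article reference,
# and a dangling list marker at the end, as in a truncated completion.
SAMPLE_DRAFT = """\
# Privacy Policy

**Effective Date:** [INSERT EFFECTIVE DATE]

## 1. Data Controller Identity and Contact Details
BrewNest Ltd is the data controller (Article 4(7) GDPR). DPO: Anna Keller, dpo@brewnest.eu.

## 2. Types of Personal Data Collected
We collect name, email address, shipping address and payment data via Stripe (Article 4(1) GDPR).

## 3. Purposes and Legal Bases for Processing
Orders are processed under Article 6(1)(b) GDPR; tax records under Article 6(1)(c) GDPR.

## 4. Data Recipients and Third-Party Processors
Stripe, Google Analytics and Meta Pixel act as processors under Article 28 GDPR.

## 5. International Data Transfers and Safeguards
Transfers outside the EEA rely on Standard Contractual Clauses (Article 46(2)(c) GDPR).

## 6. Retention Periods
Order records are kept for 6 years for tax purposes (Article 5(1)(e) GDPR).

## 7. Your Data Subject Rights
You have the rights set out in Articles 15-22 GDPR.

## 8. Right to Lodge a Complaint
You may complain to the Berlin supervisory authority.

## 9. Cookies and Tracking Technologies
Non-essential cookies require consent (Article 6(1)(a) GDPR).

## 10. Security Measures
We apply technical and organisational measures under Article 32 GDPR:

- encryption in transit;
- **
"""


if __name__ == "__main__":
    report = check_policy(SAMPLE_DRAFT)
    for name, value in vars(report).items():
        print(f"{name}: {value}")
    print("publishable:", report.publishable())
```

Run it against a real model output by replacing `SAMPLE_DRAFT` with the saved text; a draft is only a candidate for publication when every list in the report is empty, `truncated` is false and the word count sits inside the prompt's range. The truncation check is a heuristic and will also flag a policy whose last line simply lacks a full stop, so treat it as a prompt to look, not as proof.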

Model comparison

| Model | Quality | Cost | Latency | Tokens |
|---|---|---|---|---|
| Claude Opus 4.7 | 6 | $0.1629 | 29.0s | 619 / 2048 |
| Claude Haiku 4.5 | 7 | $0.0107 | 21.1s | 425 / 2048 |
| GPT-5.4 | 8 | $0.0317 | 36.2s | 378 / 2048 |
| Grok 4.1 Fast Reasoning | 8 | $0.0009 | 18.1s | 522 / 1590 |

Outputs

Claude Opus 4.7 6/10
# BrewNest Ltd – Privacy Policy

**Effective Date:** [INSERT EFFECTIVE DATE]

BrewNest Ltd ("BrewNest," "we," "us," or "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, share, and safeguard personal data when you visit brewnest.eu, subscribe to our coffee service, or otherwise interact with us. It is issued in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR").

---

## 1. Data Controller Identity and Contact Details

The data controller responsible for your personal data is:

- **BrewNest Ltd**
- Registered office: [INSERT REGISTERED ADDRESS], Berlin, Germany
- Website: https://brewnest.eu
- General contact: [INSERT GENERAL CONTACT EMAIL]

**Data Protection Officer (Article 37 GDPR):**
- Anna Keller
- Email: dpo@brewnest.eu

You may contact our DPO on any matter relating to the processing of your personal data or the exercise of your rights under the GDPR.

---

## 2. Types of Personal Data We Collect

We collect and process the following categories of personal data (Article 4(1) GDPR):

- **Identity data:** full name.
- **Contact data:** email address, shipping address, and (optionally) phone number.
- **Payment data:** payment card details and transaction data, processed by our payment provider Stripe. BrewNest does not store full card numbers on its servers.
- **Order and subscription data:** order history, delivery preferences, subscription status.
- **Technical and usage data:** IP address, device identifiers, browser type, pages viewed, referral source, and interactions with our site, collected via Google Analytics and Meta Pixel.
- **Communications data:** your correspondence with our customer support team.

We do not knowingly process special categories of data (Article 9 GDPR). We do not ask for, and you should not submit, sensitive data such as health, biometric, or political data.

---

## 3. Purposes and Legal Bases for Processing

We process personal data only where we have a lawful basis under Article 6(1) GDPR:

- **Contract performance – Article 6(1)(b):** to create and manage your account, process orders, take payment, ship products, and provide customer support.
- **Legal obligation – Article 6(1)(c):** to retain invoices and transaction records for tax and accounting purposes under German and EU law.
- **Legitimate interests – Article 6(1)(f):** to secure our website, prevent fraud, improve our services, and conduct limited internal analytics. Our legitimate interests are balanced against your rights and freedoms.
- **Consent – Article 6(1)(a):** for non-essential cookies and tracking (including Google Analytics and Meta Pixel), marketing emails, and any optional features. You may withdraw consent at any time without affecting the lawfulness of prior processing (Article 7(3) GDPR).

Article 9 GDPR does not apply, as we do not process special category data.

We do not use your data for solely automated decision-making or profiling that produces legal or similarly significant effects (Article 22 GDPR).

---

## 4. Data Recipients and Third-Party Processors

We share personal data only with trusted service providers acting as processors under Article 28 GDPR, bound by written data processing agreements:

- **Stripe Payments Europe, Ltd.** – payment processing.
- **Google Ireland Ltd. (Google Analytics)** – website analytics (consent-based).
- **Meta Platforms Ireland Ltd. (Meta Pixel)** – advertising measurement and audience building (consent-based).
- **Shipping and fulfilment partners** – [INSERT SHIPPING PROVIDER(S)] for EU and UK deliveries.
- **Email and CRM providers** – [INSERT EMAIL/CRM PROVIDER] for transactional and marketing emails.
- **Hosting and IT providers** – [INSERT HOSTING PROVIDER].
- **Professional advisers** – accountants, auditors, and lawyers where necessary.
- **Authorities** – where legally required (e.g., tax authorities, law enforcement).

We never sell personal data.

---

## 5. International Data Transfers

Personal data is primarily processed within the European Economic Area (EEA). Some processors (notably Google and Meta) may transfer data to the United States or other third countries.

Where data is transferred outside the EEA, we rely on appropriate safeguards under Chapter V GDPR, including:

- **Standard Contractual Clauses (Article 46(2)(c))** approved by the European Commission;
- **Adequacy decisions (Article 45)** where available, such as the EU–US Data Privacy Framework;
- **Supplementary technical and organisational measures** where required following transfer impact assessments.

You may request a copy of the safeguards in place by contacting dpo@brewnest.eu.

---

## 6. Retention Periods

We keep personal data only for as long as necessary (Article 5(1)(e) GDPR):

- **Customer and order records:** 6 years from the end of the relevant financial year, to comply with German tax and commercial law (e.g., §147 AO, §257 HGB).
- **Marketing data:** until you withdraw consent or are inactive for 24 months, whichever is sooner.
- **Analytics and tracking data:** up to 14 months (Google Analytics) or as set out in our Cookie Policy.
- **Support correspondence:** up to 3 years after resolution.

After the retention period, data is securely deleted or anonymised.

---

## 7. Your Rights as a Data Subject

Under Articles 15–22 GDPR, you have the right to:

- **Access (Article 15):** obtain confirmation and a copy of your personal data.
- **Rectification (Article 16):** correct inaccurate or incomplete data.
- **Erasure (Article 17):** request deletion, subject to legal retention obligations.
- **

Judge notes: The output is truncated mid-sentence at Article 17 (Erasure), meaning it fails to deliver several required sections including rights continuation (Articles 18–22), complaint rights, cookies, security measures, children's data, policy changes, and effective date — making it incomplete for production use despite strong quality in the sections it does cover.

Claude Haiku 4.5 7/10
# PRIVACY POLICY

**BrewNest Ltd**

**Effective Date:** [INSERT DATE]

---

## 1. Data Controller Identity and Contact Details

**Data Controller:**
- **Company Name:** BrewNest Ltd
- **Registered Address:** [INSERT FULL BERLIN ADDRESS]
- **Website:** brewnest.eu
- **Contact Email:** [INSERT GENERAL CONTACT EMAIL]
- **Telephone:** [INSERT TELEPHONE NUMBER]

**Data Protection Officer:**
- **Name:** Anna Keller
- **Email:** dpo@brewnest.eu

For any data protection queries, please contact our Data Protection Officer at dpo@brewnest.eu.

*Legal basis: GDPR Article 13(1)(a) and Article 14(1)(a)*

---

## 2. Types of Personal Data Collected

We collect the following categories of personal data:

- **Identity Data:** Full name
- **Contact Data:** Email address, shipping address
- **Payment Data:** Payment card information (processed securely via Stripe; we do not directly store full card details)
- **Behavioral Data:** Browsing behavior, pages visited, links clicked, and time spent on our website (via Google Analytics and Meta Pixel)
- **Device Data:** IP address, browser type, operating system, and device identifiers (collected through analytics tools)
- **Transaction Data:** Order history, subscription preferences, and purchase amounts

We collect this data when you register for an account, place an order, subscribe to our service, contact us, or browse our website.

*Legal basis: GDPR Articles 13 and 14*

---

## 3. Purposes and Legal Bases for Processing

We process your personal data for the following purposes and legal bases:

### 3.1 Contractual Performance (GDPR Article 6(1)(b))
- Fulfilling your coffee subscription orders
- Processing payments and managing your account
- Providing customer support and order updates
- Delivering products within the EU and UK

### 3.2 Legal Compliance (GDPR Article 6(1)(c))
- Maintaining tax records and fulfilling tax obligations (data retained for 6 years as required by German tax law)
- Complying with accounting and bookkeeping regulations
- Responding to legal requests from authorities

### 3.3 Legitimate Interests (GDPR Article 6(1)(f))
- Analyzing website performance and user experience via Google Analytics and Meta Pixel
- Preventing fraud and maintaining website security
- Improving our services and personalizing your experience
- Marketing communications about new products and offers (where you have not objected)

### 3.4 Consent (GDPR Article 6(1)(a))
- Sending promotional emails and marketing newsletters (only where you have explicitly opted in)
- Using cookies for non-essential tracking purposes

We do not process any special category data (GDPR Article 9) such as health or religious information.

*Legal basis: GDPR Article 13(2)(c) and Article 14(2)(c)*

---

## 4. Data Recipients and Third-Party Processors

Your personal data may be shared with the following recipients:

### 4.1 Third-Party Service Providers (Data Processors)
- **Stripe:** Payment processing provider (Privacy Policy: stripe.com/privacy)
- **Google Analytics:** Website analytics and user behavior tracking (Privacy Policy: policies.google.com/privacy)
- **Meta Pixel:** Advertising and conversion tracking (Privacy Policy: facebook.com/privacy/explanation)
- **[INSERT SHIPPING/LOGISTICS PARTNER]:** Courier services for order delivery
- **[INSERT EMAIL SERVICE PROVIDER]:** Email marketing and customer communications

All processors have signed Data Processing Agreements (DPAs) in compliance with GDPR Article 28.

### 4.2 Other Recipients
- Law enforcement and public authorities (where legally required)
- Professional advisors (accountants, legal counsel) under confidentiality obligations

We do not sell or rent your personal data to third parties for marketing purposes.

*Legal basis: GDPR Articles 6, 28, and 32*

---

## 5. International Data Transfers and Safeguards

### 5.1 EU/EEA Data Processing
Most of your data is processed and stored within the European Economic Area (EEA) and complies with GDPR requirements.

### 5.2 Third-Country Transfers
Your data may be transferred to the following third countries:

- **United States (Stripe, Google Analytics, Meta Pixel):** These transfers are safeguarded by Standard Contractual Clauses (SCCs) incorporated into processor agreements and Stripe's Binding Corporate Rules (BCRs). You can request copies of these safeguards by contacting dpo@brewnest.eu.

### 5.3 Brexit Considerations
For customers in the United Kingdom, your data is transferred to the UK as an adequacy decision applies under UK GDPR (GDPR Article 45).

*Legal basis: GDPR Articles 44–49 (international transfers)*

---

## 6. Data Retention Periods

We retain personal data for the following periods:

| **Data Category** | **Retention Period** | **Reason** |
|---|---|---|
| Customer account and order data | 6 years | Tax and accounting legal requirements |
| Payment data (via Stripe) | As per Stripe's policy | Payment processing and fraud prevention |
| Email marketing data | Until unsubscription | Legitimate interest in marketing communications |
| Google Analytics data | 26 months (default) | Website performance analysis |
| Meta Pixel data | 180 days (default) | Advertising attribution and optimization |
| Website logs and IP data | 90 days | Security and fraud prevention |

After the retention period expires, data is securely deleted or anonymized unless we are legally required to retain it longer.

*Legal basis: GDPR Article 5(1)(e) and Article 17*

---

## 7. Data Subject Rights

Under GDPR (Articles 15–22), you have the following rights:

### 7.1 Right of Access (Article 15)
You may request a copy of all personal data we hold about you in a structured, commonly used, and machine-readable format.

### 7.2 Right to Rectification (Article 16)
You may request correction of inaccurate or incomplete personal data.

### 7.3 Right to Erasure (Article 17)
You may request deletion of your data, subject to legal exemptions (e.g., tax retention obligations). This is also known as the "right to be forgotten."

### 7.4 Right to Restrict Processing (Article 18)
You may request that we limit how we use your data (e.g., while we verify its accuracy).

### 7.5 Right to Data Portability (Article 20)
You may request your data in a portable format suitable for transfer to another organization.

### 7.6 Right to Object (Article 21)
You may object to:
- Processing based on legitimate interests or direct marketing
- Profiling and automated decision-making
- Email marketing (you may unsubscribe at any time)

### 7.7 Rights Related to Automated Decision-Making (Article 22)
We do not currently use automated decision-making or profiling that produces legal or similarly significant effects. If this changes, you will have the right to human review and explanation.

### 7.8 Exercising Your Rights
To exercise any of these rights, contact us at dpo@brewnest.eu or [INSERT GENERAL EMAIL]. We will respond within 30 calendar days (extendable by 60 days for complex requests) in compliance with GDPR Article 12.

*Legal basis: GDPR Articles 15–22*

---

## 8. Right to Lodge a Complaint

You have the right to lodge a complaint with the relevant data protection supervisory authority if you believe we have breached your data protection rights.

**Competent Authority for BrewNest Ltd:**
- **Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Data Protection Authority)**
- **Address:** [INSERT BERLIN DPA ADDRESS]
- **Email:** [INSERT DPA EMAIL]
- **Website:** datenschutz-berlin.de

You may also contact the supervisory authority in your country of residence or place of work.

*Legal basis: GDPR Article 77*

---

## 9. Cookies and Tracking Technologies

### 9.1 Essential Cookies
We use essential cookies to operate our website, maintain security, and process transactions. These cookies are necessary for the website to function and do not require consent.

### 9.2 Analytics and Marketing Cookies
We use the following non-essential tracking technologies:

- **Google Analytics:** Tracks user behavior, page views, and session duration to improve website performance

Judge notes: The output is cut off mid-section (Cookie policy ends abruptly at 9.2, missing sections 10–13), which means it's incomplete and not production-ready without significant intervention.

GPT-5.4 8/10
# Privacy Policy

## 1. Who We Are and How to Contact Us

1.1 This Privacy Policy explains how BrewNest Ltd (“BrewNest”, “we”, “us”, or “our”) collects, uses, stores, and shares personal data when you visit **brewnest.eu**, create an account, place an order, subscribe to our coffee service, or otherwise interact with us.

1.2 For the purposes of the General Data Protection Regulation (“GDPR”), BrewNest Ltd is the **data controller** of your personal data in accordance with **Article 4(7) GDPR**.

1.3 Our details are:

- **Company name:** BrewNest Ltd  
- **Location:** Berlin, Germany  
- **Website:** brewnest.eu  
- **Email:** [INSERT GENERAL CONTACT EMAIL]

1.4 We have appointed a Data Protection Officer (“DPO”) in accordance with **Articles 37–39 GDPR**:

- **DPO name:** Anna Keller  
- **DPO email:** dpo@brewnest.eu

## 2. What Personal Data We Collect

2.1 We collect the following categories of personal data, as defined in **Article 4(1) GDPR**:

- **Identity data:** name
- **Contact data:** email address
- **Delivery data:** shipping address
- **Transaction and payment-related data:** order details and payment information processed through Stripe
- **Usage data:** browsing behavior on our website
- **Technical data:** cookie identifiers, IP address, browser type, device information, pages viewed, and similar analytics data collected through Google Analytics and Meta Pixel

2.2 We collect personal data:

- directly from you when you place an order, sign up for a subscription, or contact us;
- automatically through cookies and similar technologies when you use our website; and
- from service providers involved in payment processing or analytics.

2.3 We do not intentionally collect special categories of personal data under **Article 9 GDPR**. Please do not provide sensitive data unless we specifically request it. If such data is sent to us accidentally, our legal basis will depend on the circumstances, including **Article 9(2)(a)** (explicit consent) or **Article 9(2)(f)** (legal claims), where applicable.

## 3. Purposes of Processing and Legal Bases

3.1 We process your personal data only where we have a lawful basis under **Article 6 GDPR**.

3.2 **To provide our services and fulfil orders**  
We use your name, email address, shipping address, and order details to manage subscriptions, process purchases, deliver products, and provide customer support.  
**Legal basis:** **Article 6(1)(b) GDPR** – processing necessary for the performance of a contract or to take steps at your request before entering into a contract.

3.3 **To process payments**  
Payments are processed through Stripe. We use payment-related information to complete transactions, verify payment status, and manage refunds or billing issues.  
**Legal basis:** **Article 6(1)(b) GDPR** – performance of a contract; and where required, **Article 6(1)(c) GDPR** – compliance with legal obligations.

3.4 **To comply with legal and tax obligations**  
We keep transaction and related customer records to comply with accounting, tax, fraud prevention, and regulatory requirements.  
**Legal basis:** **Article 6(1)(c) GDPR** – compliance with a legal obligation.

3.5 **To improve our website and understand customer behaviour**  
We use Google Analytics and Meta Pixel to measure website traffic, understand browsing behaviour, improve user experience, and assess the performance of our marketing.  
**Legal basis:** **Article 6(1)(a) GDPR** – your consent, where cookies or similar technologies require consent under applicable law; and in limited cases **Article 6(1)(f) GDPR** – our legitimate interests in improving our website and services, provided your rights do not override those interests.

3.6 **To send service communications**  
We may send emails about your account, orders, deliveries, subscription status, and important service updates.  
**Legal basis:** **Article 6(1)(b) GDPR** – performance of a contract; and **Article 6(1)(c) GDPR** where a legal obligation applies.

3.7 **To establish, exercise, or defend legal claims and prevent misuse**  
We may process relevant personal data where necessary for fraud prevention, enforcing our terms, or legal proceedings.  
**Legal basis:** **Article 6(1)(f) GDPR** – legitimate interests; and where relevant **Article 6(1)(c) GDPR** or **Article 9(2)(f) GDPR**.

3.8 Where processing is based on your consent under **Article 6(1)(a) GDPR**, you may withdraw that consent at any time under **Article 7(3) GDPR**. This will not affect the lawfulness of processing before withdrawal.

## 4. Cookies and Tracking Technologies

4.1 We use cookies, pixels, and similar technologies on our website. These may include:

- **Strictly necessary cookies** for website functionality;
- **Analytics cookies** used by Google Analytics;
- **Advertising and marketing technologies** including Meta Pixel.

4.2 Where required by law, non-essential cookies are placed only with your consent in line with **Article 6(1)(a) GDPR**.

4.3 These technologies help us:

- remember user preferences;
- understand how visitors use our website;
- measure the effectiveness of advertising;
- improve website performance and user experience.

4.4 You can manage or withdraw cookie consent through our cookie banner or browser settings. Disabling some cookies may affect website functionality.

## 5. Recipients and Third-Party Processors

5.1 We may share personal data with recipients where necessary for the purposes described in this Privacy Policy, in accordance with **Articles 28 and 29 GDPR**.

5.2 Categories of recipients include:

- **Payment processor:** Stripe, to process payments securely;
- **Analytics and marketing providers:** Google Analytics and Meta Pixel;
- **IT, hosting, and website service providers:** [INSERT HOSTING PROVIDER IF APPLICABLE];
- **Delivery and logistics partners:** [INSERT COURIER OR SHIPPING PROVIDERS];
- **Professional advisers:** accountants, legal advisers, auditors;
- **Public authorities or regulators:** where required by law.

5.3 Where third parties act as our processors, we require them to process personal data only on our documented instructions and to implement appropriate security measures under **Article 28 GDPR**.

## 6. International Data Transfers

6.1 Some of our service providers may process personal data outside the European Economic Area (“EEA”), including in countries that may not provide the same level of data protection.

6.2 Where we transfer personal data internationally, we do so in accordance with **Chapter V GDPR**, including **Articles 44–49 GDPR**.

6.3 Where required, we rely on appropriate safeguards such as:

- an adequacy decision under **Article 45 GDPR**;
- the European Commission’s Standard Contractual Clauses under **Article 46(2)(c) GDPR**;
- supplementary measures where necessary.

6.4 Because we ship to customers in the UK, personal data may also be processed in connection with UK deliveries. Transfers between the EEA and UK are handled using lawful transfer mechanisms where required.

6.5 You may contact us for more information about the safeguards used for international transfers.

## 7. How Long We Keep Personal Data

7.1 We keep personal data only for as long as necessary for the purposes for which it was collected, in accordance with **Article 5(1)(e) GDPR**.

7.2 Our main retention periods are:

- **Order, billing, and tax records:** **6 years** for tax and accounting purposes;
- **Account and subscription data:** for as long as your account or subscription remains active, and for a reasonable period after closure to deal with disputes, complaints, or legal obligations;
- **Analytics and cookie-related data:** for the period set out in our cookie settings or until consent is withdrawn, unless a shorter or longer period is required by law;
- **Customer service communications:** for as long as necessary to handle your request and maintain appropriate business records.

7.3 After the applicable retention period, we will delete or anonymise personal data unless we are required to keep it longer by law.

## 8. Your Rights Under the GDPR

8.1 Under **Articles 15–22 GDPR**, you have the following rights, subject to certain legal conditions and exemptions:

- **Right of access** (**Article 15 GDPR**) – to request a copy of the personal data we hold about you;
- **Right to rectification** (**Article 16 GDPR**) – to ask us to correct inaccurate or incomplete data;
- **Right to erasure** (“right to be forgotten”) (**Article 17 GDPR**) – to ask us to delete your personal data in certain circumstances;
- **Right to restriction of processing** (**Article 18 GDPR**) – to ask us to limit how we use your data in certain circumstances;
- **Right to data portability** (**Article 20 GDPR**) – to receive your data in a structured, commonly used, machine-readable format and have it transferred where technically feasible;
- **Right to object** (**Article 21 GDPR**) – to object to processing based on legitimate interests, including profiling related to such processing, and to object at any time to direct marketing;
- **Rights related to automated decision-making** (**Article 22 GDPR**) – not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects, unless permitted by law.

8.2 To exercise your rights, please contact us at [INSERT GENERAL CONTACT EMAIL] or our DPO

Judge notes: The output is cut off mid-sentence in Section 8.2, leaving the DPO contact details and the remaining required sections (complaint rights, security measures, children's data, policy changes, effective date) incomplete, which are all mandatory per the brief.

Grok 4.1 Fast Reasoning 8/10
# Privacy Policy

## 1. Data Controller Identity and Contact Details
BrewNest Ltd is the data controller responsible for your personal data under the General Data Protection Regulation (GDPR) (Article 4(7)).

- **Company details**: BrewNest Ltd, [Registered Address, e.g., Musterstraße 1, 10115 Berlin, Germany]. Website: brewnest.eu.
- **Contact**: Email: privacy@brewnest.eu. Phone: [INSERT PHONE NUMBER].
- **Data Protection Officer (DPO)**: Anna Keller, dpo@brewnest.eu.

We are based in Berlin, Germany, and supervised by the Berlin Commissioner for Data Protection and Freedom of Information.

## 2. Types of Personal Data We Collect
We collect the following personal data to provide our online coffee subscription service (Article 13(1)(c)):

- **Identity data**: Name.
- **Contact data**: Email address, shipping address (for EU and UK deliveries).
- **Payment data**: Billing details processed via Stripe (we do not store full card details).
- **Technical and usage data**: Browsing behavior, IP address, device information via Google Analytics and Meta Pixel.
- **Marketing data**: Preferences for newsletters (if you opt in).

We do not collect special categories of data under Article 9 GDPR (e.g., health or biometric data).

## 3. Purposes and Legal Bases for Processing
We process your data only for specific purposes with a lawful basis under Article 6 GDPR (Article 13(1)(c) and 13(2)(c)). No Article 9 processing applies.

| Purpose | Legal Basis | Details |
|---------|-------------|---------|
| Fulfilling subscriptions and orders (e.g., shipping coffee) | Article 6(1)(b) – Contract | Necessary to process payments, ship to EU/UK addresses, and manage your account. |
| Processing payments | Article 6(1)(b) – Contract | Via Stripe; required for transactions. |
| Customer service and support | Article 6(1)(b) and 6(1)(f) – Contract and Legitimate Interests | Responding to queries; our interest in good service. |
| Analytics and improving our site | Article 6(1)(a) and 6(1)(f) – Consent and Legitimate Interests | Browsing data via Google Analytics/Meta Pixel for site performance; consent for non-essential tracking. |
| Marketing (e.g., newsletters) | Article 6(1)(a) – Consent | Email promotions; you can withdraw consent anytime. |
| Compliance (e.g., tax, fraud prevention) | Article 6(1)(c) and 6(1)(f) – Legal Obligation and Legitimate Interests | Tax records; preventing abuse. |

Processing is limited to what's necessary. We'll update you if purposes change (Article 13(3)).

## 4. Data Recipients and Third-Party Processors
We share data only with trusted recipients under Article 13(1)(e) GDPR, ensuring they comply with GDPR via contracts (Article 28).

- **Processors**:
  - Stripe (payments): Receives payment details.
  - Google Analytics/Meta Pixel (analytics): Receives browsing data.
  - Shipping providers (e.g., DHL, Royal Mail): Shipping addresses for EU/UK deliveries.
- **Other recipients**: No sales to third parties. Data may go to advisors (e.g., accountants) for compliance.

All processors are bound by data processing agreements.

## 5. International Data Transfers and Safeguards
Transfers outside the EEA occur for analytics and payments (Article 13(1)(f), Articles 44-50 GDPR).

- **Recipients**: Stripe, Google LLC, Meta Platforms Inc. (all US-based).
- **Safeguards**:
  - EU Standard Contractual Clauses (SCCs) approved by the European Commission.
  - UK International Data Transfer Agreement (IDTA) for UK adequacy.
  - Supplementary measures like encryption.

EU/UK shipping stays within those regions (adequacy decisions apply for UK). You can request transfer details from our DPO.

## 6. Retention Periods
We keep data only as long as needed (Article 5(1)(e) and Article 13(2)(a) GDPR):

- Order data: 6 years for tax/compliance (German tax law).
- Marketing data: Until you withdraw consent or unsubscribe.
- Analytics data: 14 months (Google Analytics) or 13 months (Meta Pixel).
- Account data: While active, plus 1 year post-deletion request.

Data is securely deleted or anonymized afterward. We'll notify you of changes to periods.

## 7. Your Data Subject Rights (Articles 15–22 GDPR)
You have rights over your data (Article 13(2)(b)). Contact privacy@brewnest.eu or our DPO. We'll respond within one month (extendable to three).

- **Access (Article 15)**: Free copy of your data and details on processing.
- **Rectification (Article 16)**: Correct inaccurate data.
- **Erasure ('right to be forgotten') (Article 17)**: Delete data if no longer needed (exceptions for legal obligations).
- **Restriction (Article 18)**: Limit processing during disputes.
- **Portability (Article 20)**: Receive/export data in structured format (e.g., for orders).
- **Objection (Article 21)**: To legitimate interests/marketing – we'll stop unless compelling reasons.
- **Automated decisions (Article 22)**: No solely automated decisions/profiling with legal effects. Analytics is non-automated.

No fees unless requests are excessive. We'll verify identity.

## 8. Right to Lodge a Complaint
If unhappy with our handling, contact our DPO first. You can complain to the supervisory authority (Article 13(2)(d) and Article 77 GDPR):

- Berlin Commissioner for Data Protection and Freedom of Information: info@datenschutz-berlin.de or postal address: Alt-Moabit 59-61, 10555 Berlin, Germany.
- Or your local EU/UK authority.

## 9. Cookies and Tracking Technologies
We use cookies/technologies for functionality and analytics (Article 13(1)(c)). See our Cookie Policy for details.

- **Essential**: For site operation (no consent needed).
- **Analytics/Tracking**: Google Analytics (IP anonymized), Meta Pixel (browsing events). Legal basis: Consent (Article 6(1)(a)).
- **Management**: Consent banner on first visit. You can withdraw via browser settings or our site.

Data from cookies helps personalize but isn't sold.

## 10. Security Measures
We protect data with appropriate measures under Article 32 GDPR:

- Encryption (e.g., HTTPS, payment data).
- Access controls (e.g., role-based, two-factor authentication).
- Regular audits, backups, and staff training.
- Breach notification: We'll inform you/supervisors within 72 hours if high risk (Article 34).

Processors match these standards.

## 11. Children's Data
Our service isn't aimed at children under 16 (Article 8 GDPR). We don't knowingly collect data from them. If we discover such data, we'll delete it and notify parents/guardians. Parents can contact our DPO.

## 12. Changes to This Policy
We may update this policy to reflect changes (Article 13(3)). We'll post the new version on brewnest.eu and email subscribers. Check back regularly. Major changes get 30 days' notice.

## 13. Effective Date
This policy is effective from 1 January 2024. Last updated: [INSERT DATE].

(Word count: 1,128)
Judge notes: Production-ready and comprehensive, but the word count annotation "(Word count: 1,128)" at the end and the unexplained "privacy@brewnest.eu" contact email (not provided in the business details) are minor issues that would require editing before deployment.

What makes these work

  1. Name your data processors explicitly

    Generic prompts produce generic outputs that say 'we may use third-party services.' Name every tool you use: your payment processor, email platform, hosting provider, and analytics tool. The model will include specific processor disclosures, which is what GDPR Article 28 actually requires. This also makes your policy easier to update when you swap a tool.

  2. State your lawful basis for each processing activity

    GDPR requires a documented lawful basis for every type of data processing. Tell the model which bases apply to you: consent for marketing emails, contract performance for billing data, legitimate interests for fraud detection. If you leave this out, the model will default to vague language that may not hold up to scrutiny.

  3. Specify your supervisory authority by country

    Every GDPR policy must name the relevant data protection authority where users can lodge complaints. If your legal entity is in Ireland, that is the DPC. Germany, France, the Netherlands, and others each have their own. Tell the model your country of registration and it will name the correct authority, avoiding a common boilerplate error.

  4. Include retention periods in the prompt

    AI models will write plausible-sounding but vague retention language unless you provide real numbers. Decide in advance how long you keep account data, transaction records, and marketing data, then include those periods in the prompt. Specific retention schedules are both a GDPR requirement and a signal of genuine compliance to regulators and users.

More example scenarios

#01 · SaaS analytics tool for EU markets

Input: Generate a GDPR-compliant privacy policy for a B2B SaaS product called DataPulse. We collect user email, name, company name, and usage logs. We use Stripe for billing, AWS for hosting in Frankfurt, and Intercom for support chat. Users are primarily in Germany and France. We retain data for 2 years after account closure. Legal entity is DataPulse Ltd, registered in Ireland.

Expected output: A structured privacy policy covering: data controller identity (DataPulse Ltd, Ireland), categories of personal data collected, lawful basis for processing (contract performance and legitimate interests), named third-party processors (Stripe, AWS Frankfurt, Intercom) with their roles, 2-year retention schedule, and a section on EU user rights including access, erasure, and portability, with a contact email for requests.

#02 · E-commerce store using cookies and remarketing

Input: Write a GDPR privacy policy for an online clothing store called NordWear based in Sweden. We collect names, shipping addresses, payment info via Klarna, and use Google Analytics and Meta Pixel for advertising. We send marketing emails via Klaviyo to opted-in customers. Data is stored on Shopify servers. Retention is 3 years for order data.

Expected output: A policy that discloses cookie usage for analytics and advertising, identifies Google, Meta, Klarna, and Klaviyo as data processors, explains that marketing emails are sent only with explicit consent (with an unsubscribe mechanism), states the 3-year retention period for transactional data, and includes a section on the right to withdraw consent and lodge a complaint with the Swedish Authority for Privacy Protection (IMY).

#03 · Mobile health and fitness app

Input: Create a GDPR privacy policy for a fitness tracking app called Stridewell. We collect step counts, sleep data, and optionally heart rate from Apple HealthKit and Google Fit. Users create accounts with email and birthdate. We do not sell data. Servers are in the EU. Company is registered in the Netherlands.

Expected output: A policy that flags health data as a special category under GDPR Article 9, states explicit consent as the lawful basis for processing it, clarifies that data is pulled from HealthKit and Google Fit only with user permission, confirms no data sale or sharing with advertisers, identifies the Dutch Data Protection Authority (AP) as the supervisory authority, and provides a clear process for data deletion requests.

#04 · Newsletter and content blog with lead magnet

Input: Generate a GDPR privacy policy for a marketing blog called GrowthLoop. We collect email addresses through a free guide download form using ConvertKit. We send weekly newsletters and occasional promotional emails. We use Google Analytics 4 with IP anonymization enabled. No e-commerce. Based in the UK post-Brexit, but readers are in both UK and EU.

Expected output: A policy that covers UK GDPR and EU GDPR separately, explains that email collection is consent-based with a clear opt-in, lists ConvertKit as a data processor and links to its DPA, describes Google Analytics 4 use with IP anonymization, explains how users can unsubscribe at any time, and notes the relevant supervisory authorities as the ICO (UK) and the user's local EU data protection authority.

#05 · Freelance agency generating a client policy

Input: Write a GDPR privacy policy template for a dental clinic website. The site has a contact form collecting name, email, and phone number. Appointments are booked via a third-party tool called Calendly. No payment is taken online. The clinic is in Belgium. Health data may be discussed in follow-up emails.

Expected output: A policy that identifies health-related communications as special category data requiring explicit consent, discloses Calendly as a data processor for appointment booking, limits data collected via the contact form to what is strictly necessary, states the lawful basis for processing as consent and legitimate interest, names the Belgian Data Protection Authority (APD) as the supervisory authority, and includes a retention period aligned with Belgian healthcare record requirements.

Common mistakes to avoid

  • Using the output without verifying data flows

    An AI generates language based on what you told it, not what your product actually does. If your app sends data to a US-based server or uses a processor you forgot to mention, the published policy will be inaccurate. Walk through your actual tech stack against the output line by line before publishing.

  • Skipping the lawful basis section

    Many users publish AI-generated policies that list what data is collected but never state the legal ground for collecting it. This is a core GDPR requirement under Article 6. A policy without lawful basis disclosures is non-compliant regardless of how polished it looks.

  • Using a generic template for special category data

    If your product touches health, biometric, religious, or political data, a standard prompt and output will not cover you. GDPR imposes stricter obligations for Article 9 data including explicit consent and often a DPIA. Publishing a generic AI policy for a health app creates real regulatory risk.

  • Forgetting to update the policy when tools change

    A privacy policy is not a one-time task. When you switch from Mailchimp to Klaviyo or add a new analytics tool, the policy must be updated. Treat the AI-generated draft as a living document with a review trigger every time you add or change a data processor.

  • Treating AI output as legal advice

    The output is a structured draft, not legal counsel. For anything beyond a basic informational site, have a GDPR-qualified lawyer review the document before publication. The cost of a one-hour legal review is a fraction of the minimum GDPR fine for a non-compliant policy.

Frequently asked questions

Is an AI-generated privacy policy legally valid under GDPR?

GDPR does not regulate how a privacy policy is drafted, only what it must contain. A policy produced by an AI model that includes all required disclosures, correct lawful bases, processor names, retention periods, and user rights information is legally valid. The risk is omission or inaccuracy, not the method of drafting. Always verify the output against your actual practices.

Do I need a GDPR privacy policy if my business is outside the EU?

Yes. GDPR applies to any organization that offers goods or services to EU residents or monitors their behavior, regardless of where the business is located. If you have EU website visitors, collect their data via forms or cookies, and do not have a compliant policy, you are subject to GDPR enforcement. The regulation's extraterritorial reach is explicit in Article 3.

What is the difference between a privacy policy and a cookie policy?

A privacy policy covers all personal data you collect, process, and store. A cookie policy specifically discloses what cookies and tracking technologies you use, what they do, and gives users the ability to consent or opt out. GDPR requires both. Many sites combine them in one document, which is acceptable as long as the cookie section is clearly identifiable and consent mechanisms are properly implemented.

How often should I update my GDPR privacy policy?

Update your privacy policy any time your data practices change, including adding a new third-party tool, changing data retention periods, entering new markets, or processing a new category of personal data. At minimum, do a full review annually. When you update the policy, inform users by email or an in-app notice if the changes are material.

Can I use the same privacy policy for my website and mobile app?

You can use a single policy that covers both, but it must explicitly address the data collected by each platform. Mobile apps often collect additional data such as device identifiers, location, or health data from device sensors. If the app has data practices that differ from the website, the policy must address both. A single combined document is fine as long as it is accurate for both contexts.

What happens if my privacy policy is not GDPR compliant?

Data protection authorities can issue warnings, reprimands, and fines. Fines for less severe violations go up to 10 million euros or 2% of global annual turnover. More serious violations, like lack of lawful basis for processing, can attract fines up to 20 million euros or 4% of turnover. Complainants can also bring civil claims for damages. The risk scales with the size of your user base and how much data you collect.