Every UK business with a website that collects personal data needs a privacy notice. This is a plain-English starter — adapt it to your business, then have a competent person check it before going live. It is not legal advice.
Who we are
[Company Name] (we, us, our) is the data controller for the personal data described below. Our registered office is [address]. You can contact us about your data at [privacy@yourcompany.co.uk].
What this notice covers
It explains what personal data we collect about you, what we do with it, who we share it with, how long we keep it, and your rights under UK GDPR.
Data we collect
- Information you give us: name, email, phone, company, any information you put in a contact or order form.
- Information we collect automatically: your IP address, browser type, pages visited, referrer, basic device information — via cookies and similar technologies.
- Information from third parties: [e.g. payment processor, marketing platform].
Why we use your data (legal basis)
- To answer enquiries you send us — legitimate interest.
- To fulfil orders or contracts — contract.
- To send marketing emails (only if you've agreed) — consent, which you can withdraw any time.
- To meet legal obligations (tax records, etc.) — legal obligation.
Who we share it with
We share your data with [named sub-processors, e.g. Microsoft 365, Xero, HubSpot] who help us run the business. We choose suppliers who meet our supplier security requirements. We do not sell your data.
Where your data is held
Most of our data is held in the [UK / EU]. Some sub-processors operate from the United States under appropriate safeguards (UK-US Data Bridge or Standard Contractual Clauses).
How long we keep it
We keep your data only as long as we have a reason to. Details are in our Data Retention Policy. Typical periods:
- Customer transaction records — 6 years (HMRC).
- Marketing data — 2 years from last engagement.
- Job applications — 12 months.
Your rights
Under UK GDPR you have the right to:
- Access the data we hold about you.
- Correct inaccurate data.
- Ask us to delete it (where we're not legally required to keep it).
- Object to certain processing.
- Withdraw consent for marketing at any time.
- Complain to the ICO: ico.org.uk, 0303 123 1113.
Cookies
We use cookies as described in our cookie banner. You can change your choices at any time via the cookie settings link in the footer.
Changes to this notice
This notice was last updated on [date]. We'll update it when our practices change. Material changes are flagged on the site.
Tips for adoption
- This is a starter, not legal advice. Have it reviewed before publication.
- Match it to what your site actually does — not to what other people's notices say.
- Update it whenever you add a new sub-processor or change a retention period.