How to write a privacy policy that does not backfire

Privacy policies do not impress anyone when they are long. They impress people when they are honest, specific, and match what the organisation actually does in practice.

Why small organisations struggle with privacy policies

Many policies are copy-pasted from templates designed for large companies. These documents mention tools you do not use and make promises you cannot keep.

This creates risk. If your policy says you do something, you are legally committed to doing it. If you do not, the policy becomes evidence against you in a complaint.

What a small organisation actually needs to cover

A good privacy policy answers five questions clearly:

Anything beyond that should only be included if it is real today, not aspirational.

A structure that works

You can use this simple structure for almost any small organisation:

1. Who we are
2. The data we collect
3. Why we collect it
4. How long we keep it
5. Who can see the data
6. Where the data is stored
7. Your rights
8. How to contact us

Common mistakes to avoid

1. Mentioning tools you do not use

If your policy says you use advanced analytics, profiling, advertising pixels, or automated decision making, that becomes a liability when you do not. Only mention tools and vendors that are genuinely in use.

2. Promising things you cannot enforce

Example: “We delete emails every 30 days.” If you do not have a process to guarantee that, remove it. It is safer to state what you can actually do than to promise automated behaviour that does not exist.

3. Adding long GDPR explanations instead of clear answers

A privacy policy is not a law textbook. Visitors want to know what you actually do, not what the law says in theory. If you want to offer deeper reading, link to the ICO (the UK Information Commissioner's Office) rather than copying whole sections of GDPR wording into your policy.

4. Hiding behind vague phrases

Phrases like “we may use your data to improve our services” do not help anyone. If you cannot explain what that means in one sentence, either clarify it or remove it.

What to write if you are not sure

When in doubt, keep it honest and simple:

We only collect the information you choose to send us via our contact form or email.
We use it to reply to your message.
We do not sell it, and we do not share it with third parties unless required by law.

You can then add short, specific sections about any extra tools you use, for example a newsletter platform or a ticketing system, rather than padding the policy with generic paragraphs.

In plain English

  • Your privacy policy should describe reality, not aspiration.
  • You can avoid GDPR issues by being specific and honest about what you do.
  • Most small organisations only need a simple, well structured policy that is kept up to date.

You can find more guides in the Ki-Ki knowledge hub, including domain strategy, Cloudflare basics, and website hygiene for small organisations.