A privacy policy is the public document where you tell people, in plain language, what personal data you collect about them, why you collect it, how long you keep it, and what they can do about it. It is the visible face of how an organisation handles privacy.

Think of it as the label on a food product. The ingredients are inside the package whether you read the label or not, but the label is your right to know what you are consuming and to make an informed choice. A privacy policy does the same for data: it lists the “ingredients” of your data handling so a visitor can decide whether they are comfortable. Under the GDPR this transparency is not optional, and the policy must honestly reflect the PII you actually process.

A good policy is specific, not boilerplate. It names the real tools you use, the countries where data lives, and the exact rights people can exercise, then keeps that information current as your stack changes.

The common mistake is treating it as a write-once legal page. In reality it has to track what your software actually does. Add a chat widget, swap your email provider, or move hosting to a server outside the EU, and the policy is now wrong until someone updates it. Where data lives matters too: if a US tool processes your customers’ details, that is a data residency question your policy must address honestly, not paper over.

There is also a hard rule to remember. A privacy policy is not a consent banner. The policy explains your practices, while consent is the separate act of asking permission before you load tracking or marketing cookies. Confusing the two is one of the fastest ways to fall foul of the regulator.

At TopDevs we make sure the privacy policy on a site we build matches the systems underneath it, so what the document promises is genuinely what the software does.