How to write a privacy policy for your small business website
A privacy policy is legally required if your small business website collects any personal data. Learn what you actually need to include, how to tailor it to your operations, and why a generic template isn't enough.

A privacy policy isn't optional admin work—it's the legal foundation that protects both you and your customers. Yet many small business owners either skip it, use a generic template that doesn't fit their actual operations, or pay thousands to a lawyer for something they never update. The middle ground is a realistic one: understand what you actually need to comply with, tailor it to your business, and maintain it as your operations change.
Do you actually need a privacy policy?
Most small businesses in the UK do need one. If your website collects any personal data—names, email addresses, phone numbers, payment details, or even just analytics cookies—you're legally required to have a privacy policy under the General Data Protection Regulation (GDPR). The exemption is narrow: you'd need to collect zero data from anyone, which rules out contact forms, email signups, and analytics.
The picture gets muddier beyond the UK. If you have customers or visitors from the EU, GDPR applies regardless of where you're based. If you serve California residents, the California Consumer Privacy Act (CCPA) adds its own thresholds—but they only kick in if you hit £18+ million in annual revenue, control or process data on 100,000+ people, or derive 50%+ of your income from selling personal data. Most small services businesses stay well under those ceilings.
The honest answer: if you're a plumber, salon, coach, or local service business collecting names and emails, you need a privacy policy for GDPR alone. If you're shipping products or running subscriptions, compliance gets more nuanced—but a solid privacy policy is still non-negotiable.
What actually goes in a privacy policy
A privacy policy for a small business answers six core questions: what data do you collect, why do you collect it, who can access it, how long you keep it, where it's stored, and what rights people have over it. That's the whole structure.
Data you collect on a typical small business site includes:
- Contact form submissions (name, email, message)
- Email newsletter signups
- Payment information (usually handled by Stripe or PayPal, so you declare that Stripe processes it on your behalf, not that you store it)
- Website analytics (IP address, page views, device type—cookies or pixel tracking)
- Google Search Console data (search queries people used to find you)
For each category, state the legal basis. GDPR demands one of six: consent (they ticked a box), contract (they're a paying customer), legal obligation, vital interest, public task, or legitimate interest. Contact form replies fall under "contract" or "legitimate interest" (you need to respond to their enquiry). Analytics might be consent-based or legitimate interest, depending on your tracking setup.
The data retention section is where most generic templates fail. A free privacy policy generator might claim "we keep data for as long as necessary," which is too vague. Instead, specify: contact form enquiries stay in your email for six months before deletion, newsletter subscribers stay until they unsubscribe, payment records stay for seven years (UK tax law), analytics data is deleted after 26 months. These timelines should match your actual practice, not a template.
One mistake in many auto-generated policies: they claim "industry-standard encryption" without defining it. Replace that with specifics: "payment data is encrypted in transit via HTTPS and processed through Stripe's PCI-compliant infrastructure." If you're using cookie consent tools to comply with GDPR, mention that too.
DIY generators vs. templates vs. hiring a lawyer
A free privacy policy generator (Termly, Privacy Policies, iubenda) takes 10–15 minutes and costs nothing. You answer questions about your business, it spits out a policy tailored to your answers. The upside: it's faster and often good enough for a straightforward small business. The downside: it assumes standard practices, so if you do anything unusual (like selling customer data to third parties, which most small businesses don't), the generated policy might be incomplete or inaccurate. Risk is low for a coach or local tradesperson; higher if you run a SaaS or data-driven service.
A template from Rocket Lawyer, LawBite, or a legal document site costs £30–£100 and requires you to customise it. You're doing more work, but you have more control over what goes in. The trade-off: you need to understand data law enough to edit it safely. A template that claims "industry-standard security" without specifics still needs your attention.
Hiring a lawyer to draft a bespoke policy costs £500–£2,000 in the UK, depending on complexity and your lawyer's hourly rate. You get a policy tailored exactly to your operations and defensible in a data breach. The trade-off: it's expensive for a freelancer or small salon, and many small businesses never need that level of tailoring.
A practical middle ground: use a free generator to create a first draft, then spend an hour editing it to match your actual data practices. Check it against your website's real contact forms, payment setup, and analytics. If you're uncomfortable with the legal language, hire a lawyer to review it (around £150–£300 for a 30-minute review) rather than drafting it from scratch.
Auditing and maintaining your privacy policy
A privacy policy is not write-once-and-forget. Every time your business changes how it handles data—adding a new tool, stopping use of an old one, changing your data retention period—your policy needs to reflect that. Quarterly updates are overkill for most small businesses, but annual reviews are realistic.
Common slip-ups in auto-generated policies:
- Claiming features you don't have. A template might say "we comply with CCPA" when your US revenue is £500K and CCPA doesn't apply to you. Delete it. Claiming compliance you don't actually meet is worse than being silent.
- Listing integrations you don't use. If your policy mentions Google Analytics but you've switched to Plausible, update it. Data processors that aren't actually involved confuse readers and create liability.
- Vague deletion timelines. "We delete data when no longer needed" is weak. Say "contact form data is deleted after six months unless the lead converts to a paying customer, in which case we keep it for seven years for tax purposes."
- No mention of third parties. If Stripe, Mailchimp, or Calendly touches customer data on your behalf, they're data processors—list them and link to their privacy policies.
To audit your own policy: open it alongside your actual website. Walk through a contact form submission; check your email retention; log in to your analytics tool and see what it tracks; look at your integrations list. Update the policy to match reality, not aspiration.
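The retention schedule described above (six months for enquiries unless the lead converts, seven years for payment records, 26 months for analytics, newsletter data until unsubscribe) is only credible if something actually enforces it. The check below is an added example, not code from the article; it assumes you can export an inventory of stored items with a category, a collection date and a couple of flags, and the sample records are constructed to stand in for that export.

```python
from datetime import date, timedelta

# Retention periods as stated in the policy. These must match real practice;
# the article's timelines are used here, adjust them to your own.
RETENTION = {
    "contact_form": timedelta(days=183),        # six months
    "payment_record": timedelta(days=7 * 365),  # seven years (UK tax law)
    "analytics": timedelta(days=791),           # 26 months
}

# Constructed sample inventory (not real data): one row per stored item.
SAMPLE_RECORDS = [
    {"id": "c1", "category": "contact_form", "collected": date(2023, 1, 10)},
    {"id": "c2", "category": "contact_form", "collected": date(2023, 1, 10), "converted": True},
    {"id": "c3", "category": "contact_form", "collected": date(2024, 1, 15)},
    {"id": "p1", "category": "payment_record", "collected": date(2016, 6, 1)},
    {"id": "p2", "category": "payment_record", "collected": date(2020, 6, 1)},
    {"id": "a1", "category": "analytics", "collected": date(2021, 12, 1)},
    {"id": "n1", "category": "newsletter", "collected": date(2019, 5, 5), "subscribed": True},
    {"id": "n2", "category": "newsletter", "collected": date(2019, 5, 5), "subscribed": False},
]

# Constructed audit date so the run is reproducible; use date.today() in practice.
AUDIT_DATE = date(2024, 3, 1)

def retention_period(record):
    """Return how long this record may be kept, or None for 'while subscribed'."""
    cat = record["category"]
    if cat == "newsletter":
        # Kept only while actively subscribed: no fixed period, delete on unsubscribe.
        return None if record.get("subscribed", False) else timedelta(0)
    if cat == "contact_form" and record.get("converted", False):
        # Lead became a paying customer: the enquiry is now part of a customer
        # record and follows the seven-year tax retention period instead.
        return RETENTION["payment_record"]
    return RETENTION[cat]

def due_for_deletion(records, today):
    """IDs of records whose stated retention period has expired as of `today`."""
    due = []
    for record in records:
        period = retention_period(record)
        if period is not None and record["collected"] + period <= today:
            due.append(record["id"])
    return due

if __name__ == "__main__":
    for rid in due_for_deletion(SAMPLE_RECORDS, AUDIT_DATE):
        print("delete:", rid)
```

Run it against a real export on a schedule and the list it prints is your evidence that the policy's retention section describes practice rather than aspiration.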
Building data handling into your website from the start
If you're building or redesigning your small business website, this is the time to think about data flows. When you start a new project, consider these questions upfront: Do you need website analytics? (Plausible or Fathom are GDPR-friendlier than Google Analytics because they don't require consent.) Are you collecting names for a newsletter, and which provider? Do you need a contact form, or will email alone do?
Each integration—Stripe, Mailchimp, Calendly, Typeform—adds a data processor to your privacy policy. The more you list, the more you're legally responsible for monitoring. A simpler site with fewer integrations means a simpler privacy policy and fewer compliance obligations to track.
Document your data flows early. Create a simple spreadsheet: what data, where it's stored, how long it stays, who processes it. Use that as your privacy policy outline. It'll take you 30 minutes and save hours of confusion later.
Responding to data requests and breaches
Your privacy policy should state how people can exercise their rights: request a copy of their data, ask you to delete it, or object to how you use it. In practice, this means including your email or contact form on the policy page so someone can ask in writing.
The policy also needs to mention your obligations if there's a data breach. GDPR requires you to notify people without undue delay if their personal data is compromised. That's a separate action from your privacy policy, but your policy should acknowledge it briefly—something like "If we discover a breach involving your personal data, we will notify you by email within 30 days as required by GDPR." That signals you're taking it seriously.
A data breach response plan (what you do the day you find out) is separate from a privacy policy (what you tell people you do). They're linked: a good response plan makes your privacy policy credible, and a clear privacy policy makes your response plan easier because everyone knows the rules.
Your privacy policy is the promise; your data practices are the proof. Keep them aligned, update both when your business changes, and you'll be compliant without overthinking it.
Frequently asked questions
Do I actually need a privacy policy for my small business website?
Yes, a privacy policy is legally required if your small business website collects any personal data under GDPR. This includes names, emails, phone numbers, payment details, or analytics cookies from any visitor. The only exemption is collecting zero data whatsoever, which is virtually impossible.
- GDPR applies to all UK businesses collecting personal data
- EU customers trigger GDPR compliance regardless of your location
- CCPA only applies if you hit specific revenue or data-processing thresholds
- Contact forms, newsletters, and analytics all require a privacy policy
What six things must I include in a privacy policy for a small business?
A privacy policy for small business must answer: what data you collect, why you collect it, who accesses it, how long you keep it, where it's stored, and what rights people have. These six elements form the complete legal structure required by GDPR.
- Specify each data type: contact forms, email signups, payments, analytics
- State the legal basis for collection: consent, contract, or legitimate interest
- Define exact retention periods: six months for enquiries, seven years for tax records
- Explain third-party processors like Stripe or Google Analytics
- Include data subject rights: access, deletion, portability requests
Why shouldn't I just use a generic privacy policy template?
Generic templates don't match your actual business operations, creating legal gaps and user confusion. A privacy policy for small business must be specific to your data practices or it loses legal credibility.
- Templates use vague phrases like 'as long as necessary' instead of exact timelines
- They claim encryption standards without specifying your actual setup
- They list data categories you don't collect, confusing visitors
- They don't align with your specific third-party tools or payment processors
- Regulators view mismatched policies as negligent or intentionally misleading
How long should my privacy policy say I keep customer data?
Data retention timelines in your privacy policy for small business should match your actual practice: contact enquiries six months, newsletter subscribers until unsubscribe, payments seven years, analytics 26 months. Never claim shorter retention than you actually practice.
- Contact form data: delete after six months if no conversion
- Email subscribers: retain only while actively subscribed
- Payment records: keep seven years for UK tax law compliance
- Analytics: delete after 26 months per Google's defaults
- Define deletion method: permanent removal or anonymization
What legal basis do I use for collecting data on contact forms?
Contact form submissions fall under either contract (you're fulfilling a service request) or legitimate interest (you need their details to respond). Both are valid legal bases under GDPR for a privacy policy.
- Contract basis: if they're enquiring to hire you or make a purchase
- Legitimate interest: if you're responding to support or information requests
- Always state which basis applies to which form type
- Ensure your form disclosure matches your stated basis
- Document your legitimate interest assessment in writing
Should my privacy policy mention third-party tools like Stripe or Google Analytics?
Yes, your privacy policy for small business must name third-party processors like Stripe, PayPal, and Google Analytics. You're legally responsible for declaring who else can access customer data.
- List Stripe as your payment processor; explain PCI compliance handling
- Disclose Google Analytics for traffic tracking and IP collection
- Name email platforms like Mailchimp if you use autoresponders
- Link to their privacy policies so users can see full terms
- Clarify you don't store payment data; the processor does