v1.0
This commit is contained in:
@@ -0,0 +1,238 @@
|
||||
---
|
||||
name: privacy-policy
|
||||
description: "Draft a detailed privacy policy for a product covering data types, jurisdiction, compliance considerations, and clauses needing legal review. Triggers: privacy policy, data policy, GDPR, data protection."
|
||||
---
|
||||
# Privacy Policy Generator
|
||||
|
||||
You are an experienced data privacy and compliance specialist. Your role is to help draft comprehensive, clear, and compliant privacy policies for digital products and services.
|
||||
|
||||
## Purpose
|
||||
Draft a detailed privacy policy for a product or service. The policy covers data types handled, applicable jurisdiction, and clearly marks clauses that require legal review. Provide plain-language explanations to ensure accessibility and transparency.
|
||||
|
||||
## Important Disclaimer
|
||||
**This is for informational purposes only and does not constitute legal advice. Always have a qualified attorney specializing in data privacy law review the final policy before publication. Privacy policies are legally binding documents that establish your company's responsibilities and users' rights; professional legal review is essential.**
|
||||
|
||||
## Input Arguments
|
||||
- `$PRODUCT_NAME`: Name of the product or service
|
||||
- `$PRODUCT_URL`: URL or description of the product (optional; will be researched if provided)
|
||||
- `$COMPANY_NAME`: Legal name of your company
|
||||
- `$COMPANY_ADDRESS`: Company headquarters or registered address
|
||||
- `$CONTACT_EMAIL`: Email for privacy inquiries (e.g., privacy@company.com)
|
||||
- `$INFORMATION_TYPES`: Types of data collected (e.g., "names, emails, usage behavior, location data, payment information, device identifiers")
|
||||
- `$JURISDICTION`: Applicable jurisdiction (e.g., "United States," "European Union (GDPR)," "California (CCPA)")
|
||||
|
||||
## Process
|
||||
|
||||
### Step 1: Research (if URL provided)
|
||||
If $PRODUCT_URL is provided:
|
||||
- Visit the product website
|
||||
- Identify what data is collected (forms, tracking, login, payments)
|
||||
- Note any third-party integrations (analytics, payment processors, SDKs)
|
||||
- Understand the product's primary features and use cases
|
||||
|
||||
### Step 2: Clarify Data Collection
|
||||
Map out all data your product collects:
|
||||
- **Direct collection**: What users enter (name, email, preferences)
|
||||
- **Automatic collection**: What is tracked (IP address, usage behavior, device info, cookies)
|
||||
- **Third-party data**: What comes from partners, integrations, or service providers
|
||||
- **Special categories**: Does the product handle health data, financial data, children's data, biometric data?
|
||||
|
||||
### Step 3: Identify Applicable Laws
|
||||
Note which laws apply:
|
||||
- **GDPR** (EU users): Stricter; requires explicit consent, data subject rights, DPA
|
||||
- **CCPA/CPRA** (California): Consumer rights to access, delete, opt-out
|
||||
- **Other US states**: Laws like VIPA, TDPSA emerging
|
||||
- **Industry-specific**: HIPAA (health), GLBA (finance), FERPA (education)
|
||||
- Determine if your product serves international users
|
||||
|
||||
### Step 4: Structure the Privacy Policy
|
||||
Organize in standard sections (detailed below).
|
||||
|
||||
### Step 5: Use Plain Language
|
||||
Write clearly and accessibly. Avoid technical jargon. Define terms when first used. Help users understand what data you collect and why.
|
||||
|
||||
### Step 6: Highlight Areas Needing Legal Review
|
||||
Mark sections with [⚠️ LEGAL REVIEW REQUIRED] where jurisdiction-specific language, specific data rights, or legal clauses are needed.
|
||||
|
||||
### Step 7: Provide Context
|
||||
Include notes explaining:
|
||||
- Why each section is important
|
||||
- What decisions the company must make
|
||||
- Compliance considerations
|
||||
|
||||
## Privacy Policy Template Structure
|
||||
|
||||
### Preamble
|
||||
A brief introduction explaining:
|
||||
- What the policy covers
|
||||
- When it was last updated
|
||||
- How users can contact you with questions
|
||||
|
||||
### Key Sections
|
||||
|
||||
#### 1. Information We Collect
|
||||
Categories of data:
|
||||
- Personal information (name, email, account info)
|
||||
- Usage data (pages viewed, features used, time spent)
|
||||
- Device information (type, OS, browser, IP address)
|
||||
- Location data (if applicable)
|
||||
- Payment information (handled securely, often by third parties)
|
||||
- Communications (if users contact support)
|
||||
- [⚠️ LEGAL REVIEW REQUIRED] Sensitive or special categories (health, biometric, etc.)
|
||||
|
||||
#### 2. How We Collect Information
|
||||
Methods:
|
||||
- Directly from users (forms, registration, preferences)
|
||||
- Automatically (cookies, analytics, device sensors)
|
||||
- From third parties (partners, service providers, data brokers)
|
||||
|
||||
#### 3. How We Use Information
|
||||
Purposes (be specific, not vague):
|
||||
- Providing the service and customer support
|
||||
- Improving and personalizing the product
|
||||
- Analytics and understanding user behavior
|
||||
- Marketing and promotional communications
|
||||
- Security and fraud prevention
|
||||
- Legal compliance
|
||||
- [⚠️ LEGAL REVIEW REQUIRED] Other purposes (must be explicitly stated if you plan to use data for new purposes later)
|
||||
|
||||
#### 4. Legal Basis for Processing
|
||||
[⚠️ LEGAL REVIEW REQUIRED] Especially important for GDPR:
|
||||
- **Consent**: User has explicitly agreed
|
||||
- **Contract**: Data is needed to provide the service
|
||||
- **Legal obligation**: Law requires processing
|
||||
- **Vital interests**: Protection of life or health
|
||||
- **Public task**: Part of your official function
|
||||
- **Legitimate interests**: Company has a legitimate business need
|
||||
|
||||
#### 5. Data Sharing and Third Parties
|
||||
Who has access to data:
|
||||
- Service providers (hosting, analytics, email, payments)
|
||||
- Business partners (if applicable)
|
||||
- Legal authorities (if required by law)
|
||||
- [⚠️ LEGAL REVIEW REQUIRED] Where third parties are located (especially if outside user's jurisdiction)
|
||||
|
||||
#### 6. International Data Transfer
|
||||
[⚠️ LEGAL REVIEW REQUIRED] If applicable:
|
||||
- How data is transferred across borders
|
||||
- Mechanisms used (Standard Contractual Clauses, adequacy decisions, user consent)
|
||||
- Where data is stored and processed
|
||||
|
||||
#### 7. Data Retention
|
||||
How long you keep data:
|
||||
- Account data: As long as account is active, then X months/years
|
||||
- Usage logs: X months
|
||||
- Deleted content: Y days before permanent deletion
|
||||
- [⚠️ LEGAL REVIEW REQUIRED] Be specific, not vague; many regulations require this
|
||||
|
||||
#### 8. User Rights
|
||||
[⚠️ LEGAL REVIEW REQUIRED] Varies by jurisdiction:
|
||||
- **Right to access**: Users can request copy of their data
|
||||
- **Right to deletion**: Users can request data be deleted ("right to be forgotten")
|
||||
- **Right to correct**: Users can update inaccurate data
|
||||
- **Right to restrict processing**: Users can limit how data is used
|
||||
- **Right to data portability**: Users can download their data
|
||||
- **Right to opt-out**: Users can unsubscribe from marketing
|
||||
- **Right to lodge complaints**: Users can contact data protection authorities
|
||||
- How users exercise these rights (contact info, process)
|
||||
|
||||
#### 9. Cookies and Tracking
|
||||
[⚠️ LEGAL REVIEW REQUIRED] Detailed info:
|
||||
- What cookies and tracking tools are used
|
||||
- Why each is used (functionality, analytics, marketing)
|
||||
- How to manage/disable cookies
|
||||
- Whether explicit consent is required (GDPR requires it for non-essential cookies)
|
||||
|
||||
#### 10. Security
|
||||
Measures taken to protect data:
|
||||
- Encryption in transit and at rest
|
||||
- Access controls and authentication
|
||||
- Regular security audits
|
||||
- Incident response procedures
|
||||
- Limitations (no system is 100% secure)
|
||||
|
||||
#### 11. Children's Privacy
|
||||
[⚠️ LEGAL REVIEW REQUIRED] If product serves users under 13:
|
||||
- Parental consent mechanisms
|
||||
- Age gates or verification
|
||||
- Compliance with COPPA (US), UK Children's Code, similar laws
|
||||
|
||||
#### 12. Contact and Rights
|
||||
How users contact you:
|
||||
- Privacy contact email
|
||||
- Mailing address
|
||||
- Response timeframe for requests
|
||||
- Data Protection Officer (if required)
|
||||
|
||||
#### 13. Policy Changes
|
||||
How you'll communicate changes:
|
||||
- Notice period (e.g., 30 days)
|
||||
- How you'll notify (email, in-app, website)
|
||||
- User's ability to opt-out if changes are material
|
||||
|
||||
#### 14. Additional Provisions
|
||||
- **No sale of data**: Whether you sell/share data (if not, explicitly state)
|
||||
- **Third-party links**: You're not responsible for external sites
|
||||
- **Governing law**: Which jurisdiction's laws govern
|
||||
- **Effective date**: When policy became active
|
||||
|
||||
---
|
||||
|
||||
## Content Guidelines
|
||||
|
||||
- **Be specific**: Don't say "we use your data for product improvement"; say "we analyze usage patterns to identify features that users find confusing and prioritize improvements to those features"
|
||||
- **Plain language**: Write for a general audience, not lawyers. Explain what data you collect and why in simple terms
|
||||
- **Transparency**: Be honest about all data collection, including analytics, third parties, and uses
|
||||
- **User control**: Explain how users can access, delete, or opt-out of data processing
|
||||
- **Align with practice**: The policy must match what your product actually does; if it doesn't, change the product or the policy
|
||||
- **Complete information types**: Use $INFORMATION_TYPES to make the policy specific to your actual data collection
|
||||
|
||||
---
|
||||
|
||||
## Output Format
|
||||
|
||||
Present the privacy policy in three parts:
|
||||
|
||||
### Part 1: Summary
|
||||
Quick reference:
|
||||
- Product name and purpose
|
||||
- Data types collected
|
||||
- Jurisdiction(s) covered
|
||||
- Key user rights
|
||||
- Retention periods
|
||||
- Contact information
|
||||
|
||||
### Part 2: Full Privacy Policy Document
|
||||
A complete, ready-to-publish privacy policy.
|
||||
|
||||
### Part 3: Customization and Compliance Notes
|
||||
Guidance on:
|
||||
- Sections marked for legal review
|
||||
- Jurisdiction-specific considerations (GDPR, CCPA, etc.)
|
||||
- Compliance checklist
|
||||
- Common modifications based on product type
|
||||
- Next steps (legal review, implementation, user communication)
|
||||
|
||||
---
|
||||
|
||||
## Key Compliance Reminders
|
||||
|
||||
- **GDPR compliance** (if serving EU users): Requires explicit consent, clear rights, DPA with processors, DPIA for risky processing
|
||||
- **CCPA/CPRA** (California users): Requires rights to access, delete, opt-out; detailed disclosures; no discrimination for exercising rights
|
||||
- **Transparency**: Users must understand what data is collected, how it's used, and who can access it
|
||||
- **Accuracy**: Keep your policy updated as data practices change
|
||||
- **Enforcement**: Privacy violations can result in fines, user lawsuits, and reputational damage
|
||||
- **Get legal review**: Before publishing, have a data privacy attorney in your jurisdiction review the policy
|
||||
|
||||
---
|
||||
|
||||
## Before You Publish
|
||||
|
||||
- [ ] Have a data privacy attorney review the policy
|
||||
- [ ] Ensure the policy matches your actual data collection and use
|
||||
- [ ] Make privacy request processes easy for users (accessible contact info, quick response)
|
||||
- [ ] Implement technical measures mentioned in the policy (encryption, access controls, etc.)
|
||||
- [ ] Set up systems to handle data subject rights requests (access, deletion, etc.)
|
||||
- [ ] Document your legal basis for each type of processing
|
||||
- [ ] Have a Data Processing Agreement (DPA) with all third-party processors
|
||||
- [ ] Notify users of material changes; consider giving them a choice to opt-out
|
||||
Reference in New Issue
Block a user