Your Privacy Policy Is a Copy-Paste Disaster

Most startups have a privacy policy. Almost none of those policies actually reflect what the product or service does.


I've reviewed hundreds of privacy policies. Heck, it might be thousands at this point.


You can guess how it typically goes: 


Founder Googles "free privacy policy generator," plugs in their company name, pastes the result onto a page labelled “Privacy Policy,” and calls it a day. (The policy says the business collects "name, email, and usage data." In reality, the product is ingesting behavioral analytics every second, syncing with a CRM, passing data to 10 third-party APIs, and training a model on user activity.)


Folks: that's not a privacy policy. That's a massive liability. 


Here's what your policy actually needs to cover:


What specific data you collect. "Usage data" means nothing. If you collect IP addresses, device identifiers, session recordings, or payment information, say so. Vague language doesn't protect you; it's a sign to regulators and enterprise buyers that you haven't thought this through.


Why you’re collecting it. Every data category needs a stated purpose. You collect email addresses to send transactional notifications. You collect behavioral data to improve the product. Linking data to purpose is the foundation of every major privacy framework.


With whom you share it. Your customers have a right to know their data is going to Stripe, Google, Plaid, or whichever vendors you use. "We may share data with third-party service providers" is technically true and completely useless. Naming the categories is statutorily required, with a handful of limited exceptions involving protected interests like trade secrets. Best practice? Publish an up-to-date subprocessor list.


How long you’ll keep it. This one almost nobody includes. If you don't have a retention policy, you're creating risk both legally and operationally. "We retain data for as long as your account is active, plus 90 days" is a reasonable starting point.


How users can exercise their data subject rights. Even if you think CPRA doesn't apply, your state has an analogous law or your next enterprise customer will ask. Even if you have no EU users today, you likely will someday as your business grows in the coming years. Build the deletion and access request process now, before you need to prove it exists.


Lesson: A privacy policy isn't a one-and-done formality. It's a living document that you’ll need to revise regularly to reflect reality. A template won’t work. Period.


Your action item this week: Review your current privacy policy and your actual list of third-party vendors/integrations side by side. If they don't match, that's a gap worth fixing (and worth discussing with an attorney before your next enterprise procurement process).



Copyright © 2026 Data Steward PLLC. All rights reserved.