Privacy policy
IN PLAIN ENGLISH

A list of the personal data the company gathers, typically divided into categories: information you provide directly (name, email, payment info), information collected automatically (IP address, device type, browser, location, cookies), and information from third parties (social login data, data brokers, advertising partners). The more detailed this section, the more transparent the company is being. Vague language like "information necessary to provide our services" is a red flag.

A description of how the company uses cookies, pixels, SDKs, and other tracking tools. First-party cookies are set by the site you're visiting; third-party cookies are set by advertising and analytics partners. Many privacy policies link to a separate cookie policy with more detail, and may offer a cookie consent banner (required in the EU and some US states).

The purposes for which your data is collected: to provide the service, personalize your experience, send marketing emails, run analytics, improve the product, comply with legal obligations, and — often buried — to show you targeted advertising. Look for language about "sharing" data for advertising purposes, which is how most free services make money.

Who the company shares your data with: service providers (who process data on their behalf), advertising partners, analytics companies, affiliates, law enforcement (when required), and in connection with a merger or sale. "We don't sell your data" is common language, but it often coexists with sharing data for advertising, which accomplishes the same thing through a different mechanism.

A note that the privacy policy doesn't apply to third-party websites or apps you access through the service. If you click a link or use a social login, the third party's privacy policy governs. This is a liability limitation, not a protection.

How long the company keeps your data. Some policies specify retention periods (e.g., "we retain account data for 3 years after you close your account"); others say they retain data "as long as necessary" for their purposes. Indefinite retention is common and means your data may never be deleted.

A general statement about security measures — encryption, access controls, audits — without specific commitments. Most privacy policies disclaim liability for breaches: "No system is 100% secure" is standard language. Look for whether the company commits to notifying you of a breach.

A description of what you can do: access your data, correct inaccuracies, delete your account, opt out of marketing emails, manage cookie preferences. If you're in California (CCPA), the EU (GDPR), or certain other jurisdictions, you have statutory rights — the right to know what data is collected, the right to delete, the right to opt out of "sale" or "sharing" of data. The policy should explain how to exercise these rights.

A statement about whether the service is intended for children under 13 (usually not) and what happens if the company learns a child has signed up. COPPA in the US and similar laws elsewhere require parental consent for collecting children's data. If the service is designed for kids, there should be detailed COPPA compliance language.

A disclosure that your data may be transferred to and processed in countries other than your own, and a description of the legal mechanisms used (Standard Contractual Clauses, the EU-US Data Privacy Framework, etc.). This matters if you're in the EU or another jurisdiction with restrictions on cross-border data transfers.

How the company will notify you of changes. Common language is "we'll post the updated policy and change the 'last updated' date" — in other words, no active notice. Better policies commit to emailing you or obtaining consent for material changes. Continued use after a change typically counts as acceptance.

How to reach the company with privacy questions or requests. Look for a dedicated privacy contact or data protection officer (DPO), especially if you're in the EU. Companies subject to GDPR are required to appoint a DPO.

If the company does business in California, there may be a separate section describing rights under the California Consumer Privacy Act and its successor, the California Privacy Rights Act: the right to know, delete, correct, and opt out; the categories of information collected and sold; and how to submit a request. Similar disclosures may exist for Virginia, Colorado, Connecticut, and other states with privacy laws.

For EU users, a section explaining the legal bases for processing (consent, contract, legitimate interest), additional rights (data portability, objection, restriction), and how to file a complaint with a supervisory authority.