
Privacy Policy Generator

Most privacy policy generators produce a wall of generic text that over-discloses (listing practices the business doesn't use) or under-discloses (missing what actually creates risk). The Privacy Policy Generator maps your real data practices first, then writes a policy that matches them — accurate to the business, compliant with the right jurisdictions, readable by humans.

What this skill does

A privacy policy that doesn't match the business's real data practices is worse than not having one — it's a liability. Over-disclosure creates commitments you can't keep. Under-disclosure creates the gap that becomes the ICO complaint. This skill maps what the business actually does with data first, then writes the policy from that map, so every section corresponds to a real practice rather than a hypothetical one.

The audit covers nine data categories (identity, account, payment, usage, device, location, cookies, user-generated, third-party-sourced), how each is collected (directly, automatically, from third parties), why each is collected (mapped to a GDPR lawful basis), who it's shared with (named processors and partners, not "third parties"), how long it's kept (with retention criteria where periods are variable), and where it's stored (with international transfer flagged where data crosses borders).

Jurisdiction analysis is layered, not exclusive. UK GDPR + PECR, EU GDPR, CCPA/CPRA, PIPEDA, COPPA for under-13 users in the US, and FTC enforcement under Section 5 for deceptive practices all apply where they apply — the policy needs to satisfy all of them rather than picking one. When in doubt, the skill includes the jurisdiction; the cost of over-compliance is low and the cost of under-compliance is the fine.

Every policy follows the same twelve-section structure (who we are, what we collect, why, how we use it, who we share with, international transfers, retention, your rights, cookies and tracking, children's privacy, changes to the policy, contact). Plain language is enforced — GDPR requires it, and an 8th-grade reading level is the target for the main text. Each section gets a plain-English summary box at the top with the detail below, because most users only read the summary. Cookies are listed specifically — not a copy-pasted list of every cookie any site might use, only the ones actually present.

Mobile apps get extra sections: device permissions and the reason for each, App Tracking Transparency / Data Safety alignment, SDK data collection disclosure, push notification handling, offline sync behaviour. B2B SaaS gets the explicit two-policy split — the website privacy policy (you as controller for visitors and leads) and a separate Data Processing Statement (you as processor for client data inside the product). Merging them confuses customers and creates compliance gaps.

This produces a drafted policy, not legal advice. Privacy regulation is enforced — by the ICO, the EU data protection authorities, the California Attorney General, the FTC — and a policy that doesn't match your real practices is the kind of detail that gets cited in enforcement actions. Have a qualified privacy lawyer or DPO review the draft and the underlying data map before publishing. The skill is a starting point for professional review, not a substitute for one.

When this triggers

  • You're launching a website or app that collects user data and need a policy that fits
  • Your existing policy was copied from another site and you're not sure how much of it is true for you
  • You operate in the UK or EU and need GDPR-aligned wording with cookie consent that actually holds up
  • You serve California users and need CCPA/CPRA rights and the 'Do Not Sell My Personal Information' link handled
  • You're a B2B SaaS and you've realised your website policy and your data-processor statement should not be the same document

Example

Trigger

User: 'B2B SaaS, UK-registered, customers in UK/EU/US. Stripe for payments, AWS for hosting, Mixpanel for analytics, Intercom for support, Mailchimp for marketing emails. We also process client data on their behalf in the app.'

Output

Jurisdiction Analysis

  • UK GDPR + PECR (you're UK-registered, ICO is supervisory authority)
  • EU GDPR (EU customers — full applicability)
  • CCPA/CPRA (California customers — disclosure + rights apply)
  • PECR for cookies (UK) and ePrivacy for EU cookies

Data Map Summary

| Data type | Purpose | Lawful basis | Retention |
|---|---|---|---|
| Account email/name | Service delivery | Contract | Life of account + 6 years |
| Stripe payment data | Billing | Contract | Stripe holds; we see last-4 only |
| Mixpanel events | Product analytics | Legitimate interest | 24 months |
| Mailchimp mailing list | Marketing | Consent | Until withdrawn |
| Intercom support chats | Support | Legitimate interest | 36 months |

The Privacy Policy — 12 sections, plain language, layered with summary boxes at the top of each section. Specific third parties named. International transfer disclosed (UK→US via SCCs + adequacy where available).

Implementation Notes

  • Cookie consent banner needed BEFORE non-essential cookies fire
  • SAR handling process — 1-month response window
  • Two policies needed: this one (website + you-as-controller), plus a separate Data Processing Statement for client data you process in-app. Do NOT merge them.
  • Date and version-number the policy. Keep previous versions.

Get this skill + 6 more

Included in The Freelancer Stack — win clients, deliver work, get paid. Save $100+ vs buying individually.

Get The Freelancer Stack — $99

What you get

  • 173-line SKILL.md, ready to drop into ~/.claude/skills/
  • Tested through 3 Karpathy-loop iterations (versions v1.0.0 → v1.3.0)
  • Triggers automatically when relevant — no command to remember
  • Lifetime updates as the skill is refined further
