Basic Privacy Policy Template for GDPR


Jul 29, 2016
Below is a basic privacy policy template to help you to get started in complying with the GDPR. I believe that it covers all of the basics, but if anyone finds something lacking please post a copy of what you believe should be added. This template is directed at forum owners - other website types may benefit from it or may need some adjustments.

This privacy policy sets out how we use and protect any information that you provide, whilst using {insert website name} website.

We are committed to ensuring that your privacy is protected. Any information provided by you to us, by which you can be identified, will only be used in accordance with this privacy policy.

We may change this policy as and when necessary. It is your responsibility to check this privacy policy periodically to ensure you agree with any changes; you will be notified on your next login to the website whenever changes are made.

What information we collect:

When using our services, we may require some of the following information:

  • Email address
  • Internet Protocol (IP) address
  • Geographical location
  • Length of visit, page views, website navigation and any other related browsing activity

What we do with the information we collect:

The information you provide to us is required for, but not limited to, the following reasons:

  • Internal record keeping
  • Access to {insert website name} website
  • Account management
  • Sending notices of relevant communications

We are committed to ensuring that any information you provide to us is secure. To prevent unauthorised access or disclosure, we have put in place safeguards to secure the information we collect.

{Use the below paragraph if this option is available, otherwise delete}

You have the option to activate ‘two-factor authentication’ in your account settings. This is a recommended step to take after registering; however, we reserve the right to make this mandatory at any future date. To use this additional security setting you will need access to a smart mobile phone and download the Google Authenticator App or other authentication applications that are supported.

How we use cookies and IP addresses:

We use small text files, called cookies, to store information in your web browser. The information stored may include preferences, session identification, HTTP information, and IP address.

You can set your browser to not receive cookies, but this may degrade your ability to use {insert website name} website.

The Cookies we use are as follows:

{add your cookie information here – below is an example of what you CAN use if required}

Session Cookies – we use these when you enter our website and they remain in place whilst you are using our website. A session cookie is stored in temporary memory and is not normally retained after the browser is closed. Session cookies do not collect information from a user’s computer.

User Cookies – these remember your choices when using our website such as login details, what you have viewed and other actions that you perform whilst visiting our website. These cookies are retained after you close your web browser.

Third Party Cookies – generally these are cookies deposited by other websites which may or may not be affiliated with {insert website name} website. These may be tracking, or analytical cookies related to: {name the services that you use that may drop these cookies – an example would be Google for YT videos}

IP addresses of computers used to visit {insert website name} website are stored in our database. This includes when first registering for an account, managing your account details, writing a private or public message or performing any other transaction which results in data being transferred to or from your computer and the website in question.

Your IP address is not visible to the public at any time.

Links to other websites:

The {insert website name} website may contain links to other websites. These websites may or may not be affiliated with {insert website name} website.

We have no control over any external websites; therefore, clicking any link which results in you visiting an external website will result in this privacy policy no longer applying, and we cannot be held responsible for the protection and privacy of any information which you provide whilst visiting such sites.

Controlling your personal information:

When using {name of website}, you may choose to limit public viewing of applicable personal information through the settings located in your personal account.

We will not sell, distribute or lease your personal information to third parties unless we have your explicit permission or are required by law to do so. We may use your personal information to send you site information or other information pertaining to your account. You can adjust what types of communication you prefer to receive in your account settings.

You may request a copy of any information that we hold on you that could potentially identify you as an individual. You may also request that we delete all information that we hold on you should you wish to close your account and no longer be a member of {insert website address}.

If you discover any of the information that we hold for you is incorrect or incomplete, that you are unable to change yourself, please contact us as soon as possible so the necessary changes can be made. A contact link is available at the bottom of every page on this site and you can also Personal Message an administrator using the site's internal messaging system.

I hope this helps those who are pulling their hair out trying to comply with this new regulation.



Apr 27, 2010
Two quick things I see are missing here:

  • There's no policy statement. It goes around the houses a few times and implies much but nothing here explicitly says "It is our policy that ....." Really, that's the point of the document.
  • There's no definition of terms. That's important so everyone understands what you're talking about. How does your site define "Personal information"? What does two-step verification mean?
  • A policy document should include a revision history, so it's easy to track changes and when they were made. That can be done in a separate document but it should exist in the event of a dispute.


Jul 29, 2016
The statement is the first two paragraphs, you are telling people that this is your Privacy Policy and what it covers; what else would you like to see?

This privacy policy sets out how we use and protect any information that you provide, whilst using {insert website name} website.

We are committed to ensuring that your privacy is protected. Any information provided by you to us, by which you can be identified, will only be used in accordance with this privacy policy.

We may change this policy as and when necessary. It is your responsibility to check this privacy policy periodically to ensure you agree with any changes; you will be notified on your next login to the website whenever changes are made.

You don't really need a definition of terms unless you are including a lot of terms that could easily be misconstrued - it's an option that you can put in if you want. Remember it has to be in clear and easily understandable language; definitions of terms can often be confusing to people, but you can add them if you wish.

As for a revision history that's an internal matter for you - the only Privacy Policy that matters is the one in effect and has been agreed to. Remember you have to notify your members that your Privacy Policy has changed and that they agree to it; once they do any past revisions are no longer in force.

As I said at the beginning this is a 'basic' privacy policy template - you can change whatever you wish and add whatever you wish; it's a starting point.



Nov 3, 2013
This is what I've written up. Not sure it's perfect but it's what I came up with. Any comments or critique would be appreciated.

Privacy On XXXX
xxxxx is a hobby site without any gainful interest in the course of its own exclusively personal activity. xxxx does not offer goods or services, nor does it advertise or have any revenue. As a forum where anonymity is the norm, you should not share any information that will identify you personally. The site does not monitor the behavior of its users, track individuals' online activity for purposes of creating profiles, or to take decisions concerning members or for analyzing or predicting personal preferences, behaviors and attitudes.

Routine Information Collected from All Visitors
All web servers track basic information about their visitors and our site is no exception. This information includes things like IP addresses, browser details, timestamps and referring pages. The information is tracked for routine site administration and maintenance purposes, and lets us know which pages and information are useful and helpful to visitors. We also use website analytics tools to retrieve information from your browser, including the site you came from, the search engine(s) and the keywords you used to find our site, the pages you view within our site, your browser add-ons, and your browser's width and height. This information is used to assess and improve the effectiveness of our site.

Information Collected from Members
When you make an account on xxxx, we ask for your email address, which is used to provide you with periodic updates on forum activities and automated notifications, such as email updates for new threads posted in a sub-forum, or an incoming private message. Site moderators and administrators may also contact you via this email address. You are encouraged to keep your identity a secret. To use this forum, you must use an email account that does not allow your "real life" identity to be determined. We also ask for your age, which is used to determine access to age-restricted subforums. You may provide other information as part of your member profile, such as your ZIP code/location, preferences, occupation, and interests, but this is strictly voluntary.

Members may choose to take personality tests that are linked from the site home page or at other places on the forum. The significant majority of those tests are hosted on other websites that xxxx has no relationship with. We take no responsibility for those tests, those sites or information you enter into them. We do have two tests that are hosted by xxxx - the Free yyyyy Test and the zzzz Social Media Test. Your individual results are placed in a file in a public directory accessible to anyone who visits the site. Results from these tests are also stored in a database and the information in that database may be used for various purposes such as to help people determine their personality type or to facilitate improvements to these and other tests. The information may be analyzed in various ways to support studies on personality type, preferences, testing methods and the like. The results are not tied to your member name, userID or email address though if you post your results on the forum, that connection is established. At no time will this information be used to target individuals for marketing campaigns or other purposes, nor will it be resold for such purposes.

We collect personal information from those applying for the xxxx Scholarship, the details of which vary from year to year and are listed on the Scholarship application page. This information is used as input to select the scholarship winners and is used for no other purpose. Information provided by Scholarship applicants is deleted within sixty days of the scholarship winners being announced. Essays are published on the forum and through social media and are not considered personal information.

xxxx uses only standard vBulletin cookies. No advertising is allowed on the forum, so you won’t run into any cookies from advertisers. You need not use cookies to use the forum, but doing so will improve your experience here. We use cookies to enable functions like showing whether a subforum you are viewing has new posts since your last visit, or to log you back in automatically when you return to the site if you have chosen this option when registering. If you are using a public computer, such as in a library, school or internet cafe, or if you have reason not to trust others who share your computer, it is best not to enable automatic login. After registering, you may change your cookie options at any time by editing the settings in your browser. If you have privacy concerns about cookies, you can disable cookies entirely through your browser, or disable or enable cookies on a per-site basis. Consult your browser documentation for instructions on how to block cookies and other tracking mechanisms.

Sharing With Third Parties
Vendors provide services to support the operation of this site, including hosting services, programming services and other related technical support services and given their role, they will have access at various times to information on the site. Additionally, we may access or disclose information including the content of your posts and messages, for the following reasons: (a) to comply with the law; (b) to protect the rights or property of other forum members; or (c) to protect the personal safety of our members or the public.

What You Post or Share
This site is structured with the intent of members on the forum preserving anonymity while interacting here. On the other hand, members may choose to become Facebook friends, exchange personal emails, or even meet in person at meet-ups, foregoing that privacy. Should you engage in such activity, privacy is your responsibility. Ultimately it is up to you to decide how much personal information to disclose, and to protect information you wish to remain private. The vast majority of information you share on the forum is accessible to anyone on the public Internet, so anyone can view what you post. Other areas are restricted to members, or more specifically to members over a certain age or post count. Keep this in mind as you choose what to post and where. Information that you post in publicly accessible forums may be reposted or accessed via links that are shared on sites outside of xxxx, such as blogs, Twitter and other websites. If you wish to protect your identity, you need to be cautious about whom you connect with on social networking sites such as Facebook. Do not externally share or reblog information posted in private members only sections of the forum as information in those areas is intended for members only. You should never share private information about others. Since this forum is intended for public sharing of information and encourages you to remain anonymous, privacy is largely your personal responsibility. Any requests related to individual rights or complaints related to privacy should be sent to

Information Retention
Information mentioned above is retained to support the continuity of the platform operations and not deleted.

General Suggestions On Protecting Your Information Online
  • Be careful what personal information you share online, especially on social networking sites like Facebook and Twitter, forums like this one, and even in email.
  • Create a separate email account for registering on social networking sites and other online spaces. Don't connect it with your real name or identity.
  • Don't feel obligated to fill out fields that are not required when registering online or provide identifying information.
  • In your online user profile or forum avatar, use a photo that doesn’t identify you or your location, so you can’t be recognized.
  • Choose a username unrelated to your real name, usual nickname, or other identifying information, ideally one that is gender and age neutral.
  • Websites such as Facebook change their privacy policy all the time, so check your privacy settings periodically to make sure you are sharing only the information you want to share, with only those people you trust and not the general public online.
  • Do an Internet search of your name periodically to see where you appear online. If you find unauthorized information about yourself, contact the website admin to request its removal.


Dec 18, 2009
Looks good! I have something similar. My original Terms of Use (TOU) & Privacy Policy (PP) were reviewed by an attorney & I was able to make some simple changes to them to account for GDPR using the EU resource page. Here's my TOU & PP.