Privacy Policy
GDPR + UK GDPR + CCPA + state-level US laws + sector overlays (HIPAA / COPPA / GLBA / FCRA).
Last updated May 8, 2026
The privacy policy generator covers GDPR (EU + UK), CCPA/CPRA (California), VCDPA, CPA, CTDPA, TDPSA, Quebec Law 25, and the Australian Privacy Act, with optional sector-specific overlays for HIPAA, COPPA, GLBA, and FCRA when the scanner sees fields that imply they apply.
Sections produced
- Effective date — auto-set to the publish date.
- Controller details — pulled from your tenant facts (legal entity, contact email, optional DPO and EU/UK representative).
- Information collected — one block per data category, with examples, sources, purposes, retention period, retention rationale, and a concrete deletion mechanism (in-product setting, support email, etc.).
- Legal bases — mapped to GDPR Article 6(1)(a)–(f).
- Sensitive personal information — explicit Art. 9 / CPRA disclosure.
- Automated decision-making — Art. 22 disclosure with safeguards.
- Marketing preferences — unsubscribe channels and GPC.
- Data portability — format (JSON/CSV) and SLA.
- Personal-data breach notification — explicit customer-notification SLA.
- Disclosures — to subprocessors and (if applicable) to the subprocessors' own subprocessors.
- International transfers — with SCC language when transfers cross EEA borders.
- Jurisdiction-specific addenda — EU GDPR, UK GDPR, California CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA. Each addendum lists the rights and the contact channel residents of that jurisdiction should use.
- Sector overlays (when applicable) — HIPAA (PHI fields detected), COPPA (children-directed product), GLBA (financial institution), FCRA (consumer-credit decisions).
Special-category data
If the scanner flags a special-category field flowing into your application (e.g. patient_id, diagnosis, biometric_*), the generator inserts an explicit Article 9 disclosure with the appropriate legal basis (typically Art. 9(2)(a) — explicit consent — or Art. 9(2)(h) for healthcare contexts).
If a special-category field is detected and you have not declared a healthcare or workplace context, Attestly will surface a blocking review in the dashboard. This is intentional — getting Article 9 wrong is the single most expensive privacy mistake a startup can make.
Customization
The generator reads tenant facts from the onboarding interview:
| Fact | Effect |
|---|---|
| jurisdiction | Which addenda are included. |
| customerTypes (B2B/B2C) | Which rights sections apply. |
| contactEmail | The "contact us" address used throughout the doc. |
Anything not provided falls back to "Customer-defined" rather than guessing — we never invent retention periods or contact addresses.
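The special-category rule above (flag fields such as patient_id, diagnosis or biometric_*, pick the Article 9 basis from the declared context, block when no healthcare or workplace context is declared) and the "Customer-defined" fallback for missing tenant facts, written out as an added illustration that is not Attestly's own code. The pattern list, context names and fact keys are assumptions taken from the examples on this page.

```python
import fnmatch

# Field-name patterns the page gives as examples of special-category data
# (constructed list; the real scanner's pattern set is not on the page).
SPECIAL_CATEGORY_PATTERNS = ("patient_id", "diagnosis", "biometric_*")

# Contexts that, once declared, let an Article 9 disclosure be generated
# without a blocking review (the page names healthcare and workplace).
DECLARED_CONTEXTS = {"healthcare", "workplace"}


def flag_special_category(field_names):
    """Return the field names (schema order kept) that match a special-category pattern."""
    return [
        name for name in field_names
        if any(fnmatch.fnmatch(name.lower(), pat) for pat in SPECIAL_CATEGORY_PATTERNS)
    ]


def article9_basis(context):
    """Article 9(2) basis: (h) for a healthcare context, otherwise explicit consent (a)."""
    return "Art. 9(2)(h)" if context == "healthcare" else "Art. 9(2)(a)"


def review_special_category(field_names, context=None):
    """Decide what the generator should do for a schema.

    Returns the flagged fields, the disclosure basis (None when nothing was
    flagged) and whether a blocking review is required: flagged fields with
    no declared healthcare/workplace context -> block instead of publishing.
    """
    flagged = flag_special_category(field_names)
    if not flagged:
        return {"flagged": [], "basis": None, "blocking_review": False}
    return {
        "flagged": flagged,
        "basis": article9_basis(context),
        "blocking_review": context not in DECLARED_CONTEXTS,
    }


def tenant_fact(facts, key):
    """Read an onboarding fact; a missing or empty value becomes 'Customer-defined', never a guess."""
    value = facts.get(key)
    return value if value else "Customer-defined"


if __name__ == "__main__":
    # Constructed sample schema and tenant facts, not real customer data.
    schema = ["email", "Diagnosis", "biometric_face_hash", "order_total"]
    print(review_special_category(schema, context=None))
    print(tenant_fact({"contactEmail": ""}, "contactEmail"))
```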