- Privacy Policy (or Data Protection / Data Processing Policy)
- Terms and Conditions (Terms of Use / Terms of Service)
To be useful and lawful, these documents must be both compliant with applicable legislation and easy for ordinary users to understand. This article explains, in a practical structure, what privacy policies and terms and conditions for websites and apps should contain, with a focus on GDPR, essential clauses, and transparency, and with links to legislation and official guidance.
1. Legal framework: GDPR, national law and official guidance
1.1. GDPR – the backbone of the privacy policy
The main legal instrument for data protection in the EU is Regulation (EU) 2016/679 – the GDPR. The full text is available in multiple languages via EUR-Lex, and there are also consolidated and annotated versions such as gdpr-info.eu.
Several provisions are particularly important for the content of a privacy policy:
- Article 5 GDPR – Principles relating to processing (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality);
- Article 6 GDPR – Lawfulness of processing (consent, contract, legal obligation, vital interests, public task, legitimate interests);
- Article 12 GDPR – requires controllers to provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language;
- Articles 13 and 14 GDPR – specify in detail what information must be given to data subjects when data is collected directly from them or obtained from other sources;
- Article 24 GDPR – accountability of the controller;
- Articles 25 and 30 GDPR – data protection by design and by default, and records of processing activities.
These provisions are the backbone of the obligation to have a clear, complete and user-friendly privacy policy, tailored to the controller’s actual activities rather than copied from a generic template.
1.2. Data protection authorities and their guidance
Every EU Member State has an independent supervisory authority responsible for monitoring GDPR compliance. Their websites are valuable sources of official guidance, FAQs and examples. The European Data Protection Board (EDPB) maintains the list of supervisory authorities, and national authorities typically publish:
- basic GDPR guides for businesses and organisations
- templates and checklists (including example privacy notices)
- decisions and press releases on enforcement actions related to privacy notices and cookie banners
Even if your business is small, it is worth checking your national authority’s website regularly to see how they interpret key concepts such as transparency, consent and information duties in practice.
1.3. EDPB guidelines – transparency and consent
The European Data Protection Board (EDPB) issues guidelines, recommendations and best practices to clarify how GDPR should be interpreted. The full list is available here: EDPB guidelines.
For privacy policies, two guidelines are particularly relevant:
- “Guidelines on transparency under Regulation 2016/679” (WP260 rev.01), accessible via the European Commission’s site at Guidelines on transparency. They explain in depth how information under Articles 12–14 should be provided: structure, tone, layered format, and how to ensure that people truly understand what is being done with their data.
- “Guidelines 05/2020 on consent under Regulation 2016/679”, available at Guidelines on consent, clarifying what valid consent looks like, how it must be obtained and how withdrawal must work. These guidelines are crucial when your service relies on consent for marketing, profiling or non-essential cookies.
These documents are not optional reading for lawyers only; they provide practical examples that are directly useful for product teams and developers designing user journeys and interfaces.
1.4. ePrivacy, cookies and consumer protection rules
Besides GDPR, several other legal instruments influence the content of your privacy policy and terms and conditions:
- ePrivacy rules – based on the ePrivacy Directive (2002/58/EC) and its national implementations. They regulate cookies and similar technologies and require user consent for non-essential cookies (analytics, advertising etc.), as highlighted in multiple national and EU-level enforcement actions and in guidance from authorities and the EDPB’s statements on ePrivacy.
- Consumer protection and e-commerce law – these rules require clear pre-contractual information, prohibit unfair contract terms and impose transparency obligations regarding prices, withdrawal rights, complaint handling and dispute resolution. The European Commission’s guidance on unfair contract terms and the overview of consumer contracts and e-commerce are useful starting points.
All of these elements must be reflected in the wording and structure of your privacy policy and terms and conditions.
2. Privacy Policy vs Terms and Conditions: different roles, complementary documents
2.1. What the Privacy Policy is for
The Privacy Policy deals specifically with personal data processing. In essence, it should answer, in a structured way, the following questions:
- Who is processing my data (the controller and, where applicable, its representative)?
- What categories of data are collected and from which sources?
- For which purposes and on what legal bases (Article 6 GDPR) is my data used?
- Who receives my data (processors, partners, authorities)?
- How long are my data stored?
- What rights do I have (access, rectification, erasure, restriction, portability, objection)?
- How can I exercise my rights and how can I contact the supervisory authority?
The main goal is to comply with Articles 12–14 GDPR, but in a way that ensures genuine transparency, not just formal compliance.
2.2. What Terms and Conditions are for
Terms and Conditions (T&C) govern the contractual relationship between the service provider and the user. They define how the website or app can be used and under what conditions services are provided. Typically, T&C cover:
- a description of the services or products offered
- who can use the service (age requirements, eligibility)
- how accounts are created, used and closed
- user obligations and acceptable use rules
- intellectual property and use of content
- pricing, payment conditions, cancellations, refunds (for paid services)
- limitations of liability and disclaimers (within the limits of consumer law)
- applicable law, jurisdiction and dispute resolution mechanisms.
T&C must comply with contract law and consumer protection law. They have to be written clearly and must not contain unfair contract terms. Otherwise, authorities and courts may consider certain clauses null and void or even impose sanctions.
2.3. Why it is risky to merge everything into one long document
Many sites still include all data protection information within the T&C or mix T&C and privacy topics in a single massive page. While this is sometimes technically allowed, it has clear disadvantages:
- privacy information is hard to find and often buried under unrelated clauses
- there is a high risk of non-compliance, because GDPR-specific information may be incomplete or inconsistent
- transparency suffers – users do not know where to look for data protection information and are unlikely to read it.
A modern and user-friendly structure usually involves:
- a separate “Privacy Policy” page, clearly linked in the footer, sign-up forms and cookie banner
- a separate “Terms and Conditions” page, linked in the footer and at key contractual steps (e.g. before registration or checkout)
- optionally, a separate “Cookie Policy” page, linked from the cookie banner and privacy policy.
3. What a GDPR-compliant Privacy Policy should contain
The minimum content of a Privacy Policy is largely determined by Articles 13 and 14 GDPR. The EDPB transparency guidelines explain how that information should be presented so that data subjects genuinely understand it.
3.1. Identity and contact details of the controller and, where applicable, the DPO
The first section should immediately answer the question “Who is responsible for processing?”. Typically, it includes:
- the full legal name of the controller (for example: “Example Tech SRL”)
- identification details (company registration number, VAT number, registered office address)
- contact details for data protection matters (dedicated email address, contact form, postal address)
- where applicable, the contact details of the Data Protection Officer (DPO) as required by Articles 37–39 GDPR.
These elements are explicitly required by Articles 13 and 14 GDPR and overlap with information duties under e-commerce and consumer law, which require traders to identify themselves clearly.
3.2. Categories of data and sources
The Policy should describe, in a user-friendly way, which types of data are processed. Common categories include:
- identity and contact data (name, email, phone number)
- account data (username, password, settings, preferences)
- transaction data (order history, billing details)
- technical and usage data (IP addresses, device identifiers, log data, browser type, operating system)
- approximate location data (based on IP) or precise location data (when using GPS, with consent where necessary)
- data obtained from third parties (social media logins, analytics providers, business partners), with identification of the sources.
It is good practice to structure this information in tables or bullet lists and to relate categories of data to specific activities (“when you register”, “when you purchase”, “when you use our app” etc.). The EDPB transparency guidelines explicitly recommend “user-centric” presentation instead of abstract lists.
3.3. Purposes and legal bases (Article 6 GDPR)
Under GDPR, each processing operation must be justified by at least one legal basis in Article 6. The Privacy Policy must explain:
- the purposes for which data are processed (e.g. account creation and management, provision of services, payment processing, communication, marketing, analytics, security, fraud prevention)
- the legal basis used for each purpose (e.g. performance of a contract, compliance with a legal obligation, legitimate interests, consent)
- where legitimate interest is relied upon, a brief explanation of that interest and balancing test
- where consent is used, how it is collected, how it can be withdrawn, and what happens if it is withdrawn, in line with EDPB Guidelines on consent.
A recommended best practice is to use a table linking data categories, purposes, legal bases, storage periods and recipients. This format makes it easier for users to understand and for auditors or regulators to verify compliance.
3.4. Recipients, international transfers and security
The Policy must also identify who receives personal data and whether any international transfers take place:
- categories of recipients: IT service providers, payment processors, logistics and delivery partners, marketing agencies, consultants, group companies, authorities
- if there are transfers to third countries or international organisations, the safeguards used (for example, Standard Contractual Clauses, adequacy decisions, binding corporate rules)
- a general description of security measures (for example access controls, encryption, security policies, training, incident response procedures), in terms understandable for non-technical readers.
Articles 13 and 14 require information on recipients or categories of recipients. The EDPB encourages controllers to go beyond generic labels like “other companies” and provide meaningful descriptions of who processes the data and why.
3.5. Storage periods
GDPR’s storage limitation principle (Article 5) requires controllers to keep data no longer than necessary. The Privacy Policy must therefore explain:
- either specific retention periods (for example “we keep invoice data for 10 years to comply with tax law”)
- or clear criteria used to determine how long data are stored (for example “for as long as your account is active, and for a further period necessary to protect our legitimate interests in case of disputes”).
The EDPB considers vague formulations like “we keep your data for as long as necessary” to be insufficient unless accompanied by additional context that allows users to estimate the storage period.
3.6. Data subject rights and how to exercise them
The Policy must include a dedicated section describing the rights that individuals have under GDPR:
- right of access (Article 15)
- right to rectification (Article 16)
- right to erasure (“right to be forgotten”, Article 17)
- right to restriction of processing (Article 18)
- right to data portability (Article 20)
- right to object (Article 21), including to direct marketing and profiling related to marketing
- where applicable, rights related to automated individual decision-making (Article 22).
In addition to listing these rights, the Policy must explain how they can be exercised (for example via a dedicated form, an email address, account settings and opt-out links in marketing emails). It should also inform users of their right to lodge a complaint with the competent supervisory authority and provide a link to the relevant authority’s complaint form.
3.7. Cookies and similar technologies
In many cases, a significant part of data processing on websites and apps relates to cookies, SDKs and similar tracking technologies. The Privacy Policy should briefly explain:
- what categories of cookies and similar technologies are used (strictly necessary, functional, analytics, advertising etc.)
- for which purposes they are used (authentication, security, statistics, personalisation, advertising)
- how users can manage their preferences (via cookie banners, consent management tools, browser settings)
- that more detailed information is available in a dedicated Cookie Policy, where appropriate.
Many data protection authorities publish guidelines on cookie banners and consent; for example, the French CNIL and the Irish DPC have detailed explanations and enforcement examples, referenced by the EDPB in its work on online tracking.
3.8. Structure and language: how to make the policy genuinely understandable
The EDPB transparency guidelines strongly recommend:
- a clear and direct style, avoiding unnecessary legalese and complicated subordinate clauses
- a layered approach – a short, high-level summary (“key points”) combined with links to detailed sections, rather than a single long block of text
- descriptive headings (“What data we collect”, “Why we use your data”, “Who we share your data with” etc.)
- language tailored to the target audience – with additional explanations if the service is directed at children or vulnerable users
- mobile-friendly formatting: short paragraphs, bullet points, enough spacing.
Transparency is one of GDPR’s core principles. Supervisory authorities have repeatedly fined organisations whose privacy policies were overly vague, contradictory, hidden or simply impossible for ordinary users to understand.
4. What Terms and Conditions for websites and apps should contain
There is no single EU regulation enumerating everything that must appear in T&C, but a combination of contract, consumer and e-commerce rules shapes their content.
4.1. Identifying the provider
Just like the Privacy Policy, T&C must clearly identify the service provider:
- full legal name of the company or individual
- registration data and VAT number where applicable
- registered office and, if necessary, service address
- contact details (email address, phone, online contact form)
- where the activity is regulated, details of licensing or professional registration.
EU consumer protection law requires traders to provide this information clearly before a contract is concluded. The European Commission’s consumer shopping portal highlights the type of information consumers should expect to see before buying online.
4.2. Description of services and conditions of use
Terms and Conditions should clearly describe:
- the type of services or products offered (for example: marketplace platform, SaaS service, e-commerce shop, content platform)
- what using the service involves (e.g. account creation, subscription, in-app purchases)
- eligibility criteria (minimum age, residence, professional status)
- how accounts are created, used and closed; responsibilities regarding passwords and security
- acceptable use rules (no unlawful content, no harassment, no infringement of intellectual property, no security breaches)
- consequences of breaching the rules (warnings, suspension, termination, reporting to authorities).
Rules should be written in a way that users can realistically understand and follow. For community or social features, many providers add separate community guidelines, but these should be consistent with the T&C.
4.3. Prices, payments, withdrawal rights and complaints (for paid services)
If your website or app involves paid services or goods, T&C must cover a number of aspects required by consumer law:
- how prices are displayed (whether they include VAT and any additional charges)
- payment methods (cards, bank transfer, digital wallets) and any fees
- the moment when the contract is concluded (e.g. when the user clicks “Place order” and receives a confirmation email)
- right of withdrawal for consumers in distance contracts (usually 14 days), and the exceptions provided by the Consumer Rights Directive (for example for digital content supplied immediately with the consumer’s explicit consent)
- refund policies and timeframes
- complaints procedures (how consumers can contact you, how fast you respond, links to alternative dispute resolution where relevant).
The European Commission’s information on guarantees and returns and the consumer rights overview provide useful references you can use to benchmark your own T&C.
4.4. Intellectual property and user-generated content
T&C should clarify how intellectual property rights are handled:
- ownership of the website or app content (text, logos, design, source code)
- how users are allowed to use that content (viewing, downloading for personal use, restrictions on reproduction or redistribution)
- rules for user-generated content (UGC): who owns it, what licence users grant to the platform, for which purposes and for how long
- what happens if UGC infringes third-party rights (notice and takedown procedures, allocation of responsibility).
These clauses must be carefully drafted to avoid creating excessive imbalances. Consumer law and unfair contract term rules can render ineffective clauses that unduly deprive users of their rights or bind them by broad and undefined licences without clear justification.
4.5. Limitation of liability and disclaimers
Most T&C include clauses that limit the provider’s liability for certain types of damage (for example loss of profit, indirect damage, unavailability of the service, content posted by users). However:
- such clauses must comply with national contract and consumer law – they cannot exclude liability for intentional misconduct or gross negligence
- in consumer contracts, certain rights are mandatory and cannot be waived through T&C
- clauses must be clearly drafted and visible; hiding them in dense text in tiny font may be considered unfair.
The European Commission’s guidance on unfair terms in consumer contracts explains which types of limitations are more likely to raise concerns and how to draft balanced clauses.
4.6. Governing law, jurisdiction, dispute resolution and changes to T&C
Finally, T&C should indicate:
- the governing law (for example “These Terms are governed by the laws of Romania/EU Member State X, without prejudice to mandatory consumer protection rules in your country of residence”)
- how disputes are handled (national courts, arbitration, mediation, reference to the EU Online Dispute Resolution platform at ec.europa.eu/consumers/odr)
- how and when the provider may change the Terms, how users will be informed, and whether they may terminate the contract if they disagree with substantive changes.
Unilateral change clauses are particularly sensitive in consumer contracts. They must be limited to justified situations, described clearly and accompanied by fair notice periods and exit options.
5. Transparency and readability: making documents user-friendly
5.1. GDPR transparency requirements
Article 12 GDPR and the EDPB transparency guidelines emphasise that information for data subjects must be:
- concise – no unnecessarily long or repetitive paragraphs
- intelligible – adapted to the audience, avoiding obscure legal or technical jargon
- easily accessible – placed where users can reasonably expect to find it (footer, account settings, sign-up forms) and accessible on all devices
- written in clear and plain language – avoiding ambiguous formulations such as “we may use your data for any other legitimate purpose” without further explanation.
The EDPB recommends using layered notices, combining short summaries with links to more detailed explanations, and checking readability against the level of knowledge expected from your user base.
5.2. Transparency in Terms and Conditions
Transparency is also a core principle in consumer law. EU rules require that contract terms be drafted in plain, intelligible language. Where there is doubt about the meaning of a term, national courts will often interpret it in favour of the consumer.
Practical recommendations include:
- using descriptive headings and a table of contents at the start of the document
- breaking up long sections into short paragraphs and bullet points
- highlighting core rights and obligations (prices, withdrawal rights, key limitations of liability)
- avoiding “wall of text” layouts and extremely small fonts.
From a business perspective, clear T&C and a clear Privacy Policy help build trust and reduce the risk of complaints and disputes.
5.3. Common mistakes to avoid
Practice and enforcement show a number of recurring issues:
- copying templates from other websites without adapting them to your actual processing activities and services
- contradictions between the Privacy Policy, Cookie Policy and T&C (for example different legal bases or storage periods mentioned for the same data)
- vague, catch-all statements such as “we may use your information for any other purpose compatible with the above” without examples
- mismatch between documents and reality: the site or app performs extensive tracking and profiling, but the Privacy Policy barely mentions analytics or advertising
- failure to update documents when new features are added or legal requirements change.
Supervisory authorities across Europe have sanctioned companies for these issues, and their decisions often highlight the importance of aligning legal texts with actual technical implementation.
6. Practical steps for founders and developers: how to get to compliant, clear documents
6.1. Map your data flows and processing activities
Before drafting anything, you need to understand what data you collect and what you do with it. This is the foundation of your Privacy Policy and T&C. The European Commission’s page on obligations under GDPR suggests that controllers maintain records of processing activities and know which systems and third parties are involved.
In practice, this means answering questions like:
- Which categories of users do we have (visitors, registered users, customers, business clients)?
- What data do we collect for each category and via which channels (forms, tracking, integrations)?
- Which internal systems and external providers receive the data?
- For each processing activity: what is the purpose, the legal basis, the retention period and the risks?
- What technical and organisational measures are in place to protect the data?
Only after this mapping exercise will you be able to draft documents that accurately reflect reality.
6.2. Choose appropriate legal bases and design consent flows
Each purpose of processing must have a legal basis. In many cases, performance of a contract or legitimate interests will be more appropriate than consent. The EDPB’s Guidelines on consent make clear that:
- consent must be freely given, specific, informed and unambiguous
- bundling consent with terms for a service where data processing is not strictly necessary can make consent invalid
- withdrawing consent must be as easy as giving it
- for non-essential cookies and similar tracking, prior consent is usually required, in addition to information obligations.
These principles affect how you describe processing in the Privacy Policy and how you design technical mechanisms such as cookie banners, preference centres and account settings.
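The consent principles above map directly onto client-side logic; the consent manager below is an added example written for this article, not code from the original page or from any named consent tool. ConsentManager, MemoryStorage, loadTags, PURPOSES and the "consent" storage key are hypothetical names; storage is injected so the same code runs in Node for the walk-through and against window.localStorage in a browser.

```javascript
// Added example: a minimal consent manager implementing the EDPB consent
// principles from section 6.2. ConsentManager, PURPOSES, MemoryStorage,
// loadTags and the "consent" storage key are hypothetical names.

// Purposes split into strictly necessary (no consent under ePrivacy rules)
// and non-essential (prior, explicit consent required).
const PURPOSES = {
  necessary:   { requiresConsent: false, label: "Strictly necessary" },
  analytics:   { requiresConsent: true,  label: "Analytics" },
  advertising: { requiresConsent: true,  label: "Advertising" },
};

// Constructed stand-in for window.localStorage so the example runs offline.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
}

class ConsentManager {
  // storage: anything with getItem/setItem (localStorage or MemoryStorage).
  // policyVersion: version of the Privacy/Cookie Policy the user was shown.
  // clock: injectable so tests and audits get deterministic timestamps.
  constructor(storage, policyVersion, clock = () => new Date().toISOString()) {
    this.storage = storage;
    this.policyVersion = policyVersion;
    this.clock = clock;
  }

  // Returns the stored record, or null if none exists or it was given under a
  // different policy version: after a material change the user must decide
  // again, and the old record stays attributable to its version (section 6.5).
  record() {
    const raw = this.storage.getItem("consent");
    if (raw === null) return null;
    const rec = JSON.parse(raw);
    return rec.policyVersion === this.policyVersion ? rec : null;
  }

  // Saves an explicit per-purpose decision ("specific" and "unambiguous").
  // Only a literal `true` counts as consent; an absent, false or truthy
  // non-boolean value (e.g. "on" from a pre-ticked box) is recorded as refused.
  save(choices) {
    const granted = {};
    for (const [purpose, meta] of Object.entries(PURPOSES)) {
      if (meta.requiresConsent) granted[purpose] = choices[purpose] === true;
    }
    const rec = {
      policyVersion: this.policyVersion,
      timestamp: this.clock(),   // evidence of when the decision was made
      granted,
    };
    this.storage.setItem("consent", JSON.stringify(rec));
    return rec;
  }

  // Withdrawal "as easy as giving it": one call, same storage path, and the
  // other purposes keep their previous decision.
  withdraw(purpose) {
    const current = this.record();
    const choices = current ? { ...current.granted } : {};
    choices[purpose] = false;
    return this.save(choices);
  }

  // Gate checked before any tag/SDK runs: necessary purposes are always allowed,
  // unknown purposes fail closed, everything else needs a prior, valid record.
  allowed(purpose) {
    const meta = PURPOSES[purpose];
    if (!meta) return false;
    if (!meta.requiresConsent) return true;
    const rec = this.record();
    return rec !== null && rec.granted[purpose] === true;
  }
}

// Consent-gated loader: returns only the script URLs that may be loaded now
// (in a browser you would create <script> elements for the returned URLs).
function loadTags(manager, tags) {
  return tags.filter((t) => manager.allowed(t.purpose)).map((t) => t.src);
}

// Walk-through with constructed tag URLs; returns what gets loaded at each step.
function demo() {
  const tags = [
    { purpose: "necessary",   src: "/js/session.js" },
    { purpose: "analytics",   src: "/js/analytics.js" },
    { purpose: "advertising", src: "/js/ads.js" },
  ];
  const cm = new ConsentManager(new MemoryStorage(), "policy-v3", () => "2024-01-01T00:00:00Z");
  const beforeConsent = loadTags(cm, tags);          // only session.js
  cm.save({ analytics: true, advertising: "on" });   // "on" is not explicit consent
  const afterConsent = loadTags(cm, tags);           // session.js + analytics.js
  cm.withdraw("analytics");
  const afterWithdrawal = loadTags(cm, tags);        // back to session.js only
  return { beforeConsent, afterConsent, afterWithdrawal };
}
```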
6.3. Drafting the Privacy Policy
Based on your mapping and legal analysis, you can structure the Privacy Policy along the following lines:
- Introduction – scope of the Policy, to which services and users it applies
- Who we are – controller identity and contact details, DPO contact where applicable
- What data we collect – grouped by context and purpose
- Why we use your data and on what legal bases – table linking data, purposes, legal bases and retention periods
- Who we share your data with – categories of recipients, international transfers and safeguards
- How long we keep your data – periods and criteria
- Your rights – with explanations and practical instructions
- Cookies and similar technologies – summary and link to Cookie Policy
- Security – general description of measures, without revealing sensitive details
- Changes to this Policy – how and when you will inform users of changes.
Make sure links to the Privacy Policy appear at all relevant points where you collect personal data – not just in the website footer.
6.4. Drafting Terms and Conditions
For T&C, a typical structure is:
- Definitions and parties – who is the provider, who is the user, what key terms mean
- Scope of the service – what you provide and what you do not guarantee (within reason)
- Account creation and management – registration, verification, keeping credentials safe, account closure
- User obligations and acceptable use – what is allowed and what is prohibited
- Commercial terms – prices, payments, subscriptions, renewals, refunds (if applicable)
- Consumer rights – withdrawal rights, guarantees, statutory rights
- Intellectual property – ownership of your content and licence for user-generated content
- Liability and indemnities – balanced, lawful limitations of liability
- Termination – grounds and procedures for suspension or termination
- Governing law, jurisdiction and dispute resolution
- Changes to the Terms – how you update them and how you notify users.
Align T&C with your Privacy Policy and Cookie Policy: references to personal data and cookies should not contradict one another across documents.
6.5. Documenting compliance
Under GDPR’s accountability principle, you must be able to demonstrate compliance. For privacy and T&C documents, this typically means:
- keeping version histories of your Privacy Policy and T&C
- recording when changes were made and how users were informed
- maintaining records of processing and, where necessary, Data Protection Impact Assessments (DPIA)
- documenting how you chose legal bases, set retention periods and assessed legitimate interests.
These materials can be crucial if you face an investigation by a supervisory authority or a dispute with users.
FAQ – Frequently asked questions on Privacy Policies and Terms and Conditions
1. Is a Privacy Policy mandatory for my website or app?
Yes, if you process personal data of users (such as names, email addresses, IP addresses, device identifiers or cookies), GDPR requires you to provide detailed information under Articles 12–14. In practice, this is done through a Privacy Policy that is easily accessible on your site or in your app and written in clear, plain language.
2. Can I combine the Privacy Policy and Terms and Conditions into a single page?
Legally, information duties under GDPR can be fulfilled within broader contractual documents, but regulators and the EDPB strongly encourage a separate, clearly labelled Privacy Policy. Combining everything into one long page tends to reduce transparency and makes it harder for users to find and understand data protection information.
3. If I use an online template, am I legally safe?
Not by default. Templates can help you structure your thinking, but they must be customised to reflect your actual data processing and business model. If your Privacy Policy or T&C do not match what your site or app really does, they will not protect you – and can even increase risk if authorities or courts view them as misleading.
4. How often should I update my Privacy Policy and Terms and Conditions?
There is no fixed interval, but you must update them whenever your processing activities, services or legal obligations change in a way that affects users. A good practice is to review them at least once a year and after any major product releases, integrations (for example new analytics or marketing tools) or changes in legislation or regulatory guidance.
5. What does “clear and understandable” actually mean in GDPR?
It means that the average member of your target audience should be able to read the document once and understand the essentials without specialist knowledge. That involves short sentences, everyday words instead of unexplained jargon, explanatory examples where useful, and a structure that reflects how people interact with your service (for example “When you sign up”, “When you pay”, “When you contact us”). Supervisory authorities explicitly criticise policies that are overly complex or obscure.
6. Do I need to list every cookie individually in my Privacy Policy?
You should at least describe categories of cookies and similar technologies and provide meaningful information about their purposes. Many organisations also maintain a more detailed Cookie Policy, listing key cookies and their lifespan, and link to it from the Privacy Policy and cookie banner. Where consent is required, users must be clearly informed about what they are agreeing to before cookies are set.
7. Do Terms and Conditions need to be available in the local language of my users?
For consumer-facing services, yes, they generally must be available in the language of the country where you target consumers, so that they can be considered clear and intelligible. You may provide translations in other languages, but you should specify which version prevails in case of discrepancies.
8. Is putting a link to the Privacy Policy only in the footer enough?
Footer links are standard and helpful, but for key processing operations it is best practice to show the link close to the point where data are collected (for example near sign-up forms or checkout). This approach aligns with the EDPB’s expectations on transparency and can be helpful in demonstrating that users had a real opportunity to read the Policy before providing their data.
