Privacy policy
PRY-vuh-see PAH-luh-see
A legal document that explains what personal data a company collects, how it uses that data, and how it protects it.
A privacy policy tells users what data you collect, why you collect it, and what you do with it. It is required by law in most jurisdictions if you collect any personal information at all.
GDPR in Europe, CCPA in California, and similar laws worldwide all mandate that companies disclose their data practices. The privacy policy is where that disclosure lives. It covers cookies, analytics, email addresses, payment information, and anything else that identifies a user.
For developer tools, the privacy policy also needs to address what happens with data processed through the platform. If a developer builds an app on your API and their users' data flows through your infrastructure, your privacy policy needs to explain your role as a data processor versus data controller. A data processing agreement formalizes this relationship with enterprise customers.
Examples
A developer tool collects usage analytics.
The privacy policy discloses that the company tracks feature usage, session duration, and error rates. It states that this data is aggregated and not sold to third parties.
An enterprise customer asks about data handling.
The sales team points to the privacy policy section on sub-processors. It lists every third-party service that touches customer data: AWS for hosting, Stripe for billing, Datadog for monitoring.
A startup expands into Europe.
The legal team updates the privacy policy to include GDPR-specific disclosures: legal basis for processing, data subject rights, and the contact information for their Data Protection Officer.
Frequently asked questions
Is a privacy policy legally required?
Yes, in most cases. If you collect any personal data from users in the EU, California, or many other jurisdictions, you are legally required to have a privacy policy that discloses your data practices.
How often should a privacy policy be updated?
Update it whenever your data practices change: new analytics tools, new sub-processors, new data collection. At minimum, review it annually. Notify users of material changes.
Related terms
The European Union regulation that governs how companies collect, store, and process personal data of EU residents.
California's privacy law that gives residents the right to know what personal data is collected, request deletion, and opt out of data sales.
The requirement that data be stored and processed within specific geographic boundaries, often mandated by local laws or regulations.
A contract between a data controller and data processor that defines how personal data will be handled, required under GDPR.