policystamp.com

Is My Privacy Policy GDPR Compliant?

Paste your policy. We check it against GDPR Articles 13, 14, and the EDPB guidelines.

Free · No signup · ~20 seconds
  • Maps each finding to the specific GDPR Article it cites
  • Covers UK GDPR (near-identical text, reported separately: the supervisory authority and the approved transfer mechanisms differ)
  • Distinguishes blockers from polish: what a supervisory authority (the ICO in the UK) would act on vs. what is best practice

GDPR Articles 13 and 14 enumerate exactly what you have to tell data subjects when personal data about EU or UK users is collected, and the privacy policy is where that information normally lives. The list is long: identity and contact details of the controller, purposes of processing, legal basis under Article 6, retention periods, data-subject rights, the right to lodge a complaint with a supervisory authority, and more. Our checker takes your policy and walks it through the list, item by item. The output is a compliance score plus the specific Articles or Recitals you are missing.

What we check

Grounded in real law, not training-data recall.

Article 13 (data collected from the subject)

Identity and contact details of the controller (Art. 13(1)(a)), contact details of the DPO if one is appointed (13(1)(b)), purposes of processing and the legal basis under Art. 6 (13(1)(c)), the legitimate interests pursued where that is the basis (13(1)(d)), recipients or categories of recipients (13(1)(e)), international transfers and their safeguards (13(1)(f)), retention periods or the criteria used to set them (13(2)(a)), all data-subject rights (13(2)(b)), the right to withdraw consent (13(2)(c)), the right to lodge a complaint (13(2)(d)), and whether providing the data is a statutory or contractual requirement and what happens if it is not provided (13(2)(e)).

Article 14 (data not collected from the subject)

Same checklist as Art. 13, plus the categories of personal data concerned (Art. 14(1)(d)) and the source the data came from (14(2)(f)). Applies when you obtain data about users from third parties rather than from the users themselves (data brokers, ad networks, analytics vendors that enrich or resell data).

Article 6 — lawful basis

For each processing purpose, the policy must name one of the six Art. 6(1) bases: consent, contract, legal obligation, vital interests, public task, legitimate interests. We check whether a basis is stated at all, whether it is tied to a purpose rather than listed in the abstract, and whether legitimate-interest claims describe the specific interest pursued, as Art. 13(1)(d) requires.

Data-subject rights — all eight

Access, rectification, erasure, restriction, portability, objection (the six listed in Art. 13(2)(b)), withdrawal of consent (13(2)(c)), and lodging a complaint with a supervisory authority (13(2)(d)). The list is non-negotiable; missing any of them is a critical finding.

International transfer safeguards

Article 13(1)(f) requires you to say which transfer mechanism you rely on: an adequacy decision (Art. 45), an Art. 46 safeguard (SCCs, BCRs, an approved code of conduct or certification; the IDTA or UK Addendum under UK GDPR), or an Art. 49 derogation, and, for Art. 46 safeguards, where a copy can be obtained. "Adequate protection" without naming the mechanism is a real gap.

Common findings

What you'll probably see in the report.

  • Missing the right to lodge a complaint

Article 13(2)(d) requires that you tell users they can complain to a supervisory authority. This is the most frequently omitted right in our audits.

  • Lawful basis stated but no description

    Art. 13(1)(c) requires the policy to state the legal basis for each purpose. If the basis is "legitimate interests", Art. 13(1)(d) additionally requires a description of the interests pursued, and regulators expect it to be specific (fraud prevention, network security, direct marketing), not a bare citation of Art. 6(1)(f). A missing description is common.

  • EU representative not named

Controllers and processors with no EU establishment that serve EU users are required to designate a representative in the EU under Art. 27 (unless the Art. 27(2) exemption for occasional, low-risk processing applies), and Art. 13(1)(a) requires the representative's identity and contact details to be disclosed alongside the controller's. Often skipped.

Ready to see what your policy is missing?

Paste a URL or your policy text. Get a structured gap report plus a 0–100 compliance score in around 20 seconds. Free, no signup, no email.
