policystamp.com

Privacy Policy for Your Agency

A privacy policy that handles two sides: your own business contacts AND the client data you process under engagement contracts.

  • Clear controller-vs-processor split — what you do as your own business, what you do for clients
  • Reference to a Data Processing Addendum for client engagements
  • Confidentiality + IP handling described so prospective clients can evaluate before signing

An agency privacy policy has a dual-personality problem. For your own website visitors and prospects, you act as a data controller — same as any other business. But for the client engagements you deliver, you usually act as a data processor on behalf of the client, who is the controller of their end-user data. A single privacy policy needs to address both relationships clearly, or your enterprise clients will ask you to rewrite it before they sign. Most agency policies skip the processor side entirely, then scramble when a client's legal team asks for the DPA.

What your agency privacy policy needs to cover

Disclosures that matter for agencies.

Controller / processor distinction

For your own website + CRM + sales contacts, you are the controller. For the data you process under client engagements (their CRM exports, their customer support transcripts, their analytics dumps), you are the processor and they are the controller. The policy should say this explicitly.

DPA reference for client engagements

GDPR Art. 28 requires a DPA whenever you process personal data on behalf of a client. The policy should reference the DPA and tell readers where to request it. Most enterprise clients will ask for it during procurement.

Subprocessor list

Name the tools you use for your own operations (HubSpot, QuickBooks, Calendly, Zoom, Slack, Google Workspace) as subprocessors. Clients want to know what tools their data may pass through.

Confidentiality commitments

Clients' data is confidential by default in agency engagements. The policy should state your standard confidentiality posture, separate from any NDA they sign.

Engagement-specific tooling

If a client engagement requires you to add tools beyond your standard stack, you usually need to disclose that and get their approval. The policy should describe this process.

Project deletion and return

When an engagement ends, what happens to the client's data? Standard practice: return or destroy within 30 days, with a copy for your own records (typically 3-7 years for tax/dispute purposes).

Common mistakes

Where agency policies usually go wrong.

  • Single-role policy

    Most agency policies talk only about the agency's own data collection — analytics on the website, prospect emails in HubSpot. They skip the processor role entirely. Result: enterprise procurement asks for a custom rider before signing.

  • No mention of subprocessors

    The data tools you use (HubSpot, Slack, Google Workspace) handle client data when client work flows through them. Clients want them named — both for assessment and for their own GDPR Art. 30 records.

  • Confidentiality buried in the NDA

    Confidentiality is typically in a separate NDA, not the privacy policy. But the privacy policy should at least reference your confidentiality posture so prospects do not assume the worst.

  • No project-end data handling described

    When an engagement closes, the data should go somewhere. Clients want to know whether it gets returned, destroyed, or retained. State your default.

Ready to generate your agency privacy policy?

A 2-minute wizard. Free preview shows the first three sections — pay $2 only if you want to unlock the full document.
