The one-sentence answer
A privacy policy is a public document that tells visitors what personal data you collect, how you use it, who you share it with, and what rights they have over their data. It is required by GDPR (EU), CCPA (California), LGPD (Brazil), the App Store, Google Play, and most ad networks.
What every privacy policy must contain
- Who you are — legal name and contact email
- What data you collect — categories, not raw values
- Why you collect it — purposes, mapped to legal basis under GDPR Article 6
- Who you share it with — every third-party SDK and service
- How long you keep it — retention periods per category
- What rights users have — access, deletion, portability, opt-out
- How to contact you — for data subject requests
- When the policy was last updated
What a privacy policy is not
- It is not a cookie banner — that's for managing consent
- It is not terms of service — that's for defining the deal
- It is not a Data Processing Agreement — that's a B2B contract
- It is not legally binding on the user — it binds you
What happens if you do not have one
Three consequences. (1) Regulator fines: GDPR up to €20M or 4% of turnover; CCPA up to $7,500 per intentional violation. (2) App store rejection: Apple and Google both reject submissions without a working privacy policy URL. (3) Loss of ad revenue: AdMob, AdSense, Meta, and most networks suspend accounts that fail policy checks.