What GDPR actually requires in a privacy policy
Article 13 (data collected from the user) and Article 14 (data collected from third parties) list eleven specific items every privacy notice must contain: identity of the controller, contact details of the DPO if applicable, purposes and legal basis, recipients, retention period, data subject rights, right to lodge a complaint with a supervisory authority, whether provision is statutory, automated decision-making, source of the data, and international transfer safeguards. The generator emits each one as its own labelled section so a regulator scanning the page can find the answer instantly.
Legal bases (Article 6)
For each processing purpose, the generator picks one of the six lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interest. Most product-analytics flows land on legitimate interest with a stated balancing test; account data lands on contract; marketing emails land on consent. The output names the basis next to the purpose, which is the form regulators expect.
International transfers
If you use any US-based service (Google, AWS, Stripe, Meta), your policy must describe the safeguards for EU-to-US transfers. The generator references the EU-US Data Privacy Framework certification status of each named subprocessor and includes Standard Contractual Clauses 2021/914 as the fallback when DPF is not available.
Data subject requests
Articles 15–22 give EU users eight rights: access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and rights related to automated decisions. The generator publishes a contact email for each right and a one-month response SLA — the maximum allowed under Article 12(3).