assets/sample_template_politique_confidentialite.docx

IMPORTANT: The default template

sample_template_politique_confidentialite

is designed for a brochure website without user accounts. If the request concerns an application or platform with users, additional data categories will need to be added, such as:

• User account management (creation, authentication, profile)
• Login data and activity history
• Data generated by application usage
• User-to-user communications (messages, comments, etc.)
• User preferences and settings

Adapt the template according to the platform type (brochure site, e-commerce, SaaS, mobile app, marketplace, etc.).

IMPORTANT: Before drafting the policy, collect ALL the information below from the client.

• Full company name
• Legal form (SAS, SARL, Ltd, etc.)
• Company registration number (SIREN/SIRET)
• Registered office address
• Legal representative (name and title)
• General contact email
• DPO appointed? If yes, contact details

• Existing website URL (for analysis)
• Platform type:
  • Brochure website
  • E-commerce
  • SaaS / Web application
  • Mobile application
  • Marketplace
  • Other: ___________
• Business sector
• Target audience (B2B, B2C, both)
• Target countries (France only, EU, international)

• IDENTIFICATION DATA
  • First name, last name
  • Email
  • Phone
  • Postal address
  • Date of birth
  • Photo / Avatar
• CONNECTION DATA
  • IP address
  • Connection logs
  • Device ID
  • Account identifiers
• BROWSING DATA
  • Pages visited
  • Time spent
  • Clicks
  • Traffic source
• TRANSACTION DATA
  • Order history
  • Payment data (via provider)
  • Invoices
• SENSITIVE DATA (special attention)
  • Health data
  • Political/religious opinions
  • Ethnic origin
  • Biometric data

KEY QUESTION: For each processing activity, what is the legal basis?

• TECHNICAL PROCESSORS
  • Host: ___________
  • Email provider: ___________
  • Payment provider: ___________
  • Analytics: ___________
  • CRM: ___________
  • Support/Ticketing: ___________
• TRANSFERS OUTSIDE EU
  • Yes / No
  • If yes, to which countries? ___________
  • Safeguards in place:
    • Standard contractual clauses
    • Adequacy decision
    • Other: ___________

• COOKIES USED
  • Strictly necessary cookies (session, cart, authentication)
  • Analytics cookies (Google Analytics, Matomo, etc.)
  • Advertising cookies (Facebook Pixel, Google Ads, etc.)
  • Social media cookies (share buttons)
  • Other: ___________
• CONSENT MANAGEMENT PLATFORM
  • None
  • Axeptio
  • Didomi
  • Cookiebot
  • Other: ___________

NEVER DRAFT A POLICY FROM SCRATCH. Always start from a given template for drafting, either:

• the default template in

  assets/sample_template_politique_confidentialite.docx

  ;
• another internal template provided by the user.

This template is your base reference. You must:

• Faithfully reproduce the template's structure and wording
• Keep the exact template phrasing (they are validated)
• Only replace placeholders with client information
• Do NOT rewrite sentences even if you think you can phrase them better
• Do NOT add sections that are not in the template

The collected information (T&Cs, site, etc.) is used to fill in the template, not to rewrite it.

"I will draft the privacy policy starting from the provided default template. Do you have an internal template that would be more suitable as a starting point?"

assets/sample_template_politique_confidentialite.docx

MAIN OBJECTIVE: Truly understand what the client does, their business, the user journey on their platform.

"To draft a perfectly tailored policy, please provide:
- Information you have about the client and their business
- Existing documents (T&Cs, sales conditions, order forms, contracts...)
- Exchanges or key points raised by the client
- The site/application URL (if accessible)
- Points that must absolutely be included according to you

You may anonymize this information if necessary for confidentiality reasons.

The more information you provide, the better adapted the policy will be to the actual case. Otherwise, we will conduct our own research but it will be limited to publicly accessible information."

Note: Some sites only display a "Request a quote" form without access to the platform. In that case, rely primarily on the documents provided.

• Understand what the company actually does
• Read the existing privacy policy (if present)
• Read the existing T&Cs/Legal notices
• Identify the typical user journey (if visible)
• Identify data collection forms (registration, contact, order...)
• Spot cookies/trackers via the banner
• List features (account, newsletter, chat, payment...)

CLIENT: [Name]
BUSINESS: [Description in 2-3 sentences]
PLATFORM TYPE: [SaaS, e-commerce, mobile app, etc.]
USER JOURNEY: [Key steps]
DATA COLLECTED: [List by collection point]
COOKIES IDENTIFIED: [Types of cookies spotted]
FORMS: [List of collection points]
KEY LAWYER POINTS: [What must absolutely be included]
SPECIFICITIES: [What makes this case particular]

Once the summary is ready → Proceed to Draft 1

ABSOLUTE RULE: The template is your validated base.

• START from the template: structure, wording, tone → this is your reference
• ADAPT to the client case: integrate the specific information collected
• DO NOT rewrite everything: keep the template wording, only adapt what needs to be

In summary: Template + client information = Draft 1. Not a complete rewrite.

1. Identity of the data controller
2. Data collected (by category)
3. Purposes and legal bases (table)
4. Recipients and processors
5. International transfers
6. Retention periods (table)
7. Data subject rights
8. How to exercise rights
9. Cookies and trackers
10. Data security
11. Policy changes
12. Contact

Immediate compliance check: Before presenting Draft 1, verify the mandatory disclosures checklist (Art. 13 GDPR):

• Controller identity and contact details
• DPO contact details (if appointed)
• Processing purposes
• Legal basis for each purpose
• Legitimate interests pursued (if applicable)
• Recipients or categories of recipients
• Transfers outside EU and safeguards
• Retention period or criteria for determination
• Data subject rights (access, rectification, erasure, restriction, portability, objection)
• Right to withdraw consent (if applicable)
• Right to lodge a complaint with the CNIL
• Whether data provision is mandatory/optional
• Existence of automated decision-making (if applicable)

If Draft 1 is compliant → Proceed to Step 3.

• All Art. 13 GDPR disclosures present
• Client information correctly integrated
• Clear and accessible language
• No internal references (template, sources) in final document
• Update date present

• Clear language: understandable by a non-lawyer user
• Visible structure: table of contents, numbered headings
• Layered information: summary + details if needed
• Update date: visible at top of document

These sanctions illustrate the importance of a compliant policy and rigorous cookie management.

• Date each version
• Inform users of substantial changes
• Keep previous versions

• Public authority
• Large-scale processing of sensitive data
• Regular and systematic large-scale monitoring

1. Step 1 - Choose the template: Default, or lawyer's internal template
2. Step 2 - Understand the business: Collect lawyer docs + site research
3. Step 3 - Draft Draft 1: Complete template + compliance check
4. Step 4 - Deliver + Benchmark: Present Draft 1 + systematic benchmark + improvement suggestions
5. Step 5 - Finalize: Integrate approved improvements + final verification

TEMPLATE REMINDER: Never draft from scratch. Always start from the template and adapt it.

SOURCES REMINDER: The CNIL and GDPR references in this guide are for the drafter. They should not appear in the final document, except for mandatory legal disclosures (right to lodge a complaint with CNIL, etc.).