Pick a market. Answer focused questions. Get a policy your counsel can actually edit.

EDPB-aligned GDPR / UK GDPR path. Build the notice to satisfy Articles 12–14, the EDPB Guidelines on transparency, and the live enforcement record. Pay particular attention to: (a) Guidelines 2/2019 on contract necessity (Art. 6(1)(b)) — most personalisation, profiling, behavioural ads and "service improvement" do not qualify; (b) Guidelines 05/2020 on consent — free, specific, informed, unambiguous, with equally easy withdrawal and no cookie walls or pre-ticked boxes; (c) Recommendations 01/2020 on transfers — Schrems II requires a transfer impact assessment, supplementary measures, and updated SCCs / UK IDTA; (d) Meta Platforms v Bundeskartellamt (C-252/21, July 2023) — controllers cannot rely on contract or legitimate interests to justify cross-service personalised advertising; (e) Irish DPC v Meta (binding decision, May 2023) — €1.2bn fine over US transfers without adequate safeguards; (f) Irish DPC v TikTok (Sept 2023) — €345m fine for child-facing dark patterns and weak Art. 8 controls. Capture controller / joint-controller identity, EU representative (Art. 27), DPO contact, lead supervisory authority, full purpose / legal-basis matrix, any legitimate-interests balancing test, profiling / automated-decision logic (Art. 22), sub-processor list, international transfer mechanism, retention windows, DSR workflow, DPIA trigger and child-consent age (Art. 8).

California path: answer categories, purposes, disclosures, sale/share, sensitive personal information, and rights request methods.

COPPA path: answer whether the service is directed to children and how parents can consent, review, delete, or stop collection.