A guide to writing a simple privacy policy
If you ask for a name, a phone number, or an email, you already handle people's data. A clear privacy policy isn't big-company paperwork: it's how you tell your customer their data is in good hands.

Every time a customer leaves you their name to book, their phone number so you can confirm, or their email for a promotion, they're trusting you with something that's theirs: their personal data. A privacy policy is, in short, the document where you explain what you do with that information. It's not a corporate luxury; any business that stores people's data should have one.
Before going further, an important clarification: this article is educational, not legal advice. Data protection laws vary by country and by type of business. For anything definitive, it's wise to check the rules where you operate and, if you handle sensitive data, consult a professional. What follows helps you understand the basics and arrive better prepared.
Why it's worth having one
Beyond following the law, a privacy policy builds trust. Telling the customer how you protect their data reassures them and shows you're confident in what you do. In many countries it's also mandatory: regulations like Europe's GDPR require you to explain your data practices and people's rights, with serious fines for those who don't comply.
Think about the flip side too: if a customer asks what you do with their number and you don't have a clear answer, it leaves the feeling that you're improvising. Having your policy ready, even a simple one, makes you look more professional and serious than the many competitors who don't have one at all.
Telling your customers how you plan to protect their data reassures them it's safe with you.
What every basic policy should answer
Don't get tangled in legal language copied from somewhere else. A good policy answers, in plain words, a few questions any customer would ask:
- What data you collect. Name, phone, email, address, payment details. Be specific.
- What you use it for. Booking, confirming appointments, sending reminders, billing, promotions.
- How and where you store it, and what you do to protect it.
- How long you keep it, and what happens to it afterward.
- Who you share it with, if anyone (for example, a messaging or payment platform).
- What rights the customer has: to see their data, correct it, delete it, or stop receiving messages.
- How they contact you to exercise those rights: a clear email or phone number.
Where you collect data without noticing
Before writing anything, make an honest list of every point where you capture information. There are almost always more than you think:
- The form or chat where the person books.
- Your WhatsApp list or business contacts.
- The system you use to charge or invoice.
- Your newsletter or promotional campaigns.
- Cookies and tracking on your website, if you have one.
If you don't know what data you hold or how it came in, you can't explain it. This map is the foundation of the whole policy. And it does something healthy along the way: it reveals whether you're storing information you don't actually need. The simplest privacy rule of all is not to ask for or keep more data than you genuinely use.
A concrete example: if you only need the phone number to confirm appointments, you may not need to store every customer's home address 'just in case'. Less data stored means less risk if something is lost or leaked, and a policy that's far easier to live up to.
How to write it so people actually understand
The most common mistake is copying a long, jargon-filled policy that no one reads. A useful policy is short and honest. A few tips:
- Write like you'd speak to the customer in person, not like a lawyer.
- Use simple headings for each question: what we collect, what for, how long.
- Put a short notice right where you ask for the data, not buried on another page.
- Always give an easy way to say 'stop sending me messages'.
- Review it when something changes: a new tool, a new type of data, a new use.
If you use tools that handle data for you, like a WhatsApp assistant such as Lidia or your payment platform, mention them and explain what information passes through them. Being transparent about your providers counts too.
Common mistakes worth avoiding
There are a couple of traps almost everyone falls into when drafting their first policy. The first is copy-pasting someone else's without reading it: you end up promising things you don't do, or mentioning data you don't even collect, which is worse than having nothing. The second is writing it once and forgetting it forever.
- Don't copy a policy from a business in a different industry; yours collects different data.
- Don't promise more than you deliver: if you say you delete data after a year, actually do it.
- Don't hide it; put it where the customer can easily find it.
- Update it when you change tools or start collecting a new type of data.
- If you handle sensitive data, like health information, don't improvise: get advice.
An honest, modest policy that genuinely reflects what you do is worth more than a long, ambitious one you don't live up to. Trust breaks the day a customer discovers you promised something that wasn't true.
Takeaway
A simple privacy policy isn't meant to impress a judge, it's meant to earn your customer's trust. Make your list of where you collect data, answer clearly what you do with it, and give people an easy way to exercise their rights. Start with something honest and short, and when you grow or handle delicate data, bring in a professional who knows the law in your country.
Sources
- Termly — https://termly.io/resources/articles/privacy-policy-template-for-small-business/
- CookieYes — https://www.cookieyes.com/blog/gdpr-for-small-businesses/
- DataGuard — https://www.dataguard.com/blog/gdpr-for-small-businesses
- GDPR.eu — https://www.gdprregulation.eu/gdpr-for-small-businesses/