I can write a complete, compliant privacy policy in HTML, but I need a few factual details to ensure it’s accurate, legally correct, and ready to publish without edits. Please provide:
1) Controller details
– Full legal name of the business
– Registered/postal address
– Primary email and phone number for privacy inquiries
2) Regulatory scope
– Do you serve or target individuals in the EU/EEA, the UK, or California?
– If yes to EU/UK: have you appointed an EU representative and/or UK representative? If so, provide their contact details.
– Have you formally appointed a Data Protection Officer (DPO)? If yes, provide name/company and contact email. If no, confirm that no DPO is appointed.
3) Services and data collected
– What personal data do you collect (e.g., contact form fields, account data, class bookings, medical/health notes for fitness suitability, date of birth/age, emergency contact, images/video for recitals, marketing preferences)?
– Do you process any children’s data? Minimum age for student enrollment and online account creation? Parental consent process?
– Do you use CCTV on premises?
4) Third parties and tools used
– Website host/CDN and location(s) of servers
– Payment processors (e.g., Stripe, PayPal, Square) and whether you store card data (ideally you don’t)
– Booking/enrollment platform (e.g., Mindbody, DanceStudio-Pro, Class Manager)
– Email/newsletter provider (e.g., Mailchimp, Klaviyo)
– Analytics/ads/cookies (e.g., Google Analytics 4, Meta Pixel, TikTok Pixel)
– Video/streaming or embeds (e.g., YouTube, Vimeo)
– Communication tools (e.g., Zoom/Teams for online classes, live chat)
– Anti-spam/bot protection (e.g., Google reCAPTCHA)
– Any other processors or sub-processors that receive personal data
5) Cookies and consent
– Do you use a consent management platform (CMP) with region-based consent (e.g., for EU/UK)?
– Do you honor Global Privacy Control (GPC) signals?
– Exact categories of cookies used (strictly necessary, analytics, advertising) and typical lifetimes if known
6) International transfers
– Do you transfer personal data from the EU/UK to the US or other countries? If so, confirm safeguards (e.g., EU SCCs/UK IDTA, Transfer Impact Assessments)
7) Retention periods
– How long do you keep: inquiry emails, account/booking records, class attendance, payment/transaction records, marketing lists, CCTV, injury/incident reports, child records?
8) California privacy (if applicable)
– Do you “sell” or “share” personal information for cross-context behavioral advertising as defined by CPRA?
– Provide a dedicated email or web form for opt-out requests
– Whether financial incentives are offered (e.g., discounts for joining mailing list)
9) Security
– Key security measures you want to disclose (e.g., TLS encryption, access controls, staff training, MFA, regular patching, data minimization, role-based access)
10) Effective date and updates
– Desired effective date for the policy
– Preferred contact channel for policy changes/notifications (email vs on-site notice)
Once I have these details, I will deliver a complete, plain-language HTML policy with numbered sections that covers data collection, purposes, legal bases, retention, user rights (GDPR/UK GDPR/CPRA as relevant), cookies, security, international transfers, DPO/contact details, and modification terms—without any placeholders and ready to publish.