Privacy Policy Generators: What Templates Miss

Privacy policy generators exist in two categories: the quick one-page tools that produce a generic text in 30 seconds, and the more thorough questionnaire-based tools that ask about your specific processing activities. Both are useful starting points. Neither produces a compliant policy without further work.

This guide explains what generators typically get right, what they miss, and how to use one effectively for a Dutch website. Mandatory information is set out in GDPR Articles 13 and 14.

What a Good Privacy Policy Generator Does Well

Covers the mandatory GDPR elements

A reputable generator will include all 14 mandatory elements of Articles 13 and 14 of the GDPR (see our privacy policy requirements guide):

• Identity and contact details of the controller
• Legal basis for processing
• Retention periods
• Data subject rights
• Right to complain to the AP

This structural completeness is the generator's main value. It ensures you have at least a section for each required element, even if the content needs customisation.

Standard data subject rights language

The GDPR rights (access, rectification, erasure, restriction, portability, objection) are well-known and generators produce accurate boilerplate. This section rarely needs significant customisation beyond adding your specific contact details.

Contact for data subject requests

Generators typically produce a section explaining how to exercise rights and provide a placeholder for your contact email. Fill this in: it is a required element.

What Generators Get Wrong or Miss

Inaccurate third-party services

This is the most critical failure. Generators typically offer a list of common services to toggle on or off: Google Analytics, Facebook Pixel, Mailchimp, etc. Two problems:

1. You may not know what's running on your website. Many services are added by plugins, themes or widget code that you did not personally install. If you do not know what's running, a generator cannot account for it.

2. The generated language may be outdated. Service policies change. Generated text about "Google Analytics" may not accurately reflect GA4's data collection behaviour.

Solution: Scan your website before completing the generator (scan free here). Know exactly which third-party services are present before you start writing your policy.

Vague retention periods

Generators almost universally produce vague retention periods: "We keep your data as long as necessary" or "We keep data for a reasonable period." This does not comply with GDPR.

The regulation requires specific timeframes. Generators cannot know your specific business processes. You must fill these in manually.

What to write instead: See our data retention periods guide for specific timeframes by data category.

Missing Dutch-specific services

Dutch business websites commonly use services that US-based generators do not cover:

• Mollie (payment processor used by most Dutch webshops, different from Stripe or PayPal)
• Exactonline (Dutch accounting software that may receive customer data)
• Formitable / Resengo (Dutch restaurant reservation systems)
• Thuisbezorgd / Deliveroo (delivery platforms used by Dutch restaurants)
• TransIP / Antagonist / Byte (Dutch hosting providers)

If you use any of these, add them manually as data recipients or processors.

Missing the Dutch DPA contact

Your privacy policy must include the right to lodge a complaint with the AP (Autoriteit Persoonsgegevens). US-generated templates typically reference the relevant national DPA but may not include the correct AP contact details.

Correct AP contact: the AP's complaint form is the canonical entry point. Include this URL and state that complaints can be lodged with the AP at this address.

No mention of cookies in the privacy policy

A cookie consent banner and a privacy policy are separate documents, but the privacy policy should mention cookie usage. Generators sometimes omit this or produce a separate "cookie policy" that is not connected to the main privacy policy.

For Dutch websites: the Telecommunications Act (cookie law) and the GDPR (personal data processing) both apply to cookies. Your privacy policy should include a section on cookies that references your full cookie declaration.

Missing the legal basis for legitimate interests

If you claim legitimate interests as a legal basis for any processing, the GDPR requires you to specify what those interests are and that they outweigh the data subject's interests. Generators typically produce: "Legal basis: legitimate interests" with no further explanation.

This is insufficient. Specify the actual interest: "to prevent fraud and maintain the security of our services" or "to send transactional emails following a purchase, as customers expect confirmation of their orders."

A Template for a Typical Dutch Small Business Website

Rather than relying entirely on a generator, here is a structure you can fill in directly:

---

Privacy Policy: [Your Business Name]

Last updated: [Date]

1. Who we are [Business name] ([legal form]), registered at KVK [number], with registered address at [address]. Contact: [email], [phone].

2. What data we collect and why

Website analytics: We use [Plausible Analytics / Google Analytics] to understand website traffic. This processes [no personal data / IP addresses and browser information] for the purpose of improving our website. Legal basis: [not applicable, no personal data / our legitimate interest in understanding website performance]. Retention: [not applicable / 14 months in Google Analytics, after which data is automatically deleted].

Contact form: When you contact us via our website form, we process your name, email address and message. Purpose: to respond to your enquiry. Legal basis: your request to make contact (pre-contractual action / legitimate interest). Retention: 1 year after the enquiry is resolved.

Newsletter: If you subscribe to our newsletter, we process your email address and, if provided, your name. Purpose: to send our newsletter. Legal basis: your consent. You can unsubscribe at any time via the unsubscribe link in each email. Retention: until you unsubscribe.

Orders and purchases [if applicable]: We process your name, delivery address, email, phone number and payment reference. Purpose: to fulfil your order. Legal basis: contract. Retention: 7 years (invoices and financial records, required by Dutch tax law). Customer account data retained for [2 years after last purchase / duration of account + 2 years after closing].

3. Third parties who receive your data

4. International transfers [Service X] is based in the US. Data is transferred on the basis of the EU-US Data Privacy Framework. [Or: Standard Contractual Clauses.]

5. Your rights You have the right to access, correct, delete, restrict and receive your personal data in portable format. You have the right to object to processing based on legitimate interests. To exercise any right, contact us at [email]. We will respond within one month.

You have the right to lodge a complaint with the AP (Autoriteit Persoonsgegevens) via the AP complaint form.

6. Cookies Our website uses [no cookies / functional cookies only / functional and analytics cookies, see our cookie banner for details]. [Link to cookie declaration if separate.]

---

This template is a starting point. Fill in the bracketed sections and add any processing activities specific to your business (reservations, employee data, camera footage, etc.).

Recommended Generators for Dutch Websites

If you prefer to use a generator, these produce reasonably Dutch-law-aware output:

• Iubenda: Dutch and multi-language support, service database includes common European services, subscription required for full functionality
• Cookieyes: includes privacy policy generation alongside cookie consent management
• Complianz: WordPress plugin with built-in privacy policy builder
• Juridoo: Dutch-language generator focused on the Dutch market (various price points)

After generating: run through the checklist above and make sure all sections are accurate for your specific situation.

---

This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.