TLDR:
A public statement explaining how an organization collects, uses, stores, and shares personal data, fulfilling transparency obligations under data protection laws.
What a Privacy Notice Must Cover
A compliant privacy notice typically discloses the identity and contact details of the controller, the categories of personal data processed, the purposes and legal bases for processing, recipients of the data (including third parties and processors), data retention periods, international data transfer mechanisms, and the rights available to data subjects (access, rectification, erasure, restriction, portability, and objection). It must be presented in clear, plain language and made readily accessible — typically through a permanent footer link, sign-up flows, and product onboarding screens.
Privacy Notice vs. Privacy Policy
Although the terms are used interchangeably, the privacy notice is the external-facing document that informs users at the moment of data collection, whereas a privacy policy is often the broader internal framework governing how the organization handles personal data. The notice is the document that fulfills the legal disclosure obligation under GDPR, KVKK, and similar laws.
Practical Drafting Considerations
Privacy notices should be layered — a short summary at the top with detailed sections below — and version-controlled to reflect changes in data processing. Modifications that materially affect users (new processing purposes, new recipients, expanded retention) typically require fresh notice and, where consent is the legal basis, renewed explicit consent.