A privacy notice (or privacy policy) is the document where you tell your users what personal data you collect, why you collect it, how long you keep it and what their rights are. Under GDPR, this is mandatory for any organisation that processes personal data. For AI startups, your privacy notice must also cover AI-specific data processing such as model training, profiling and automated decision-making.
What to include:
- Identity and contact details: Who is the data controller? Include your company name, address and a contact email for privacy questions.
- Data you collect and why: List every category of personal data you collect (such as name, email, usage data and AI interaction logs) and the specific purpose for each.
- Legal basis: State your legal ground for each processing activity — consent, legitimate interest, contractual necessity or legal obligation.
- AI-specific disclosures: If you use data for model training or automated decisions, explain this clearly. Users have the right to know about profiling and to object to it.
- Retention and rights: State how long you keep data and explain users' rights: access, rectification, erasure, portability and the right to lodge a complaint.
- Third parties and transfers: List categories of recipients (cloud providers, analytics tools, AI providers) and any cross-border transfers.
Use the Dutch Data Protection Authority's guidance as a starting point. Write in plain language — avoid legal jargon. Tidal Control helps you generate and maintain your privacy notice and link it to your processing register for consistency.