Web Link to Product/Service Privacy Notice
Explanation
Provide the URL to your product or service's privacy notice, sometimes called a privacy policy. A privacy notice is a public document that explains how your organization collects, uses, shares, and protects personal data. It outlines what data you collect, why you collect it, how long you retain it, and what rights users have regarding their data.
The question is being asked in a security assessment because privacy is a critical component of overall security posture. Organizations need to ensure that any vendor they work with handles personal data responsibly and in compliance with relevant privacy laws (like GDPR, CCPA, etc.). The privacy notice serves as a formal declaration of your privacy practices and demonstrates transparency.
The guidance notes that if your product has multiple privacy notices (perhaps for different regions or user types), you should provide all relevant links. Additionally, if your privacy notice references other documents (like terms of service or specific data processing agreements), you should provide those links as well.
To best answer this question, provide direct links to all applicable privacy notices on your public website. Make sure these links are current and the policies are up-to-date. If you have different privacy notices for different aspects of your service or for different regions, clearly label each link. If your privacy notice incorporates other documents by reference, include links to those as well.
Guidance
If multiple notices are implicated, provide all that apply. If any other documents are incorporated by reference, provide them as well.
Example Responses
Example Response 1
Our product's Privacy Notice is available at https://www.ourcompany.com/privacy-policy This comprehensive privacy notice covers all aspects of our service and is applicable globally We also have a supplementary Data Processing Agreement that is referenced in our Privacy Notice, which can be found at https://www.ourcompany.com/data-processing-agreement.
Example Response 2
We maintain several privacy notices depending on the user type and region: - General Privacy Policy: https://www.productname.io/privacy - EU-Specific Privacy Notice (GDPR Compliant): https://www.productname.io/privacy/eu - Healthcare Customer Privacy Notice (HIPAA Compliant): https://www.productname.io/privacy/healthcare - California Consumer Privacy Notice (CCPA Compliant): https://www.productname.io/privacy/california Our Terms of Service, which is referenced in all privacy notices, can be found at: https://www.productname.io/terms
Example Response 3
We are currently in the process of developing a formal privacy notice for our product At this time, we do not have a published privacy notice available on our website We recognize this is an important compliance requirement, and our legal team is working to finalize our privacy documentation, which we expect to publish within the next 30 days In the interim, we can provide a draft document that outlines our current privacy practices upon request, though this is not yet publicly available.
Context
- Tab
- Privacy
- Category
- General Privacy
Related questions
- Does your solution process FERPA-related data?
- Does your solution process GDPR-related or PIPL-related data?
- Does your solution process personal data regulated by state law(s) (e.g., CCPA)?
- Does your solution process user-provided data that may contain regulated information?
- Have you had a personal data breach in the past three years that involved reporting to a governmental agency, notice to individuals (including voluntary notice), or notice to another organization or institution?
- Use this area to share information about your privacy practices that will assist those who are assessing your company data privacy program.*

