Most privacy policies on the web are templates copied from someone else's site, with the wrong AG contact, the wrong opt-out mechanism, and disclosures that don't match the actual data flows. I read your stack, draft the document, and tell you exactly which CPRA, GDPR, and FTC obligations are non-negotiable for the way you actually do business.
Flat fees. Direct work with me. No hourly surprises unless you specifically request the custom-drafting tier.
One document. One redline. Plain-English notes on what's broken and a corrected draft you can publish.
Privacy Policy + Terms of Service rewrite + Data Processing Agreement template. One round of revisions. Compliance gap memo.
Non-template work: novel data flows, EU/UK representative coordination, biometric notice, ad-tech rewrites, regulator response.
Six concrete deliverables, each written for your specific stack and jurisdictions — not a generic template I rebadge.
Notice at Collection, categories of personal information collected, business purposes for processing, retention periods, third parties to whom data is sold or shared, and the consumer rights matrix — tied to the actual data flows in your stack, not a copy-paste from a SaaS template.
"Do Not Sell or Share My Personal Information" link, "Limit the Use of My Sensitive Personal Information" link, Global Privacy Control honoring statement, and the actual opt-out endpoint or banner integration documented for your engineering team.
A working list of every vendor that touches user PI, categorized by processing role (controller, processor, sub-processor) and jurisdiction. Required as a CPRA disclosure if you sell or share, and required by GDPR Article 28 regardless. The starter registry feeds your DPA template.
Notice clauses tied to California Civ. Code 1798.82, the 50-state mosaic, GDPR Article 33/34 timelines, and the FTC Health Breach Notification Rule when health data is in scope. Plus an internal escalation playbook so your team knows what to do in the first 72 hours.
Categorization of every cookie and tracker in your site's actual deployment, consent banner copy and configuration, and an updated cookie policy that matches the banner. Aligned with current CPPA enforcement positions on Google Analytics, Meta Pixel, and similar.
If you process precise geolocation, financial accounts, biometric identifiers, health data, or contents of communications, CPRA treats those differently. The bundle includes the notice language, the "Limit the Use" mechanism, and the storage/processing controls you need to claim the carve-outs.
If any of these scenarios match your business, the bundle pays for itself the moment a customer, investor, or regulator asks "show me your privacy program."
Investors ask. Enterprise prospects ask. App stores reject the listing without a working privacy URL. Launching with a free generator policy is the fastest way to box yourself into representations you'll regret at the seed round diligence call.
Once you cross 100,000 California consumers or households — or hit the revenue/sales-share triggers — you owe CPRA disclosures, GPC honoring, and the opt-out links. Most Shopify-default policies don't include any of these.
Most consumer health apps aren't HIPAA-covered, but they are subject to California's CMIA and the FTC Health Breach Notification Rule (recently expanded by the 2024 amendments). Each one has its own notice obligations and breach timelines.
Enterprise customers won't sign without a Data Processing Agreement that maps to GDPR Article 28. The bundle includes a DPA template you can send so deals stop stalling at procurement, plus the SCCs for international transfers.
Section 1033 of Dodd-Frank, the GLBA Privacy Rule, the Safeguards Rule, and the new CFPB Personal Financial Data Rights rule all interact with your privacy notice. The bundle aligns the layers so your policy doesn't contradict your Reg E and 1033 posture.
A scannable list of the defects I find in roughly half the policies that come across my desk — and what the corrected version looks like.
Templates copied in 2018–2020 still point users to the California Attorney General for CCPA complaints. Enforcement has shifted to the California Privacy Protection Agency (CPPA) for most consumer matters since July 2023.
Fix: Updated complaint pathway pointing to the CPPA, with the AG retained for the carve-out matters where it still has jurisdiction.
Consumer health apps assume HIPAA doesn't apply (correct) and stop there (incorrect). California's CMIA reaches consumer-facing health and wellness data in ways the federal rule doesn't.
Fix: CMIA-compliant disclosure layer for California users, plus the FTC Health Breach Notification Rule alignment as expanded in the 2024 amendments.
CPRA created a separate "Limit the Use of My Sensitive Personal Information" right in addition to "Do Not Sell or Share." Most policies still only have the latter, leaving the SPI right unfulfilled.
Fix: Both links present, both tied to a working opt-out endpoint, both honored alongside Global Privacy Control.
CPRA's definition of "sell" and "share" is broader than colloquial sale — cross-context behavioral advertising counts. Saying "we don't sell" while running Meta Pixel or Google Ads is a misrepresentation enforcement actions have already cited.
Fix: Honest "we share for cross-context behavioral advertising" disclosure plus the opt-out link, or actually disable the trackers.
Both CPRA and GDPR require specific or specifically-determinable retention periods. "As long as necessary" alone is non-compliant and was the focus of multiple CPPA enforcement advisories in 2024.
Fix: Category-specific retention table with concrete timeframes, plus the criteria for any "as long as necessary" residual category.
Two notice frameworks stapled together produce contradictions: the CCPA layer says "we collect for business purposes" while the GDPR layer says "we have legitimate interests." Both can be true, but they need to map cleanly.
Fix: Single unified notice with jurisdiction-specific sections that cross-reference rather than duplicate, and a clear data subject rights matrix.
The banner says "we only use essential cookies" while the policy lists 47 trackers. Either the banner is misleading or the policy is. Either way, it's a CPPA target and a GDPR Article 7 consent-validity problem.
Fix: Audit of the actual deployed cookies, banner copy that matches, and a consent management platform configured for granular opt-in where required.
Mass arbitration plaintiffs, the FAA's 2022 Sexual Assault carve-out, and the recent California App Store rulings all turn on whether the arbitration clause was reasonably surfaced. A clickwrap link buried 14 paragraphs deep is increasingly being held unenforceable.
Fix: Conspicuous arbitration notice with checkbox or scroll-through acknowledgment, mass-arbitration protective language, and statutorily mandated carve-outs.
A four-row snapshot. The quick way to see whether the bundle pays for itself for your business stage.
Send me a one-paragraph description of your product and where your users live. I'll tell you whether the $349 single-document review is enough or whether the bundle makes more sense.
Before you pick a tier, run the Privacy Compliance Readiness Score. You get a score from 0 to 100 plus a list of the failed items, mapped to CCPA, GDPR, vendor management, opt-out flow, and breach response. Score under 40 → Bundle. Score 40-75 → single review. Score above 75 → quarterly maintenance.
Real questions from the Terms.Law forum where founders, freelancers, and tenants worked through situations like yours.
Email me your current Privacy Policy and ToS (or a note that you don't have one yet) plus a one-paragraph product description. I'll send back a scope confirmation and the PayPal invoice within one business day.
Disclaimer. The information on this page is for informational purposes only and does not constitute legal advice. Reading this page or contacting me does not create an attorney-client relationship. Privacy and consumer-protection law is evolving rapidly — CPRA enforcement, CPPA rulemaking, FTC HBNR amendments, EU/UK divergence, and the patchwork of state comprehensive privacy laws all change the analysis — and any engagement is current as of the engagement date. Sergei Tokmakov is licensed in California (CA Bar #279869); privacy and ToS matters that don't require state-specific litigation are handled nationwide. Past results do not guarantee future outcomes.