Privacy Policy Template
A starter privacy policy for OTT platforms — requires legal review and adaptation.
This is a starter template only. It does not constitute legal advice. It must be reviewed and adapted by qualified legal counsel before publication.
What to Add to This Template
Before publishing, add:
- Your company name, registered address, and data controller contact details
- Your actual third-party processors (email, analytics, billing, ad tech, CDN, support)
- Specific data retention periods for each category
- International transfer safeguards (if you transfer data outside UK/EEA)
- Any special category data processing (health information, children's data)
- Your DPO details (if required by your organisation size and processing activities)
- DSAR contact method and response time commitment
- Jurisdiction-specific sections (CCPA/CPRA for California users, etc.)
Privacy Policy (Template)
[Company Name] Privacy Policy
Last updated: [Date]
1. Who We Are
[Company Name] ([Company Website]) is the data controller for personal data collected through this website and our OTT platform services.
Contact: [email address] | [postal address]
2. What Personal Data We Collect
| Category | Examples | How Collected |
|---|---|---|
| Account data | Name, email, password (hashed) | Registration form |
| Payment data | Billing name, last 4 digits of card, billing address | Payment processor (we do not store full card numbers) |
| Viewing data | Titles watched, watch time, playback position, device | Platform activity |
| Device & technical data | IP address, device type, browser, OS, app version | Automatic |
| Communication data | Support tickets, emails, call notes | Direct communication |
3. Why We Process Your Data (Legal Bases)
| Purpose | Legal Basis |
|---|---|
| Providing the platform and services | Contract performance |
| Processing payments and managing subscriptions | Contract performance |
| Analytics to improve the platform | Legitimate interests |
| Marketing communications (if opted in) | Consent |
| Legal and regulatory compliance | Legal obligation |
| Fraud prevention and security | Legitimate interests |
4. Third Parties We Share Data With
We share data with the following categories of processor:
- Payment processors: [e.g. Stripe, Apple, Google] — for subscription billing
- Cloud infrastructure: [e.g. AWS, GCP] — for hosting and data storage
- Analytics providers: [e.g. Mixpanel, Mux] — for platform analytics
- CDN and video delivery: [e.g. Cloudflare, Akamai, AWS CloudFront] — for video streaming
- Email service providers: [e.g. Braze, Mailchimp] — for transactional and marketing emails
- Ad tech partners: [list if applicable] — for ad delivery (see Cookie Policy for details)
- Customer support tools: [e.g. Intercom, Zendesk] — for support communications
We do not sell your personal data.
5. International Transfers
[If applicable: describe transfers outside UK/EEA and safeguards e.g. Standard Contractual Clauses, UK International Data Transfer Agreement]
6. Data Retention
| Category | Retention Period |
|---|---|
| Account data | Duration of account + [X] years after closure |
| Payment records | [X] years (legal/tax requirement) |
| Viewing history | [X] months/years |
| Analytics data | [X] months (aggregate) |
| Support communications | [X] years |
7. Your Rights
Under UK/EU GDPR, you have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your data ("right to erasure")
- Restrict processing
- Receive your data in a portable format ("data portability")
- Object to processing based on legitimate interests
- Withdraw consent at any time (where consent is the legal basis)
To exercise your rights, contact: [DSAR contact email/form]
We will respond within 30 days.
8. Cookies
We use cookies and similar technologies. See our Cookie Policy for full details.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS) and at rest, access controls, and regular security reviews.
10. Children
Our platform is [describe age restriction or "not directed at children under 13 / 16 / 18"]. [Add specific children's data handling if applicable — see Kids & Age Policies section.]
11. Changes to This Policy
We will notify registered users of material changes to this policy. The "last updated" date at the top indicates when the policy was last revised.
12. Contact and Complaints
Data controller contact: [email]
If you are in the UK and unsatisfied with our response, you have the right to complain to the ICO: ico.org.uk
If you are in the EU, you may contact your national supervisory authority.