Privacy Policy Build Checklist & Discovery Guide

A practical checklist for gathering business, website, tracking, advertising, and privacy-rights information before drafting a privacy policy.

Start here

Fill out the checklist below. At the bottom, Step 11 will generate a custom master prompt for you based only on the boxes you checked.

Important note

AI can help draft and organize a strong privacy policy, but AI is not an attorney and PrimeAxiom is not a law firm. This checklist is not legal advice. Use it to gather accurate operational details, then review the final policy with qualified legal counsel.

1. Business Basics

Start with the information that identifies who the policy belongs to and what the business does.

Legal business name (e.g., PrimeAxiom LLC)
Primary website URL (e.g., https://primeaxiom.ai)
Main business contact email and mailing address for privacy requests (e.g., privacy@company.com)
Products or services sold (e.g., B2B AI workflow automation software)
Customer types served: consumers, businesses, or both
States and countries where the business is legally registered or physically operates
States and countries where customers, users, or website visitors are served
Whether the business sells to EU, UK, Canadian, California, or other regulated-region residents
Whether the business acts as a data controller, data processor, service provider, or both
Effective date or last updated date for the privacy policy
How users will be notified of material privacy policy changes
Whether the privacy policy needs multiple languages or accessible formats
Privacy officer, data protection officer, or internal owner for privacy requests
2. Website, Forms, And Accounts

Map the places where visitors can submit information or create an ongoing relationship with the business.

Contact forms, quote forms, newsletter forms, and booking forms
Account registration or login areas
Customer dashboards, portals, or profile settings
Checkout, payment, or subscription flows
File upload areas or document intake portals
Chat widgets, AI assistants, or support ticket forms
Any embedded third-party forms or calendars
Mobile apps, browser extensions, or connected devices that collect data
Offline intake sources such as phone calls, SMS, events, imports, or paper forms
3. Personal Information Collected

List the categories of information the business collects directly or indirectly.

Names, emails, phone numbers, and business contact details
Usernames, passwords, account IDs, profile details, and authentication data
Billing, shipping, and payment-related information
Messages, form details, attachments, and support requests
Website usage data, device data, IP addresses, and browser information
Location data, if collected from device settings, IP address, shipping details, or service area
Employment, applicant, contractor, or vendor information, if collected
Audio recordings, call transcripts, chat logs, or screen recordings, if collected
Sensitive information, if collected
Sensitive data categories. What this means: Certain states require explicit opt-in consent if you collect highly regulated personal details.
Children's information, if knowingly collected
Whether the service is directed to children, the minimum user age, and what happens if child data is discovered
Regulated data categories such as HIPAA health data, GLBA financial data, FERPA education data, COPPA children’s data, employment data, biometric data, precise geolocation, financial data, or health and wellness data
Data collected from third-party sources such as social platforms, lead providers, enrichment tools, or public records
4. Tools And Integrations

Document the systems that receive, store, process, or help analyze customer information.

CRM, email marketing, and sales pipeline tools
Analytics tools such as Google Analytics or Search Console
Ad platforms such as Google Ads, Meta, LinkedIn, or TikTok
Payment processors, booking systems, and invoicing tools
AI tools, automation platforms, chatbots, and support systems
Cloud hosting, database, storage, and security providers
Phone, SMS, email, and call recording providers such as Twilio, SendGrid, or similar tools
Data warehouses, vector databases, document stores, or retrieval systems
Subprocessors and vendors that receive personal data, with links to their privacy terms
Whether vendors are reviewed for security and privacy before approval
Whether data processing agreements, subprocessors lists, or vendor contracts are signed and maintained
Who owns vendor oversight and vendor risk review inside the business
5. Cookies, Pixels, And Tracking

Identify tracking technologies so the policy can explain what is used and why.

Essential cookies needed for site operation
Analytics cookies and event tracking
Advertising pixels and retargeting audiences
Session replay, heatmap, or conversion tracking tools
UTM parameters, click IDs, referral URLs, and attribution data
Do Not Track, Global Privacy Control, or consent-preference handling
Cookie categories used, such as essential, analytics, advertising, personalization, and functional cookies
Whether cookie consent logs are stored and how long consent records are retained
Whether visitors can change cookie preferences after their first choice
Cookie consent banner behavior, if used
Opt-out links or preference tools available to visitors
6. Sharing, Selling, And Disclosures

Clarify who receives information and whether any sharing may count as a sale or targeted advertising disclosure.

Service providers and vendors that process data for the business
Advertising partners or analytics partners
Payment, shipping, fulfillment, and professional service providers
Legal, security, fraud-prevention, or compliance disclosures
Business transfer scenarios such as merger or acquisition
Whether personal information is sold or shared for cross-context behavioral advertising
Whether data is transferred across state or country borders for hosting, support, analytics, or AI processing
Whether standard contractual clauses, data processing agreements, or vendor contracts are used for international transfers
Whether affiliates, franchisees, contractors, or agencies can access customer data
Financial incentives, loyalty programs, discounts, rewards, referral programs, or benefits offered in exchange for data
7. Privacy Rights And Requests

Define how people can contact the business and which rights may apply based on location.

Request email address or web form for privacy inquiries
Whether privacy requests can be submitted by phone, email, web form, or postal mail
Whether the business uses a vendor or privacy portal to manage data subject requests
Access, correction, deletion, portability, and opt-out request process
Identity verification process for requests
Authorized agent process, if applicable
California, Virginia, Colorado, Connecticut, Utah, GDPR, or other regional rights
Right to opt out of sale, sharing, targeted advertising, profiling, or automated decisions
Appeal process for denied privacy requests, if required by state law
Non-discrimination statement for users who exercise privacy rights
Expected response timelines and escalation owner
8. Retention And Security

Describe how long information is kept and the basic safeguards used to protect it.

How long lead, customer, billing, support, and analytics records are retained
How long logs, backups, call recordings, chat histories, and AI prompts are retained
Whether data is anonymized, aggregated, deleted, archived, or kept for legal obligations
Security controls such as access limits, encryption, monitoring, or backups
Internal data access controls. What this means: Identify every team or role inside your company that has access to live customer data, logs, or profiles.
Role-based access controls, admin permissions, and employee or contractor access rules
Vendor review process for systems that handle personal information
Incident response contact and escalation path
Data deletion process when records are no longer needed
Breach notification process and who is responsible for notifying users or regulators
Specific purposes of use, including service delivery, billing, security, analytics, personalization, marketing, AI improvement, fraud prevention, legal compliance, and customer support
Legal bases for processing under GDPR or UK GDPR, such as consent, contract, legitimate interests, legal obligation, vital interests, or public task
Email and SMS marketing consent, newsletters, promotional messages, abandoned-cart messages, transactional notices, and unsubscribe process
9. AI Core & Model Governance

Document how your AI system processes data, handles model training, and protects user inputs.

Model training & opt-outs. What this means: Clarify whether customer prompts, uploaded documents, or chat histories are used to train, retrain, or fine-tune your internal AI models. Note whether you provide a clear toggle or settings menu for users to opt out of training.
Third-party AI subprocessors & data retention. What this means: List the upstream AI platforms or LLM providers your system relies on (e.g., OpenAI, Anthropic, Google Vertex, AWS Bedrock). State whether your commercial agreements with them guarantee "Zero Data Retention" (meaning they do not store your users' data or use it to train their public models).
Prompt and input retention. What this means: Specify exactly how long user inputs, conversation strings, or file uploads live in your database before they are permanently purged or anonymized.
Data scrubbing & PII sanitization. What this means: Identify whether your system automatically scans for and strips out personally identifiable information (such as social security numbers, credit card numbers, or names) before sending data to an AI model or storing it in a vector database.
Output ownership. What this means: Explicitly state who owns the intellectual property rights to AI-generated results (text, code, or synthetic media): whether ownership belongs entirely to the user who generated them or your platform claims a license.
Automated decision-making (GDPR/CCPA compliance). What this means: Note whether your AI automatically approves, denies, or scores users in a way that has legal or similarly significant effects (e.g., automated hiring, credit checks, or dynamic tier pricing). If it does, you must explain how a user can request a human review of that decision.
Synthetic content & AI transparency. What this means: Disclose whether you flag, label, or digitally watermark AI-generated images, audio, or text so end users know they are interacting with or viewing synthetic content.
Human review & escalation. What this means: Explain when AI outputs are reviewed by a person, when users can request human assistance, and who handles escalations involving incorrect or harmful outputs.
Vector database & retrieval sources. What this means: List whether uploaded files, website content, CRM data, call transcripts, or support documents are embedded into a vector database or retrieval system for AI responses.
AI incident handling. What this means: Document how users can report problematic AI responses, privacy incidents, hallucinations, bias, or unauthorized disclosures.
10. Final Policy Sections To Draft

Use the discovery answers to draft policy sections that match the actual operation of the business.

Introduction and scope
Information collected
How information is used
Cookies and tracking
How information is shared
Privacy choices and rights
Data retention and security
International transfers and region-specific privacy rights
AI systems, model training, subprocessors, and automated decision-making
Contact details, request process, policy updates, and effective date
Children, international users, changes, and contact information

Step 11

🚀 Generate Your Custom Master Prompt

Ready to draft your policy? Enter your email below to bundle your active checklist selections into a perfectly formatted master prompt. You can copy and paste this directly into Cursor, ChatGPT, or Claude to write your tailored Privacy Policy in seconds.

⚠️ Reminder: While this custom prompt will help you generate a highly detailed and structured starting draft in your AI editor, please remember that AI is not an attorney. Always review your generated draft with qualified legal counsel before publishing it live.

Privacy note: this generator runs entirely in your browser. Your checklist selections are not sent to PrimeAxiom, saved to a database, or submitted to any server.

By entering your email and clicking Generate, you agree that PrimeAxiom may contact you about this privacy policy checklist and your generated prompt.

Next Step

🎥 Join Our Live AI & Compliance Workshops

Got your master prompt? Before you go off and deploy your new privacy policy, join us for our next live workshop. We regularly host live deep-dives and open Q&A sessions covering:

  • Upstream AI vendor secrets (OpenAI, Anthropic, AWS Bedrock compliance)
  • Step-by-step walk-throughs for user opt-out workflows
  • Live data-mapping teardowns for scaling platforms