AI-Powered Privacy Policy Review

Check your privacy policy before regulators do.

Missing cross-border disclosure. Collection purposes too vague. No complaint handling process. Kontractually reviews privacy policies against your applicable obligations - Australian Privacy Principles (AU), UK GDPR, or CCPA (US) - before you publish.

No credit card required. First 3 reviews free.

Privacy policy checklist

6 required elements every privacy policy must include.

Privacy regulations prescribe what a policy must contain. Kontractually checks every requirement against your jurisdiction before you publish.

1. Identity and contact details
   Entity name, ABN (if applicable), and contact details for privacy enquiries must be clearly disclosed. This is required by APP 1.4(a).

2. Categories of personal information
   APP 1 requires specific disclosure of what personal information is collected and held. Vague language ('information you provide') is insufficient.

3. Collection methods and sources
   Primary sources (directly from individuals) and secondary sources (third parties, cookies, analytics) must be identified.

4. Purpose of collection and use
   Each purpose for which personal information is collected, used, and disclosed must be stated. Catch-all purposes do not satisfy APP 1.

5. Cross-border disclosure
   If personal information is disclosed overseas (including to cloud providers), APP 8.1 requires the recipient countries to be identified. Regulators have scrutinised this element closely since the Optus and Medibank breaches.

6. Access, correction, and complaint rights
   Individuals have rights to access and correct their personal information (APP 12-13). The policy must explain how to exercise these rights and how to make a privacy complaint.

FAQ

Privacy policy questions.

APP 1 prescribes a minimum set of disclosures: entity identity and contact details, categories of personal information collected, how information is collected (primary and secondary sources), purposes of collection and use, cross-border disclosure countries, individual access and correction rights, complaint handling process including escalation to the OAIC, and data breach response process. Kontractually checks all of these against the APP 1 requirements.

Yes. If your business handles personal information of EU residents (including Australian businesses with EU customers), you may have GDPR obligations. You can configure a dual-compliance playbook that checks Australian APP requirements and GDPR requirements: lawful basis for processing, data subject rights (access, erasure, portability, objection), data retention limits, and Data Protection Officer requirements.

Both cover privacy policy review. The privacy-policy-compliance page focuses on the compliance angle - using Kontractually as part of a compliance program. This page focuses on the review tool itself - using Kontractually as a privacy policy checker before publication.

Review your privacy policy when: data collection practices change, a new third-party processor is added, you start operating in a new jurisdiction, privacy legislation changes, or you experience a data incident. The Australian Privacy Act review is expected to introduce significant changes - policies should be reviewed once reforms are enacted.

Yes. Separate playbooks exist for cookie policies (GDPR ePrivacy directive requirements, consent management) and terms and conditions (consumer law obligations, limitation of liability, jurisdiction). Review each document against the relevant playbook.

Review your privacy policy before you publish.

Set up your privacy compliance playbook in 10 minutes. First 3 reviews free.