privacy-policy
Privacy Policy
When to Use
Activate when a founder needs to create a privacy policy for a new product launch, update an existing policy for new data practices or features, expand into a new jurisdiction (EU, California, etc.), or assess whether current data handling is properly disclosed. Also activate when the user asks about GDPR, CCPA, CPRA, or general data privacy compliance.
Context Required
- From startup-context: product type, platform (web/mobile/API), target customer segments, geographic markets, business model, tech stack.
- From the user: product name and URL, company legal name and address, contact email for privacy inquiries, what personal data is collected and how, which third-party services process data (analytics, payment processors, CRMs, AI providers), applicable jurisdictions, whether the product targets minors, and any existing privacy documentation.
Workflow
- Research the product -- Visit the product website or review the product description. Identify all data collection methods, third-party integrations, and primary features that involve personal data.
- Map data collection -- Categorize all data into: directly provided (forms, account creation), automatically collected (cookies, device info, usage data, IP addresses), third-party sources, and special/sensitive categories. Build a structured data inventory.
- Identify applicable laws -- Based on where users are located and where the company operates, determine which privacy frameworks apply: GDPR, CCPA/CPRA, state privacy laws, COPPA, industry-specific regulations. Note specific obligations per jurisdiction.
- Structure the policy -- Organize using the 15-section template below. Write in plain language at an 8th-grade reading level. Be specific about actual practices -- say "We collect your email address when you sign up" rather than "We may process identifiers."
- Flag legal review areas -- Mark sections requiring attorney review with [LEGAL REVIEW REQUIRED] notation. These include legal basis determinations, international transfer mechanisms, and jurisdiction-specific rights.
- Provide implementation context -- Explain why each section matters, what company decisions are needed, and what compliance considerations apply. Include a pre-publication checklist.
- Generate compliance summary -- Produce a separate document with data inventory table, jurisdiction applicability matrix, risk flags, and implementation checklist.