

Ask HN: How do you write a privacy policy/legal page for your site? - tickle_me_elmo

I was looking at the HN legal page: <http://ycombinator.com/legal.html>

The "terms of use" are extremely brief:

*Terms of Use: When you click on a link, our server will send you the corresponding page.*

Are you required to have a policy statement/legal page?

If so, what *needs* to be in there?
======
albahk
A good template is Automattic's Privacy policy which they have made available
for anyone to copy and use.

<http://automattic.com/privacy/>

~~~
cheald
This was going to be my reply, as well. The provision of a legally-drafted
contract is quite a service to the community. You'll want to modify it to fit
your product, but it's a great place to start and hits all the high points.

------
jsarch
IANAL, but here's what I did for SeqCentral.

1) Look around the web for the Terms and Policies from similar companies.
(Since SeqCentral is a SaaS provider, I looked at GitHub, 37 Signals, and our
competitors.)

2) Look at the Wikipedia pages for more "official" references:
<http://en.wikipedia.org/wiki/Privacy_policy> and
<http://en.wikipedia.org/wiki/Terms_of_service>

3) Draft your own terms such that if you were a user, you would be
comfortable with them. (I'm an idealist, and as such, the SeqCentral ToS
centers around the right of the consumer rather than the tyranny of the
provider.)

4) Iterate with a lawyer who will tell you what you need at a minimum. (e.g.
Refunds, children (COPPA), health (HIPAA), EU or CA rules, etc.)

5) Sleep on it.

6) Post as a "draft", issue an RFC, and be ready to make changes as needed.

Best of luck.

------
rendezvouscp
Take the following advice with a grain of salt as I am not a lawyer and I have
not had the privacy/security/TOS for my startup[1] reviewed by a lawyer.

I don’t believe you’re required (by US law) to have a policy statement or
legal page, although things may be different depending on where you are
located. That said, I would suggest outlining your privacy policies (e.g. who
can see their data under what circumstances, how long the data is stored,
etc.) and establishing a jurisdiction for any legal issues at the very least;
if you store sensitive data, I’d suggest talking a bit about what you do to
keep the data secure. Depending on your site, this might be something that
hardly anyone looks at or something that is important to users before they use
the site.

[1] Iron Money: <https://ironmoney.com/>

------
jsarch
Happened across this just now too:
<http://blogs.computerworlduk.com/simon-says/2010/12/the-risky-cloud/index.htm>

It discusses how WikiLeaks got kicked off of AWS, PayPal, and other providers
for violating the ToS.

