Free Legal Document Generator for Small Business Owners

Yes — if your website collects any personal information from visitors (including through contact forms, newsletter sign-ups, cookies, or analytics tools), you are legally required to have a privacy policy in most countries. This includes businesses in Canada (PIPEDA), the United States (CCPA for California users), the European Union (GDPR), the United Kingdom (UK GDPR), and Australia (Privacy Act). Even a simple website that uses Google Analytics is collecting personal data and needs a privacy policy.

The General Data Protection Regulation (GDPR) is the European Union's data privacy law. It applies to any business that offers goods or services to people in the EU or monitors the behaviour of EU residents — regardless of where the business is based. A Canadian, American, or Australian business with European customers is subject to GDPR. It requires businesses to have a lawful basis for collecting personal data, provide clear disclosures, honour user rights (including the right to access and delete data), and report certain breaches within 72 hours.

It depends on how your business operates, but most small businesses need at least a privacy policy (if your website collects any data) and terms of use (to set rules for how people use your site or service). If you sell products online, a refund and return policy is essential. If you work with freelancers or contractors, a contractor agreement protects both parties. If you share sensitive business information with partners or employees, an NDA is advisable. As you grow, policies like a code of conduct and remote work policy help set clear expectations for your team.

A privacy policy explains how you handle personal data — it is a legal disclosure required by privacy law in most jurisdictions. Terms of use (also called terms of service or terms and conditions) are a contract between you and your users that governs how they may use your website or service. They cover things like prohibited behaviour, intellectual property, liability limits, and dispute resolution. Most websites need both: the privacy policy for legal compliance, and the terms of use to protect the business and set expectations for users.

An NDA makes sense when you are sharing genuinely sensitive or proprietary information — such as a unique product formula, unpublished software, client lists, or detailed financial projections. For a general business idea, an NDA is less common in early conversations (many investors will decline to sign one at the exploration stage), but becomes more important once you are sharing real trade secrets or confidential plans. When in doubt, consult a lawyer about whether an NDA is appropriate for your specific situation.

The documents generated by DraftPolicy are drafts and starting points — they are not finished legal documents and should not be used as-is without review by a qualified attorney. Whether any legal document is binding depends on many factors including how it is presented, the jurisdiction involved, and whether it accurately reflects your actual practices. DraftPolicy is not a law firm and using this tool does not create a lawyer-client relationship. Always have your documents reviewed by a licensed lawyer in your jurisdiction before use.

Yes, completely free — no credit card, no account, no subscription. There is no catch. DraftPolicy is built and maintained by Sociable Studio as a useful tool for small business owners. Nothing you type is stored, tracked, or sent anywhere — all processing happens entirely in your browser. We don't run ads and we don't sell data. If you find it useful, the best thing you can do is share it with another business owner who might need it.

Review your legal documents at least once a year. You should also update them whenever something material changes — for example, if you add a new analytics tool, start a newsletter, introduce online payments, change how you handle refunds, or hire your first employee. For privacy policies in particular, any change in how you collect or use personal data should trigger a review. When you update a document, always change the effective date and, for significant changes, notify your users.