AesirX CMP Guide: How to Generate a Privacy Policy with AI
Manually writing a Privacy Policy is time-consuming, prone to errors, and often out of sync with what your site actually does. This guide walks you through generating a tailored draft using the AesirX CMP AI Privacy Advisor – based on real scan data, not assumptions. It saves time, supports global privacy law alignment, and gives you a reliable foundation to edit and publish with confidence.
Follow this step-by-step guide to generate your Privacy Policy draft automatically using the built-in AI tool.
Step 1: Log In to the AesirX AI Privacy Advisor
- Log in to your website’s WordPress admin panel.
- Navigate to AesirX CMP in the left-hand menu.
- Click AI Privacy Advisor.
This page gives you access to configure tracking transparency through the Domain Categorization feature, and to generate AI privacy documentation, such as the Cookie Declaration, Privacy Policy, and Consent Request.
From here you can also enable 1-click AI Auto-Blocking and configure third-party and domain/path blocking to support privacy compliance.
Step 2: View Your AI Privacy Policy
What to do:
- Once you open the AI Privacy Advisor, scroll down to Privacy Policy.
- Your Privacy Policy text is already populated based on your site’s scan results.
- Go through the headed sections, read the draft carefully and update any language to reflect your actual data handling practices.
- Make sure it’s accurate, especially if your business has multiple domains, operates in specific sectors, or collects sensitive data.
Note: Some sections may include placeholder text (e.g. vendor names or contact details) depending on your site scan. Make sure to review and edit these before publishing your Privacy Policy.
Here’s a breakdown of each section:
Step 3: Set the Effective Date
The effective date marks when your privacy policy becomes valid. Under laws like GDPR and CCPA, this helps demonstrate transparency and informs users which version of your terms is currently in effect. It also serves as a reference point for when changes were last made.
Example text:
[Your Company Name] ('we', 'us', or 'our') operates the website [Your Website URL] (the 'Site'). We take your privacy seriously and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information. It complies with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the ePrivacy Directive.
Disclaimer: This privacy policy is a draft and must be reviewed by a legal professional to ensure full compliance.
What to do:
- Add the date your privacy policy takes effect (e.g. today’s date or the planned publication date).
- Enter your company name exactly as it should appear in legal documents.
- Update this section each time the privacy policy is revised.
Step 4: Confirm the Identity of the Data Controller
This section identifies who controls the personal data collected on your site and how to contact them. Laws like GDPR and CCPA require clear details to ensure accountability and give users a direct privacy contact.
Example text:
The data controller responsible for your personal data is:
[Company Name]
Address: [Company Address]
Email: [Email Address]
Phone Number: [Phone Number]
What to do:
- Fill in:
  - Your company’s legal name
  - Full address
  - Contact email
Step 5: Review Types of Personal Data Collected
This section lists the types of personal data your site collects through cookies, beacons, and tracking technologies. The information is based on your site’s privacy scan and reflects what is actively detected in use, helping you meet legal requirements under GDPR, ePrivacy Directive, CCPA, and similar laws that mandate transparency about data collection.
Example text:
Cookies and Tracking Technologies:
We use cookies, beacons, and tracking pixels to collect certain information when you visit our Site:
- Cookies: Small data files stored on your device. Essential cookies like PHPSESSID ensure basic functionality, while others like tk_or, tk_lr, tk_r3d, and session-based sbjs_* cookies collect data post-consent for analytics and preference purposes.
- Beacons and Tracking Pixels: These tools help us measure engagement levels and improve our services.
What to do:
- Double-check the list of cookies and trackers mentioned. Confirm these match your actual site setup. Examples may include:
  - PHPSESSID for session tracking
  - tk_or, tk_lr, tk_r3d for analytics
  - sbjs_* cookies for behavioral tracking post-consent
Step 6: Use of Cookies and Similar Technologies
This section lists cookies and similar technologies used for advertising or cross-site tracking. These always require active user consent.
Example text:
Cookies and similar technologies are used to:
- Enhance user experience through personalized content.
- Monitor site performance and usage patterns.
- Support marketing campaigns and optimize ad delivery.
What to do:
- Review and update this section based on your actual use of cookies and tracking tools.
Step 7: Legal Basis for Processing
This section explains the legal grounds your organization relies on to process personal data. Privacy laws require you to clearly state why data is collected and under what conditions. Many site owners mistakenly claim legitimate interest for analytics or marketing cookies under GDPR, believing it is sufficient. However, under Article 5(3) of the ePrivacy Directive (ePD), placing any non-essential cookie requires prior consent.
Example text:
We rely on the following legal bases for processing your personal data:
- Consent: For non-essential cookies and marketing activities (GDPR Art. 6(1)(a)).
- Legitimate Interests: For enhancing site performance and gathering analytics (GDPR Art. 6(1)(f)).
What to do:
- Only include the legal bases that apply to your actual use of personal data.
- Consent is required for any non-essential cookies or tracking technologies.
- Only include Legitimate Interests if you’ve completed a proper assessment and avoid starting any tracking before consent is given.
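The checks in Step 5 (the listed cookies match what the site actually sets) and Step 7 (no non-essential cookie before consent) can be run against cookie names exported from a fresh browser profile. This is an added example, not part of AesirX CMP: the observed cookie lists and the name `example_ad_id` are constructed, and the categories are taken from the example policy text above.

```python
from fnmatch import fnmatchcase

# Declared cookies, as named in the Step 5 example text. PHPSESSID is
# described there as essential; the others as collecting data post-consent.
DECLARED = {
    "PHPSESSID": "essential",
    "tk_or": "non-essential",
    "tk_lr": "non-essential",
    "tk_r3d": "non-essential",
    "sbjs_*": "non-essential",  # wildcard family, matched as a glob
}

def classify(name):
    """Return the declared category for a cookie name, or None if undeclared."""
    for pattern, category in DECLARED.items():
        if fnmatchcase(name, pattern):
            return category
    return None

def audit(before_consent, after_consent):
    """Compare observed cookie names with the policy's declared list.

    before_consent / after_consent are the cookie names present before and
    after accepting the consent banner.
    """
    observed = set(before_consent) | set(after_consent)
    return {
        # Present on the site but missing from the policy text.
        "undeclared": sorted(n for n in observed if classify(n) is None),
        # Declared non-essential, yet already set before consent was given.
        "set_before_consent": sorted(
            n for n in set(before_consent) if classify(n) == "non-essential"
        ),
        # Listed in the policy but never observed; the entry may be outdated.
        "stale_declarations": sorted(
            p for p in DECLARED if not any(fnmatchcase(n, p) for n in observed)
        ),
    }

# Constructed sample observations (not real scan output).
BEFORE = ["PHPSESSID", "sbjs_current", "tk_or"]
AFTER = ["PHPSESSID", "sbjs_current", "sbjs_first", "tk_or", "tk_lr", "example_ad_id"]

if __name__ == "__main__":
    for finding, names in audit(BEFORE, AFTER).items():
        print(f"{finding}: {names}")
```

Any entry under `set_before_consent` means the policy's consent claim and the site's behaviour disagree, which needs fixing on the site rather than in the text.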
Step 8: Third-Party Services Involved
This section lists external providers that handle personal data on your behalf. Privacy laws require you to disclose which third parties are involved, especially if they process data for analytics, advertising, or other business functions. Naming them helps users understand how their data is shared and with whom.
Example text:
Our Site works with third-party service providers for analytics and marketing purposes. These third parties comply with strict data protection standards:
- [Analytics Provider's Name]: Responsible for collecting site usage data.
- [Marketing Services Provider's Name]: Helps deliver targeted advertising.
What to do:
- Review the detected third-party services from your site scan.
- List the services actively involved in analytics, marketing, or other data processing.
- Where possible, name each provider and briefly describe their role.
- Double-check that relevant and currently used services are included before publishing.
Step 9: Data Retention Periods
This section explains how long personal data is stored before it’s deleted or anonymized. Privacy regulations require that data is not kept longer than necessary. Being transparent about retention periods shows responsible data management and helps build user trust.
Example text:
Your personal data is retained only as long as necessary to fulfill the purposes for which it was collected, in accordance with legal requirements.
What to do:
- Confirm how long personal data is stored based on your actual data handling practices and legal obligations.
- If you have defined retention periods (e.g. 30 days for server logs, 6 months for analytics), include them here.
- If not, use a general statement like the example, but ensure it reflects your internal policy and is legally sound.
Step 10: Sharing of Data
This section outlines which third parties may receive user data. Privacy laws require transparency about how and with whom personal data is shared. Clear disclosure supports accountability and helps users understand how their data flows beyond your site.
Example text:
Your personal data may be shared with:
- Service Providers: To assist with site analytics and marketing.
- Legal Authorities: When required by law or to protect our rights.
What to do:
- List the types of third parties you share data with, such as analytics providers or marketing platforms.
- Edit the vendor placeholder list before publishing so that it includes those relevant to your actual setup.
Step 11: User Rights
This section outlines the rights individuals have regarding their personal data. Privacy laws require you to inform users of their rights and how they can exercise them. Including this builds trust and demonstrates transparency.
Example text:
Under the GDPR and CCPA, you have the following rights concerning your personal data:
- Right of Access: Request access to personal data we hold about you.
- Right to Rectification: Request correction of any inaccuracies in your personal data.
- Right to Erasure: Request deletion of your personal data.
- Right to Data Portability: Request transfer of your personal data to another provider.
- Right to Object: Object to certain types of data processing activities, including direct marketing.
- CCPA Opt-Out: Request to opt-out of the sale of your personal data.
What to do:
- Review and adapt the list of rights to reflect the data protection laws relevant to your audience.
- Only include rights your business can support in practice.
- Make sure you have procedures in place for handling rights requests, and consider linking to them or referencing how users can submit a request.
Step 12: International Transfers
This section explains if and how personal data is transferred to other countries. Many privacy laws require you to disclose cross-border data transfers and explain the measures in place to protect that data. Including this builds trust and shows awareness of global data protection responsibilities.
Example text:
Your personal data may be transferred to, and processed in, countries other than your country of residence. We take steps to ensure that appropriate safeguards are implemented to protect your privacy and personal data.
What to do:
- Review whether your website or services involve transferring personal data across borders (e.g. to third-party providers or cloud platforms).
- If transfers occur, update this section to reflect your actual data flows.
- Describe the safeguards you rely on, such as Standard Contractual Clauses (SCCs), adequacy decisions, or binding corporate rules.
Step 13: Contact Us
This section provides users with a direct point of contact for privacy-related questions or concerns. A monitored and accessible contact builds trust and demonstrates accountability.
Example text:
If you have any questions or concerns regarding this Privacy Policy or our practices, please contact us at [Email Address].
Note: This draft privacy policy should be reviewed and finalized by a legal professional to guarantee compliance with applicable regulations.
What to do:
- Replace the placeholder with a valid, monitored email address (ideally role-based, like privacy@yourdomain.com).
- Double-check that the contact point is appropriate for handling data protection queries and that it’s accessible to users in all regions you serve.
Step 14: Copy and Preview
Click the copy icon to export the generated text. Review and edit it to reflect your actual data practices before adding it to your site’s Privacy Policy or legal pages.
For better readability, consider numbering the sections and including a table of contents.
Step 15: Re-Generate If Tracking Changes
At the end of the Privacy Policy section, you’ll see a Regenerate button.
What to do:
- If you update your website by adding or removing tracking technologies like ad pixels, analytics scripts, or embedded media, or adding new tools, tags, or plugins, you should revisit the AesirX AI Privacy Advisor to check for any Privacy Policy changes. Keeping it accurate isn’t a one-time task.
- Clicking Regenerate will run a fresh scan and update the Privacy Policy to reflect the latest setup. It’s the easiest way to keep your documentation compliant over time.
- To make this easier, you can use AesirX Privacy Monitoring, which automatically scans your site on a regular schedule and flags any new scripts or trackers that could affect your compliance. This means your documentation stays up to date without relying on manual checks.
Done! Your Privacy Policy Draft Is Ready
You’ve successfully generated a Privacy Policy tailored to your site’s actual behavior using the AesirX Consent Management Platform AI tool. This draft supports alignment with major data protection laws by addressing key transparency and consent obligations.
Not sure what’s loading on your site?
If internal resources are limited, our Alliance for Compliance offers a path to fast-track implementation, privacy monitoring, and continuous privacy validation.