Document constructor

A working basis for 152-FZ compliance: fill in the details, review the text and download the document without sign-up.

Privacy policy constructor

Fill in the operator details and processing parameters — the constructor builds a 152-FZ privacy policy for your site. Download DOC, HTML or plain text.

Benefits

Builds the document quickly while keeping key 152-FZ requirements in place

  • Legal structure

    A matrix of purposes, data, legal bases, actions and retention periods is already reflected in the document.

  • No sign-up

    Fill in the operator details right on the page. The constructor updates the document live.

  • DOC, HTML and text

    Download a file for legal review, HTML for the website, or copy the final text immediately.

  • Ready to publish

    Publish it at /privacy and link it from the footer and next to your forms.

Constructor

Fill in the details — the document updates live and is ready for DOC, HTML or text export.

Operator
Site and contacts
Phone (optional)
Processing parameters

From 01.07.2025, when personal data of Russian citizens is collected, Art. 18(5) of 152-FZ does not permit recording, storing or retrieving such data in foreign databases. Google Analytics usually transfers data to foreign infrastructure; for a localisation violation under Art. 13.11(8)-(9) of the Russian Code of Administrative Offences, legal entities may be fined 1-6 million ₽, and 6-18 million ₽ for a repeat violation. It is better to disable GA or replace it with a Russian analytics service.

Purposes
Purpose 1: Receiving and handling requests, feedback
Purpose 2: Conclusion, performance and termination of contracts
Purpose 3: Site operation, security and analytics
Purpose 4: Compliance with the law

Personal Data Processing Policy

Revision dated 26 June 2026.

1. General provisions

This Personal Data Processing Policy (the “Policy”) defines how personal data is processed and secured by the operator: [operator name] (the “Operator”, legal entity), and applies to the website [site address] and its related subdomains (the “Site”).

The Policy complies with the Constitution of Russia, Federal Law No. 152-FZ of 27 July 2006 “On Personal Data” (“152-FZ”) and related regulations, and applies to all personal data the Operator may obtain in connection with the use of the Site.

By using the Site, the data subject confirms that they have read this Policy.

2. Terms and definitions

  • Personal data — any information relating to a directly or indirectly identified or identifiable individual (the subject).
  • Processing — any operation on personal data (collection, storage, use, transfer, deletion, etc.).
  • Operator — the entity that organises and/or carries out processing and determines its purposes and data.
  • Subject — the individual the personal data relates to.

3. Processing principles

  • lawfulness and fairness of processing;
  • processing only for predefined and lawful purposes;
  • data adequacy and minimisation relative to the stated purposes;
  • accuracy and relevance of data; storage no longer than necessary.

4. Categories of data subjects

  • Site visitors and users;
  • persons who submitted a request via Site forms;
  • prospective, current and former clients, and representatives of counterparties.

5. Purposes, legal bases, data, actions and retention

| Purpose | Personal data | Legal basis | Processing actions | Retention |
|---|---|---|---|---|
| Receiving and handling requests, feedback | name, phone, email, message, selected service | consent; pre-contract steps | collection, recording, systematisation, storage, updating, use, deletion | up to 1 year from last contact |
| Conclusion, performance and termination of contracts | name, contact details, requisites, correspondence, order or project details | contract performance; pre-contract steps | collection, recording, storage, updating, use, processor transfer, deletion | contract term + statutory periods |
| Site operation, security and analytics | IP address, cookies, browser/device data, on-site actions, referral source | consent for analytics; legitimate interest for security | collection, recording, systematisation, storage, anonymisation, analysis, deletion | until consent withdrawal / cookie lifetime |
| Compliance with the law | data required by law, consent/request/action records | legal obligation imposed on the operator | collection, recording, storage, updating, disclosure to authorised bodies, destruction | statutory periods |

6. Personal data processed

  • identification and contact data: name, phone number, email;
  • request data: selected service/project type, comment;
  • technical data: IP address, cookies, browser/device data, visit date/time, on-site actions, referral source;
  • correspondence data if the subject provides it.

Special categories of personal data (race, health, political views, etc.) and biometric data are not processed. Data of minors is not collected intentionally.

7. Processing conditions

Processing is carried out both with and without automation (mixed). The Operator keeps personal data confidential and does not disclose it to third parties without the subject’s consent, except as provided by law.

8. Data collection via the Site, cookies and analytics

The Site uses cookies and web analytics (Yandex Metrica). Analytics cookies and counters load only after the user’s consent given via the banner.

9. Database localisation

Collection, recording, systematisation, accumulation, storage, update and retrieval of personal data of Russian citizens are performed using databases located in the Russian Federation (Art. 18(5) 152-FZ).

10. Data transfer and processors

The Operator may engage third parties to process personal data under a confidentiality and data-protection agreement, including: Yandex Metrica. When engaging a processor, the Operator remains responsible to the subject.

No cross-border transfer of personal data is carried out. Disclosure to other third parties is possible only with the subject’s consent or at the request of authorised state bodies as provided by law.

11. Retention and destruction

Retention is determined by achievement of purposes, the consent term, and contractual/statutory periods. Once purposes are achieved or consent is withdrawn, data is destroyed or anonymised within the periods set by 152-FZ, unless retention is required by law.

12. Security measures

The Operator applies legal, organisational and technical measures (Art. 18.1, 19 152-FZ), including:

  • appointing a person responsible for processing;
  • access restriction and segregation;
  • secure channels (HTTPS) and backups;
  • harm assessment and incident response.

13. Subject rights and how to exercise them

The data subject has the right to:

  • obtain information about the processing of their data;
  • request rectification, blocking or destruction of incomplete, outdated or unlawfully obtained data;
  • withdraw consent to processing;
  • appeal the Operator’s acts to Roskomnadzor or a court.

A request can be sent to [contact email]. The Operator responds within the timeframes set by 152-FZ (typically 10 business days, extendable to 30 days).

14. Responsible person and contacts

Enquiries on personal data matters are accepted at [contact email].

15. Final provisions

The Operator may amend the Policy. A new version takes effect upon publication on the Site. This version is effective from 26 June 2026.

The document is a working basis for 152-FZ requirements. Before publishing, we recommend a lawyer’s review and checking the exact retention periods and responsible-person details.

Process

How it works

  1. Fill in the details

    Operator type, name, registered address and contact details for personal data requests.

  2. Set the parameters

    Cookies, analytics, localisation, purposes, data categories and third-party services are reflected in the right sections.

  3. Review the text

    The preview updates instantly, so you can quickly see how the document changes.

  4. Publish it

    Download DOC or HTML, publish the policy at /privacy and link it next to your forms.

Why it matters

A policy is needed for any website that collects requests, uses analytics or receives user contact data

A personal data processing policy is mandatory for any website that collects visitor data even via a single contact form or analytics counter (Art. 18.1 of Federal Law No. 152-FZ). A missing or boilerplate policy is a common reason for Roskomnadzor complaints and fines.

The constructor builds a document using the structure we apply in our own projects: purposes and legal bases, data categories, retention, database localisation in Russia, subject rights and the request procedure. You provide the details; the rest is filled in automatically.

Document structure

A practical policy structure that can be reviewed by a lawyer or published on the site

What the document covers

  • General provisions and 152-FZ terms
  • Purpose matrix: data, legal bases, actions and retention
  • Data categories and retention periods
  • Database localisation in Russia (Art. 18(5))
  • Data transfer and processor engagement
  • Subject rights and request procedure
  • Security measures and final provisions

Rating

Help us understand how useful the constructor is in real work. Your rating is saved in our database and updates the tool score.

Views: 4 | Rating: 5.0 | Ratings: 1

FAQ

Answers to the main questions

Do I need a privacy policy if the site only has a contact form?

Yes. A name, phone or email in a form is personal data. As soon as the site collects it, the operator must publish a processing policy and obtain consent (Art. 18.1 152-FZ). This also applies to analytics counters collecting technical data.

Is the generated document ready to publish?

It is a correct working basis following the 152-FZ structure. Before publishing, check the exact retention periods and responsible-person data, and have a lawyer review it if needed — the policy must reflect the operator’s real processes.

Where should I place the policy on the site?

It must be permanently available online — usually at a URL like /privacy, linked from the footer and near forms. You can paste the text as a page or download it as a file.

Is it free?

Yes, the constructor is free and works without sign-up. Form data never leaves your browser — the document is built on your device.

Can I download the document as a Word file?

Yes. The constructor generates a DOC file that can be opened in Word, Pages or another editor, sent for legal review and adjusted if needed.

Can I publish the policy on the website right away?

Yes. In addition to DOC export, HTML download and plain-text copying are available. HTML is convenient for a separate site page, while text can be moved into a CMS.

What data should I prepare before filling it in?

You will need operator details, address, domain, contact email for data requests, analytics and cookie details, hosting provider and third-party services.

Does it work for sole proprietors and self-employed operators?

Yes. The form supports legal entities, sole proprietors, self-employed operators and individuals. The wording changes depending on the selected operator type.

Do I need to specify a Roskomnadzor registry number?

If the operator is included in the registry, it is better to specify the number. If there is no number, leave the field empty and the constructor will not add that line.

Can I use one document for several sites?

You can, but it is better to generate a separate version for each domain and the actual processes of that site: forms, analytics, purposes and third-party services.