
The Legal Pages Generator. Privacy, Cookies, Terms, Accessibility, Disclaimer, Refund, DPA in One Pass


Most indie sites ship two legal pages (Privacy Policy, Terms of Service), copied from a previous project, years out of date, and missing half of what GDPR and CCPA actually require. The rest — Cookie Policy, Accessibility Statement, Disclaimer, Refund Policy, DPA — are either absent or buried. The Legal Pages Generator produces a tailored baseline for all of them in one pass.

This post walks through what the tool generates, why each document exists, which jurisdictions drive which clauses, and the hard caveat: this is a template you ship to counsel for review, not a finished product, especially if your site is past a few hundred dollars of monthly revenue or handles sensitive data.

What the tool generates

Seven documents, gated by your inputs:

  1. Privacy Policy — always generated. Lists data collected, purposes, third-party services named individually, rights per jurisdiction (GDPR Art. 13–22, CCPA § 1798.100–155, PIPEDA, Australian Privacy Act, LGPD), retention, international transfers, children's data handling.
  2. Cookie Policy — always generated. Categorizes cookies (necessary / functional / analytics / advertising), names each third-party service with its specific policy URL, covers Do-Not-Track + CCPA opt-out.
  3. Terms of Service — always generated. Acceptable use, IP ownership, user-submitted content, third-party links, warranty disclaimer, limitation of liability, indemnification, governing law.
  4. Accessibility Statement — always generated. Names the standard (WCAG 2.2 AA), lists what you do, acknowledges known limitations, provides a feedback channel with a 5-business-day response commitment.
  5. Disclaimer — always generated, with content gated by business type: medical ("not medical advice"), financial ("not investment advice, past performance…"), legal (attorney advertising + not legal advice), affiliate (FTC 16 CFR § 255), newsletter (CAN-SPAM footer), local service (license + insurance notice), or a general fallback.
  6. Refund / Return Policy — generated if you select e-commerce (physical or digital). Covers eligibility windows, process, processing time, defective-item handling, and EU 14-day withdrawal if applicable.
  7. Data Processing Addendum (DPA) — generated if you select SaaS. Covers controller/processor roles, processing purposes, sub-processor obligations, Article 32 security measures, breach notification within 48 hours, audit rights, and termination obligations.

Each document is produced in both Markdown (for your SSG content folder) and a single-click "Copy as HTML" variant (for CMSes and legacy stacks).

What the tool does NOT do

  • It does not generate a Notice of Privacy Practices (HIPAA NPP). If you're a covered entity, that's a separate document with specific required language under 45 CFR § 164.520 — have counsel produce it.
  • It does not generate a children's privacy notice distinct from the main policy. If you're COPPA-subject, you need specialized counsel; the baseline text includes a COPPA section but it's a starting point, not a finished compliance product.
  • It does not handle contractual B2B terms (MSAs, SOWs, SLAs, licensing). These are relationship-specific.
  • It does not produce jurisdiction-specific clauses for every country — it covers US general, California (CCPA/CPRA), EU (GDPR), UK (UK-GDPR), Canada (PIPEDA + Quebec Law 25), Australia (Privacy Act), and Brazil (LGPD). If you operate in Japan, China, South Korea, India, or the Middle East, the output is a starting point — not compliant for those specific regimes.
  • It does not replace a lawyer. It reduces the hours a lawyer needs to produce your initial pack, which reduces cost. A one-hour review of a baseline template is cheaper than four hours of from-scratch drafting.

The master AI customize prompt

Next to the "Generate" button is a "Copy master AI customize prompt" button. Click it, paste into Claude or GPT, and the model produces a deeper, more jurisdiction-specific draft based on the same inputs. The prompt includes the business context and explicit instructions: plain language, jurisdiction citations, concrete response-time commitments, "changes" clause, and an "attorney review recommendations" section at the bottom flagging every clause the model considered that requires counsel review.

This is the workflow we actually use on client sites: generate baseline here → refine via Claude with the master prompt → have counsel review the refined version. Total turnaround: 2 hours of work versus 8 hours of from-scratch drafting.

Decision flow by business type

Blog / content site

Ships: Privacy Policy, Cookie Policy, Terms of Service, Accessibility Statement, General Disclaimer (or affiliate disclaimer if relevant).

Why: even a pure-content blog that runs Google Analytics is processing IP addresses under GDPR definitions — a Privacy Policy is not optional. CCPA applies if you generate $25M in revenue OR sell personal info of 100K California residents OR derive 50% of revenue from data sales; most blogs are under the first two thresholds but should still have the policy.

Affiliate / review site

Adds: FTC affiliate disclosure is non-negotiable. The FTC has actively enforced 16 CFR § 255 against influencers and review sites — fines in the $100K+ range for large accounts, takedowns for smaller ones. The disclosure must be "clear and conspicuous," near the claim, and on the same page.

Newsletter / email-first site

Adds: CAN-SPAM footer with physical mailing address. This is strict-liability in the US; a missed footer on a single campaign can technically be $51,744 per recipient (2024 FTC cap). Processors like Mailchimp force the footer on you, which is partly why they're popular.

E-commerce (physical goods)

Adds: Refund Policy, Return Policy, Shipping Policy. Google Merchant Center requires them to approve your product listings; Stripe and PayPal expect them; state attorneys general inspect them during consumer-protection investigations.

E-commerce (digital goods)

Adds: Refund Policy with EU 14-day withdrawal language. Under Directive 2011/83/EU the buyer can withdraw for 14 days, unless they expressly waived that right in order to receive the download immediately. The tool's template includes both paths.

SaaS

Adds: DPA + Subprocessor list. B2B buyers — especially enterprise — will ask for your DPA during procurement. Having one ready cuts weeks off sales cycles. The DPA template here is based on the 2021/914 EU Standard Contractual Clauses (SCCs) pattern plus UK IDTA provisions for British customers.

Consulting / agency / local service

Adds: Engagement-scope clarity in Terms + license/insurance notice in Disclaimer if you're a licensed profession (contractor, attorney, medical, CPA, real estate).

Health / medical

Adds: Medical disclaimer ("not medical advice, consult your healthcare provider"). If you're actually a covered entity (provider, health plan, clearinghouse) handling PHI, the baseline Privacy Policy is not enough — you need a HIPAA-compliant Notice of Privacy Practices, a Business Associate Agreement process, and a separate security program. Talk to HIPAA counsel.

Financial / investing

Adds: Financial disclaimer ("not investment advice, past performance…"). If you're a registered investment adviser or broker-dealer, your SEC/FINRA obligations are far beyond this template; use compliance counsel. The disclaimer here is for the general "educational content about finance" audience.

Legal services

Adds: Attorney advertising + not-legal-advice disclaimer. State bar rules vary; most require the "Attorney Advertising" label prominently. Some states (New York, Florida) have filing requirements for attorney websites. Check your state bar.

Jurisdiction specifics the tool handles

United States (general) — FTC guidance on privacy disclosures, CAN-SPAM for email, COPPA for children's data, state laws (California, Virginia, Colorado, Connecticut, Utah are active in 2026; New Jersey, Indiana, Iowa, Montana, Tennessee, Oregon, Texas, Florida, Delaware have laws coming into force or active as of 2026).

California (CCPA / CPRA) — specific disclosures, "Do Not Sell or Share" opt-out link, Sensitive Personal Information handling, per-category data listing.

EU (GDPR) — Article 13 disclosures at collection, Article 15–22 rights enumerated, consent (Art. 7) must be as easy to withdraw as to give, Art. 32 security measures in the DPA, international-transfer clauses using SCCs.

UK (UK-GDPR) — essentially GDPR with ICO as supervisory authority. IDTA (International Data Transfer Agreement) replaces the EU SCCs for UK-to-non-adequate transfers.

Canada (PIPEDA + Quebec Law 25) — access, correction, withdrawal of consent, complaint to OPC. Quebec adds specific DPO appointment requirements and breach-notification timelines.

Australia (Privacy Act + APPs) — 13 Australian Privacy Principles, complaint process via OAIC.

Brazil (LGPD) — similar scope to GDPR; ANPD is the supervisory authority.

Ship it, then have it reviewed

The workflow we recommend:

  1. Run the generator — 5 minutes of form-filling, pick your business type, jurisdictions, data, services
  2. Skim the output — fix obvious mismatches (wrong mailing address, missing service)
  3. Run the master AI prompt in Claude or GPT for a deeper pass — maybe 10 minutes
  4. Have counsel review the refined draft — 30–60 minutes of attorney time for most indie businesses
  5. Publish

Total cost: $150–$400 in attorney time (varies by jurisdiction and attorney) vs. $1,500–$3,000 for a from-scratch engagement. The template gets you 80% of the way; the attorney makes it specifically yours for the last 20%.

The complete indie defense stack

This tool completes the legal-layer piece of the Content and Tool Protection Playbook:

  • Layer 1: Serverless Posture Audit — function guards (origin allowlist, rate limit)
  • Layer 2: Watermarks — clone detection
  • Layer 3: Legal Pages Generator — terms, privacy, all the legal pages
  • Layer 4: DMCA Playbook — takedown procedure
  • Layer 5: Mega Analyzer — checks all of the above at runtime and flags gaps

For the full strategic picture of running a monetized indie site — free tools as top-of-funnel, a book funnel as monetization, and a defense stack that doesn't require a full-time security team — The $20 Dollar Agency covers the GTM plus defense stack end to end.


Template only, not legal advice. For anything past a hobby site, have a licensed attorney review before publishing.


Last updated: April 2026