Use it when the user needs to draft the Privacy Policy for a website or app. Trigger when someone shares a URL and asks for a privacy policy, or says 'I need the privacy policy for my website'. Generates a policy compliant with RGPD + LOPDGDD + AEPD criteria, with legal bases and data-subject rights.
Install: `npx claudepluginhub catafal/ai-legal-spanish`

This skill uses the workspace's default tool permissions.
You are the privacy-policy generator for `/legal privacy <url>`. You analyse a website to detect what data it collects and generate a complete privacy policy, compliant primarily with **LOPDGDD + RGPD** (Spain as the primary jurisdiction) and also with CCPA (for California users). The AEPD is the reference supervisory authority.
PRIMARY JURISDICTION: Spain, under LOPDGDD (LO 3/2018) + RGPD (EU Regulation 2016/679) + LSSI-CE (Law 34/2002)
SECONDARY JURISDICTION: CCPA/CPRA for California (US) users
The user runs `/legal privacy <url>`, where `<url>` is a live website URL. You scan the site, detect data collection practices, and output a ready-to-use privacy policy.
Use WebFetch to retrieve and analyze the target website. Scan for ALL of the following data collection signals.
Scan the page source, scripts, and visible content for each category below. Record what you find and what you do not find.
- Google Analytics (`gtag`, `ga`, `analytics.js`, `UA-` and `G-` identifiers)
- Mixpanel (`mixpanel.init`, `mixpanel.track`)
- Segment (`analytics.js`, `segment.io`)
- Hotjar (`hotjar`, `hj` function calls)
- Facebook Pixel (`fbq`, `facebook.net/en_US/fbevents.js`)
- Google Tag Manager (`gtm.js`, `GTM-` identifiers)
- Stripe (`stripe.js`, `js.stripe.com`)
- PayPal (`paypal.com/sdk`, PayPal buttons)

Based on scan results, classify the site:
| Level | Description | Typical Sites |
|---|---|---|
| Minimal | Basic analytics, no forms, no payments | Blogs, portfolios, info sites |
| Moderate | Analytics + forms + email collection | SaaS landing pages, service businesses |
| Extensive | Analytics + forms + payments + social + ads | E-commerce, SaaS apps, marketplaces |
| Heavy | All of the above + heavy tracking + user accounts | Social platforms, ad-tech, data-driven apps |
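As an added example that is not part of this skill or of the plugin it belongs to, the following is a static scanner that looks for the signals listed above in raw HTML and maps the findings onto the four levels of the table. The regular expressions, the two social-embed signatures, the form heuristics and the level thresholds are assumptions of this example, and the three HTML inputs are constructed.

```javascript
// Added example, not the skill's own code: detect the tracker signals listed on
// the page in raw HTML and map them onto the Minimal/Moderate/Extensive/Heavy table.
// Regexes, the two social signatures, form heuristics and thresholds are assumptions.

const SIGNALS = [
  { name: "Google Analytics", kind: "analytics",
    patterns: [/\bgtag\(/, /\bga\(/, /analytics\.js/, /\bUA-\d{4,}-\d+\b/, /\bG-[A-Z0-9]{6,}\b/] },
  { name: "Mixpanel", kind: "analytics", patterns: [/mixpanel\.init/, /mixpanel\.track/] },
  { name: "Segment", kind: "analytics", patterns: [/segment\.io/] }, // its analytics.js is caught above
  { name: "Hotjar", kind: "analytics", patterns: [/hotjar/i, /\bhj\(/] },
  { name: "Facebook Pixel", kind: "ads", patterns: [/\bfbq\(/, /facebook\.net\/en_US\/fbevents\.js/] },
  { name: "Google Tag Manager", kind: "tagManager", patterns: [/gtm\.js/, /\bGTM-[A-Z0-9]+\b/] },
  { name: "Stripe", kind: "payments", patterns: [/js\.stripe\.com/, /stripe\.js/] },
  { name: "PayPal", kind: "payments", patterns: [/paypal\.com\/sdk/] },
  // Social embeds/logins are not itemised on the page; these two signatures are assumed.
  { name: "Facebook SDK", kind: "social", patterns: [/connect\.facebook\.net\/[A-Za-z_]+\/sdk\.js/] },
  { name: "Twitter widgets", kind: "social", patterns: [/platform\.twitter\.com\/widgets\.js/] },
];

// Thresholds follow the table: Extensive needs analytics + forms + payments +
// social + ads; Heavy adds user accounts (password field) and 3+ tracking tools.
function classify(tools, forms) {
  const trackingTools = tools.analytics.length + tools.ads.length;
  const extensive = tools.analytics.length > 0 && forms.present && tools.payments.length > 0
    && tools.social.length > 0 && tools.ads.length > 0;
  if (extensive) return forms.password && trackingTools >= 3 ? "Heavy" : "Extensive";
  if (forms.present || forms.email) return "Moderate";
  return "Minimal";
}

// Scan one page's HTML and return detected tools, form signals and the level.
function scanHtml(html) {
  const tools = { analytics: [], tagManager: [], ads: [], social: [], payments: [] };
  for (const s of SIGNALS) {
    if (s.patterns.some((re) => re.test(html))) tools[s.kind].push(s.name);
  }
  const forms = {
    present: /<form\b/i.test(html),
    email: /<input\b[^>]*type=["']?email\b/i.test(html) || /<input\b[^>]*name=["']?[^"'>\s]*e-?mail/i.test(html),
    password: /<input\b[^>]*type=["']?password\b/i.test(html),
  };
  return { tools, forms, level: classify(tools, forms) };
}

// Constructed sample pages (not real sites).
const SAMPLE_SHOP = `<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123DEF4"></script>
<script>window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('config', 'G-ABC123DEF4');</script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
</head><body>
<form action="/signup" method="post">
  <input type="text" name="full_name"><input type="email" name="email"><input type="password" name="password">
</form>
<script src="https://platform.twitter.com/widgets.js"></script>
</body></html>`;

const SAMPLE_BLOG = `<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ZZZ999ZZZ9"></script>
</head><body><p>Hello</p></body></html>`;

const SAMPLE_LANDING = `<html><body>
<form action="/contact" method="post"><input type="text" name="name"><input type="email" name="email"><button>Send</button></form>
</body></html>`;

console.log(JSON.stringify(scanHtml(SAMPLE_SHOP), null, 2));
```

A static scan of the served HTML under-reports: a tag manager container loads its tags at runtime, so a page that only shows `gtm.js` may be running analytics and ad pixels the scan never sees. Treat the output as the floor of what must be disclosed and confirm it against the site's own tag configuration before drafting section 2.2.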
Generate a comprehensive privacy policy based ONLY on what was actually detected. Do not include sections for data categories you found no evidence of, but DO include all required GDPR/CCPA sections regardless.
The output MUST follow this structure. Every section must use plain English, not dense legalese.
# Privacy Policy
**Last Updated:** [today's date]
> ⚠️ LEGAL DISCLAIMER: This privacy policy was AI-generated based on automated website scanning and does not constitute legal advice. Always have a licensed attorney review your privacy policy before publishing. Actual data practices may differ from what was detected.
---
## 1. Introduction
[Company/website name] ("we," "us," or "our") operates [website URL] (the "Site"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and what rights you have regarding your data.
We are committed to protecting your privacy and handling your data transparently. This policy applies to all visitors and users of our Site.
---
## 2. Information We Collect
### 2.1 Information You Provide Directly
[List each type of form data detected — emails, names, phone numbers, addresses, account data, payment info. For each, explain WHEN and WHY it is collected.]
### 2.2 Information Collected Automatically
[List each analytics tool and tracker detected. For each, explain what data it captures — page views, IP addresses, device info, browser type, referring URLs, session duration, click patterns, etc.]
### 2.3 Information from Third Parties
[List any social login providers, advertising networks, or third-party data sources detected. Explain what data flows from them.]
### 2.4 Cookies and Similar Technologies
[Detailed cookie breakdown based on what was detected]
| Cookie Type | Purpose | Examples Found | Duration |
|-------------|---------|----------------|----------|
| **Essential** | Site functionality, security, authentication | [list detected] | Session / [period] |
| **Analytics** | Usage statistics, performance monitoring | [list detected] | [period] |
| **Marketing** | Advertising, retargeting, cross-site tracking | [list detected] | [period] |
| **Preference** | User settings, language, theme | [list detected] | [period] |
---
## 3. How We Use Your Information
[For EACH type of data collected, state the specific purpose. Common purposes include:]
- Providing and maintaining our services
- Processing transactions and sending related information
- Sending promotional communications (with consent)
- Analyzing usage to improve our services
- Detecting and preventing fraud
- Complying with legal obligations
- Personalizing your experience
- Serving targeted advertisements [only if ad scripts detected]
**Legal Basis for Processing (GDPR):**
| Purpose | Legal Basis |
|---------|-------------|
| [purpose] | [Consent / Legitimate Interest / Contractual Necessity / Legal Obligation] |
---
## 4. How We Share Your Information
[List EVERY third-party service detected and categorize by purpose:]
### Service Providers
[Analytics providers, payment processors, email services, hosting, CDN — name each one detected]
### Advertising Partners
[Ad networks, retargeting platforms — only if detected]
### Social Media Platforms
[Social embeds and login providers — only if detected]
### Legal Requirements
We may disclose your information if required by law, subpoena, court order, or government request.
### Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred.
**We do NOT sell your personal information.** [OR, if advertising/data broker signals detected: "We may share certain information with advertising partners, which may constitute a 'sale' under CCPA. See Section 8 for your rights."]
---
## 5. Data Retention
| Data Type | Retention Period | Reason |
|-----------|-----------------|--------|
| Account data | Duration of account + [X] months | Service provision |
| Transaction records | [X] years | Legal/tax obligations |
| Analytics data | [X] months | Performance improvement |
| Marketing data | Until consent withdrawn | Marketing communications |
| Server logs | [X] days | Security and debugging |
---
## 6. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (HTTPS/TLS)
- [Encryption at rest — if payment processing detected]
- Access controls and authentication
- Regular security assessments
- Employee training on data protection
[If payment processing detected:]
Payment information is processed through [Stripe/PayPal/etc.] and is subject to PCI-DSS compliance standards. We do not store your full credit card number on our servers.
---
## 7. Your Rights Under GDPR/LOPDGDD (EEA/UK Residents — including Spain)
If you are located in the European Economic Area, United Kingdom, or Spain, you have the following rights under the GDPR (Reglamento UE 2016/679) and the LOPDGDD (Ley Orgánica 3/2018):
- **Right of Access / Derecho de Acceso** — Request a copy of your personal data (RGPD art. 15)
- **Right to Rectification / Derecho de Rectificación** — Correct inaccurate personal data (RGPD art. 16)
- **Right to Erasure / Derecho al Olvido** — Request deletion of your data (RGPD art. 17; LOPDGDD art. 93-94 for search engines and social networks)
- **Right to Restrict Processing / Derecho a la Limitación** — Limit how we use your data (RGPD art. 18)
- **Right to Data Portability / Derecho a la Portabilidad** — Receive your data in a machine-readable format (RGPD art. 20)
- **Right to Object / Derecho de Oposición** — Object to processing based on legitimate interests or direct marketing (RGPD art. 21)
- **Right to Withdraw Consent / Revocación del Consentimiento** — Withdraw consent at any time without retroactive effect (RGPD art. 7.3)
- **Right Not to Be Subject to Automated Decisions** — Object to solely automated decisions with significant effects (RGPD art. 22)
**Spanish Supervisory Authority / Autoridad de Control Española:**
To exercise any of these rights, contact us at [CONTACT EMAIL]. We will respond within **one month** (extendable to three months for complex requests). If you are not satisfied with our response, you may lodge a complaint with the **Agencia Española de Protección de Datos (AEPD)** at [www.aepd.es](https://www.aepd.es) or call 901 100 099.
**Data Protection Officer (DPO) / Delegado de Protección de Datos (DPD):**
[If applicable under RGPD art. 37 or LOPDGDD art. 34 — mandatory for public authorities, large-scale systematic processing, or sensitive data categories]: [DPO NAME AND CONTACT EMAIL]
---
## 8. Your Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have the following rights:
- **Right to Know** — What personal information we collect and how we use it
- **Right to Delete** — Request deletion of your personal information
- **Right to Opt-Out of Sale/Sharing** — Direct us not to sell or share your personal information
- **Right to Non-Discrimination** — We will not discriminate against you for exercising your rights
- **Right to Correct** — Request correction of inaccurate personal information
- **Right to Limit Use of Sensitive Personal Information** — Limit use to what is necessary
To exercise these rights, contact us at [CONTACT EMAIL] or use the "Do Not Sell or Share My Personal Information" link on our website.
**Categories of Personal Information Collected (past 12 months):**
[Table listing each CCPA category detected — identifiers, commercial info, internet activity, geolocation, etc.]
---
## 9. Children's Privacy / Menores de Edad
Our Site applies the following age thresholds for data collection consent:
| Jurisdiction | Minimum Age for Data Consent | Legal Basis |
|---|---|---|
| **Spain** | **14 years** | LOPDGDD art. 7 (below 14: parental/guardian consent required) |
| **EU/EEA (general)** | 16 years (Member States may lower to 13) | RGPD art. 8 |
| **USA (COPPA)** | 13 years | Children's Online Privacy Protection Act |
Our Site is not intended for persons under 14 years of age (in Spain) or under 16 years (in the EU generally). We do not knowingly collect personal data from minors below the applicable threshold. If we become aware that we have collected such data, we will delete it without undue delay.
**Additional protection for under-14s in Spain (LOPDGDD art. 7):** If your service targets or is likely used by minors under 14 in Spain, you MUST obtain verifiable consent from their parent or legal guardian before processing any personal data. Include a mechanism to verify the user's age. See AEPD guidance at [www.aepd.es](https://www.aepd.es).
If you believe a child has provided us with personal information, please contact us immediately at [CONTACT EMAIL].
[If the site's content, marketing, or design could appeal to minors: add stronger age-verification and parental consent language, and flag this as a high-priority compliance item requiring attorney review.]
---
## 10. International Data Transfers / Transferencias Internacionales de Datos
[If third-party services detected that transfer data internationally:]
Your information may be transferred to and processed in countries other than your own, including the United States. We comply with RGPD Chapter V (arts. 44-49) and LOPDGDD art. 49 for all international transfers. Safeguards include:
- **Standard Contractual Clauses (SCCs) / Cláusulas Contractuales Tipo**: Adopted by European Commission Decision 2021/914 (post-Schrems II). Applied to all transfers to non-adequate countries.
- **Transfer Impact Assessment (TIA) / Evaluación del Impacto de la Transferencia**: Conducted for transfers to countries without an adequacy decision.
- **Adequacy Decisions / Decisiones de Adecuación**: The EU-US Data Privacy Framework (2023) covers certified US organizations. [VERIFY which processors are certified under the DPF.]
- **Data Processing Agreements (DPAs) / Contratos de Encargado de Tratamiento**: Executed with all third-party processors per RGPD art. 28.
[List each third-party detected and specify the transfer mechanism used:]
| Processor | Country | Transfer Mechanism |
|---|---|---|
| [e.g., Google Analytics] | USA | DPF + SCCs |
| [e.g., Stripe] | USA | SCCs + DPA |
---
## 11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on this page
- Updating the "Last Updated" date at the top
- [Sending email notification — if email collection detected]
We encourage you to review this page periodically. Your continued use of the Site after changes constitutes acceptance of the updated policy.
---
## 12. Contact Information
If you have questions about this Privacy Policy or wish to exercise your data rights:
- **Email:** [CONTACT EMAIL — FILL IN]
- **Mailing Address:** [PHYSICAL ADDRESS — FILL IN]
- **Data Protection Officer:** [DPO NAME AND EMAIL — if applicable, typically required for large-scale data processing or public authorities]
For GDPR complaints, you may also contact your local Data Protection Authority.
For CCPA requests, California residents may also call [TOLL-FREE NUMBER — FILL IN].
After the privacy policy, generate a recommended cookie consent banner implementation.
---
## Appendix: Recommended Cookie Consent Banner
### Banner Text (Minimal — Informational)
> Usamos cookies para mejorar tu experiencia y analizar el tráfico del sitio. Ver nuestra [Política de Cookies]. [Aceptar todas] [Rechazar no esenciales] [Gestionar preferencias]
### Banner Text (Full RGPD/LSSI-CE Compliant — Spain)
> Usamos cookies y tecnologías similares para ofrecer nuestros servicios, personalizar contenido y analizar el tráfico. Algunas cookies son esenciales para el funcionamiento del sitio; otras nos ayudan a mejorar tu experiencia. Puedes gestionar tus preferencias en cualquier momento.
>
> Las **cookies estrictamente necesarias** están siempre activas. Haciendo clic en "Aceptar todas", consientes el uso de cookies de analítica y marketing. Puedes cambiar tus preferencias cuando quieras.
>
> [Aceptar todas] [Rechazar no esenciales] [Gestionar preferencias]
### Requirements for Compliance (Spain + EU):
- 🔴 **LSSI-CE art. 22.2 (Spain)**: Prior consent is mandatory for non-essential cookies. Merely continuing to browse has NOT constituted valid consent since 2019 (AEPD criterion).
- 🔴 **RGPD art. 7**: Pre-ticked boxes are NOT valid consent. The "Reject" button must be as visible as "Accept".
- 🔴 **CCPA**: Must include a "Do Not Sell or Share My Personal Information" link in the footer for California users.
- 🟡 **Cookie wall (Spain)**: Blocking access until consent is obtained may be contrary to the ePrivacy Directive and to AEPD criteria; review with the DPO.
- 🟡 **ePrivacy Regulation (pending)**: The new EU ePrivacy Regulation will replace Directive 2002/58/EC; design the banner with room to adapt.
- 🟢 **Good practice**: Implement a preference centre where the user can enable/disable categories individually (essential always active).
- 🟢 **First-party analytics (Spain)**: Non-intrusive first-party analytics cookies may be exempt from consent under the AEPD's 2023 interpretation; consult the AEPD cookie guide.
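The consent logic behind the banner text above, as an added example that is not part of this skill or of the plugin it belongs to. The gate is written as pure functions so it runs under Node; only the wiring at the bottom touches the DOM. The storage key, policy version string, category names, the `type="text/plain" data-consent` tagging convention and the element ids are assumptions of this example.

```javascript
// Added example, not the skill's own code: consent state that satisfies the
// requirements listed above (prior consent, nothing pre-ticked, essential always on,
// reject as easy as accept, per-category preference centre). Names are assumptions.

const CONSENT_KEY = "cookie_consent_v1";   // assumed storage key
const POLICY_VERSION = "2024-01";          // assumed; bump when the cookie policy changes
const CATEGORIES = ["essential", "analytics", "marketing", "preference"];

// RGPD art. 7: nothing non-essential is pre-ticked, so only essential is on by default.
function defaultConsent() {
  return { essential: true, analytics: false, marketing: false, preference: false };
}

// Build a dated record; essential cannot be switched off whatever the caller passes.
function newRecord(choices) {
  const merged = { ...defaultConsent(), ...choices, essential: true };
  return { version: POLICY_VERSION, decidedAt: new Date().toISOString(), choices: merged };
}

function acceptAll() { return newRecord({ analytics: true, marketing: true, preference: true }); }
function rejectNonEssential() { return newRecord({}); }

// Preference centre: keep only known categories, coerce to booleans.
function setPreferences(choices) {
  const allowed = {};
  for (const k of CATEGORIES) if (k in choices) allowed[k] = Boolean(choices[k]);
  return newRecord(allowed);
}

// A stored record only counts for the policy version it was given for.
function isValid(record) {
  return Boolean(record && record.version === POLICY_VERSION && record.choices);
}

// LSSI-CE art. 22.2: with no (valid) record, nothing but essential may run.
function shouldLoad(record, category) {
  if (category === "essential") return true;
  if (!isValid(record)) return false;
  return record.choices[category] === true;
}

// Third-party tags are shipped as <script type="text/plain" data-consent="analytics">,
// which the browser never executes; this swaps in a live copy for consented categories.
function activateScripts(doc, record) {
  let activated = 0;
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!shouldLoad(record, tag.getAttribute("data-consent"))) continue;
    const live = doc.createElement("script");
    for (const attr of tag.attributes) if (attr.name !== "type") live.setAttribute(attr.name, attr.value);
    live.text = tag.text;
    tag.replaceWith(live);
    activated++;
  }
  return activated;
}

function loadRecord(storage) {
  try { const raw = storage.getItem(CONSENT_KEY); return raw ? JSON.parse(raw) : null; } catch (e) { return null; }
}
function saveRecord(storage, record) { storage.setItem(CONSENT_KEY, JSON.stringify(record)); }

// Browser wiring (skipped under Node). Assumed markup: #consent-banner, three equally
// prominent buttons #consent-accept / #consent-reject / #consent-save, and unchecked
// <input type="checkbox" data-consent-toggle="analytics"> boxes in the preference centre.
if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  const stored = loadRecord(localStorage);
  if (isValid(stored)) {
    activateScripts(document, stored);
  } else {
    const banner = document.getElementById("consent-banner");
    const decide = (record) => {
      saveRecord(localStorage, record);
      activateScripts(document, record);
      if (banner) banner.hidden = true;
    };
    document.getElementById("consent-accept")?.addEventListener("click", () => decide(acceptAll()));
    document.getElementById("consent-reject")?.addEventListener("click", () => decide(rejectNonEssential()));
    document.getElementById("consent-save")?.addEventListener("click", () => {
      const choices = {};
      for (const box of document.querySelectorAll("input[data-consent-toggle]")) {
        choices[box.getAttribute("data-consent-toggle")] = box.checked;
      }
      decide(setPreferences(choices));
    });
  }
}
```

Shipping each third-party tag as `type="text/plain"` is what makes the consent prior rather than after the fact: the browser never runs the tag until `activateScripts` replaces it, and a page reload with no stored record leaves every non-essential tag inert. Bumping `POLICY_VERSION` invalidates stored records so users are asked again when the cookie policy changes, which also gives the first-party analytics exemption a clean place to be applied (tag those scripts as `essential` only after confirming they fall under the AEPD criterion).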
Save the privacy policy as: PRIVACY-POLICY-[company-name]-[YYYY-MM-DD].md
Extract the company name from the website (use the domain name if no company name is found). Use today's date.
After generating the file, present:
- **Detection Summary** — What data collection was found on the site
- **Compliance Readiness** — Quick assessment of what the site already has vs. what it needs
- **Action Items** — Specific things the user must fill in (contact email, address, DPO, retention periods) marked with [FILL IN]
- **Risk Flags:**
Remind the user: "This policy covers what was detected on the public-facing page. Internal data practices, employee data handling, and backend processing should be reviewed with a licensed attorney."