Investigation
The Privacy Policy Shakedown
How legal document generators charge $20 to $90 per month for fill-in-the-blank templates — on documents you are legally required to have.
You just launched your app. Maybe it's a simple tool, a newsletter, a side project with a contact form. You did the research. You know you need a privacy policy — GDPR in Europe, CCPA in California, and a dozen other frameworks make it a legal requirement the moment you collect so much as an email address. So you search "privacy policy generator" and click the first result.
The tool asks you a series of questions: your company name, your website URL, what data you collect, which third-party services you use. You answer. A document appears. It looks professional. It has sections about cookies, data retention, user rights, contact information. You're relieved — this is exactly what you needed.
Then you try to copy it. Or download it. Or link to it on your site. And that's when you find out: the document is locked behind a subscription. $10 a month, minimum. More if you want it to cover your mobile app as well as your website. More still if you want it to include certain jurisdiction-specific sections. And this repeats every month, forever — for a document that doesn't change.
You're being charged a monthly fee for a document you filled in yourself, built from template paragraphs a generator assembled on your behalf. This is the compliance fear tax.
What a privacy policy actually is
A privacy policy is a legal disclosure document. It tells your users what personal data you collect, why you collect it, how long you keep it, who you share it with, and what rights users have over that data. Laws like the GDPR (EU), CCPA (California), PIPEDA (Canada), and others require this disclosure if you collect personal information from residents in those jurisdictions.
For the vast majority of small websites and apps — a SaaS tool that collects email addresses for login, a blog with an email newsletter, a mobile app that stores user preferences — a privacy policy is a standardized document. The structure is the same everywhere: what you collect, why, how long, who sees it, your contact info, and a list of user rights. The legal language is largely boilerplate. Lawyers have been producing these from templates for decades. The generators simply automated the template.
That doesn't make compliance unimportant. You genuinely need these documents. GDPR enforcement is real — the Irish Data Protection Commission fined Meta €1.2 billion in 2023. CCPA complaints are processed by the California Privacy Protection Agency. The stakes exist. But the stakes are about what your policy says, not which platform generated it. A well-written template with your details accurately filled in covers the same ground as one produced by a $35/month SaaS tool.
How much do these generators actually charge?
The market for legal document generators is crowded and the pricing is, charitably, aggressive.
Termly
Termly charges $10 to $35 per month, per website. Their marketing leans heavily on "AI-powered" language — but what they're describing is conditional template logic. The system asks you questions, then selects pre-written paragraphs based on your answers. This is string interpolation. It is not artificial intelligence in any meaningful sense. The underlying paragraphs were written by lawyers once, years ago, and have barely changed since.
iubenda
iubenda, an Italian company popular in the EU market, charges $9 to $90 per month — and that's per site. If you have a main domain and a subdomain for your app, that may count as two products. If you have a mobile app, that's another subscription. The document itself is the same template filled in differently each time, but the per-property pricing structure ensures that anyone with more than one web property pays multiple times for the same underlying work.
Termageddon
Termageddon charges $12 to $50 per month and markets primarily on "auto-updating" policies: when laws change, they update your document automatically. This sounds compelling until you ask how often major privacy laws change. The answer is: rarely. GDPR went into effect in 2018. CCPA in 2020. Significant amendments come every few years, not monthly. You are paying $12 to $50 every month for an event that might occur once every two or three years — and when it does occur, updating a template document takes minutes. The "auto-update" feature is a subscription justification, not a service.
Others in the market
PrivacyPolicies.com charges one-time fees of $50 to $300 or ongoing subscriptions, with pricing tiers confusing enough that many users report not knowing what they actually paid for. Enzuzo offers a "free" tier — but that tier places their branding on your legal pages, which is an interesting proposition: pay us nothing and we advertise on the document you're legally required to display to your users. GetTerms.io charges $9 to $39 per month. The variation between tiers is largely cosmetic — more document types, lifted limits — but the underlying template output is identical.
A mid-tier plan across the major generators averages roughly $20/month, or $240/year.
A one-hour consultation with a business attorney to review a template privacy policy typically costs $150 to $350 — a one-time fee, for actual legal review by an actual lawyer.
After three years on a $20/month generator, you have spent $720 — twice the cost of a real attorney review — on a document no lawyer ever touched.
The compliance fear tax
Every legal document generator leads with the same marketing: fines. "GDPR violations can cost up to 4% of global annual revenue!" "California law requires this!" "Don't risk a lawsuit!" The fear is real — penalties for non-compliance exist and have been enforced against large companies. But that fear is being used to sell you something that doesn't match the threat.
Regulators pursuing GDPR enforcement against small businesses are not asking whether you used Termly or iubenda or wrote your policy yourself. They are asking what your policy says — whether your disclosed data practices match your actual practices, whether users have the rights they're legally entitled to, whether your contact information is accurate. The generator is irrelevant. The content is everything.
What these generators are actually selling is not compliance. It is the feeling of compliance — a branded, hosted document with a professional layout that signals legitimacy. That feeling has value. But it's priced as if it were ongoing legal counsel, when it's actually a one-time template fill that gets cached and served.
The monthly subscription model persists not because privacy law changes monthly, but because it's far more profitable than a one-time fee. If Termly charged $30 once, customers would pay once and leave. At $10 per month, the average customer pays $120 in year one, $240 by year two, and keeps paying indefinitely — because cancelling feels risky when a legal document is involved.
What the generator is actually doing
Strip away the branding and every privacy policy generator does the same thing. It asks you a series of questions:
- What is your business name?
- What is your website or app URL?
- What data do you collect? (email, name, IP address, payment info, location, usage data...)
- Which third-party services do you use? (Google Analytics, Stripe, Mailchimp, Facebook Pixel...)
- Which jurisdictions apply? (EU, California, Canada...)
- What is your contact email address?
Based on your answers, the system selects pre-written paragraphs and concatenates them into a document. Your business name is interpolated into the header. Your contact email goes in the footer. The data types you checked get their own boilerplate disclosure paragraph. The third-party services you selected pull from a library of pre-written service-specific clauses ("We use Google Analytics to collect usage information..."). Jurisdiction toggles add or remove sections for GDPR, CCPA, COPPA, and PIPEDA.
This is, at its core, string interpolation and conditional rendering. It is the most basic programming operation that exists. A developer could build a functional version of this in an afternoon. The template paragraphs took a lawyer time to write — but they wrote them once. The generator has been collecting subscriptions on that same work ever since.
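What that "afternoon build" looks like, as an added example that is not nah's code or any named generator's: a clause library, an answer object, and a function that interpolates and conditionally concatenates. It goes one step beyond the description above by adding the check a practitioner actually wants, flagging a selected service that collects data the answers never disclosed. All clause wording and the service-to-data mapping are constructed placeholders.

```javascript
// Added example, not code from nah or from any generator named in the article.
// Clause wording is constructed placeholder text, not legal language.
const DATA_CLAUSES = {
  email: "We collect your email address to create your account and to contact you.",
  ip: "We record your IP address in server logs for security and abuse prevention.",
  usage: "We collect usage data (pages viewed, features used) to improve the service.",
  payment: "Payment details are handled by our payment provider; we do not store card numbers.",
};
const SERVICE_CLAUSES = {
  "Google Analytics": "We use Google Analytics to collect usage information.",
  Stripe: "We use Stripe to process payments.",
  Mailchimp: "We use Mailchimp to send our email newsletter.",
};
// What each service collects on your behalf (an assumed mapping for this example).
const SERVICE_COLLECTS = { "Google Analytics": ["ip", "usage"], Stripe: ["payment"], Mailchimp: ["email"] };
const JURISDICTION_SECTIONS = {
  EU: ["Your rights under the GDPR", "You may access, correct, export or erase your data and complain to a supervisory authority."],
  California: ["Your California privacy rights", "You may ask what personal information we collect and opt out of its sale or sharing."],
  Canada: ["PIPEDA notice", "You may request access to the personal information we hold and challenge its accuracy."],
};
// Pick clauses for each selected key; keys with no clause are reported, never dropped silently.
function pickClauses(library, keys, unknown) {
  const lines = [];
  for (const k of keys) {
    if (library[k] !== undefined) lines.push(library[k]); else unknown.push(k);
  }
  return lines;
}
// answers = { businessName, url, contactEmail, dataTypes, services, jurisdictions }
function buildPolicy(answers) {
  const unknown = [];
  const parts = [`Privacy Policy for ${answers.businessName} (${answers.url})`];
  const dataLines = pickClauses(DATA_CLAUSES, answers.dataTypes, unknown);
  if (dataLines.length) parts.push("Data we collect\n" + dataLines.join("\n"));
  const serviceLines = pickClauses(SERVICE_CLAUSES, answers.services, unknown);
  if (serviceLines.length) parts.push("Third-party services\n" + serviceLines.join("\n"));
  for (const [title, body] of pickClauses(JURISDICTION_SECTIONS, answers.jurisdictions, unknown)) {
    parts.push(`${title}\n${body}`);
  }
  parts.push(`Contact: ${answers.contactEmail}`);
  // Accuracy check: a selected service collects a data type the policy does not disclose.
  const disclosed = new Set(answers.dataTypes);
  const warnings = [];
  for (const s of answers.services) {
    for (const k of SERVICE_COLLECTS[s] ?? []) {
      if (!disclosed.has(k)) warnings.push(`${s} collects "${k}" but it is not disclosed`);
    }
  }
  return { text: parts.join("\n\n"), sectionCount: parts.length, unknown, warnings };
}
```

Everything here runs in the browser or under Node with no network access, which is the whole point: the output depends only on the answers and the clause library.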
Who gets hurt
The practical consequence of this pricing model falls on the people least able to absorb it.
Indie developers launching their first app are legally required to have a privacy policy before they have a single paying user. They're told to get compliant before launch. So they pay $10 to $35 a month — sometimes more than their actual hosting costs — for a document their handful of early users will never read.
Small business owners with a single website and no technical background search for a solution, find a polished generator at the top of the search results, and assume the subscription price is the cost of compliance. It isn't. It's the cost of convenience dressed as necessity.
Nonprofits collecting email addresses for a mailing list, running a donor portal, or operating any website with a contact form technically need these documents. Many are paying $20 a month for a template because they don't know there's an alternative.
Bloggers and creators who added an email newsletter to their site now collect personal data — email addresses — which brings them into the scope of privacy law in most jurisdictions. They're being funneled into subscription products built for SaaS companies, at SaaS company prices.
Developers in emerging markets building products for global audiences face the same compliance requirements as companies in San Francisco, but at a fraction of the purchasing power. A $20/month subscription is a trivial line item in a US startup's budget. It is a meaningful expense for a solo developer in Brazil, India, or Nigeria building something real.
The per-site pricing trap
iubenda's per-property pricing deserves specific attention because it's the most aggressive example of a pattern several generators use. The premise is that each website or app is a separate product requiring a separate subscription. In practice, this means:
- A main website and a blog on a subdomain: two subscriptions.
- A website and a mobile app that does the same thing: two subscriptions.
- An iOS app and an Android app: potentially two more subscriptions.
- A staging environment you want covered: another subscription.
In each case, the underlying document is the same template filled in with slightly different details. The URL is different. Perhaps the app-specific section varies. But the legal substance — the data practices, the rights disclosures, the contact information — is identical across all your properties. You're paying per URL for a document that differs by a handful of fields.
The "auto-updating" justification
Termageddon's core value proposition is that they monitor privacy law changes worldwide and update your policy automatically when regulations change. This is the most sophisticated argument for a recurring subscription in the space, and it deserves a direct examination.
Major privacy legislation that affects most small businesses:
- GDPR — effective May 2018
- CCPA — effective January 2020, amended by CPRA effective January 2023
- PIPEDA / Bill C-27 (Canada) — Bill C-27 was introduced in 2022 and had not received royal assent as of early 2026
- Virginia CDPA, Colorado CPA, Connecticut CTDPA — all effective 2023, and largely modeled on CCPA with minor variations
The pattern is clear: major changes come infrequently — measured in years, not months. Smaller regulatory guidance updates happen more often, but they rarely require changes to a boilerplate privacy policy for a typical small website or app. The auto-update feature is real in the sense that Termageddon does track regulatory changes. But you are paying for a service that triggers a meaningful output roughly once every one to three years. The subscription model extracts $144 to $600 per year for what amounts to one document update.
When a significant law does change, the information about what changed is publicly available immediately, covered extensively in legal and tech press. Updating a template document takes minutes, not a managed service.
The free alternative
We built the nah legal document generator because the barrier to a basic privacy policy shouldn't be a monthly subscription.
The tool works the same way every generator works: you answer questions about your business, toggle the data types you collect and the third-party services you use, select which jurisdictions apply, and a document generates. It covers privacy policies, terms of service, cookie policies, and DMCA notices. Jurisdiction-specific sections for GDPR, CCPA, COPPA, and PIPEDA are included. You can export as plain text, Markdown, HTML, or PDF.
Everything happens in your browser. No account, no subscription, no per-site fees, no branding on your documents, no email required. The generation is a client-side operation — your business details never touch our servers.
A note on legal advice
nah generates starting-point templates, not legal advice. For most simple websites and apps — a SaaS tool, a newsletter, a portfolio with a contact form — a well-written template accurately filled in covers the basics. The legal substance of what these generators produce is template text either way.
If your business has complex data practices — you process sensitive health data, you operate in highly regulated industries, you share data with many third parties — have a lawyer review your policy. A one-time consultation with a privacy attorney costs $150 to $350 and produces a document an actual lawyer read. That is money better spent than two years of subscription fees on a service where no lawyer is reading anything.
The point is not to replace lawyers. It is to replace the template generators sitting between you and the legal work you could have gotten from a real attorney for what you would have spent on subscriptions in four months.
What to actually do about your privacy policy
Whether you use our tool or any other, here is a practical approach.
- Determine which laws apply to you. GDPR applies if you have users in the EU — regardless of where your company is located. CCPA applies if you're a California business or have California users and meet certain thresholds (generally, businesses doing over $25M in revenue, handling data of 100,000+ consumers annually, or deriving 50%+ of revenue from selling personal information). COPPA applies if your service is directed at children under 13. Most small sites primarily need to address GDPR if they have any EU visitors.
- Be accurate about what you actually collect. The policy is only as good as its accuracy. If you say you don't collect IP addresses but your analytics tool does, that's the problem — not which generator you used. Know your third-party services and what data they collect on your behalf.
- Host it yourself. A privacy policy is a text document. You can paste it into a page on your site. You do not need a hosted service to serve it. Generators that host your policy and charge for that hosting are charging you for a static text file.
- Update it when your practices change. If you add a new analytics tool, add the disclosure. If you stop collecting something, remove it. This takes five minutes and requires no subscription.
- If your situation is genuinely complex, hire a lawyer for an hour. A $200 attorney consultation for a business processing sensitive data, handling payments with complex arrangements, or operating in multiple regulated industries is money well spent. It is not money well spent for a simple SaaS tool or a personal website with a mailing list.
Legal document generators are one of the cleaner examples of compliance anxiety converted into recurring revenue. The anxiety is legitimate — privacy law is real and enforcement exists. But the solution being sold doesn't match the problem being feared. What most small sites need is accurate template text filled in correctly and kept up to date. That has never required a monthly subscription. It has required someone to tell you that clearly.
We're building nah as a set of free browser-based utilities that replace software that charges subscription prices for one-time work. A privacy policy is text. Generating it is a solved problem. The ongoing fee is manufactured leverage — fear that cancelling might leave you non-compliant, when in reality you'd still have the document you downloaded on day one.
Compliance is required. The subscription isn't.