Privacy Guide · 6 min read

How to Read a Privacy Policy: What Companies Don't Want You to Know

Privacy policies are designed to be ignored — but they contain critical information about how your data is used. Here's what to look for, what red flags to spot, and how to protect yourself.

Most people have never read a privacy policy. Companies know this, and they design their policies accordingly — long, dense, and full of legal language that obscures more than it reveals.

But buried inside every privacy policy is a disclosure of exactly how a company collects, uses, and shares your personal data. If you know what to look for, you can cut through the noise in minutes.

This guide will show you exactly how.


Why You Should Read Privacy Policies (At Least Occasionally)

You've probably clicked "I agree" on hundreds of privacy policies without reading a word. We all have.

But these documents are legally binding disclosures. When a company suffers a data breach, sells your data to advertisers, or uses your content to train an AI model, they can point to their privacy policy and say: "We told you."

You don't need to read every policy in full. But for apps and services that touch your finances, health, messages, or location — it's worth spending five minutes.


The 5 Things to Look For First

1. What data do they collect?

Look for a section titled "Information We Collect," "Data We Collect," or similar. Privacy policies typically describe three categories:

  • Data you provide directly — name, email, payment info, profile photos
  • Data collected automatically — device type, IP address, browsing behavior, location
  • Data from third parties — information bought from data brokers, or shared by partners

The third category is often the most surprising. Many companies receive data about you from sources you've never interacted with directly.

2. Who do they share it with?

Look for "How We Share Your Information" or "Third-Party Sharing." The key terms to watch:

  • Service providers — companies they hire to run their service (usually acceptable)
  • Business partners — companies they share data with for mutual benefit (more concerning)
  • Affiliates — related companies under the same corporate umbrella (broad)
  • Advertising partners — ad networks that receive your behavioral data (worth scrutinizing)

A policy that says "we may share your data with our affiliates and trusted partners" is giving itself enormous latitude.

3. How long do they keep it?

Look for "Data Retention" or "How Long We Keep Your Information." Many companies keep your data indefinitely unless you explicitly delete your account — and sometimes even after deletion.

Watch for phrases like "as long as necessary for business purposes" with no specific time limit stated.

4. What are your rights?

Depending on where you live, you may have legal rights including:

  • Right to access — see what data they hold about you
  • Right to deletion — request they delete your data
  • Right to opt out — of the sale of your data (CCPA in California)
  • Right to portability — export your data

Look for a section on "Your Rights" or "Your Choices." If a company buries this section or makes it hard to find, that's telling.

5. Can you opt out of anything meaningful?

Some data collection is optional. Look for sections on:

  • Marketing emails (usually easy to opt out)
  • Targeted advertising (often opt-out, sometimes buried)
  • Sale of your data to third parties (CCPA right in California)
  • Use of your data to train AI models (increasingly common, and not always possible to opt out of)

If no opt-outs are offered for sensitive uses, make note of that.


Red Flag Language to Watch Out For

These phrases appear in real privacy policies and should make you pause:

"We may share your information with our affiliates." "Affiliates" can mean dozens of companies under the same corporate parent. For large tech conglomerates, this can be very broad.

"We may combine your information with data from other sources." This means they're building a richer profile of you by merging data from multiple places — often including data brokers.

"We may use your information for any purpose consistent with this policy." Circular language that essentially says "we can do whatever we want as long as we update this document."

"Non-personally identifiable information." This phrase is often used to justify sharing data that, in practice, can be re-identified. Anonymized data is frequently not as anonymous as claimed.

"We reserve the right to change this policy at any time." All companies include this. The question is whether they notify you and require consent for material changes.
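The red-flag phrases above, plus the open-ended retention wording from the "How long do they keep it?" section, are easy to turn into a quick scanner. This is an added example written for this guide, not code from the page or from WhatDoTheyCollect; the regex patterns are my own loose approximations of the phrases, and the sample policy text is constructed.

```python
import re

# Red-flag phrases from the guide, keyed by the concern each one signals.
# Patterns are deliberately loose so minor wording variants still match (assumption).
RED_FLAGS = {
    "broad affiliate sharing": r"\bshare\b.{0,60}?\bwith\b.{0,20}?\baffiliates\b",
    "profile enrichment": r"\bcombine\b.{0,60}?\b(?:information|data)\b.{0,40}?\bother sources\b",
    "open-ended purpose": r"\bany purpose consistent with this (?:policy|notice)\b",
    "re-identifiable data": r"\bnon[- ]?personally[- ]identifiable\b",
    "unilateral changes": r"\breserve the right to (?:change|modify|update) this (?:policy|notice)\b",
    "no retention limit": r"\bas long as (?:necessary|needed)\b",
}
# A retention sentence that names a concrete period answers the guide's question,
# so it is not flagged.
TIME_LIMIT = re.compile(r"\b\d+\s*(?:days?|months?|years?)\b", re.IGNORECASE)


def split_sentences(text):
    """Crude sentence splitter: break on ., ! or ? followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def scan_policy(text):
    """Return (concern, sentence) pairs for every red-flag sentence in a policy."""
    findings = []
    for sentence in split_sentences(text):
        for concern, pattern in RED_FLAGS.items():
            if not re.search(pattern, sentence, re.IGNORECASE):
                continue
            if concern == "no retention limit" and TIME_LIMIT.search(sentence):
                continue  # stated time limit, e.g. "90 days": not open-ended
            findings.append((concern, sentence))
    return findings


# Constructed sample policy text; not taken from any real company.
SAMPLE_POLICY = (
    "We collect the information you provide when you create an account. "
    "We may share your information with our affiliates and trusted partners. "
    "We may combine your information with data from other sources. "
    "We retain transaction records for 7 years as required by law. "
    "We retain other data for as long as necessary for our business purposes. "
    "Only non-personally identifiable information is shared with advertisers. "
    "We reserve the right to change this policy at any time."
)

if __name__ == "__main__":
    for concern, sentence in scan_policy(SAMPLE_POLICY):
        print(f"[{concern}] {sentence}")
```

Paste a policy's text into SAMPLE_POLICY and each flagged sentence is printed with the concern it raises; a clean result does not mean the policy is fine, only that none of these particular phrases appear.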


What Common Data Types Actually Mean

Privacy policies use technical terms that can obscure what's really being collected:

Term               What it means
Location data      Your precise GPS coordinates, or coarse location from IP/WiFi
Behavioral data    What you click, how long you spend on content, your scrolling patterns
Inferred data      Profiles the company builds about you: interests, personality, income bracket
Biometric data     Fingerprints, face geometry, voice prints
Sensitive data     Health, financial, political, religious, or sexual orientation information

Inferred data is particularly worth watching. Facebook's privacy policy, for example, discloses that they build interest and behavioral profiles even from actions you take off-platform.


How to Exercise Your Rights

If a company has your data and you want to do something about it:

GDPR (EU/UK residents): You have the right to submit a Data Subject Access Request (DSAR). The company must respond within 30 days with a copy of all data they hold about you.

CCPA (California residents): You can opt out of the sale of your personal information, and request deletion of your data.

For everyone else: Most major companies now offer self-service data download and deletion tools even for users outside the EU/California, because building separate systems is expensive. Look in account settings under "Privacy" or "Your Data."


The Honest Bottom Line

Privacy policies are not written to inform you — they're written to protect companies legally while giving them maximum flexibility. This is why they're long, vague, and full of passive voice.

But once you know the patterns, you can scan a privacy policy in a few minutes and get a clear picture of whether a company is being responsible with your data — or not.

Too busy to read them yourself? That's exactly why WhatDoTheyCollect exists. We've analyzed hundreds of privacy policies and broken them down into plain-language summaries so you can understand what a company collects in minutes, not hours.
