Tutorial
How to Generate a Privacy Policy from Your Code in 30 Seconds
Published March 17, 2026 · 10 min read
Writing a privacy policy by hand takes 30 minutes on a good day. You need to audit every dependency, trace every data flow, list every third-party integration, and translate it all into legal language. Most developers skip steps, miss services, or copy a template that does not match their application.
There is a faster way. Codepliant scans your actual codebase — dependencies, imports, environment variables, and config files — and generates a privacy policy that reflects what your application really does. One command, 30 seconds, done.
This tutorial walks through the entire process. You will see exactly what happens when you run the command, what gets detected, and how to customize the output.
The problem with manual privacy policies
Most privacy policies are wrong. Not because developers are careless, but because manually auditing a codebase for data practices is tedious and error-prone. Consider what a thorough audit requires:
- Review every dependency in package.json, requirements.txt, Gemfile, or your ecosystem's equivalent to identify services that collect or process data
- Search source code for imports and API calls to analytics providers, payment processors, error trackers, email services, and AI APIs
- Check environment variables for API keys that reveal integrations not visible in dependencies
- Map each service to the specific data it collects: IP addresses, device info, payment details, usage patterns, or personal identifiers
- Write the disclosures in a format that satisfies GDPR, CCPA, and other applicable regulations
A typical SaaS application has 15 to 50 dependencies that touch user data. Developers add new integrations every sprint. The privacy policy falls out of date the moment it is published.
Template generators are not much better. They ask you to fill in checkboxes: "Do you use analytics? Do you process payments?" But they cannot tell you what your code actually does. They rely on your memory, which is unreliable for a codebase that changes weekly.
What Codepliant detects in your codebase
Codepliant uses deterministic pattern matching — no AI, no network calls, no data leaving your machine. It scans three layers of your project:
1. Dependency manifests
Package files like package.json, requirements.txt, Gemfile, go.mod, Cargo.toml, and pom.xml are parsed to identify services like Stripe, Sentry, Google Analytics, SendGrid, and hundreds more.
2. Source code imports
Import and require statements are scanned across your source files. This catches services used through SDKs that might not appear in the top-level dependency manifest — for example, using the OpenAI API through a wrapper library.
3. Environment variables
Your .env, .env.example, and .env.local files are checked for patterns like STRIPE_SECRET_KEY, SENTRY_DSN, or OPENAI_API_KEY. This catches integrations configured through environment variables even when the SDK is not a direct dependency.
Each detected service is mapped to its data collection categories: personal identifiers, payment information, device data, usage analytics, location data, and more. This mapping drives the generated privacy policy, ensuring every disclosure is grounded in what your code actually does.
Step 1: Run the command
Open your terminal, navigate to your project directory, and run:
npx codepliant goThat is it. No installation, no configuration, no account creation. The npx command downloads and runs Codepliant directly. If you prefer to install it globally:
npm install -g codepliant
codepliant goEverything runs locally. No data is sent anywhere. No network calls are made. Your source code never leaves your machine.
Step 2: Watch the scan
When you run npx codepliant go, you will see output like this:
$ npx codepliant go
Codepliant v1.1.0
Scanning project...
Detected ecosystem: Node.js (package.json)
Scanning dependencies... 34 packages analyzed
Scanning source imports... 128 files checked
Scanning environment variables... 3 env files found
Services detected:
- Stripe (payments) → payment details, billing info
- Google Analytics (analytics) → IP address, device info, usage data
- Sentry (error tracking) → error logs, device info, IP address
- OpenAI (AI/ML) → user prompts, generated content
- SendGrid (email) → email addresses, names
- AWS S3 (cloud storage) → uploaded files, metadata
- Mixpanel (analytics) → user behavior, device info
Generating documents...
✓ privacy-policy.md
✓ terms-of-service.md
✓ cookie-policy.md
✓ ai-disclosure.md
Done in 2.4s — 4 documents generated in ./compliance/The scan typically completes in 2 to 5 seconds. Larger monorepos may take slightly longer, but it is always under 30 seconds. Each detected service is shown with the data categories it collects, so you can immediately verify accuracy.
Step 3: Review the generated privacy policy
Open compliance/privacy-policy.md. Here is what a generated privacy policy looks like for the example project above:
# Privacy Policy
Last updated: March 17, 2026
## Information We Collect
### Information You Provide
- **Account information**: name, email address
- **Payment information**: processed by Stripe (we do not store
card numbers directly)
- **Communications**: emails sent through SendGrid
- **User content**: prompts and inputs submitted to AI features
### Information Collected Automatically
- **Usage data**: pages visited, features used, session duration
(via Google Analytics, Mixpanel)
- **Device information**: browser type, operating system, screen
resolution (via Google Analytics)
- **Error data**: application errors, stack traces, browser info
(via Sentry)
- **IP address**: collected by Google Analytics, Sentry
## Third-Party Services
| Service | Purpose | Data Shared |
|------------------|------------------|--------------------------|
| Stripe | Payments | Payment details |
| Google Analytics | Analytics | Usage data, IP address |
| Sentry | Error tracking | Error logs, device info |
| OpenAI | AI features | User prompts |
| SendGrid | Email delivery | Email addresses |
| AWS S3 | File storage | Uploaded files |
| Mixpanel | Analytics | User behavior data |
## AI-Powered Features
This application uses OpenAI to provide AI-powered features.
User inputs may be sent to OpenAI's API for processing. Please
review OpenAI's privacy policy for details on how they handle
data.
...Notice how every section is driven by actual detections from your code. Stripe was in your dependencies, so payment disclosures appear. OpenAI was detected, so the AI features section is included. If your application did not use AI, that section would not exist. Nothing is assumed. Nothing is generic.
The generated document also includes sections for data retention, user rights (GDPR and CCPA), cookie disclosures, and contact information placeholders. Codepliant generates 123+ document types across privacy policies, terms of service, cookie policies, AI disclosures, EULAs, and more.
Step 4: Customize and publish
The generated privacy policy needs a few additions before you publish it:
- Company details: add your legal entity name, address, and contact email where indicated by placeholders
- Data retention periods: specify how long you keep each category of data (Codepliant flags this but cannot determine your retention policy from code alone)
- Legal basis: confirm the legal basis for each processing activity (consent, legitimate interest, contractual necessity)
- DPO contact: if you have a Data Protection Officer, add their contact details
- Legal review: have a qualified attorney review the document before publishing, especially if you handle health data, financial data, or children's data
To generate a specific document type or output format, use the scan command with options:
# Generate only the privacy policy
npx codepliant scan --type privacy-policy
# Get JSON output for programmatic use
npx codepliant scan --json
# Use the interactive wizard for guided customization
npx codepliant wizardManual vs automated: the real comparison
Here is what the two approaches look like side by side:
| Task | Manual approach | Codepliant |
|---|---|---|
| Audit dependencies | 10-15 min: read through package.json, cross-reference each package | Automatic: parsed and matched in under 1 second |
| Find source code integrations | 5-10 min: grep for API calls, search for SDKs | Automatic: all imports scanned in seconds |
| Check env variables | 2-3 min: review .env files for API keys | Automatic: pattern-matched against known services |
| Map data categories | 5-10 min: research what each service collects | Automatic: pre-mapped for all recognized services |
| Write the document | 10-15 min: draft disclosures, format sections | Automatic: generated in Markdown, ready to convert |
| Accuracy | Depends on memory; easy to miss services added months ago | Deterministic: detects everything in the codebase |
| Total time | 30-50 minutes | Under 30 seconds |
The manual approach is not just slower. It is less accurate. Developers forget services they added three sprints ago. They overlook transitive dependencies. They miss environment variables in staging configs. Code-based scanning catches everything because it reads the source of truth: your code itself.
Keeping your privacy policy up to date
A privacy policy that was accurate at launch becomes inaccurate the moment you add a new integration. The solution is to run Codepliant as part of your development workflow:
name: Compliance Check
on:
pull_request:
paths:
- 'package.json'
- 'requirements.txt'
- '.env.example'
- 'src/**'
jobs:
compliance:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: npx codepliant scan --json > compliance-report.json
- run: npx codepliant diff
# Shows what changed since last generationThe codepliant diff command compares your current scan results against the last generated documents and shows exactly what changed. New service added? It flags the missing disclosure. Dependency removed? It marks the now-unnecessary section.
This turns compliance from a one-time chore into a continuous process. Your privacy policy stays in sync with your code, automatically. No more quarterly audits. No more "I think we added Mixpanel last month but I am not sure if the privacy policy covers it."
Frequently asked questions
Does Codepliant send my code anywhere?
No. Codepliant makes zero network calls. Everything runs locally on your machine. Your source code, dependencies, and environment variables are never transmitted. This is a core design principle, not a feature that can be toggled off.
What if a service is not recognized?
Codepliant recognizes hundreds of services across 13 ecosystems. If a service is not in the database, the generated privacy policy will not include it — which is why you should still review the output. You can also open an issue or contribute to add new service signatures.
Can I use Codepliant with a monorepo?
Yes. Run it from the root of your monorepo and it will scan all workspace packages. For Turborepo and Nx workspaces, it detects the workspace structure and scans each package's dependencies.
Do I still need a lawyer?
Yes. Codepliant generates an accurate starting point based on your code, but privacy law has nuances that automated tools cannot fully address: jurisdiction-specific requirements, industry regulations, data transfer agreements, and edge cases in your business model. A legal review of the generated document is strongly recommended, especially before launch. If you need help understanding GDPR requirements or writing a broader SaaS privacy policy, we have guides for those too.
Related reading
Generate your privacy policy now
One command scans your codebase and generates a privacy policy that reflects your actual data practices. No account needed.
Works with Node.js, Python, Ruby, Go, Rust, Java, PHP, .NET, Elixir, Kotlin, and Terraform. Read the docs or learn more about the privacy policy generator.