The Prompt Pack: evaluate any privacy policy with a free AI account

These prompts turn a free-tier AI chat (Claude or ChatGPT) into a first-pass reader of any platform's privacy policy. Paste the prompt, then paste the policy text. Do not ask the AI to browse to the policy: free tiers fetch pages inconsistently and sometimes describe a page they never actually read. Copy the policy text yourself and paste it in. One common trap: many platforms keep their AI or product-specific terms in a separate addendum from the main privacy policy. If there is more than one document, paste them all; the analysis is only as complete as what you feed it.

What an AI review can and cannot tell you

It can find what a policy says, what it avoids saying, and where the definitions are doing quiet work. It cannot tell you whether the company follows its own policy, what its security is like in practice, or how a court would read a clause. Treat the output as a reading aid that prepares your questions for the vendor, not as a verdict.

What you'll get back

Before you commit to the full read, here is a condensed illustration of the report format. This is a composite example in the site's usual style, not any real vendor's policy:

B. Sale and sharing: The policy states "we do not sell personal information as defined by applicable law" but defines "sell" narrowly; it separately permits sharing with "trusted partners" for "service improvement." Recipient categories: Not stated.
C. AI: "User content may be used to improve our services and models." Opt-out: Not stated. Default-on.
D. Retention and deletion: "We will delete or de-identify personal information upon request." Which of the two applies to a given record: Not stated.
H. What I could not verify: subprocessor list, retention period after a deletion request, whether "partners" includes ad networks.

The 60-second triage: three flags before the full read

Screening more than one platform? Run this first. It returns three red/yellow/green flags, then tells you whether the full read below is worth the time.

You are triaging a privacy policy for an independent educational consultant deciding whether a platform deserves a full review before uploading student data. Assume the document was written to present the company in the best light.

Answer with exactly three lines, one per topic, each formatted as: FLAG (RED, YELLOW, or GREEN), then one sentence quoting the decisive phrase from the policy verbatim in quotation marks.
1. Selling and sharing: is personal data sold or shared beyond operating the service, under the policy's own definition of "sell"?
2. AI training: can user content be used to train or improve AI or machine-learning systems, and is that default-on?
3. Deletion: on account deletion, is data deleted, or de-identified and retained?

Rules: every flag must be justified by a verbatim quote from the policy, and the flag must match its quote: if the quote is an explicit commitment against the risk, the flag cannot be RED. If the policy does not address a topic, the flag is YELLOW and the line ends with exactly: Not stated. A GREEN flag requires an explicit commitment, not silence, and if a commitment covers only some users (for example school accounts only), do not give GREEN for users outside that scope; use YELLOW and say what the scope is. Do not soften findings, and do not add reassurance the document does not contain.

Format each line exactly like this example: FLAG (YELLOW): 1. Selling and sharing: the policy permits sharing with "trusted partners" while promising "we do not sell personal information."

After the three lines, add one sentence saying whether the full section-by-section review is worth running, and which of the three topics to read first when it comes back.

I will paste the policy text in my next message (all documents, including any separate AI addendum). If the paste appears cut off, tell me before analyzing.

Prompt 1: the adversarial policy read

You are reviewing a privacy policy for an independent educational consultant who is deciding whether to upload student data (names, essays, transcripts, test scores, sometimes disability and family financial information) to this platform. Assume the document was written to present the company in the best light. Your job is to report what it actually commits to, and what it does not say.

Rules, in priority order:
1. Every claim you make about the policy must be supported by a verbatim quote from it. Short quotes are fine. No paraphrase without the quote next to it.
2. If the policy does not address a topic, write exactly: Not stated. Never fill a gap with an assumption, an industry norm, or a charitable guess. Silence is not consent and silence is not a safeguard.
3. Where a term is defined in the policy (such as "sell," "personal information," "de-identified," "service provider"), use the policy's own definition and quote it. Flag any place where the definition is narrower than everyday usage.
4. Do not soften findings. Do not add reassurance the document does not contain.

Report in these sections:
A. Data collected: what categories of student and family data the policy permits collecting.
B. Sale and sharing: whether data can be sold or shared, how "sell" is defined, and who the recipient categories are.
C. AI: whether user content can be used to train or improve AI or machine-learning systems, and whether that is default-on.
D. Retention and deletion: what happens on account deletion, whether data is deleted or de-identified and retained, and for how long.
E. Business transfer: what the policy says happens in a merger, acquisition, or bankruptcy.
F. De-identification: what the policy says de-identification involves, and what it permits doing with de-identified data.
G. Children and students: any age limits, parental-consent mechanics, or student-specific commitments.
H. What I could not verify: a mandatory list of every question above that the policy left unanswered or answered vaguely, plus anything a document like this can never establish (actual practice, security quality, subprocessor behavior).

After the sections, list the five most important verbatim clauses an educational consultant should re-read slowly, with one plain-language sentence each on why.

I will paste the policy text in my next message. If the paste appears cut off, tell me before analyzing.

Prompt 2: turn the gaps into vendor questions

Using your analysis above, draft an email I can send the vendor. Requirements:
1. One question per gap you listed under "What I could not verify." Each question must be answerable with a yes, a no, or a specific number or timeframe. No question may be answerable with marketing language.
2. Group the questions under the same section letters as your analysis.
3. Professional, neutral tone: I am a prospective customer doing diligence, not an adversary.
4. End with a request that answers be confirmed in writing and a note that I understand the policy, not the email, is the binding document, so I am also asking which policy section covers each answer.
Keep it under 350 words.

Free-tier notes

New to the underlying issues? Start with the checklist or the explainers on de-identification and AI training clauses.