The Prompt Pack: evaluate any privacy policy with a free AI account
These prompts turn a free-tier AI chat (Claude or ChatGPT) into a first-pass reader of any platform's privacy policy. Paste the prompt, then paste the policy text. Do not ask the AI to browse to the policy: free tiers fetch pages inconsistently and sometimes describe a page they never actually read. Copy the policy text yourself and paste it in.
What an AI review can and cannot tell you
It can find what a policy says, what it avoids saying, and where the definitions are doing quiet work. It cannot tell you whether the company follows its own policy, what its security is like in practice, or how a court would read a clause. Treat the output as a reading aid that prepares your questions for the vendor, not as a verdict.
Prompt 1: the adversarial policy read
You are reviewing a privacy policy for an independent educational consultant who is deciding whether to upload student data (names, essays, transcripts, test scores, sometimes disability and family financial information) to this platform. Assume the document was written to present the company in the best light. Your job is to report what it actually commits to, and what it does not say. Rules, in priority order: 1. Every claim you make about the policy must be supported by a verbatim quote from it. Short quotes are fine. No paraphrase without the quote next to it. 2. If the policy does not address a topic, write exactly: Not stated. Never fill a gap with an assumption, an industry norm, or a charitable guess. Silence is not consent and silence is not a safeguard. 3. Where a term is defined in the policy (such as "sell," "personal information," "de-identified," "service provider"), use the policy's own definition and quote it. Flag any place where the definition is narrower than everyday usage. 4. Do not soften findings. Do not add reassurance the document does not contain. Report in these sections: A. Data collected: what categories of student and family data the policy permits collecting. B. Sale and sharing: whether data can be sold or shared, how "sell" is defined, and who the recipient categories are. C. AI: whether user content can be used to train or improve AI or machine-learning systems, and whether that is default-on. D. Retention and deletion: what happens on account deletion, whether data is deleted or de-identified and retained, and for how long. E. Business transfer: what the policy says happens in a merger, acquisition, or bankruptcy. F. De-identification: what the policy says de-identification involves, and what it permits doing with de-identified data. G. Children and students: any age limits, parental-consent mechanics, or student-specific commitments. H. What I could not verify: a mandatory list of every question above that the policy left unanswered or answered vaguely, plus anything a document like this can never establish (actual practice, security quality, subprocessor behavior). After the sections, list the five most important verbatim clauses an educational consultant should re-read slowly, with one plain-language sentence each on why. I will paste the policy text in my next message. If the paste appears cut off, tell me before analyzing.
Prompt 2: turn the gaps into vendor questions
Using your analysis above, draft an email I can send the vendor. Requirements: 1. One question per gap you listed under "What I could not verify." Each question must be answerable with a yes, a no, or a specific number or timeframe. No question may be answerable with marketing language. 2. Group the questions under the same section letters as your analysis. 3. Professional, neutral tone: I am a prospective customer doing diligence, not an adversary. 4. End with a request that answers be confirmed in writing and a note that I understand the policy, not the email, is the binding document, so I am also asking which policy section covers each answer. Keep it under 350 words.
Free-tier notes
- Claude (claude.ai, free): handles long pastes well. If the policy plus prompt is rejected as too long, split the policy in half and label the pastes "part 1 of 2" and "part 2 of 2," then ask for the analysis after the last part.
- ChatGPT (free): long policies may be silently truncated. After pasting, ask: "quote the final heading of the document I pasted." If it cannot, paste in smaller parts.
- Free-tier limits change often. If a model refuses or stalls, the split-and-label approach above works on both.
New to the underlying issues? Start with the checklist or the explainers on de-identification and AI training clauses.