Why Disclose Third Parties?
Under Australian Privacy Principle 1.2, you must disclose any recipient of personal information — including third-party service providers. Users have a right to know which companies access their data and what those companies do with it. This transparency builds trust and ensures compliance with privacy law.
The OAIC (Office of the Australian Information Commissioner) regularly finds that businesses break privacy law by failing to disclose third-party tool usage. It's one of the most common non-compliance issues.
Which Tools Must You Disclose?
Analytics and tracking:
- Google Analytics 4 (or Universal Analytics)
- Hotjar, Crazy Egg, Microsoft Clarity (session recording and heatmaps)
- Mixpanel, Amplitude, Segment (analytics platforms)
Payment and commerce:
- Stripe, PayPal, Square, Shopify Payments, WePay
- Afterpay, Laybuy, other BNPL providers
Email and marketing:
- Mailchimp, ConvertKit, Klaviyo, ActiveCampaign
- SendGrid, Brevo (Sendinblue)
- Drip, GetResponse
Advertising and tracking pixels:
- Meta Pixel (Facebook/Instagram)
- Google Ads conversion tracking
- TikTok Pixel, LinkedIn Pixel
- Google Tag Manager
Customer support and chatbots:
- Zendesk, Intercom, Drift, Freshdesk
- HubSpot CRM
- Slack (if integrated with customer data)
Content and hosting:
- Hosting providers (AWS, Vercel, Netlify, etc.)
- CDN providers (Cloudflare)
- YouTube embedded videos
Video and recording:
- Loom, Wistia (video hosting)
- Google Meet, Zoom (if you record meetings)
How to Structure the Disclosure
Don't just list tools randomly. Create a structured section in your Privacy Policy that includes the following for each tool:
- Name of the service: "Google Analytics 4"
- What data it collects: "IP address, device type, page views, time on page, referrer"
- Why you use it: "To understand visitor behavior, track traffic sources, and measure content performance"
- Location of data: "Data stored in USA (Google servers)"
- Link to their privacy policy: "See Google's Privacy Policy"
Template Disclosure Section
"We use third-party services that collect personal data on our behalf. Here's what each service does:
Google Analytics 4: Tracks website traffic, page views, and user behavior using cookies. Data is stored on Google servers in the USA. View Google's Privacy Policy
Stripe: Processes payment information during checkout. Card details are encrypted and never stored on our servers. View Stripe's Privacy Policy
Mailchimp: Stores email newsletter subscriber data and sends marketing emails on our behalf. View Mailchimp's Privacy Policy
Meta Pixel: Tracks conversions and user behavior for retargeting ads on Facebook and Instagram. View Meta's Privacy Policy
For each of these services, your data may be shared with other entities as described in their privacy policies. We only share data where necessary to provide our services."
Important Disclosure Tips
Be specific about location: Don't just say "the USA." Say "Google Analytics servers in the USA" or "Stripe's servers, hosted in multiple countries including Australia and the USA." The OAIC cares about geographic data flows.
Explain what "share" means: Users often misunderstand "sharing" data. Clarify that sharing with a payment processor means they see transaction data to process payments, not that they sell your customer list to third parties.
Link to their policies: You're required to disclose that third parties have their own privacy policies. Links help users understand what those services do independently of your policy.
Update regularly: When you add a new tool, update your Privacy Policy. The OAIC will check that your stated tools match your actual tools.
Don't hide it: Create a dedicated "Third-Party Services" or "Data Sharing" section. Don't bury it in fine print. Make it easy to find.
Common Mistakes to Avoid
Forgetting tools: Many businesses disclose Google Analytics but forget Meta Pixel, email signup services, or hosting providers that log IP addresses. Audit your entire tech stack.
Vague language: Saying "we may use third parties" is too weak. Be specific: "We use Google Analytics, Stripe, and Mailchimp."
No links to their policies: Users want to know what third-party companies do. Link to their privacy policies so they can investigate.
Not updating when tools change: If you switch from Mailchimp to ConvertKit, update your Privacy Policy. An outdated policy that lists services you no longer use looks sloppy and may expose you to OAIC complaints.