diff --git a/policies/README.md b/policies/README.md index e8d932c..9f6f0dd 100644 --- a/policies/README.md +++ b/policies/README.md @@ -11,6 +11,7 @@ The CF is committed to complying with all applicable laws and regulations relate - [Conflict of Interest Policy](./conflict-of-interest.md) - [Continuity and Administrative Access Policy](./succession-plan.md) - [Intellectual Property Policy](./ip-policy.md) +- [Privacy Policy](./privacy-policy.md) - [Trademark Policy](./trademark-policy.md) ## Policy change process diff --git a/policies/privacy-policy.md b/policies/privacy-policy.md new file mode 100644 index 0000000..950fd5e --- /dev/null +++ b/policies/privacy-policy.md 
@@ -0,0 +1,93 @@ +# Privacy Policy + +The Commonhaus Foundation (CF) is committed to respecting your privacy and protecting your personal information. +This Privacy Policy explains how we collect, use, and share information when you engage with our services, websites, and projects. + +- [Information We Collect](#information-we-collect) +- [How We Use Your Information](#how-we-use-your-information) +- [Information Sharing and Disclosure](#information-sharing-and-disclosure) +- [How We Protect Your Information](#how-we-protect-your-information) +- [Data Security and Cross-border Transfers](#data-security-and-cross-border-transfers) +- [Data Retention](#data-retention) +- [Your Rights](#your-rights) +- [Changes to This Policy](#changes-to-this-policy) +- [Contact Us](#contact-us) +- [Additional Information for EEA, UK, and California Users](#additional-information-for-eea-uk-and-california-users) + +## Information We Collect + +We collect only the data necessary to operate our services effectively. + +1. **Authentication and Identity Data**: We use GitHub for authentication and collect basic identity data, including your GitHub login and user ID. + If you serve on a CF committee, we may display your GitHub login, name, and profile bio publicly. + Members may also opt to provide an alternate display name or bio. + +2. **Email Forwarding Data**: For members using the [ForwardEmail service](https://forwardemail.net/en/privacy), we link your GitHub login to the forwarding email address(es) specified. + ForwardEmail stores the target address; CF does not retain this information. + +3. **Session Cookies and Analytics**: Our member section uses temporary session cookies solely for GitHub authentication. + We also collect anonymous, aggregated analytics to improve website performance and usability. + +4. 
**Legal and Contributor Data**: For legal agreements (e.g., asset transfers, fiscal hosting) and contributor verification (e.g., Contributor License Agreements or commit messages), we collect names, contact details, and any relevant contribution history. + +## How We Use Your Information + +We use your information to: + +- **Authenticate Access**: GitHub data is used to verify and provide secure access to CF services. +- **Public Display for Committees**: We publicly display committee members’ names and GitHub logins during their tenure. +- **Communication**: The ForwardEmail service facilitates communication via forwarding addresses provided by members. +- **Website Improvement**: Analytics help us assess website performance without identifying individual users. +- **Project and Contribution Oversight**: Contributor information supports project management and monitors adherence to contribution requirements, such as CLAs or DCOs. + +## Information Sharing and Disclosure + +We do not sell or rent your personal information. +Information may be shared under the following circumstances: + +- **Third-party Services**: We share your information with third-party services only when you opt-in, such as by using ForwardEmail, and only as necessary for those services to function. +- **Legal Requirements**: We may disclose information as required by law or in response to a valid legal request. + +## How We Protect Your Information + +We take reasonable measures necessary to protect your personal data from unauthorized access, alteration, or destruction; maintain data accuracy; and help ensure the appropriate use of your personal data. + +## Data Security and Cross-border Transfers + +We take reasonable measures to protect your personal data from unauthorized access, alteration, or destruction. +Your data may be processed in various countries, including the U.S. and regions where we or our providers operate. 
+For transfers from the EU, UK, or Switzerland, we rely on Standard Contractual Clauses to ensure your data’s protection. + +## Data Retention + +We retain data as long as necessary to fulfill the purposes outlined in this policy or as required by law. +Session cookies are temporary and expire when your session ends. + +## Your Rights + +You have the right to request access to, correction of, or deletion of your personal information. +To exercise these rights, please email the [`legal` mailing list][CONTACTS.yaml]. + +## Changes to This Policy + +We may update this Privacy Policy to reflect changes in our practices or legal obligations. +Significant updates will be posted on our website. + +## Contact Us + +If you have any questions or concerns about this Privacy Policy, send an email to the [`legal` mailing list][CONTACTS.yaml]. + +## Additional Information for EEA, UK, and California Users + +Users in the European Economic Area (“EEA”), United Kingdom (“UK”), and California have specific rights under their respective data protection laws. +These rights include, among others, access, correction, deletion, restriction of processing, and data portability in certain circumstances. + +1. **EEA and UK Users**: We process your data only where legally justified, including under contract fulfillment, legitimate interest (balanced against your privacy rights), consent, or legal compliance. + You may exercise rights to access, rectify, delete, or restrict your data, and you may object to processing or request data portability where applicable. + You also have the right to lodge a complaint with your local supervisory authority. + +2. **California Users**: Under the California Consumer Privacy Act (“CCPA”), you have the right to opt-out of data “sales” (CF does not sell personal data), and to access, delete, and correct your personal data. + CF will not discriminate against you for exercising these rights. 
+ You may also make a request via an authorized agent; in such cases, CF may request additional verification to confirm your identity. + +[CONTACTS.yaml]: https://github.com/commonhaus/foundation/blob/main/CONTACTS.yaml
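Review bot: in the privacy-policy.md hunk, the "How We Protect Your Information" and "Data Security and Cross-border Transfers" sections open with the same sentence ("We take reasonable measures ... to protect your personal data from unauthorized access, alteration, or destruction"), so one should be dropped or folded into the other; the only extra content in the first ("maintain data accuracy" and "appropriate use of your personal data") fits better under "Data Retention" or "Your Rights". Two further gaps are worth closing before merge: "Data Retention" states no retention period for the legal and contributor data collected under item 4 (names, contact details, contribution history) and does not say that committee members' publicly displayed GitHub login, name, and bio are removed at the end of their tenure, which "Public Display for Committees" ("during their tenure") implies; and item 3 says session cookies are used "solely for GitHub authentication" while also collecting analytics, so the analytics provider and whether it sets its own cookies should be named and linked the way ForwardEmail is in item 2. Finally, "basic identity data, including your GitHub login and user ID" is open-ended; listing exactly which GitHub profile fields and OAuth scopes are requested would make the "collect only the data necessary" claim verifiable.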