- Inclusion of email processor: The email service processing all email data(eg. Protonmail) can be clearly specified with the personal policy of use and retention of communications.
- Hosting provider agreement: The VPS the website is hosted on would be provided by some company which would often collect some data for purposes of DDos mitigation.
- Third Party Data Processors: Thirdy party services like google analytics must be mentioned in the policy( I am quite astonished law doesn’t mandate this)
I am not a lawyer but saying this from a transparency and ethics perspective, I understand that designing a legally accurate policy is best left to lawyers of the IFF.