If you are located in the US, be assured that the FTC isn’t afraid of penalizing companies that violate consumers’ privacy, regardless of size or prominence. It has taken action against many companies — even ones as big as Google and Facebook — for failing to properly disclose how they used their customers’ data.
A privacy policy will also typically indicate your policy for storing customer data. How long you’re planning to store data is a big deal — are you storing someone’s info in perpetuity, or do you promise to delete it after 90 days? Privacy policies typically inform users how long their data will stay in your possession.
Depending on where your company is located, you might also have to include where the data is being stored. Even if you’re not storing it yourself, you’d need to disclose the physical data center (e.g. an AWS US-East server in northern Virginia).
Finally, privacy policies often include the security policy you use to protect the data you’re collecting. This usually means an outline of the security measures that you, or the vendors you use, take to safeguard customer data.
When writing a policy, make it clear and explicit so any user can understand it.