diff --git a/Gemfile.lock b/Gemfile.lock index a330277..2c2ea35 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -100,7 +100,7 @@ activesupport (>= 4.2.0) hashdiff (0.3.7) hashie (3.5.7) - htmltoword (0.7.0) + htmltoword (1.0.0) actionpack nokogiri rubyzip (>= 1.0) diff --git a/app/controllers/org_admin/phases_controller.rb b/app/controllers/org_admin/phases_controller.rb index 827f4f3..ed47690 100644 --- a/app/controllers/org_admin/phases_controller.rb +++ b/app/controllers/org_admin/phases_controller.rb @@ -26,12 +26,9 @@ def edit phase = Phase.includes(:template).find(params[:id]) authorize phase - if !phase.template.latest? - flash[:notice] = _('You are viewing a historical version of this template. You will not be able to make changes.') - end section = params.fetch(:section, nil) # User cannot edit a phase if its a customization so redirect to show - if phase.template.customization_of.present? + if phase.template.customization_of.present? || !phase.template.latest? redirect_to org_admin_template_phase_path(template_id: phase.template, id: phase.id, section: section) else render('container', diff --git a/app/controllers/org_admin/sections_controller.rb b/app/controllers/org_admin/sections_controller.rb index 27e1b14..38bfd62 100644 --- a/app/controllers/org_admin/sections_controller.rb +++ b/app/controllers/org_admin/sections_controller.rb @@ -36,7 +36,8 @@ def edit section = Section.includes({phase: :template}, questions: [:question_options, { annotations: :org }]).find(params[:id]) authorize section - render partial: 'edit', + # User cannot edit a section if its not modifiable or the template is not the latest redirect to show + render partial: (section.modifiable? && section.phase.template.latest? ? 'edit' : 'show'), locals: { template: section.phase.template, phase: section.phase, diff --git a/app/controllers/org_admin/templates_controller.rb b/app/controllers/org_admin/templates_controller.rb index bea37d6..826dcd1 100644 
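Review bot: The historical-version flash notice is removed and replaced by a bare redirect to the phase's show page, so an org admin who follows an edit link for an old version lands on the read-only page with no explanation of why editing is unavailable; the templates_controller hunk makes the same trade. If the redirect is the intended behaviour, keeping a one-line message before it preserves the feedback, e.g. `flash[:notice] = _('You are viewing a historical version of this template. You will not be able to make changes.')` ahead of the `redirect_to`. The `edit` action begins before this hunk and its `render('container', ...)` call continues past it.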
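Review bot: The new comment says the user is redirected to show, but the line under it renders the `'show'` partial in place, so the comment misdescribes the code and the behaviour differs from the sibling phases and templates `edit` actions in this commit, which really do redirect. Either reword the comment, e.g. `# Render the read-only 'show' partial when the section is not modifiable or its template is not the latest version`, or redirect here as well so the three actions behave the same way. Note that `authorize section` still evaluates the `edit?` policy before the read-only partial is rendered, which seems intentional but is worth stating in the comment. The `edit` action begins before this hunk and its `locals:` hash continues past it.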
--- a/app/controllers/org_admin/templates_controller.rb +++ b/app/controllers/org_admin/templates_controller.rb @@ -96,13 +96,14 @@ order('phases.number', 'sections.number', 'questions.number', 'question_options.number'). select('phases.title', 'phases.description', 'sections.title', 'questions.text', 'question_options.text') if !template.latest? - flash[:notice] = _("You are viewing a historical version of this #{template_type(template)}. You will not be able to make changes.") + redirect_to org_admin_template_path(id: template.id) + else + render 'container', locals: { + partial_path: 'edit', + template: template, + phases: phases, + referrer: get_referrer(template, request.referrer) } end - render 'container', locals: { - partial_path: 'edit', - template: template, - phases: phases, - referrer: get_referrer(template, request.referrer) } end # GET /org_admin/templates/new diff --git a/app/controllers/static_pages_controller.rb b/app/controllers/static_pages_controller.rb index 0eca997..46509f0 100644 --- a/app/controllers/static_pages_controller.rb +++ b/app/controllers/static_pages_controller.rb @@ -16,7 +16,11 @@ end + def privacy + end + +end def tutorials end -end \ No newline at end of file +end diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index c759af8..5482157 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -91,7 +91,7 @@ def update_email_preferences prefs = params[:prefs] - authorize current_user, :update? + authorize User pref = current_user.pref # does user not have prefs? if pref.blank? diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index e55a870..4a3bc31 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb 
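Review bot: The new `if !template.latest?` / `else` block wraps the whole render in an else branch, which the style guide would write as a guard clause, e.g. `return redirect_to org_admin_template_path(id: template.id) unless template.latest?` placed before the `phases` query, leaving the `render 'container', ...` call unindented at the end of the action. That also makes it explicit that the `phases` relation built on the preceding `order(...).select(...)` lines is not needed on the redirect path (it appears to be a lazy relation, so this is readability rather than a query saving). The `edit` action begins before this hunk.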
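Review bot: `authorize User` passes the class rather than a record, so inside the policy `user` is the `User` constant and `update_email_preferences?` can only work because it ignores the record and returns `true`; the effective rule is now "any signed-in user", enforced solely by the `raise` in `UserPolicy#initialize`. That is acceptable here because the action only reads `pref = current_user.pref` and so cannot reach another user's preferences, but that coupling is not visible from the policy and deserves a comment at the call site, e.g. `# Any signed-in user may update their own preferences; the record is always current_user, so the policy only checks for a login`. The `update_email_preferences` action continues past the hunk, and `prefs = params[:prefs]` is used later without any visible allow-list, which is worth confirming.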
@@ -1,43 +1,52 @@ class UserPolicy < ApplicationPolicy + attr_reader :signed_in_user attr_reader :user - def initialize(user, users) - raise Pundit::NotAuthorizedError, "must be logged in" unless user + def initialize(signed_in_user, user) + raise Pundit::NotAuthorizedError, "must be logged in" unless signed_in_user + @signed_in_user = signed_in_user @user = user - @users = users - end - - def admin_index? - @user.can_grant_permissions? end def index? admin_index? end + def admin_index? + signed_in_user.can_grant_permissions? + end + def admin_grant_permissions? - @user.can_grant_permissions? && ((@users.org_id == @user.org_id) || @user.can_super_admin?) + (signed_in_user.can_grant_permissions? && user.org_id == signed_in_user.org_id) || signed_in_user.can_super_admin? end def admin_update_permissions? - @user.can_grant_permissions? && ((@users.org_id == @user.org_id) || @user.can_super_admin?) + (signed_in_user.can_grant_permissions? && user.org_id == signed_in_user.org_id) || signed_in_user.can_super_admin? end # Allows the user to swap their org affiliation on the fly def org_swap? - user.can_super_admin? + signed_in_user.can_super_admin? end def activate? - user.can_super_admin? + signed_in_user.can_super_admin? end def edit? - user.can_super_admin? + signed_in_user.can_super_admin? end def update? - user.can_super_admin? + signed_in_user.can_super_admin? + end + + def update_email_preferences? + true + end + + def acknowledge_notification? + true end class Scope < Scope @@ -45,8 +54,4 @@ scope.where(org_id: user.org_id) end end - - def acknowledge_notification? - true - end end diff --git a/app/views/layouts/_footer.html.erb b/app/views/layouts/_footer.html.erb index 862d5c5..ecd75c0 100644 --- a/app/views/layouts/_footer.html.erb +++ b/app/views/layouts/_footer.html.erb @@ -13,7 +13,7 @@
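Review bot: The rewrite of `admin_grant_permissions?` and `admin_update_permissions?` changes the rule, not just the names: the old expression was `can_grant_permissions? && (same_org || super_admin)`, the new one is `(can_grant_permissions? && same_org) || super_admin`, so a super admin without `can_grant_permissions?` is now allowed where it was refused before. If that widening is intended it should be stated in a comment above both methods, e.g. `# Super admins may grant/update permissions for any org; other admins only within their own org`; if not, restore the old nesting `signed_in_user.can_grant_permissions? && (user.org_id == signed_in_user.org_id || signed_in_user.can_super_admin?)`. Separately, `attr_reader :user` now returns the target record while the actor is `signed_in_user`, which is the reverse of the usual Pundit convention inherited from `ApplicationPolicy`; anything inherited from that base class that refers to `user` (and the `user.org_id` inside `Scope` in the second hunk, whose `user` presumably comes from `ApplicationPolicy::Scope`) should be checked so it still means the signed-in user.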
  • <%= _('About') %>
  • <%= _('Contact us') %>
  • <%= _('Terms of use') %>
  • -
  • <%= _('Privacy policy') %>
  • +
  • <%= _('Privacy statement') %>
  • <%= _('Accessibility') %>
  • <%= _('Github') %>
  • diff --git a/app/views/plans/_overview_details.html.erb b/app/views/plans/_overview_details.html.erb index b406da2..cd3fe05 100644 --- a/app/views/plans/_overview_details.html.erb +++ b/app/views/plans/_overview_details.html.erb @@ -20,6 +20,7 @@ <% else %>
    <% plan.template.phases.each do |p| %> + <% questions_size = p.sections.map{|s| s.questions.size }.reduce(0){|sum,x| sum + x } %>
    <%= _("%{phase_title} (%{sections_size} %{sections}, %{questions_size} %{questions})") % { :phase_title => p.title, :sections_size => p.sections.size, :sections => n_('section', 'sections', p.sections.size), - :questions_size => p.sections.map{|s| s.questions.size }.inject(0){|sum,x| sum + x }, - :questions => n_('question', 'questions', p.sections.map{|s| s.questions.size }.inject(0){|sum,x| sum + x }) } %> + :questions_size => questions_size, + :questions => n_('question', 'questions', questions_size) } %>
    diff --git a/app/views/shared/export/_plan_coversheet.erb b/app/views/shared/export/_plan_coversheet.erb index 324909e..2b09113 100644 --- a/app/views/shared/export/_plan_coversheet.erb +++ b/app/views/shared/export/_plan_coversheet.erb @@ -30,7 +30,9 @@
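Review bot: The hoisted `questions_size` is the right move, but the expression `p.sections.map{|s| s.questions.size }.reduce(0){|sum,x| sum + x }` is the long form of `p.sections.sum { |s| s.questions.size }`, which reads more clearly in a view. If `sections`/`questions` are not preloaded by the caller, each `s.questions.size` presumably issues its own query per section; that was already the case before this change, but the hoisting is a good moment to preload in the controller rather than in the template. The surrounding `each` loop and the interpolated string continue past the hunk.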

    <%= _("Last modified: ") + l(@plan.updated_at.to_date, formats: :short) %>


    -

    <%= _("Copyright information:") %>

    -

    <%= _(" The above plan creator(s) have agreed that others may use as much of the text of this plan as they would like in their own plans, and customise it as necessary. You do not need to credit the creator(s) as the source of the language used, but using any of the plan's text does not imply that the creator(s) endorse, or have any relationship to, your project or proposal") %>

    + <% if @public_plan %> +

    <%= _("Copyright information:") %>

    +

    <%= _(" The above plan creator(s) have agreed that others may use as much of the text of this plan as they would like in their own plans, and customise it as necessary. You do not need to credit the creator(s) as the source of the language used, but using any of the plan's text does not imply that the creator(s) endorse, or have any relationship to, your project or proposal") %>

    + <% end %>

    \ No newline at end of file diff --git a/app/views/static_pages/privacy.html.erb b/app/views/static_pages/privacy.html.erb new file mode 100644 index 0000000..22f50c4 --- /dev/null +++ b/app/views/static_pages/privacy.html.erb @@ -0,0 +1,33 @@ +
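Review bot: The copyright paragraph now depends on `@public_plan`, an instance variable this partial does not set, so any controller or export path that renders the coversheet for a public plan without assigning it will silently drop the notice rather than fail. A one-line comment at the `if` would make that contract visible to callers, e.g. `<%# @public_plan must be set by the rendering controller; the licence notice is shown only for public plans %>`. The partial's markup before and after the conditional lies outside the hunk.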
    +
    +

    <%= _('Privacy statement') %>

    +
    +
    +
    +
    +
    +

    <%= _("Information about you: how we use it and with whom we share it") %>

    +

    <%= _("The information you provide will be used by the %{org_name} to offer you access to and personalisation of the %{application_name} service.") % + { :application_name => Rails.configuration.branding[:application][:name], :org_name => Rails.configuration.branding[:organisation][:name] } %>

    +

    <%= _("The %{org_name} processes the personal data of %{application_name} users in order to deliver and improve the %{application_name} service in a customised manner and to ensure each user receives relevant information.") % + { :application_name => Rails.configuration.branding[:application][:name], :org_name => Rails.configuration.branding[:organisation][:name] } %>

    +

    <%= _("The processing of your personal data by the %{org_name} is necessary for pursuing the following legitimate interests:") % + { :application_name => Rails.configuration.branding[:application][:name], :org_name => Rails.configuration.branding[:organisation][:name] } %>

    +
      +
    • <%= _("To provide access to the %{application_name} service and personalisation of your user experience e.g. provision of relevant templates and guidance for your organisation.") % + { :application_name => Rails.configuration.branding[:application][:name] } %>
    • +
    • <%= _("To keep you up to date with news about %{application_name} such as new features or improvements, or changes to our Privacy Policy.") % + { :application_name => Rails.configuration.branding[:application][:name] } %>
    • +
    • <%= _("For network and information security purposes.") %>
    • +
    +

    <%= _("We will hold the personal data you provided us for as long as you continue using the %{application_name} service. Your personal data can be removed from this service upon request to the %{application_name} team within a period of 30 days.") % + { :application_name => Rails.configuration.branding[:application][:name] } %>

    +

    <%= raw _("If you have any questions, please contact the %{application_name} team at: %{helpdesk_email}") % + { :application_name => Rails.configuration.branding[:application][:name], :helpdesk_email => Rails.configuration.branding[:organisation][:helpdesk_email] } %>

    +

    Revisions

    + +

    <%= _("This statement was last revised on %{revdate} and may be revised at any time with prior notice.") % + { :revdate => "May 21st, 2018" }%>

    +
    +
    +
    diff --git a/config/routes.rb b/config/routes.rb index 2c6276e..b5599fe 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -86,6 +86,7 @@ get "help" => 'static_pages#help' get "roadmap" => 'static_pages#roadmap' get "terms" => 'static_pages#termsuse' + get "privacy" => 'static_pages#privacy' get "tutorials" => 'static_pages#tutorials' get "public_plans" => 'public_pages#plan_index' get "public_templates" => 'public_pages#template_index' diff --git a/test/functional/org_admin/phases_controller_test.rb b/test/functional/org_admin/phases_controller_test.rb index b7d4263..211959d 100644 --- a/test/functional/org_admin/phases_controller_test.rb +++ b/test/functional/org_admin/phases_controller_test.rb @@ -32,6 +32,14 @@ assert_nil flash[:alert] end + test 'get phases#edit redirects to #show when template is not latest' do + new_version = @template.generate_version! + sign_in @org_admin + get(edit_org_admin_template_phase_path(@template.id, @template.phases.first.id)) + assert_response :redirect + assert_redirected_to org_admin_template_phase_path(@template.id, @template.phases.first.id) + end + test "unauthorized user cannot access the preview phase page" do get preview_org_admin_template_phase_path(@template, @phase) assert_unauthorized_redirect_to_root_path diff --git a/test/functional/org_admin/templates_controller_test.rb b/test/functional/org_admin/templates_controller_test.rb index d09ff86..d778889 100644 --- a/test/functional/org_admin/templates_controller_test.rb +++ b/test/functional/org_admin/templates_controller_test.rb 
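Review bot: `raw` on the helpdesk line switches off HTML escaping for the whole interpolated string, including `helpdesk_email` and whatever the active translation of that `_()` string contains, while every other paragraph on this page is rendered escaped. If the intent is a clickable address, `mail_to Rails.configuration.branding[:organisation][:helpdesk_email]` inside an ordinary `<%= %>` gives that without disabling escaping; if no markup is expected, simply drop `raw`. Separately, `Rails.configuration.branding[:application][:name]` is looked up in each paragraph with slightly different interpolation hashes; a single `<% branding = Rails.configuration.branding %>` at the top of the view would shorten the template and keep the hashes uniform.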
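Review bot: In the new `phases#edit` test, `new_version = @template.generate_version!` assigns a local that is never read; either call `@template.generate_version!` on its own or use the result to make the expectation explicit, e.g. `assert_not @template.reload.latest?` before the `get`, so the test fails for the right reason if versioning changes. The same unused assignment exists as context in the templates_controller_test hunk. `assert_redirected_to` already implies a redirect response, so `assert_response :redirect` is redundant there too.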
@@ -104,12 +104,12 @@ assert_nil flash[:notice], 'expected no warning messages' end - test 'get templates#edit returns ok with flash notice when template is not latest' do + test 'get templates#edit redirects to #show when template is not latest' do new_version = @org_template.generate_version! sign_in @org_admin get(edit_org_admin_template_path(@org_template.id)) - assert_response :success - assert_not_nil flash[:notice], 'expected a warning message' + assert_response :redirect + assert_redirected_to org_admin_template_path(@org_template.id) end test "unauthorized user cannot access the template#new page" do