My problem is mostly that I lack the legal expertise to be able to a) write up a coherent policy with full coverage, and b) follow up on changing legislation, of which there has been quite a lot in recent years (at least in Europe).

The best option until now have been generators found online, which mostly seem to have pivoted to lead generators or demos for paid products now. Considering that in Germany, for example, any website affiliated with a company or pursuing any economic purpose is required to have both a proper imprint and privacy policy, this is something you have to care about. There are even lawyers writing specialised crawlers to find websites with linked Google Fonts but no privacy policy notice, and send automated litigation to the owners. This only became possible after a court decided (as shortsighted as stupidly) loading fonts from Google's servers constituted a privacy violation, given that visitors had no way to consent.

Following these changes and reacting in a timely way is a continuous effort, and a framework to automate this is very welcome IMHO.