I found this free website that will make for you the policy AND host it:

https://www.freeprivacypolicy.com/

Then add it to the play store under Store Listing - at the bottom add the public link for the policy that you got from https://www.freeprivacypolicy.com/

Currently some people are facing the same issue because of using 12.0.0 version of AdMob lib.

Update it to 12.0.1. This should fix it. You can read more here

Are you using AdSense or other ads in your app, or maybe Google Analytics ? I think if you do so, even if you don't have the android.permission.READ_PHONE_STATE in your manifest this is added by the ads library.

There are free templates that might help you create a privacy policy.

This is the email i received from Google about it :

Hello Google Play Developer, Our records show that your app, xxx, with package name xxx, currently violates our User Data policy regarding Personal and Sensitive Information. Policy issue: Google Play requires developers to provide a valid privacy policy when the app requests or handles sensitive user or device information. Your app requests sensitive permissions (e.g. camera, microphone, accounts, contacts, or phone) or user data, but does not include a valid privacy policy. Action required: Include a link to a valid privacy policy on your app's Store Listing page and within your app. You can find more information in our help center. Alternatively, you may opt-out of this requirement by removing any requests for sensitive permissions or user data. If you have additional apps in your catalog, please make sure they are compliant with our Prominent Disclosure requirements. Please resolve this issue by March 15, 2017, or administrative action will be taken to limit the visibility of your app, up to and including removal from the Play Store. Thanks for helping us provide a clear and transparent experience for Google Play users. Regards, The Google Play Team

It's third party library. You can find the culprit in build/outputs/logs/manifest-merger-release-report.txt

You should drop android.permission.READ_PHONE_STATE permission. Add this to your manifest file:

<uses-permission
    android:name="android.permission.READ_PHONE_STATE"
    tools:node="remove" />

If you're testing your app on a device > android 6.0 you have also to explicitely ask the user to grant the permission.

As you can see here READ_PHONE_STATE have a dangerous level.

If a permission have a dangerous level then the user have to accept or not this permission manually. You don't have the choice, you MUST do this

To do this from your activity execute the following code :

if the user use Android M and didn't grant the permission yet it will ask for it.

public static final int READ_PHONE_STATE_PERMISSION = 100;

  if (Build.VERSION.SDK_INT > Build.VERSION_CODES.M && checkSelfPermission(Manifest.permission.READ_PHONE_STATE)
                != PackageManager.PERMISSION_GRANTED) {
            requestPermissions(new String[]{Manifest.permission.READ_PHONE_STATE}, READ_PHONE_STATE_PERMISSION);
        }

then override onRequestPermissionsResult in your activity

@Override
    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions, @NonNull int[] grantResults) {
        switch (requestCode){
            case READ_PHONE_STATE_PERMISSION: {
                if (grantResults[0] == PackageManager.PERMISSION_GRANTED){
                    //Permission granted do what you want from this point
                }else {
                    //Permission denied, manage this usecase
                }
            }
        }
    }

You should read this article to know more about it