SaaS Terms and Conditions & SaaS Privacy Policy

Do SaaS (Software as a Service) applications need a Terms and Conditions, Privacy Policy, EULA and Cookies Policy?

Generally, yes.

However, it ultimately depends on what kind of SaaS application you're developing. You'll need different legal agreements depending on what exactly your SaaS app does.

Dropbox, for example, allows users to upload and share files such as text files, movie files, and image files. This means that Dropbox should have a legal agreement that covers user-generated content.

Mailchimp allows users to send email marketing messages through its app. This means that Mailchimp should have a legal agreement in place that places restrictions on what types of emailing its users can do (such as no spamming).

Regardless of how your SaaS app functions, you should have both a Privacy Policy and a Terms and Conditions agreement for your app. Each of these agreements serves different purposes.

Terms and Conditions for SaaS apps

The following points should be addressed in clauses in your SaaS app's Terms and Conditions:

  1. Restrictions and limitations of use of your app
  2. Licensing information
  3. Limitations of your liability and disclaimers of warranties
  4. Specifics about your payment terms
  5. Information about what will happen if either party violates the Terms and Conditions
  6. How the customer can end the service contract and any penalties regarding ending a contract early
  7. What laws govern the contract
  8. Intellectual property and copyright rights
  9. How users will be notified about changes to your terms
  10. How user-generated content is handled
  11. Your business' contact information

A good way to approach your Terms and Conditions agreement is to imagine a number of potentially rare but still possible situations that may arise between you and a customer, and include how such situations should be handled in the agreement.

For example, how will you handle a customer who misses payments for your SaaS app subscription? Will you revoke access immediately, or will there be a grace period? Will you allow customers to end the contract in the middle of a billing cycle and obtain a refund, or will there be a monetary penalty for interrupting the cycle?

Always be very clear in the language used in your Terms and Conditions. Using too much technical or legal jargon can be confusing to your users, and in the event of a legal case arising, a judge may find that your agreement is too unclear to be upheld.

Privacy Policy for SaaS apps

If you aren't sure if you need a Privacy Policy, ask yourself this question: Does your SaaS app collect any of the following types of personal data from users?

  • Email addresses
  • First and last names
  • Credit card information (usually stored by a payment processor, e.g. PayPal, Stripe, Braintree)
  • Social logins, e.g. users can sign up with Facebook, Google+
  • Mailing addresses
  • Anything that can be used to identify an individual

If the answer is yes, you're required to have a Privacy Policy.

Clauses for the Privacy Policy

The following clauses should be included in most SaaS app Privacy Policies:

  • Cookies: If your app uses cookies, include a clause to disclose this.

    Note that in some cases a Cookies Policy is required to comply with the EU Cookies Directive.

  • Links to Other Sites: You can use this type of clause to inform users that any links you post to external websites that are not operated by you (your company) don't necessarily follow the guidelines of your own Privacy Policy, and that users are encouraged to read the Privacy Policy of each external website they visit.
  • Changes/Updates to the Privacy Policy: Specify how you plan to notify users about any changes to your policy. You should always notify users before a change becomes effective.
  • Communications: Inform your app users that they may receive promotional emails from you, but that they can unsubscribe from communications.

    There are legal requirements in place to let users unsubscribe from promotional emails, such as CAN-SPAM in the US and CASL in Canada.

  • Business Transactions or Transfers: Let your users know that if your app ever merges with or gets bought by another business, users' personal information would be transferred to the new owner.

Examples of Privacy Policies for SaaS apps

Your Privacy Policy should disclose what personal information you collect, as well as how you collect it.

If you collect personal information in different ways, such as both directly from users and through more automated means, disclose both.

Moz discloses what information it collects and how it does so in one concise, bullet-pointed clause:

Moz Privacy Policy: Excerpt of Information We Collect About You and How We Collect it clause with GDPR

Cookies are often used for advertising purposes such as personalized marketing. If you participate in personalized marketing or remarketing, let your users know that you do this and how they can opt out.

SurveyMonkey includes a separate Personalized Marketing clause that does this:

SurveyMonkey Privacy Policy: Personalized marketing clause with opt-out information

Along with personalized marketing, you should disclose if you participate in direct marketing or commercial communications. This can include sending emails, text messages, mobile push notifications and other forms of direct communication.

Here's how Unbounce does it in its Privacy Policy:

Unbounce Privacy Policy: Excerpt of clause about opting out of commercial messages and contact

Let users know how they can opt out of these communications if they want to, as Buffer does here:

Buffer Privacy Policy: Excerpt of clause about how to update preferences and remove accounts

Sometimes a SaaS app will be sold or merged. This can be concerning for your users, as they may not be ok with their personal information being transferred to someone else.

Even if your app by chance doesn't collect any personal data, you should still have a Privacy Policy available because your users will expect one.

Here's the intro of the Startpage Privacy Policy that discloses that no personal information is collected:

Screenshot of the introduction section of Startpage Privacy Policy

Check out the rest of the agreement to see how Startpage handles individual clauses.

In sum, you're likely required by law to have a Privacy Policy. While you aren't required to have a Terms and Conditions, it's a smart move to have one to protect your SaaS app.