SaaS Privacy Policy Template

If you offer SaaS (Software as a Service), it's essential to have a clearly written, comprehensive Privacy Policy on your website and app.

In most circumstances, a Privacy Policy is a legal requirement for SaaS businesses that process personal data. The delivery of online services almost always involves processing users' personal data, even if it's simply an email address.

Even if it's not legally required, a Privacy Policy builds trust with your customer base and demonstrates a commitment to handling their data responsibly.

This article will cover what your SaaS Privacy Policy should include, and how to display it with your SaaS app.

What is a Privacy Policy?

A Privacy Policy, or privacy notice, sets out how your organization handles users' personal data. It details how personal data is collected, protected, and used.

The policy needs to be written in clear, easy-to-understand language, while also being detailed enough that users can provide informed consent for you to process their personal data.

What is Personal Data?

Personal data is any information that may identify an individual.

This includes but isn't limited to the following:

  • Name
  • Email address
  • Physical address
  • Demographic information
  • Payment information
  • Photographs
  • Session data
  • IP address and location

Why Your SaaS Needs a Privacy Policy

In most countries, a Privacy Policy is a legal requirement. Data protection legislation varies between countries and can be complex. But the best approach to ensure compliance with data protection legislation as a SaaS is this: If you collect, store, or use personal data, then you must have a Privacy Policy.

The purpose of data protection laws is to ensure transparency when it comes to personal information. An individual has the right to be notified that an organization intends to collect and use their data and make an informed decision as to whether they consent to this. Individuals also have the right to refuse to provide their data and not complete their purchase or registration.

A well-written, transparent Privacy Policy reassures users that your organization can be trusted with their personal data. It demonstrates that you take the issue seriously by detailing the steps you take when it.

Data protection legislation is generally applied based on your users' location, rather than the location of your business. For example, if your UK-based business has clients in the UK, America, Australia and China, your Privacy Policy needs to comply with the relevant legislation of these four countries.

Examples of Data Protection Legislation

  • The General Data Protection Regulation (GDPR) states that a Privacy Policy is mandatory when the personal data of an EU citizen is processed, regardless of where the organization is based
  • In Australia, the Privacy Act requires an organization to have a Privacy Policy if it has more than $3 million in annual turnover, buys and sells personal information, or offers a health service
  • While there are no U.S. federal laws that require businesses to have a Privacy Policy, some states regulate the issue. For example, the Californian Privacy Rights Act (CPRA) makes Privacy Policies mandatory for any website or online service that collects the personal information of California residents.
  • The Personal Information Protection Act (PIPL) recently came into effect in China. This law applies to overseas organizations that process the personal data of Chinese citizens to provide goods and services or analyze their online behavior.

Sections to Include in Your Privacy Policy

You can adapt your Privacy Policy to comply with relevant legislative requirements and to suit your business needs. However, there are some standard clauses included in SaaS Privacy Policies across most jurisdictions including:

  • What personal data is collected, and how
  • How personal data may be used
  • How personal data may be shared
  • How personal data is stored and for how long
  • How data is protected
  • The use of cookies
  • Changes to the Privacy Policy
  • Relevant contact information

Let's look at these in more detail.

What Personal Data is Collected and How

You must clearly set out the kind of personal data your SaaS may collect from users. This can be done by listing the various types with examples. The more detailed this is, the better. It's also important to explain exactly how this data is collected.

It's important to be specific about the types of data you collect so users clearly understand what they are consenting to share with you.

How Personal Data is Shared

Users must be aware of how their personal data may be shared with third parties. A SaaS may share users' personal data for several reasons.

For example, the SaaS may outsource functions such as analytics or customer support and need to share user data to do so. A SaaS may also be required to provide personal data to government departments or law enforcement in certain circumstances.

How Data is Stored and How Long it's Kept For

You must notify your users of how you store their data and the period it's stored by including a data retention clause in your Privacy Policy.

This clause addresses issues such as:

  • Where the data is stored and how users can access it
  • The circumstances in which the data is deleted (either at the user's request or by your organization in the event of a user's access being suspended or terminated)
  • The requirement to retain certain data e.g. for tax purposes

Data Protection Measures

Data protection is an important factor when a user comes to deciding whether to provide their personal information. They want to know it's kept securely. So you must include a clause in your Privacy Policy that outlines the steps your organization takes to protect the data it collects.

Users are reluctant to provide their personal data without being reassured of how it will be kept secure. So it's important to include a data protection clause in your Privacy Policy.

Cookies

Almost all SaaS businesses use cookies to track and collect user data. You should explain this in your Privacy Policy so your users can consent to them.

Some SaaS companies have a separate cookies policy and include a link to this in their Privacy Policy.

Changes to the Privacy Policy

Given the evolving nature of data protection law, you will need to update your Privacy Policy from time to time. Because of this, it's important to tell users how they will be notified of changes to your Privacy Policy.

WhatsApp takes a passive approach to this clause, making it the responsibility of users to visit the website for updates:

WhatsApp Privacy Policy: Updates to our Policy clause

Google takes a more proactive approach, archiving previous versions of its Privacy Policy and notifying users by email of any significant changes to its Privacy Policy:

Google Privacy Policy: Changes to this Policy clause

This clause is usually included at the end of a Privacy Policy.

Relevant Contact Information

Your Privacy Policy should include contact details in the event a user has a question or concern regarding your use of their personal information. In smaller companies, this may be an individual while in larger organizations, it may be the department responsible for data protection.

These contact details reinforce the transparency of your Privacy Policy.

Summary

If your SaaS platform collects any personal data from users (and most do), it must have a Privacy Policy. Your Privacy Policy needs to set out how you handle the data you collect from users, including how it's collected, what it may be used for, and how you protect it.

A Privacy Policy is necessary for compliance with data protection legislation. It also builds trust with your current and future users by transparently setting out how you process and protect their personal data.

Include all the relevant sections and make sure to display it properly, while getting clickwrap consent from your users.