If you offer SaaS (Software as a Service), it's essential to have a clearly written, comprehensive Privacy Policy on your website and app.
In most circumstances, a Privacy Policy is a legal requirement for SaaS businesses that process personal data. The delivery of online services almost always involves processing users' personal data, even if it's simply an email address.
Even if it's not legally required, a Privacy Policy builds trust with your customer base and demonstrates a commitment to handling their data responsibly.
This article will cover what your SaaS Privacy Policy should include, and how to display it with your SaaS app.
A Privacy Policy, or privacy notice, sets out how your organization handles users' personal data. It details how personal data is collected, protected, and used.
The policy needs to be written in clear, easy-to-understand language, while also being detailed enough that users can provide informed consent for you to process their personal data.
Personal data is any information that may identify an individual.
This includes but isn't limited to the following:
In most countries, a Privacy Policy is a legal requirement. Data protection legislation varies between countries and can be complex, but the safest approach for a SaaS business is this: if you collect, store, or use personal data, then you must have a Privacy Policy.
The purpose of data protection laws is to ensure transparency when it comes to personal information. An individual has the right to be notified that an organization intends to collect and use their data and make an informed decision as to whether they consent to this. Individuals also have the right to refuse to provide their data and not complete their purchase or registration.
A well-written, transparent Privacy Policy reassures users that your organization can be trusted with their personal data. It demonstrates that you take the issue seriously by detailing the steps you take to protect it.
Data protection legislation is generally applied based on your users' location, rather than the location of your business. For example, if your UK-based business has clients in the UK, America, Australia and China, your Privacy Policy needs to comply with the relevant legislation of these four countries.
You can adapt your Privacy Policy to comply with relevant legislative requirements and to suit your business needs. However, there are some standard clauses included in SaaS Privacy Policies across most jurisdictions, including:
Let's look at these in more detail.
You must clearly set out the kind of personal data your SaaS may collect from users. This can be done by listing the various types with examples. The more detailed this is, the better. It's also important to explain exactly how this data is collected.
It's important to be specific about the types of data you collect so users clearly understand what they are consenting to share with you.
Users must be aware of how their personal data may be shared with third parties. A SaaS may share users' personal data for several reasons.
For example, the SaaS may outsource functions such as analytics or customer support and need to share user data to do so. A SaaS may also be required to provide personal data to government departments or law enforcement in certain circumstances.
You must notify your users of how you store their data and the period it's stored by including a data retention clause in your Privacy Policy.
This clause addresses issues such as:
Data protection is an important factor when a user is deciding whether to provide their personal information. They want to know it will be kept securely. So you must include a clause in your Privacy Policy that outlines the steps your organization takes to protect the data it collects.
Users are reluctant to provide their personal data without being reassured of how it will be kept secure. So it's important to include a data protection clause in your Privacy Policy.
Almost all SaaS businesses use cookies to track and collect user data. You should explain this in your Privacy Policy so your users can consent to them.
Some SaaS companies have a separate cookies policy and include a link to this in their Privacy Policy.
Given the evolving nature of data protection law, you will need to update your Privacy Policy from time to time. Because of this, it's important to tell users how they will be notified of changes to your Privacy Policy.
WhatsApp takes a passive approach to this clause, making it the responsibility of users to visit the website for updates:
Google takes a more proactive approach, archiving previous versions of its Privacy Policy and notifying users by email of any significant changes to its Privacy Policy:
This clause is usually included at the end of a Privacy Policy.
Your Privacy Policy should include contact details in case a user has a question or concern regarding your use of their personal information. In smaller companies, this may be an individual; in larger organizations, it may be the department responsible for data protection.
These contact details reinforce the transparency of your Privacy Policy.
If your SaaS platform collects any personal data from users (and most do), it must have a Privacy Policy. Your Privacy Policy needs to set out how you handle the data you collect from users, including how it's collected, what it may be used for, and how you protect it.
A Privacy Policy is necessary for compliance with data protection legislation. It also builds trust with your current and future users by transparently setting out how you process and protect their personal data.
Include all the relevant sections and make sure to display it properly, while getting clickwrap consent from your users.