If you run a SaaS product, your Privacy Policy requirements are more complex than a typical business website. You're collecting data at multiple touchpoints — onboarding, product usage, billing — and likely processing it in multiple jurisdictions. Here's what you need.
Why SaaS Privacy Policies are different
A SaaS product typically processes personal data at multiple layers:
- Account registration — names, emails, company names, job titles
- Product usage — in-app behaviour, feature usage, session data
- Payment processing — billing details, subscription history
- Support communications — emails, chat logs, support tickets
- Customer data — data your customers upload or create inside your product (you may be a processor for this)
- Analytics and performance — error tracking, usage analytics, A/B test data
⚠ Critical distinction: For data your customers store in your product, you're typically acting as a data processor, not a controller. This needs to be disclosed separately, often in a Data Processing Agreement (DPA), not just your Privacy Policy.
What laws apply to SaaS products?
CCPA / CPRA (California)
If any of your users or their customers are California residents, the CCPA applies. For SaaS companies, the "service provider" exemption may apply to some data you process on behalf of customers — but your own user data (account holders, employees) is fully subject to CCPA as a controller.
GDPR / UK GDPR
If you have users in the EU or UK, GDPR applies regardless of where your company is based. For SaaS, you'll need both a Privacy Policy (for user data) and a Data Processing Agreement with customers whose data flows through your platform.
COPPA
If your SaaS could be used by or marketed to children under 13, COPPA applies and requires explicit parental consent mechanisms.
What your SaaS Privacy Policy must include
1. Dual role disclosure
Explain that you act as:
- A data controller for your own users' account and billing data
- A data processor for data your customers store in your product
These are legally distinct roles with different obligations, and your policy must address both.
2. All data categories
Be specific about every type of data you collect. Common SaaS data categories:
- Account data (name, email, company, role)
- Usage data (features used, session duration, click patterns)
- Technical data (IP address, browser type, device, error logs)
- Billing data (payment method, subscription tier, invoices)
- Communications data (support emails, in-app messages)
- Customer content (data users create or upload in your product)
3. Sub-processors
Every third-party service that touches your users' data must be named. For a typical SaaS this includes:
- Cloud infrastructure — AWS, Google Cloud, Azure
- Payment processing — Stripe, Paddle
- Email delivery — SendGrid, Postmark
- Error tracking — Sentry, Bugsnag
- Analytics — Mixpanel, Amplitude, Segment
- CRM — HubSpot, Salesforce
- Support — Intercom, Zendesk
4. International data transfers
If your servers are in the US but you have EU/UK users, you must disclose international data transfers and the safeguards in place (Standard Contractual Clauses, adequacy decisions, etc.).
5. Data retention by category
Unlike a simple website, SaaS products typically retain different categories of data for different periods. Your policy should specify retention periods for each category — account data, billing records, usage logs, support communications.
6. Account deletion and data portability
Users have the right to delete their accounts and export their data. Your Privacy Policy should explain how to exercise these rights and your timeline for fulfilling them.
Under CCPA and GDPR, you must respond to verified access, deletion, and portability requests within 45 days (CCPA) or 30 days (GDPR). Your Privacy Policy must explain how users can submit these requests.
Do you also need a DPA?
Yes, if your customers are EU/UK businesses. A Data Processing Agreement sets out the terms under which you process your customers' data on their behalf. Under GDPR Article 28, EU/UK businesses are required to have a DPA with every processor they use — which includes your SaaS product.
Many enterprise customers will require a DPA before signing up. Having one ready removes a common sales friction point.
The bottom line
A SaaS Privacy Policy is significantly more complex than a basic website policy. It needs to address your dual role as controller and processor, name all your sub-processors, cover international transfers, and explain user rights in detail. DataShark generates personalised, compliant Privacy Policies and Data Processing Agreements for SaaS companies — from $19.