Terms of Use & Privacy Policy for SaaS

Last updated on 01 July 2022 by Legal Research Team at TermsFeed

Do SaaS (Software as a Service) applications need a Terms and Conditions, Privacy Policy, EULA and Cookies Policy?

Generally, yes.

However, it ultimately depends on what kind of SaaS application you're developing. You'll need different legal agreements depending on what exactly your SaaS app does.

Dropbox, for example, allows users to upload and share files such as text files, movie files, and image files. This means that Dropbox should have a legal agreement that covers user-generated content.

Mailchimp allows users to send email marketing messages through its app. This means that Mailchimp should have a legal agreement in place that places restrictions on what types of emailing its users can do (such as no spamming).

Regardless of how your SaaS app functions, you should have both a Privacy Policy and a Terms of Use/Terms and Conditions agreement for your app. Each of these agreements serves different purposes.

Terms of Use for SaaS apps

A Terms of Use (also known as a Terms and Conditions or Terms of Service) isn't required by law. It's completely optional to have one for your SaaS app, but it's strongly recommended to have one.

A Terms of Use agreement acts as a legally binding contract between you and your customers. It's where you set the rules and guidelines that your customers must follow in order to access the service you provide as a SaaS app.

There's no practical difference between a Terms of Use, a Terms of Service and a Terms and Conditions agreement aside from the names.

Spotify calls it a Terms and Conditions of Use.

Spotify Terms and Conditions of Use Table of Contents updated

Here are just a few ways that having a Terms of Use for your SaaS app can benefit you:

  • If a paying customer starts spamming other users from your app, you can terminate the spammer's account based on the Terms of Use they agreed to.

    A Termination clause in your Terms of Use can inform users that abusive behaviors will not be tolerated and that accounts of abusive users will be terminated at your sole discretion.

  • If users start posting content that they do not own rights to and this content is made public online, you will reserve the right to remove that content if it infringes copyright.

  • The Terms of Use would inform users what laws and regulations apply (between you and your customers) through a Governing Law clause.

Clauses for the Terms of Use

The following points should be addressed in clauses in your SaaS app's Terms of Use:

  1. Restrictions and limitations of use of your app
  2. Licensing information
  3. Limitations of your liability and disclaimers of warranties
  4. Specifics about your payment terms
  5. Information about what will happen if either party violates the Terms of Use
  6. How the customer can end the service contract and any penalties regarding ending a contract early
  7. What laws govern the contract
  8. Intellectual property and copyright rights
  9. How users will be notified about changes to your terms
  10. How user-generated content is handled
  11. Your business' contact information

A good way to approach your Terms of Use agreement is to imagine a number of potentially rare but still possible situations that may arise between you and a customer, and include how such situations should be handled in the agreement.

For example, how will you handle a customer who misses payments for your SaaS app subscription? Will you revoke access immediately, or will there be a grace period? Will you allow customers to end the contract in the middle of a billing cycle and obtain a refund, or will there be a monetary penalty for interrupting the cycle?

Always be very clear in the language used in your Terms of Use. Using too much technical or legal jargon can be confusing to your users, and in the event of a legal case arising, a judge may find that your agreement is too unclear to be upheld.

Examples of Terms of Use for SaaS apps

SurveyMonkey's Your Responsibilities clause spells out what requirements users have while using the service. These responsibilities include general things such as not circumventing account limitations, using the service to build a competitive product or scraping data from interfaces or websites:

SurveyMonkey Terms of Use: Excerpt of Your Responsibilities clause

It's also important to disclose what type of license you're granting to your users, which Buffer's Terms of Use includes right before its Restrictions clause:

Buffer Terms of Use: Licenses - Permissions and Restrictions to Use clauses

SurveyMonkey has a very detailed clause that outlines how accounts can be suspended or terminated, and what the results of such will be.

One section discusses how users can terminate their own accounts and how refunds will be handled. A separate section discusses SurveyMonkey's rights to terminate or suspend accounts for different reasons, and how the company will go about this:

SurveyMonkey Terms of Use: Suspension and Termination of Services clause

As a separate clause, SurveyMonkey notes how it will handle inactive accounts by emailing users first and then possibly terminating the accounts:

SurveyMonkey Terms of Use: Account Inactivity termination clause

Buffer includes a clause that addresses how users can cancel subscription services and accounts:

Buffer Terms of Use: Subscription Service and Cancellation Policy clause

Similarly to how SurveyMonkey includes a separate clause for how it handles inactive accounts, Buffer has one to address delinquent accounts:

Buffer Terms of Use: Delinquent Accounts clause

One of the great benefits of having a Terms of Use is that you can limit your legal liability through the agreement. Here's how SurveyMonkey includes a standard Limitation of Liability clause:

SurveyMonkey Terms of Use: Limitation of Liability clause

When SurveyMonkey updates any of these clauses or makes changes to its services, it's covered by the following clauses that reserve the right to make the changes. Users are also told how they'll be notified of any relevant changes:

SurveyMonkey Terms of Use: Changes to Terms and Changes to Services clauses

Your Terms of Use is ideal for protecting your proprietary intellectual property. These clauses come with a variety of different names, but they all work in the same way: to protect your product.

Here's an example from Buffer:

Buffer Terms of Use: Ownership Proprietary Rights clause

You can also include a clause that acknowledges copyright infringement to protect both you and your users. Here's the clause from the Dropbox Terms of Service:

Dropbox Terms of Service: Copyright clause

If your SaaS app allows customers to upload content - pictures, text, documents, videos, audio and so on - you should address copyright, intellectual property and any limited licenses you wish to reserve in the user-generated content.

Buffer lets users know that they retain any copyright and proprietary rights in their content.

However, Buffer also grants itself a "worldwide, non-exclusive, royalty-free, fully paid right and license (with the right to sublicense) to host, store, transfer, display, perform, reproduce, modify for the purpose of formatting for display, and distribute your User Content, in whole or in part, in any media formats and through any media channels now known or hereafter developed."

Buffer Terms of Use: User Content - Generally and Limited License Grant to Buffer clause excerpt

If Buffer didn't disclose this, the company would likely run into legal problems if it started using user content for such wide-ranging purposes as it reserves.

Speaking of legal problems, make sure your Terms of Use includes clauses that set forth your choice of governing law. This will be the law that will be applied in any legal issues that arise over your Terms.

Here's how Dropbox does this in a clearly-labeled Controlling Law clause:

Dropbox Terms of Service: Controlling Law clause

SurveyMonkey discloses the governing law as well as the jurisdiction and its legal name in a clause:

SurveyMonkey Terms of Use: Governing Law and Jurisdiction clause

If you want to limit legal actions to arbitration, you'll need to include this in your Terms of Use, as in this example:

Buffer Terms of Use: Arbitration Notice clause

Having a Terms of Use agreement can help keep your users informed about what you expect from them, and what they should expect from you. Even though this agreement isn't legally mandatory, it's clear how having one is a smart choice.

Our Terms and Conditions Generator makes it easy to create a Terms and Conditions agreement for your business. Just follow these steps:

  1. At Step 1, select the Website option or the App option or both.

    TermsFeed Terms and Conditions Generator: Create Terms and Conditions - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Terms and Conditions Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Terms and Conditions Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the T&C delivered and click "Generate."

    TermsFeed Terms and Conditions Generator: Enter your email address - Step 4

    You'll be able to instantly access and download the Terms & Conditions agreement.

Privacy Policy for SaaS apps

A Privacy Policy is required by law if your SaaS app collects personal data. This is required in most countries around the world, including the following locations and laws:

Almost all SaaS applications collect at least one piece of personal information from their users: an email address. Collecting email addresses is enough to make having a Privacy Policy a requirement.

Your Privacy Policy must include the following information to be compliant with most privacy directives:

  • What personal data your SaaS app is collecting and using
  • How personal data is collected and used
  • How personal data is stored
  • If personal data is shared with third parties
  • How users can limit what data is collected/used, withdraw consent to have any data collected/used, and have the collected and stored data deleted
  • If cookies are being used, which ones are being used, and why

If you aren't sure if you need a Privacy Policy, ask yourself this question: Does your SaaS app collect any of the following types of personal data from users?

  • Email addresses
  • First and last names
  • Credit card information (usually stored by payment processor, e.g. PayPal, Stripe, Braintree)
  • Social logins, e.g. users can sign up with Facebook, Google+
  • Mailing addresses
  • Anything that can be used to identify an individual

If the answer is yes, you're required to have a Privacy Policy.

Clauses for the Privacy Policy

The following clauses should be included in most SaaS app Privacy Policies:

  • Cookies: If your app uses cookies, include a clause to disclose this.

    Note that in some cases a Cookies Policy is required to comply with the EU Cookies Directive.

  • Links to Other Sites: You can use this type of clause to inform users that any links you post to external websites that are not operated by you (your company) don't necessarily follow the guidelines of your own Privacy Policy, and that users are encouraged to read the Privacy Policy of each external website they visit.
  • Changes/Updates to the Privacy Policy: Specify how you plan to notify users about any changes to your policy. You should always notify users before a change becomes effective.
  • Communications: Inform your app users that they may receive promotional emails from you, but that they can unsubscribe from communications.

    There are legal requirements in place to let users unsubscribe from promotional emails, such as CAN-SPAM in the US and CASL in Canada.

  • Business Transactions or Transfers: Let your users know that if your app ever merges with or gets bought by another business, users' personal information would be transferred to the new owner.

Let's take a look at some clauses in action.

Examples of Privacy Policies for SaaS apps

Your Privacy Policy should disclose what personal information you collect, as well as how you collect it.

SurveyMonkey's Privacy Policy includes an "Information we collect about you" clause that does this:

SurveyMonkey Privacy Policy: Excerpt of Information we collect about you clause

If you collect personal information in different ways, such as both directly from users and through more automated means, disclose both.

Buffer's Privacy Policy breaks down the different types of personal information it collects through various methods. First, it has a clause to cover personal information provided directly by users:

Buffer Privacy Policy: Excerpt of Personal Information Provided by You clause

It includes a clause sub-section that addresses personal information collected through connected social media accounts:

Buffer Privacy Policy: Excerpt of Personal Information Collected from Connected Social Media Accounts clause

The next sub-section discloses the personal information that's automatically collected when users interact with the Buffer service:

Buffer Privacy Policy: Excerpt of Personal Information Automatically Obtained from Your Interactions with the Service clause - Log Data and Cookies

While it isn't necessary to create separate clauses like this, it definitely helps break the information down in an easy-to-understand way.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

Moz discloses what information it collects and how it does so in one concise, bullet-pointed clause:

Moz Privacy Policy: Excerpt of Information We Collect About You and How We Collect it clause with GDPR

If you fall within the scope of the GDPR, you'll need to provide your lawful bases for processing personal data. Here's how Moz does this in a short but compliant clause:

Moz Privacy Policy: GDPR Lawful Bases for Processing Personal Data of Data Subjects clause

Be as clear, concise and specific as possible when letting users know what information you collect and for what purpose.

SurveyMonkey discloses the use of cookies in a robust Cookies clause. The full Cookies Policy is linked, and users are informed about why cookies are used:

SurveyMonkey Privacy Policy: Excerpt of Cookies clause

Moz includes its cookies information within a clause that also covers usage details, IP addresses and "other technologies:"

Moz Privacy Policy: Excerpt of Usage Details, IP Addresses, Cookies, and Other Technologies clause

ConvertKit's Privacy Policy has a clause called "Cookies and Other Tracking Technologies" that addresses cookies, web beacons and third-party tracking for advertising:

ConvertKit Privacy Policy: Cookies and Other Tracking Technologies clause with links for changing preferences

As long as the information is there, it's ok to create either a separate cookies clause or include the information in a more broad but relevant clause.

Cookies are often used for advertising purposes such as personalized marketing. If you participate in personalized marketing or remarketing, let your users know that you do this and how they can opt out.

SurveyMonkey includes a separate Personalized Marketing clause that does this:

SurveyMonkey Privacy Policy: Personalized marketing clause with opt-out information

Along with personalized marketing, you should disclose if you participate in direct marketing or commercial communications. This can be sending emails, text messages, mobile push notifications and other forms of direct communication.

Here's how Unbounce does it in its Privacy Policy:

Unbounce Privacy Policy: Excerpt of clause about opting out of commercial messages and contact

Let users know how they can opt out of these communications if they want to, as Buffer does here:

Buffer Privacy Policy: Excerpt of clause about how to update preferences and remove accounts

Sometimes a SaaS app will be sold or merged. This can be concerning for your users, as they may not be ok with their personal information being transferred to someone else.

Let your users know that a business transfer may happen and how their personal information will be affected by it. You can do this in a simple Business Transfers clause.

Here's how Buffer discloses that this may happen and lets users know they'll have the opportunity to opt out of the transfer of their information. This clause is placed immediately before a clause that discusses third party sharing of information, which also addresses the topic of sharing data with other businesses:

Buffer Privacy Policy: Business Transfers and Other Third Parties clauses

Unbounce discloses this in a very short and basic clause. It's simple, but it's adequate:

Unbounce Privacy Policy: Change of Ownership clause

Your app users will care greatly about the security of their data. SaaS apps are commonly used by businesses to process a lot of important and confidential data.

While you don't need to get specific about the security protocols you have in place with your app, let users know that you do take measures to keep their data safe.

ConvertKit notes that security protocols are in place to help keep data secure. It places the responsibility of protecting account security on the users, and provides contact information for reporting unauthorized account uses or security breaches:

ConvertKit Privacy Policy: Data Security clause

Unbounce has a more detailed Security clause that almost doubles as a disclaimer of liability for security. It notes that Unbounce is not responsible for unauthorized use of information, and that the company is released from liability in connection with the use of personal data:

Unbounce Privacy Policy: Updated Security clause

Asana has a Data Security clause that mentions the GDPR, includes a link to its audit data document and also links directly to its complete Security Statement page where additional information can be found.

Asana Privacy Policy: Data Security clause - GDPR

A very common and important clause in most legal agreements is the clause that reserves the right to change the legal agreement in the future.

Baremetrics encourages users to frequently check its Privacy Policy page to find out about any changes that have been made.

Baremetrics Privacy Policy: Updated Privacy Policy Changes clause

Moz lets its users know that changes will be posted to the Privacy Policy page, but that any material changes will come with notifications. The notifications will be either through email or a notice (such as a banner notice) on the site's homepage:

Moz Privacy Policy: Changes to Our Privacy Policy clause for updates

Even if your app by chance doesn't collect any personal data, you should still have a Privacy Policy available because your users will expect one.

Here's the intro of the Startpage Privacy Policy that discloses that no personal information is collected:

Screenshot of the introduction section of Startpage Privacy Policy

Check out the rest of the agreement to see how Startpage handles individual clauses.

In sum, you're likely required by law to have a Privacy Policy. While you aren't required to have a Terms of Use, it's a smart move to have one to protect your SaaS app.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.