Aarunya Apps
🔒 Security · 9 min read · September 30, 2026

GDPR Privacy Policy Requirements: What Your SaaS Website Actually Needs

Disclaimer: This article is for educational purposes. It is not legal advice. Consult a qualified lawyer for compliance requirements specific to your situation.

If you're launching a SaaS product and serving users in the EU or California, you need a privacy policy. Here's what the law actually requires, in plain English.

What GDPR requires

The GDPR (General Data Protection Regulation) applies to any business that processes the personal data of people in the EU, regardless of where your company is based. The core requirement is transparency: users must be told what data you collect, why you collect it, how long you keep it, and who you share it with.

Required sections in a GDPR-compliant privacy policy

  • 1. Data controller identity

    Your company name, registered address, and contact information. EU-based businesses may need to appoint a Data Protection Officer (DPO).

  • 2. What data you collect

    Be specific. 'Email address, name, IP address, cookies, usage data.' Avoid vague terms like 'personal information' without listing what that means.

  • 3. Legal basis for processing

    GDPR requires a legal basis: (a) consent, (b) contract performance, (c) legal obligation, (d) vital interests, (e) public task, or (f) legitimate interests. Most SaaS falls under (b) or (f).

  • 4. Purpose of processing

    Why you're collecting each type of data. 'Email to send account notifications and product updates.' Purpose must be specific.

  • 5. Data retention

    How long you keep data. 'Account data is retained for the duration of the subscription plus 30 days after cancellation.'

  • 6. Third-party sharing

    Every service that receives user data: analytics (Google Analytics, Mixpanel), payments (Stripe), email (Postmark, Resend), hosting (Vercel, AWS).

  • 7. User rights

    The rights to access, rectify, and erase their data, to restrict processing, to data portability, and to object to processing. You must also state how users can exercise these rights (usually an email address).

  • 8. International transfers

    If you transfer data outside the EU, you must describe the legal mechanism (Standard Contractual Clauses, adequacy decision, etc.).

  • 9. Cookie policy

    If you use cookies, describe them: essential vs. analytics vs. marketing. Link to or include this in your privacy policy.

CCPA (California) differences

CCPA applies if you have California users AND meet one of these thresholds: annual gross revenue over $25M, buy/sell/share personal data of 100,000+ consumers/households per year, or derive 50%+ of revenue from selling personal data. Most early-stage SaaS doesn't meet the threshold, but disclosing CCPA rights costs nothing.

CCPA adds: right to know what data is collected, right to delete, right to opt out of selling, and non-discrimination for exercising rights.

Common mistakes to avoid

  • ✗ Copying a policy template without customizing the company name, contact details, and third-party services
  • ✗ Listing services you don't actually use (creates a false impression)
  • ✗ Forgetting to add new services as you integrate them (add Intercom? Update the policy.)
  • ✗ Using a 'last updated' date that's years old; regulators look at this
  • ✗ No contact mechanism for data subject requests (add a privacy@yourdomain.com email)

Generate a GDPR- and CCPA-compliant privacy policy for your specific stack with the Privacy Policy Generator: fill in your company details, select your data types and third-party services, and get a complete Markdown policy in seconds. Not a substitute for legal advice.
