GDPR Privacy Policy Requirements: What Your SaaS Website Actually Needs
Disclaimer: This article is for educational purposes. It is not legal advice. Consult a qualified lawyer for compliance requirements specific to your situation.
If you're launching a SaaS product and serving users in the EU or California, you need a privacy policy. Here's what the law actually requires, in plain English.
What GDPR requires
The GDPR (General Data Protection Regulation) applies to any business that processes the personal data of people in the EU, regardless of where your company is based. The core requirement is transparency: users must be told what data you collect, why you collect it, how long you keep it, and who you share it with.
Required sections in a GDPR-compliant privacy policy
1. Data controller identity
Your company name, registered address, and contact information. EU-based businesses may need to appoint a Data Protection Officer (DPO).
2. What data you collect
Be specific. 'Email address, name, IP address, cookies, usage data.' Avoid vague terms like 'personal information' without listing what that means.
3. Legal basis for processing
GDPR requires a legal basis: (a) consent, (b) contract performance, (c) legal obligation, (d) vital interests, (e) public task, or (f) legitimate interests. Most SaaS falls under (b) or (f).
4. Purpose of processing
Why you're collecting each type of data. 'Email to send account notifications and product updates.' Purpose must be specific.
5. Data retention
How long you keep data. 'Account data is retained for the duration of the subscription plus 30 days after cancellation.'
6. Third-party sharing
Every service that receives user data: analytics (Google Analytics, Mixpanel), payments (Stripe), email (Postmark, Resend), hosting (Vercel, AWS).
7. User rights
Right to access, rectify, erase, restrict processing, data portability, object to processing. Must include how to exercise these rights (usually an email address).
8. International transfers
If you transfer data outside the EU, you must describe the legal mechanism (Standard Contractual Clauses, adequacy decision, etc.).
9. Cookie policy
If you use cookies, describe them: essential vs analytics vs marketing. Link to or include this in your privacy policy.
CCPA (California) differences
CCPA applies if you have California users AND meet one of these thresholds: annual gross revenue over $25M, buy/sell/share personal data of 100,000+ consumers/households per year, or derive 50%+ of revenue from selling personal data. Most early-stage SaaS doesn't meet the threshold, but disclosing CCPA rights costs nothing.
CCPA adds: right to know what data is collected, right to delete, right to opt out of selling, and non-discrimination for exercising rights.
Common mistakes to avoid
- Copying a policy template without customizing the company name, contact details, and third-party services
- Listing services you don't actually use (creates a false impression)
- Forgetting to add new services as you integrate them (add Intercom? Update the policy.)
- Using a 'last updated' date that's years old; regulators look at this
- No contact mechanism for data subject requests (add a privacy@yourdomain.com email)
Generate a GDPR- and CCPA-compliant privacy policy for your specific stack with the Privacy Policy Generator: fill in your company details, select your data types and third-party services, and get a complete Markdown policy in seconds. Not a substitute for legal advice.
