DEV Community

Custodia-Admin
Custodia-Admin

Posted on

GDPR and SaaS Onboarding: How to Collect User Data Compliantly From Day One

#gdpr #saas #privacy #startup

GDPR and SaaS Onboarding: How to Collect User Data Compliantly From Day One

Published: March 27, 2026 · 11 min read

Your signup flow is the first moment a user hands you their personal data. It's also one of the highest-risk GDPR touchpoints in your entire product — and the one most founders get wrong.

The good news: getting it right isn't complicated. It just requires understanding a few core principles and applying them deliberately. This guide walks through every privacy consideration in SaaS onboarding, from the signup form to what happens when a trial expires.

Why Onboarding Is a Critical GDPR Touchpoint

Under GDPR, every time you collect, store, or process personal data, you need a lawful basis. Onboarding is where that collection starts — and where the foundation of your data relationship with users is set.

Get it wrong here, and you're not just risking a fine. You're creating a pattern of non-compliance that compounds over time: users who never properly consented, data you collected without justification, marketing lists built on shaky legal ground.

Regulators increasingly focus on onboarding flows. The Irish Data Protection Commission and the UK ICO have both issued guidance and enforcement actions specifically related to how companies collect data at the point of account creation. Facebook, Google, and LinkedIn have all faced significant fines for dark patterns during signup.

For SaaS founders, this is especially relevant because your users are often themselves businesses that care about data protection. If your onboarding signals poor privacy hygiene, enterprise and mid-market prospects will notice.

What Data You're Allowed to Collect During Signup

The core GDPR principle here is data minimisation: you should only collect personal data that is adequate, relevant, and limited to what is necessary for the purpose.

In practice, apply this test to every field in your signup form: If we deleted this field tomorrow, would we be unable to provide the service? If the answer is no, you probably shouldn't be collecting it.

Typically justified at signup:

  • Email address (needed for account creation, login, communications)
  • Name or display name (needed to identify the user within the product)
  • Password (needed for authentication — though many products defer to SSO)
  • Company name (if your pricing or product is B2B-specific)
  • Country or timezone (if relevant to product functionality)

Typically not justified at signup:

  • Phone number (unless your product uses SMS for 2FA or core features)
  • Date of birth (unless age verification is legally required)
  • Job title, team size, industry (can be collected later via progressive profiling)
  • Payment information before a free trial has been accepted

There's a practical argument for asking enrichment questions at signup ("What's your biggest challenge?", "What's your team size?") — but these should be clearly optional and you need to have a lawful basis for processing them too.

Lawful Basis: Contract vs. Consent

This is the most important distinction in SaaS onboarding GDPR compliance.

Contract (Article 6(1)(b)) covers data processing that is necessary to perform a contract with the user or to take steps at their request before entering into a contract. When someone signs up for your SaaS product, your terms of service constitute a contract. Processing the email address, name, and account data necessary to provide the service falls under this basis.

You do not need a separate consent checkbox for data that's processed under the contract basis. Asking for consent where contract applies is misleading — and if users later withdraw that "consent," you'd be obligated to delete data you legitimately need to run the service.

Consent (Article 6(1)(a)) is appropriate for processing that goes beyond what's needed to deliver the service — most commonly, marketing communications. Consent must be freely given, specific, informed, and unambiguous. Bundling marketing consent into your terms of service acceptance is not valid.

The practical rule: separate these clearly. Account creation = contract basis, no extra checkbox needed. Marketing emails = consent, separate opt-in required.

Handling Marketing Opt-Ins at Signup

This is where many SaaS founders create compliance risk without realising it.

What's not allowed:

  • Pre-ticked checkboxes for marketing emails
  • Bundling marketing consent into "I agree to the Terms of Service"
  • Saying "By creating an account, you agree to receive product updates and marketing communications"
  • Opt-out framing ("Uncheck this box if you don't want to receive emails")

What is required:

  • A separate, clearly labelled opt-in checkbox for marketing
  • Unticked by default
  • Specific about what they're signing up for ("I'd like to receive product tips, case studies, and offers from Acme by email")
  • Stored consent records including timestamp, user ID, and the consent text shown

You should also distinguish between transactional emails (password resets, invoices, security alerts — these are covered by contract basis and don't need separate consent) and marketing emails (newsletters, product announcements, promotional offers — these need explicit opt-in from EU/UK users).

For US users, the standard is lower under CAN-SPAM, but best practice is to apply your highest standard globally.

Progressive Data Collection

One of the most effective compliance strategies is also good UX: collect data progressively, at the point where it becomes relevant, rather than front-loading your signup form.

Instead of asking for company size, industry, and use case during onboarding, ask during the "aha moment" — when users are setting up their first project, inviting teammates, or connecting an integration. The data is more accurate because it's contextual, and the collection is easier to justify because you can tie it directly to a product feature.

This approach also reduces friction and improves conversion. Shorter signup forms consistently outperform longer ones.

Progressive collection in practice:

  • Signup: email + password (or SSO) only
  • Step 2 (in-product): workspace name, invite teammates
  • Step 3 (contextual): role, team size — shown when relevant to feature setup
  • Upsell flow: billing details collected only when the user initiates upgrade

Each collection event should have its own clear justification and, where necessary, its own disclosure to the user.

What Goes in Your Signup Flow: ToS and Privacy Links

Under GDPR, you must provide users with privacy information at or before the point of data collection. This is known as the transparency obligation (Articles 13 and 14).

Your signup form must include:

  • A clear link to your Privacy Policy
  • A clear link to your Terms of Service
  • A statement explaining that creating an account means accepting those terms

Your Privacy Policy must cover (at minimum):

  • Who the data controller is (your company name and contact details)
  • What data you collect and why
  • The lawful basis for each type of processing
  • How long you retain data
  • Who you share data with (third-party processors, subprocessors)
  • User rights (access, erasure, portability, objection)
  • How to contact you about privacy matters
  • Your Data Protection Officer contact (if you have one)

The statement on your signup form doesn't need to be long. Something like: "By creating an account, you agree to our [Terms of Service] and acknowledge our [Privacy Policy]." What matters is that the links are prominent and the policies are accurate.

Trial User Data and Deletion Obligations

Free trials are a common source of GDPR risk. Many SaaS products collect user data during trials but don't have a clear policy for what happens when the trial ends without conversion.

Under GDPR's storage limitation principle, you should not retain personal data for longer than necessary for the purpose it was collected. If someone signs up for a 14-day trial and doesn't convert, the purpose (evaluating your product) has ended.

Best practice:

  • Define a retention period for unconverted trial accounts in your privacy policy
  • Common approaches: delete or anonymise 30, 60, or 90 days after trial expiry
  • Send a pre-deletion notification email ("Your trial data will be deleted in 14 days — download your data or upgrade to keep access")
  • Actually run the deletion job — many companies have the policy but not the automation

If a user explicitly requests deletion (a right to erasure request), you must honour that regardless of your standard retention period. Build a deletion pathway into your product from day one; retrofitting it is painful.

What about data generated during the trial? User-generated content — documents, configurations, reports, anything the user created — is also personal data if it contains personal information. It's subject to the same retention limits and deletion obligations.

Storing IP Addresses and Device Fingerprints During Onboarding

IP addresses and device fingerprints are personal data under GDPR. The Court of Justice of the EU has consistently held that IP addresses can identify natural persons, even dynamic ones, when combined with data held by an ISP.

If you log IP addresses during signup (which most web servers do by default), you need to:

  1. Disclose this in your privacy policy
  2. Have a lawful basis (legitimate interest is often appropriate for fraud prevention and security)
  3. Limit retention — there's no need to store raw IPs indefinitely; 30-90 days is typically defensible for security purposes
  4. Consider pseudonymisation — truncating the last octet of an IP (203.0.113.x) or hashing it reduces the privacy risk while preserving enough information for fraud detection

Device fingerprinting is more complex. If you're using fingerprinting for fraud prevention without alternative methods, legitimate interest may apply — but it requires a Legitimate Interests Assessment (LIA). If you're using fingerprinting for tracking or analytics, consent is likely required.

Many SaaS products collect device data through third-party analytics tools (Mixpanel, Amplitude, Segment) or fraud prevention services (Stripe Radar, Persona). These are data processors — you need Data Processing Agreements with each of them, and you need to disclose them in your privacy policy.

User-Generated Data and Who Owns It

This is less a compliance question and more a contractual one — but it matters for GDPR because it affects how you process data and what happens when a user leaves.

Under GDPR, the distinction is between:

Your users' personal data (their account information, usage data, billing data) — you are the data controller, and you have direct obligations to those users.

Personal data that users input into your product (customer records in a CRM, candidate data in an ATS, contact lists in an email tool) — here, your user is the data controller and you are the data processor. You have different obligations, including the requirement to process that data only on the user's documented instructions.

Your Terms of Service and Data Processing Agreement (DPA) need to reflect this distinction clearly. Enterprise customers will ask for a DPA before signing. Having one ready signals maturity.

The practical implication: when a user deletes their account, they're entitled to their data back (portability) and to have it deleted from your systems. For data they input as a controller (and you process as a processor), you must delete or return it on termination of the contract.

Practical Onboarding Compliance Checklist

Use this when auditing or building your signup flow:

Data collection

  • [ ] Signup form collects only what's necessary to create an account
  • [ ] Optional fields are clearly marked as optional
  • [ ] Enrichment questions (role, company size) are deferred to in-product onboarding

Legal basis

  • [ ] Account creation data is processed under contract basis — no separate consent checkbox
  • [ ] Marketing opt-in is a separate, unticked checkbox with clear description
  • [ ] Consent records are stored with timestamp, user ID, and consent text

Transparency

  • [ ] Signup form includes visible links to Privacy Policy and Terms of Service
  • [ ] Privacy Policy accurately describes what data is collected during signup
  • [ ] Privacy Policy lists all third-party processors used in the signup flow

Trial data

  • [ ] Retention period for unconverted trials is defined in the privacy policy
  • [ ] Automated deletion (or anonymisation) is in place after that period
  • [ ] Pre-deletion notification is sent to expiring trial users
  • [ ] Account deletion pathway is available from within the product

Technical measures

  • [ ] IP address logging duration is limited (30-90 days)
  • [ ] IP truncation or pseudonymisation is applied where possible
  • [ ] DPAs are in place with all third-party processors in the signup flow
  • [ ] Data Processing Agreement (DPA) is available for B2B customers

User rights

  • [ ] Account deletion is self-serve or responds within 30 days
  • [ ] Data export (portability) is available
  • [ ] Privacy contact email is listed and monitored

Next Step: Audit What Your Signup Flow Is Actually Sending

It's one thing to have the right policies. It's another to know what your signup flow is actually doing — which third-party scripts are loading, what data they're capturing, and whether any of it fires before consent is given.

Custodia scans your website and signup flow to identify every tracker, pixel, and third-party tool that's active — and flags anything that's loading without lawful basis. Free, no signup required, results in 60 seconds.

Scan your website free at app.custodia-privacy.com/scan

Top comments (0)