What Counts as Personal Data?
More than most founders realise. Personal data includes:
- Email addresses
- Names
- IP addresses
- Usage data (which features a user clicks on, how long they're in the app)
- Payment information
- Location data
- Device identifiers
If your product collects any of these — and your product almost certainly does — you are legally required to tell your users about it.
Why the Law Requires It
In the UK, the UK GDPR (and its predecessor, the EU GDPR) requires any business collecting personal data to publish a clear, accessible privacy policy. This applies to:
- SaaS products with UK or EU users
- Mobile apps available in the UK or EU App Stores
- Any website with a contact form, sign-up form, or analytics
The Information Commissioner's Office (ICO) in the UK can issue fines of up to £17.5 million or 4% of global annual turnover for serious breaches. While enforcement against small startups is rare, a missing privacy policy is an immediate red flag to enterprise customers, investors, and anyone doing due diligence on your product.
Beyond fines — users notice. A product without a privacy policy looks unfinished. It undermines trust at the exact moment you're asking someone to hand over their personal information.
What Your SaaS Privacy Policy Needs to Cover
A proper privacy policy for a SaaS product should include:
1. Who you are
Your company name, trading name, and contact details. If you're a sole trader, this can be your name and email.
2. What data you collect
Be specific. "We collect your email address when you sign up" is better than "we may collect certain information."
3. Why you collect it
The legal basis for each type of data. Under UK GDPR, you need a valid reason — contract performance, legitimate interests, or consent.
4. Who you share it with
If you use Stripe for payments, Mixpanel for analytics, Intercom for support — these third parties need to be named.
5. How long you keep it
You can't keep data indefinitely. Set out your retention periods clearly.
6. User rights
UK users have the right to access, correct, delete, and export their data. Your policy needs to acknowledge this and tell users how to exercise these rights.
7. Cookies
If your SaaS uses cookies — and it almost certainly does — your privacy policy should reference your cookie policy or cover cookies directly.
The Problem With Generic Templates
There are free privacy policy generators online that produce generic, placeholder-filled documents. The problem is they're not personalised to your product.
A privacy policy that says "we may collect [INSERT DATA TYPES]" or "we use [INSERT THIRD PARTIES]" is worse than useless. It signals to users and regulators that you copied a template without reading it, and it may not accurately reflect what your product actually does.
Your privacy policy needs to be specific to your product, your data practices, and your jurisdiction.
How to Get One Without Hiring a Lawyer
You don't need to spend £500 on a solicitor to get a proper privacy policy.
InkTerms generates a fully personalised privacy policy based on answers to a short questionnaire about your product. It covers your specific data types, your third-party tools, your jurisdiction, and your user rights obligations. You answer 14 questions. We generate the document. You edit, download, and publish.
From £9. Ready in minutes.
Generate your SaaS privacy policy →
InkTerms provides AI-assisted document generation and is not a substitute for professional legal advice. We recommend reviewing any generated document with a qualified legal professional before relying on it for your business.
Originally published on InkTerms Blog