Software as a Service (SaaS) is a delivery model for software. Whereas previously software was sold in a physical format with a one-off, up-front cost (think Windows 95 on CD-ROM), SaaS usually involves centrally-hosted software accessed via the web with an ongoing licence paid for by subscription. Such services are usually available via a browser, a native app, or both.
Examples include Office 365, Google Apps, and Dropbox.
There are significant advantages to delivering your product via SaaS. But it's a decision not to be taken lightly.
If your company wants to offer SaaS, you'll need to have a clear, concise and comprehensive Privacy Policy to ensure that you're legally compliant and providing all the necessary information to your users.
Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.
- Click on the "Free Privacy Policy Generator" button, located at the top of the website.
- Select where your Privacy Policy will be used:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- Continue building your Privacy Policy by answering the questions from our wizard:
Almost done. Now enter your email address where you'd like your new Privacy Policy sent and click on the "Generate" button and you're done.
That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.
- 1. Your SaaS App Needs a Privacy Policy
- 1.1. A Privacy Policy is Required By Law
- 2. What Your SaaS App Privacy Policy Should Include
- 2.1. Who You Are
- 2.2. What Data Your SaaS App Collects
- 2.2.1. Personal Data Your Users Provide
- 2.2.2. Personal Data Your SaaS App Collects Automatically
- 2.2.3. Personal Data You Receive From Third Parties
- 2.3. Why You Need To Process This Data
- 2.4. Your Lawful Basis
- 2.5. Who You'll Be Sharing Your Users' Data With
- 2.6. Whether You'll Be Transferring User Data Overseas
- 2.7. How Long Your SaaS App Stores Users' Data
- 2.8. How Your Users Can Exercise Their Data Rights
- 2.9. How You're Keeping Your Users' Data Safe
- 3. Where to Add Your Privacy Policy in Your SaaS App
- 3.1. On Sign-up or Installation
- 3.2. A Menu Within Your App
- 4. Ensuring Your SaaS App Complies With Privacy Law
Your SaaS App Needs a Privacy Policy
Any company or individual that processes personal data needs a Privacy Policy.
- "Personal data" means any data that could be used, alone or combined with other data, to identify an individual, for example their:
- Full name
- Email address
- Credit card details
- Browser information and cookies
- "Processing" means doing, well, pretty much anything with that data. This includes:
- Storing it
- Sending an email
- Sending credit card details to an eCommerce service
- Collecting cookie data
A Privacy Policy is Required By Law
An increasing number of countries are implementing strict data protection laws which require companies to have a Privacy Policy.
This is good news for individuals, as it means that their personal data is processed transparently - but it does introduce an additional burden for businesses.
- The EU's General Data Protection Regulation (GDPR) applies when the personal data of individuals in the EU is processed, regardless of their citizenship. A Privacy Policy is mandatory under the GDPR, and you don't need to be based in the EU to be subject to it: offering a service to people in the EU, or monitoring their behaviour, is enough.
- Likewise, the California Online Privacy Protection Act (CalOPPA) requires a Privacy Policy and applies to any operator of a commercial website or online service that collects personally identifiable information from California residents, wherever the operator is based.
- The Australian Privacy Act 1988 requires organisations covered by the Act (Australian government agencies, businesses above a turnover threshold, and certain smaller businesses that handle sensitive data) to have a Privacy Policy. This law can also apply to organisations outside Australia that have an Australian link.
What Your SaaS App Privacy Policy Should Include
There are countless ways to present your Privacy Policy, but there are some things that you must include.
Who You Are
Article 13(1)(a) of the GDPR requires a Privacy Policy to provide "the identity and the contact details of the controller." The word "controller" here means "data controller." Under Article 4(7) of the GDPR, the data controller is the person or organization which "determines the purposes and means of the processing of personal data." Because you're asking people to provide their personal data in order to use your SaaS app, your company is a data controller.
Here's how file-sharing SaaS provider Box provides its contact details in its Privacy Policy:
You'll see that Box makes reference to the contact details of its Data Protection Officer (DPO), as well. If you're required under Article 37 of the GDPR to appoint a DPO, make sure to include contact information for this individual in your Privacy Policy.
What Data Your SaaS App Collects
Your SaaS app might collect a variety of personal data including:
- Data provided by users on registration
- Data collected automatically by the app
- Data received from third parties
Article 14(1)(d) of the GDPR requires your Privacy Policy to provide information about "the categories of personal data" you're collecting.
CalOPPA also requires that a Privacy Policy "identify the categories of personally identifiable information that the operator collects."
Here's how Evernote breaks down the information about these broad types of personal data it collects and receives in its Privacy Policy:
Personal Data Your Users Provide
Much of the information your SaaS app collects about your users will be provided by them when they sign up for an account. This is likely to include their name, email address, and billing information.
Here's how Zendesk, a customer service software company which operates via SaaS, explains this in its Privacy Policy. Zendesk explains the difference between the types of information provided when signing up for a paid or trial account:
Personal Data Your SaaS App Collects Automatically
SaaS apps often collect personal data via log files as part of the app's normal functioning. Be aware that according to EU case law, such as Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland, an IP address can constitute personal data, and therefore so can a log file that records one.
If your SaaS stores log files (for example, those that record errors or access requests) on a web server, this needs to be disclosed as part of your Privacy Policy.
Here's how collaborative SaaS company Slack explains its use of log files:
Some SaaS apps choose to group information about log files along with information about other types of technical data such as cookies.
Here's how fundraising software company Salsa Labs presents this information in its SaaS Privacy Policy:
SaaS provider Salesforce informs its users about how it responds to Do Not Track (DNT) signals. This is a requirement under CalOPPA.
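The Breyer point above has a practical consequence: the less identifying the log data you keep, the smaller the personal-data footprint you have to disclose, secure and retain. The following Python snippet is an added example of one common mitigation, truncating client IP addresses in access logs before they go to long-term storage; it is not code from this article or from any of the vendors named in it. The log format, the prefix lengths (/24 for IPv4, /48 for IPv6) and the sample log lines are my own assumptions, constructed for illustration.

```python
"""
Added example (not from the article or any vendor it names): reduce the
personal data held in web-server access logs by truncating client IP
addresses before the lines are written to long-term storage.

Assumptions (mine): logs use the common Apache/nginx "combined" format with
the client address as the first field, and the retention policy allows
keeping only the network prefix (/24 for IPv4, /48 for IPv6).
"""
import ipaddress
import re

# The first whitespace-delimited token of a combined-format line is the
# client address; everything after it is kept verbatim.
_LINE_RE = re.compile(r"^(?P<ip>\S+)(?P<rest>\s.*)$")


def truncate_ip(ip_text: str, v4_prefix: int = 24, v6_prefix: int = 48) -> str:
    """Return the address with its host bits zeroed.

    Anything that is not a valid IP address (a hostname, '-', garbage) is
    returned unchanged, so a malformed field is never silently rewritten
    into something that looks like a valid, truncated address.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonymise_line(line: str) -> str:
    """Truncate the client address in one log line; pass other lines through."""
    m = _LINE_RE.match(line)
    if not m:
        return line
    return truncate_ip(m.group("ip")) + m.group("rest")


def pseudonymise_log(lines):
    """Apply pseudonymise_line to every line, preserving order."""
    return [pseudonymise_line(line) for line in lines]


# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /app/login HTTP/1.1" 200 512',
    '2001:db8:abcd:1234::5 - - [10/Oct/2023:13:55:37 +0000] "POST /api/v1/session HTTP/1.1" 201 98',
    'not-an-ip - - [10/Oct/2023:13:55:38 +0000] "GET /health HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for out in pseudonymise_log(SAMPLE_LOG):
        print(out)
```

Truncation is a reduction, not a guarantee of anonymity: a /24 still narrows a visitor to a small network, and the timestamp, path and user-agent fields remain in the line, so the stored logs should still be treated as personal data in your policy and your retention schedule. A keyed hash (HMAC) of the full address is an alternative when you need to correlate requests from the same client without keeping the address itself.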
Personal Data You Receive From Third Parties
Your company may receive data about its users from third parties.
Here's how LogMeIn (the company behind SaaS apps such as GoToMeeting) explains this to its users in its Privacy Policy:
Be careful when processing third-party data about your users. The European Commission warns that to ensure GDPR compliance, if you're receiving data from another organization, that organization:
"must be able to demonstrate that the data was obtained in compliance with the General Data Protection Regulation and that it may use it for advertising purposes."
And that:
"your company/organisation must also ensure that the list or database is up-to-date and that you don't send advertising to individuals who objected to the processing of their personal data for direct marketing purposes."
Why You Need To Process This Data
Your Privacy Policy needs to explain not just what data your SaaS app is collecting, but also why your company needs to process that data.
Here's how video software company Piksel explains this in its SaaS Privacy Policy:
Keep in mind two of the core principles of data protection under Article 5(1) of the GDPR: "purpose limitation" (Article 5(1)(b)), which means personal data may only be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with them, and "data minimisation" (Article 5(1)(c)), which means you should only collect the personal data you need in order to operate your SaaS app (together with any broader purposes for which your company needs to process personal data, if there are any).
Your Lawful Basis
Under Article 6 of the GDPR, your company may only process personal data under one of six "lawful bases."
Here's how SaaS company DocuSign presents information about its lawful basis for processing its users data in its Privacy Policy:
Who You'll Be Sharing Your Users' Data With
Your users need to know about who you'll be sharing their personal data with.
For example, you'll probably be taking payment information via your SaaS app. If you do this through an eCommerce platform, you'll need to make your users aware of this.
Under Article 13(1)(e) of the GDPR, you're required to provide information about "the recipients or categories of recipients of the personal data." You don't need to name each company you'll be sharing data with - only list each type of company you'll be sharing data with.
Here's how Adobe, which provides SaaS apps via its Creative Cloud software suite, explains this in its Privacy Policy:
Whether You'll Be Transferring User Data Overseas
SaaS apps typically rely on cloud storage. If you have users in the EU (or the wider EEA) and you're hosting their personal data outside of this region (e.g. in the US), Article 13(1)(f) of the GDPR requires you to provide information about your intention "to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission."
The second part of that rule requires some explanation. The European Commission is one of the institutions of the EU. One of the Commission's jobs is to assess the adequacy of other countries' data protection regimes. So far, the Commission has recognised a number of countries as adequate, including Canada (for commercial organisations) and New Zealand. Companies in the US used to have the option to sign up to the EU-US Privacy Shield framework, which the Court of Justice of the EU invalidated in 2020.
Its successor, the EU-U.S. Data Privacy Framework, received an adequacy decision from the Commission in July 2023, so transfers to US companies that self-certify under it can rely on that decision. Transfers to any other destination without an adequacy decision need another recognised mechanism, most commonly the Commission's standard contractual clauses, and your policy should say which one you rely on.
How Long Your SaaS App Stores Users' Data
Storage limitation is one of the six privacy principles listed under Article 5(1)(e) of the GDPR, which states that personal data can be stored: "for no longer than is necessary for the purposes for which the personal data are processed."
This means that your company must consider how long it needs to keep each type of personal data it stores. It can do this by drawing up a "retention schedule."
Here's how The LaTeX Project, which maintains the LaTeX document preparation system, presents information about how long it stores users' data in its Privacy Policy:
Security software company Demisto even provides details of its retention schedule for different types of personal data in its Privacy Policy:
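A retention schedule is only useful if something enforces it. The Python below is an added example, not code from this article, from Demisto or from The LaTeX Project, of the core of such an enforcement job: a schedule keyed by data category, a check that refuses to guess a period for data nobody has classified, a selector for records whose period has elapsed, and a helper that renders the schedule in the form a Privacy Policy can quote. The categories, periods, record layout and sample records are placeholders I chose for illustration.

```python
"""
Added example (not from the article or any vendor it names): enforce a
retention schedule by selecting the records that have outlived the period
set for their personal-data category.

Assumptions (mine): every stored record carries a category and the instant
its retention clock starts from (account closure, invoice date, request
time, ticket closure). The periods are placeholders for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Placeholder schedule keyed by personal-data category. The comment names
# the event that starts the clock; the published schedule should say so too.
RETENTION = {
    "account_profile": timedelta(days=30),       # from account closure
    "billing_record": timedelta(days=365 * 7),   # from invoice date
    "access_log": timedelta(days=90),            # from request time
    "support_ticket": timedelta(days=365 * 2),   # from ticket closure
}


class UnknownCategory(ValueError):
    """Raised for data that has never been classified in the schedule."""


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    retain_from: datetime  # must be timezone-aware


def expiry_of(record: Record) -> datetime:
    """Return the instant after which the record may be deleted.

    An unclassified category is a gap in the schedule, so refuse rather than
    silently keep the data forever. Naive datetimes are rejected because
    comparing them with an aware 'now' either raises or compares wrongly.
    """
    if record.category not in RETENTION:
        raise UnknownCategory(record.category)
    if record.retain_from.tzinfo is None:
        raise ValueError(f"{record.record_id}: retain_from must be timezone-aware")
    return record.retain_from + RETENTION[record.category]


def due_for_deletion(records, now: datetime) -> list:
    """Sorted IDs of records whose retention period has elapsed at 'now'."""
    return sorted(r.record_id for r in records if expiry_of(r) <= now)


def schedule_as_text() -> str:
    """Render the schedule as lines a Privacy Policy can quote directly."""
    return "\n".join(f"{cat}: {period.days} days" for cat, period in RETENTION.items())


# Constructed sample records and a fixed reference time (not real data).
UTC = timezone.utc
NOW = datetime(2024, 1, 1, tzinfo=UTC)
SAMPLE_RECORDS = [
    Record("acct-1", "account_profile", datetime(2023, 11, 1, tzinfo=UTC)),  # expired 2023-12-01
    Record("log-1", "access_log", datetime(2023, 12, 15, tzinfo=UTC)),       # expires 2024-03-14
    Record("inv-1", "billing_record", datetime(2016, 6, 1, tzinfo=UTC)),     # expired mid-2023
    Record("tkt-1", "support_ticket", datetime(2023, 6, 1, tzinfo=UTC)),     # expires 2025
]

if __name__ == "__main__":
    print(schedule_as_text())
    print("due for deletion:", due_for_deletion(SAMPLE_RECORDS, NOW))
```

Two design points are worth carrying into a real job: the job should fail loudly on an unclassified category rather than default to "keep", because data that nobody owns is exactly the data that ends up retained indefinitely, and the deletion itself should be a separate, logged step so that you can show what was removed and when if a user or regulator asks.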
How Your Users Can Exercise Their Data Rights
Under Chapter 3 of the GDPR, individuals have certain rights over their personal data, including access, rectification, erasure, restriction, portability and objection. If your company processes the personal data of individuals in the EU, it's up to you to help them exercise those rights.
SaaS company SurveyMonkey sets out all of these rights in its Privacy Policy:
Cloud storage service Dropbox helpfully provides links to various areas of its site where users can exercise some of their data rights:
Here's how Office 365 informs its users about how to exercise their right to data portability under Article 20 of the GDPR:
How You're Keeping Your Users' Data Safe
SaaS apps generally store user data in the cloud, but hosting with a cloud provider does not move the responsibility for keeping that data secure off your company: under Article 32 of the GDPR you must implement "appropriate technical and organisational measures", and Articles 33 and 34 set out your notification duties if a breach occurs. Be transparent in your Privacy Policy about the kinds of measures you've taken (for example encryption in transit and at rest, access controls, and independent audits) and about how you'll respond to a data breach, but keep the description at the level of controls rather than configuration details: a policy is a public document, and it shouldn't double as a map of your infrastructure.
Here's how Google puts it in relation to its G Suite series of SaaS apps:
Here's how inventory management and eCommerce software company Skubana explains its commitment to data security in its Privacy Policy:
Where to Add Your Privacy Policy in Your SaaS App
CalOPPA requires that your company presents its Privacy Policy on its website and gives some very specific requirements as to how to do this. You should also make your Privacy Policy accessible via your SaaS app.
There are a couple of ways you can do this.
On Sign-up or Installation
Getting your Privacy Policy in front of your users as early as possible is a good idea. One opportunity to do this is at signup. If your SaaS app allows users to sign up when they install the app, you should give them the option to view your Privacy Policy at this point.
Here's the account setup screen from the Spotify Windows app:
Note how the Privacy Policy is linked directly above the "Join Spotify" button and users are encouraged to read the policy. This allows users to read the policy before deciding to create an account.
A Menu Within Your App
You can also provide information about your Privacy Policy via a menu within your app.
Here's what the Evernote Windows app displays when the user chooses the "About" option from the "Help" menu:
Here's a picture of the Settings menu on the Evernote Android app:
Here's what users see when they select the "Legal" option:
Ensuring Your SaaS App Complies With Privacy Law
More and more companies are making SaaS their delivery model of choice. Whilst there are some additional privacy and data protection considerations to take into account, these are easily managed - and easily communicated via a clear and concise Privacy Policy.
Make sure that your Privacy Policy includes information about:
- Who you are, and how you can be contacted.
- Include the name and contact details of your Data Protection Officer if your company is required to appoint one.
- The types of personal data that your SaaS app collects:
- Data volunteered by your users when they sign up for or install your SaaS app
- Data your SaaS app collects from your users such as log files
- Data your company receives from third parties
- Why it's necessary for you to process this data in order to offer your SaaS app.
- If you're serving EU users, your company's lawful basis for processing data under Article 6 of the GDPR.
- What types of organizations you'll be sharing data with.
- If you're serving EU users, whether you'll be transferring their personal data overseas (i.e. to a non-EU country):
- If so, whether you'll be transferring to a country covered by a European Commission adequacy decision, or relying on another recognised transfer mechanism such as the standard contractual clauses.
- How long your SaaS app will store your users' personal data.
- If you're serving EU users, how your users can exercise their rights under Chapter 3 of the GDPR:
- How your users can withdraw their consent
- How your users can request a copy of their personal data
- Consider how you'll present your Privacy Policy to your users within your SaaS app:
- At sign-up or installation
- Via a menu within your SaaS app