Software as a Service (SaaS) is a delivery model for software. Whereas previously software was sold in a physical format with a one-off, up-front cost (think Windows 95 on CD-ROM), SaaS usually involves centrally-hosted software accessed over the web under an ongoing licence paid for by subscription. The software is typically reachable through a browser, a native app, or both.

Examples include Office 365, Google Apps, and Dropbox.

There are significant advantages to delivering your product via SaaS. But it's a decision not to be taken lightly.

If your company wants to offer SaaS, you'll need to have a clear, concise and comprehensive Privacy Policy to ensure that you're legally compliant and providing all the necessary information to your users.


Your SaaS App Needs a Privacy Policy


Any company or individual that processes personal data needs a Privacy Policy.

  • "Personal data" means any data that could conceivably be used to identify an individual, for example their:
    • Full name
    • Email address
    • Credit card details
    • Browser information and cookies
  • "Processing" means doing, well, pretty much anything with that data. This includes:
    • Storing it
    • Sending it by email
    • Sending credit card details to an eCommerce service
    • Collecting cookie data

A Privacy Policy is Required By Law

An increasing number of countries are implementing strict data protection laws which require companies to have a Privacy Policy. This is good news for individuals, as it means that their personal data is processed transparently - but it does introduce an additional burden for businesses.

  • The EU's General Data Protection Regulation (GDPR) applies when you process the personal data of individuals in the EU, regardless of their citizenship. A Privacy Policy is mandatory under the GDPR, and under Article 3 you don't need to be based in the EU to be subject to it.
  • Likewise, the California Online Privacy Protection Act (CalOPPA) requires a Privacy Policy from any operator of a commercial website or online service that collects personally identifiable information from California residents, wherever the operator is based.
  • The Australian Privacy Act 1988 requires organisations covered by the Act to have a clearly expressed and up-to-date Privacy Policy, and it can apply to organisations outside Australia that handle Australians' personal information.

What Your SaaS App Privacy Policy Should Include


There are countless ways to present your Privacy Policy, but there are some things that you must include.

Who You Are

Article 13(1)(a) of the GDPR requires a Privacy Policy to provide "the identity and the contact details of the controller." The word "controller" here means "data controller." Under Article 4(7) of the GDPR, the data controller is the person or organization which "determines the purposes and means of the processing of personal data." Because you're asking people to provide their personal data in order to use your SaaS app, your company is a data controller for that account data. (For content your business customers upload about their own end users, you'll usually be a "processor" under Article 4(8), acting on the customer's instructions; that relationship belongs in a data processing agreement under Article 28 rather than in your Privacy Policy.)

Here's how file-sharing SaaS provider Box provides its contact details in its Privacy Policy:

Box Privacy Policy: Contacting Us clause

You'll see that Box makes reference to the contact details of its Data Protection Officer (DPO), as well. If you're required under Article 37 of the GDPR to appoint a DPO, make sure to include contact information for this individual in your Privacy Policy.

What Data Your SaaS App Collects

Your SaaS app might collect a variety of personal data including:

  • Data provided by users on registration
  • Data collected automatically by the app
  • Data received from third parties

Article 14(1)(d) of the GDPR (which covers personal data you did not obtain directly from the data subject) requires your Privacy Policy to provide information about "the categories of personal data" you're collecting.

CalOPPA also requires that a Privacy Policy "identify the categories of personally identifiable information that the operator collects."

Here's how Evernote breaks down the information about these broad types of personal data it collects and receives in its Privacy Policy:

Evernote Privacy Policy: What information does Evernote collect clause

Personal Data Your Users Provide

Much of the information your SaaS app collects about your users will be provided by them when they sign up for an account. This is likely to include their name, email address, and billing information.

Here's how Zendesk, a customer service software company which operates via SaaS, explains this in its Privacy Policy. Zendesk explains the difference between the types of information provided when signing up for a paid or trial account:

Zendesk Privacy Policy: Information That You Provide To Us - Account and Registration Information clause

Personal Data Your SaaS App Collects Automatically

SaaS apps often collect personal data automatically, for example in the log files written as part of the app's normal operation. Be aware that under CJEU case law, notably Case C-582/14 Patrick Breyer v Bundesrepublik Deutschland, even a dynamic IP address can constitute personal data where the operator has lawful means of linking it to a person, so a log file that records IP addresses contains personal data.

If your SaaS stores log files (for example, those that log errors or access) on a web server, this would need to be disclosed as part of your Privacy Policy.

Here's how collaborative SaaS company Slack explains its use of log files:

Slack Privacy Policy: Log data clause

Some SaaS apps choose to group information about log files along with information about other types of technical data such as cookies.

Here's how fundraising software company Salsa Labs presents this information in its SaaS Privacy Policy:

Salsa Labs SaaS Privacy Policy: Information We Collect Automatically clause

SaaS provider Salesforce informs its users about how it responds to Do Not Track (DNT) signals. CalOPPA requires you to disclose how you respond to a browser's DNT signal (the `DNT: 1` request header); it does not require you to honour the signal, but what you disclose must match what your app actually does.

Salesforce UK Privacy Statement: Do Not Track (DNT) clause

Personal Data You Receive From Third Parties

Your company may receive data about its users from third parties.

Here's how LogMeIn (the company behind SaaS apps such as GoToMeeting) explains this to its users in its Privacy Policy:

LogMeIn Privacy Policy: Third Party Data clause

Be careful when processing third-party data about your users. The European Commission's guidance on using personal data obtained from another organisation (written in the context of direct marketing) warns that, to ensure GDPR compliance, the organisation supplying the data:

"must be able to demonstrate that the data was obtained in compliance with the General Data Protection Regulation and that it may use it for advertising purposes."

And that:

"your company/organisation must also ensure that the list or database is up-to-date and that you don't send advertising to individuals who objected to the processing of their personal data for direct marketing purposes."

Why You Need To Process This Data

Your Privacy Policy needs to explain not just what data your SaaS app is collecting, but also why your company needs to process that data.

Here's how video software company Piksel explains this in its SaaS Privacy Policy:

Piksel SaaS Privacy Policy: Uses made of the information clause

Keep in mind two of the core principles of data protection in Article 5(1) of the GDPR: "purpose limitation" (Article 5(1)(b)) and "data minimisation" (Article 5(1)(c)). Collect only the personal data you need in order to operate your SaaS app (together with any broader, stated purposes for which your company genuinely needs to process personal data), and don't reuse data you collected for one purpose for an incompatible one.

Your Lawful Basis

Under Article 6 of the GDPR, your company may only process personal data under one of six "lawful bases."

Here's how SaaS company DocuSign presents information about its lawful basis for processing its users' data in its Privacy Policy:

DocuSign UK Privacy Policy: Lawful Basis for Processing Your Information clause

Who You'll Be Sharing Your Users' Data With

Your users need to know about who you'll be sharing their personal data with.

For example, you'll probably be taking payment information via your SaaS app. If you do this through an eCommerce platform, you'll need to make your users aware of this.

Under Article 13(1)(e) of the GDPR, you're required to provide information about "the recipients or categories of recipients of the personal data." The text allows you to list categories rather than name every company, but EU regulators' transparency guidance says the default should be to name the actual recipients where you can, and to describe categories as specifically as possible (for example "payment processors" rather than "third parties").

Here's how Adobe, which provides SaaS apps via its Creative Cloud software suite, explains this in its Privacy Policy:

Adobe Privacy Policy: Sharing with Data Processors - third party clause

Whether You'll Be Transferring User Data Overseas

SaaS apps typically rely on cloud storage. If you have users in the EU or Switzerland and you're hosting their personal data outside of this region (e.g. in the US), Article 13(1)(f) of the GDPR requires you to provide information about your intention "to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission."

The second part of that rule requires some explanation. The European Commission is one of the institutions of the EU, and one of its jobs is to assess whether other countries' data protection regimes are "adequate." At the time of writing, the Commission had endorsed the regimes of twelve countries, including Canada and New Zealand, and the US was included only for companies signed up to the EU-US Privacy Shield framework. Note that the Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 (Schrems II, Case C-311/18) and has since been replaced by the EU-US Data Privacy Framework (adequacy decision of July 2023), so check the Commission's current list of adequacy decisions rather than relying on this one. Where no adequacy decision applies, you need another safeguard under Article 46, such as Standard Contractual Clauses, and Article 13(1)(f) requires your Privacy Policy to say which safeguard you rely on.

Here's how marketing software company HubSpot explains this in its Privacy Policy:

HubSpot Privacy Policy: International Transfer of Information: EU-US Privacy Shield clause

How Long Your SaaS App Stores Users' Data

Storage limitation is one of the six data protection principles set out in Article 5(1) of the GDPR. Article 5(1)(e) states that personal data may be kept "for no longer than is necessary for the purposes for which the personal data are processed."

This means that your company must decide how long it needs to keep each type of personal data it stores, and then actually delete or anonymise that data when the period expires. It can do this by drawing up a "retention schedule."

Here's how The LaTeX Project (the team behind the LaTeX document preparation system) presents information about how long it stores users' data in its Privacy Policy:

The LaTeX Project Data Privacy Policy: Access Data/Server Logs clause with retention schedule

Security software company Demisto even provides details of its retention schedule for different types of personal data in its Privacy Policy:

Demisto Privacy Policy: Data Retention clause chart
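
Because access logs contain IP addresses (personal data, as discussed above) and must be kept no longer than necessary, a practical way to implement a retention schedule is to enforce it automatically: drop log entries older than the period set for their category, and truncate the IP addresses in the entries you keep so the stored data is less identifying. The Python below is an added example, not code from this page or from any of the companies named here; the log format, the retention periods and the sample log lines are all assumptions constructed for illustration.

```python
"""Added example: enforce a per-category log retention schedule and truncate
IP addresses before storage. The log format, retention periods and sample
lines are assumptions for illustration, not any company's real schedule."""
import ipaddress
import re
from datetime import datetime, timedelta
from typing import List

# Hypothetical retention schedule in days for each category of log data.
RETENTION_DAYS = {
    "access_log": 7,    # request logs: needed briefly for debugging and abuse handling
    "error_log": 30,    # error logs: kept longer for stability analysis
}

# Constructed sample lines in Common Log Format, with an ISO-8601 timestamp
# inside the brackets (an assumption; real web servers often use other formats).
SAMPLE_ACCESS_LOG = """\
203.0.113.42 - - [2024-01-01T10:00:00+00:00] "GET /login HTTP/1.1" 200 512
2001:db8:1234:5678::1 - - [2024-01-20T11:30:00+00:00] "POST /api/notes HTTP/1.1" 201 90
198.51.100.7 - - [2024-01-25T09:15:00+00:00] "GET /settings HTTP/1.1" 200 1024
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$'
)


def truncate_ip(ip: str) -> str:
    """Pseudonymise an address by zeroing its host bits: keep a /24 for IPv4
    and a /48 for IPv6. Raises ValueError if `ip` is not an address."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def apply_retention(log_text: str, category: str, now_iso: str) -> List[str]:
    """Return the lines of `log_text` still inside the retention period for
    `category`, with their IP addresses truncated. `now_iso` is the current
    time as an ISO-8601 string with a UTC offset, e.g. "2024-01-26T00:00:00+00:00".
    Lines that do not match the expected format are dropped rather than stored
    unreviewed, since an unparsed line might carry personal data we cannot see."""
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(days=RETENTION_DAYS[category])
    kept = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match is None:
            continue
        timestamp = datetime.fromisoformat(match.group("ts"))
        if timestamp < cutoff:
            continue  # past its retention period: do not keep
        try:
            ip = truncate_ip(match.group("ip"))
        except ValueError:
            continue  # not a parseable address: drop rather than keep it raw
        kept.append(
            f'{ip} {match.group("ident")} {match.group("user")} '
            f'[{match.group("ts")}] {match.group("rest")}'
        )
    return kept


if __name__ == "__main__":
    for row in apply_retention(SAMPLE_ACCESS_LOG, "access_log",
                               "2024-01-26T00:00:00+00:00"):
        print(row)
```

Truncation reduces identifiability but does not remove it entirely (a /24 still narrows a user down to one ISP allocation), so treat the output as pseudonymised rather than anonymous, and remember that other fields such as an authenticated username are personal data too. Run the job on a schedule and apply the same periods to backups, or the retention schedule you publish will not match what you actually hold.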

How Your Users Can Exercise Their Data Rights

Under Chapter 3 of the GDPR (Articles 12 to 23), individuals have certain rights over their personal data, including access, rectification, erasure, restriction, portability and objection. If your company processes the personal data of individuals in the EU, it's up to you to help them exercise those rights.

SaaS company SurveyMonkey sets out all of these rights in its Privacy Policy:

SurveyMonkey Privacy Policy: Your Rights clause with GDPR rights

Cloud storage service Dropbox helpfully provides links to various areas of its site where users can exercise some of their data rights:

Dropbox Privacy Policy: Your right to control and access your information clause

Here's how Office 365 informs its users about how to exercise their right to data portability under Article 20 of the GDPR:

Microsoft's data portability notice

How You're Keeping Your Users' Data Safe

Because SaaS apps generally store user data in the cloud, you are responsible for keeping it secure: Article 32 of the GDPR requires "appropriate technical and organisational measures" (such as encryption, access controls and regular testing), and that responsibility stays with you as controller even when a cloud provider hosts the data as your processor. Be transparent about the kind of measures you've taken and about what happens if there is a breach (Article 33 requires notifying the supervisory authority, where feasible within 72 hours of becoming aware of it, and Article 34 requires telling affected users when the breach is likely to result in a high risk to them). Describe your controls at the level of categories, not operational detail: a public policy that lists exact product versions or network layout helps attackers and adds nothing for users.

Here's how Google puts it in relation to its G Suite series of SaaS apps:

Google G Suite UK Security and Trust Policy Overview paragraph

Here's how inventory management and eCommerce software company Skubana explains its commitment to data security in its Privacy Policy:

Skubana Privacy Policy: Information Security clause

How to Create a Privacy Policy

FreePrivacyPolicy: Privacy Policy Generator - Steps How to Create Privacy Policy

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

     FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

     FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Enter the country and click on the "Next Step" button:

     FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  5. Continue building your Privacy Policy by answering the questions in our wizard:

     FreePrivacyPolicy: Privacy Policy Generator - Answer the questions from our wizard - Step 3

  6. Almost done. Enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.

     FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.


Where to Add Your Privacy Policy in Your SaaS App


CalOPPA requires that your company posts its Privacy Policy "conspicuously" on its website, and it spells out what counts as conspicuous (for example, a link on the homepage that a reasonable person would notice). You should also make your Privacy Policy accessible from within your SaaS app.

There are a couple of ways you can do this.

On Sign-up or Installation

Getting your Privacy Policy in front of your users as early as possible is a good idea. One opportunity to do this is at signup. If your SaaS app allows users to sign up when they install the app, you should give them the option to view your Privacy Policy at this point.

Here's the account setup screen from the Spotify Windows app:

Spotify mobile app for Windows: Join/Sign-up page

Note how the Privacy Policy is linked directly above the "Join Spotify" button and users are encouraged to read the policy. This allows users to read the policy before deciding to create an account.

A Menu Within Your App

You can also provide information about your Privacy Policy via a menu within your app.

Here's what the Evernote Windows app displays when the user chooses the "About" option from the "Help" menu:

Evernote Windows Mobile App: Help/About menu with Privacy Policy link highlighted

Here's a picture of the Settings menu on the Evernote Android app:

Evernote Android mobile app: Settings/About menu with Legal option highlighted

Here's what users see when they select the "Legal" option:

Evernote Android mobile app: Legal menu with Privacy Policy link highlighted

Ensuring Your SaaS App Complies With Privacy Law


More and more companies are making SaaS their delivery model of choice. Whilst there are some additional privacy and data protection considerations to take into account, these are easily managed - and easily communicated via a clear and concise Privacy Policy.

Make sure that your Privacy Policy includes information about:

  • Who you are, and how you can be contacted.
    • Include the name and contact details of your Data Protection Officer if your company is required to appoint one.
  • The types of personal data that your SaaS app collects:
    • Data volunteered by your users when they sign up for or install your SaaS app
    • Data your SaaS app collects from your users such as log files
    • Data your company receives from third parties
  • Why it's necessary for you to process this data in order to offer your SaaS app.
  • If you're serving EU users, your company's lawful basis for processing data under Article 6 of the GDPR.
  • What types of organizations you'll be sharing data with.
  • If you're serving EU users, whether you'll be transferring their personal data overseas (i.e. to a non-EU country):
    • If so, whether you'll be transferring to a country covered by a European Commission adequacy decision.
    • If not, which Article 46 safeguard you rely on (for US transfers, the EU-US Privacy Shield was invalidated in 2020 and has been replaced by the EU-US Data Privacy Framework; Standard Contractual Clauses are the usual alternative).
  • How long your SaaS app will store your users' personal data.
  • If you're serving EU users, how your users can exercise their rights under Chapter 3 of the GDPR:
    • How your users can withdraw their consent
    • How your users can request a copy of their personal data
  • Consider how you'll present your Privacy Policy to your users within your SaaS app:
    • At sign-up or installation
    • Via a menu within your SaaS app