FAQ
Clear answers to common questions about privacy policies, terms of service, NDAs, and regulatory compliance. Browse our guides or try a generator.
Yes. If you collect any personal data—email addresses, analytics cookies, IP addresses, or payment details—most jurisdictions require you to publish a clear privacy policy. Even if local law does not mandate one, platforms like Apple's App Store, Google Play, and Shopify require a published privacy policy before your product can go live.
At a minimum your policy should explain what personal data you collect, why you collect it, how you store and protect it, whether you share it with third parties, how long you retain it, and how users can exercise their rights (access, deletion, correction). If you use cookies or tracking technologies you should disclose that as well.
Under the GDPR your privacy policy must identify your legal basis for processing (consent, contract, legitimate interest, etc.), name your Data Protection Officer if one is required, explain cross-border data transfers and the safeguards used, and describe the right to lodge a complaint with a supervisory authority. The language must be clear, concise, and written in plain language—legalese alone will not satisfy the regulation.
The California Consumer Privacy Act requires you to disclose the categories of personal information collected and the business purpose for each category, state whether you sell or share personal information, and provide a 'Do Not Sell or Share My Personal Information' link. You must also describe how consumers can submit access and deletion requests and confirm that you will not discriminate against users who exercise their rights.
Review your privacy policy at least once a year and update it whenever you add new data collection methods, integrate new third-party services, expand into new jurisdictions, or change how you process or store data. Always display the 'Last updated' date prominently so users can see when the policy was last revised.
A generator is a great starting point because it tailors the draft to your specific data practices, tech stack, and target jurisdictions. However, the output is not legal advice. You should review the generated document carefully and have a licensed attorney check it before publishing, especially if you handle sensitive data such as health or financial information.
SaaS terms typically cover account registration and eligibility, subscription plans, billing and refund policies, acceptable use restrictions, intellectual property ownership, service availability and uptime commitments, data handling and security, limitation of liability, and termination provisions. If you offer a free trial or freemium tier, be explicit about what happens when the trial ends.
Yes. E-commerce terms should address order acceptance and pricing accuracy, shipping and delivery timelines, return and refund policies, product warranty disclaimers, and payment processing. Clear terms reduce chargebacks, prevent disputes, and set customer expectations before they complete a purchase.
A limitation of liability clause caps the maximum amount a user can recover in a legal claim against you. Common approaches include capping liability at the amount the user paid in the prior 12 months or excluding indirect, incidental, and consequential damages. Note that some jurisdictions restrict how much liability you can disclaim—consumer protection laws in the EU, for example, prevent excluding liability for gross negligence or fraud.
You can require binding arbitration (common in the United States), specify a jurisdiction and governing law for court proceedings, or include a step-by-step escalation process (negotiation, then mediation, then arbitration or litigation). Many SaaS companies include a class-action waiver alongside an arbitration clause. Choose the mechanism that matches your risk profile and user base.
Click-wrap agreements—where a user must check a box or click an 'I agree' button before proceeding—are generally enforceable in the United States, the EU, and most common-law countries. Courts look at whether the user had a reasonable opportunity to review the terms and took an affirmative action to accept. Simply linking to terms in a footer (browse-wrap) is much harder to enforce.
Yes, but you must notify existing users of material changes and, depending on your jurisdiction, give them an opportunity to review the new terms before they take effect. Best practice is to email users, display an in-app banner, and include a 'Last updated' date. For significant changes, consider requiring users to re-accept the updated terms.
A one-way (unilateral) NDA protects confidential information disclosed by one party only—common when hiring a contractor or consultant. A mutual (bilateral) NDA protects both sides and is standard in partnership discussions, joint ventures, or M&A due diligence where each party shares sensitive information.
Most NDAs remain in effect for one to five years from the date of signing or from the date confidential information is disclosed. The right duration depends on the nature of the information: trade secrets may justify a longer or even indefinite term, while marketing plans or pricing data may only need protection for one to two years.
Yes, provided the NDA is reasonable in scope, duration, and geographic reach. Courts may refuse to enforce an NDA that is overly broad (e.g., classifying all information as confidential) or that restricts a party's ability to work in their field. Clearly defining what constitutes confidential information and including standard carve-outs (publicly known information, independent discovery) strengthens enforceability.
Ask for an NDA before you share proprietary information in situations like hiring freelancers or contractors, discussing a business idea with potential investors or co-founders, entering partnership or acquisition talks, or giving a vendor access to your internal systems. The NDA should be signed before any confidential information changes hands.
Standard exclusions include information that is already publicly available, information the receiving party already knew before disclosure, information independently developed without reference to the disclosed material, and information received from a third party without a duty of confidentiality. These carve-outs prevent the NDA from being unreasonably broad.
You can start with the same base template, but employee NDAs often include additional clauses around invention assignment, non-solicitation, and post-employment obligations that do not apply to independent contractors. It is best to tailor each NDA to the specific relationship so that the obligations are clear and enforceable.
The GDPR (General Data Protection Regulation) applies to any organization that processes personal data of individuals in the European Economic Area, regardless of where the organization is based. The CCPA (California Consumer Privacy Act) applies to for-profit businesses that meet specific revenue or data-volume thresholds and handle the personal information of California residents. Both grant consumers rights over their data, but they differ in legal bases for processing, opt-in vs. opt-out models, and penalty structures.
You may transfer personal data outside the EEA only if the destination country has an EU adequacy decision, you use approved Standard Contractual Clauses (SCCs), or you rely on Binding Corporate Rules or an approved certification mechanism. The invalidation of the EU–US Privacy Shield in 2020 (Schrems II) means transfers to the US now require the EU–US Data Privacy Framework or SCCs with a supplementary transfer impact assessment.
If your website uses non-essential cookies (analytics, advertising, social media) and is accessible to users in the EU or UK, yes. The ePrivacy Directive requires prior informed consent before setting non-essential cookies. Under the CCPA you do not need prior consent for cookies, but you must disclose cookie usage in your privacy policy and honor opt-out requests for sale or sharing of personal information.
Under the GDPR you must notify your supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals, and notify affected individuals without undue delay if the risk is high. The CCPA does not have its own breach notification rule, but California's existing breach notification law (Civil Code 1798.82) requires notification to affected residents. Many other jurisdictions have their own timelines and thresholds.
The GDPR applies regardless of business size—if you process personal data of EEA residents, you must comply. The CCPA currently applies to businesses with annual gross revenue over $25 million, those that buy/sell/share personal information of 100,000 or more consumers or households, or those that derive 50% or more of revenue from selling personal information. Even if you are below these thresholds, having a privacy policy and good data practices builds user trust and reduces legal risk.
A DPA is a contract between a data controller (you) and a data processor (a vendor that handles personal data on your behalf, like an email service or cloud host). Under the GDPR a DPA is mandatory whenever you engage a processor. It should specify the scope and purpose of processing, data security measures, sub-processor approval procedures, and obligations when the contract ends. Many SaaS vendors offer a pre-signed DPA on request.
Our AI-powered generators walk you through a guided questionnaire and produce a tailored draft in minutes. Export to PDF or Markdown and have an attorney review it.