Software-as-a-service (SaaS) is one of the fastest-growing markets in the software industry. In a few short years, almost every major software company has jumped on board, creating a boom of new websites, programming, and mobile applications.
- 1. Privacy Policies for SaaS: What and Why
- 2.1. Types of Personal Information Collected
- 2.2. How Information is Collected and Used
- 2.3. Cookies
- 2.4. Third-Party Access to Information
- 2.5. Data Retention
- 2.6. Communications
- 2.7. Business Transfers
- 2.8. Children Under 13
- 2.10. Contact
- 3.1. More Options
- 4. Placement and Access
- 4.1. Websites
- 4.2. Mobile Applications
Privacy Policies for SaaS: What and Why
- The types of personal information collected from users
- How personal information is used
- How personal information is protected
- What rights users have in regard to their own information
- Which cookies are used and why
In order to protect the rights and privacy of internet consumers around the world, a great many privacy laws exist that will directly affect your business. Some of the agencies that regulate the use of consumer privacy include:
- The United States Federal Trade Commision
- California Department of Justice
- Office of the Australian Information Commissioner
- United Kingdom Information Commissioner's Office
- The European Commisson that enforces the GDPR
Even if you don't provide a physical product or ask for a physical address from customers, most SaaS businesses do require an email address, at the very least, and an email address is legally-protected personal information under privacy laws.
SaaS businesses in general cannot function without collecting email and payment information in order to set up subscription or account plans.
Types of Personal Information Collected
First and foremost, let users know specifically which personal information is collected about them. This goes for both the data they provide directly to you themselves and the data you collect automatically on the backend.
A short list might look something like this:
- Name and email address
- Billing address
- Credit card or payment information
- IP address and location
- Usage of products and services
- Device and browser information
Here's how Microsoft lays out the data it collects that's provided directly by its users. Another separate list is provided to outline data it collects automatically:
Most Saas businesses find it necessary to go into more detail.
For example, Pandora collects information about users' music preferences in order to improve their song recommendations.
A few examples of information you may be collecting automatically include:
- IP address
- User preferences
- Computer, browser, and software information
- Date and time of user activity
How Information is Collected and Used
After itemizing the types of data being collected, it is necessary to describe how it is collected. Whether through online forms, automated procedures on the backend, or communication with third party partners, you'll need to describe every method you use to collect information about users.
Amazon makes it very clear how it collects each type of information, be it through direct forms, automated software, mobile, email, or third party sources:
Next, explain why you are collecting that data. Users want to know why you need to collect so much information about them, and what it is used for. In this section, explain clearly why data collection is necessary and why it is necessary to provide your services.
PBS Kids uses a bullet-point list to clearly disclose how it uses information it collects:
Cookies have become common tools for businesses to track how users interact with their websites and mobile applications. This technology is invaluable in understanding customer behavior in browsing, searching, and buying products, but it comes with privacy risks.
Since some cookies continue to track the movements of users even after they have left a company's website, cookies can create a legal risk with users who do not appreciate the attention.
To avoid any potential liability, you must create a detailed Cookies Policy, ideally on its own landing page.
The Cookies Policy should provide users with a list of each type of cookie that is used by your website or mobile app, as well as the cookies used by your third-party affiliates.
Many customers may not understand the necessity or benefits of cookies, so try to explain what they are and why they are used to create some understanding and trust with consumers.
Here's how Zendesk lists third-party cookies and what they are used for:
While you don't have to use a chart format as in the above examples, this is a clear and easily-understandable way to break down complicated information like cookies in a way that's easy to comprehend and digest.
Third-Party Access to Information
As mentioned previously, most SaaS businesses will employ the use of third party software to perform certain services on a website or mobile app. Google Adsense is one example of a common analytics provider.
Many such third party affiliates will require access to your customer database to perform their services, creating potential privacy problems.
Although your third party affiliates may have their own Privacy Policies in place, you will need to inform your users of their existence to retain transparency.
This third party access clause by Dropbox is simple and direct:
A simple clause like the one above may be all you need to legally inform customers about third party access to information collected through your website or app.
A data retention clause is important, especially when it comes to subscriptions and account management. In this clause you'll lay out the rights of users in regard to managing their own information, as well as your own rights in retaining personal information when necessary.
Pandora mentions that cancellation of account may not guarantee removal of all personal data from their database:
In this clause you can mention:
- Where personal data is stored and how users may access it to see or change details
- Users' right to delete their accounts or personal information, and how this may affect their access to future services
- Your right to delete accounts in the event that users do not comply with your own requirements for use of services
- The necessity of retaining certain information saved in your database, such as transaction history or unpaid balances, etc.
Tesco has a short, simple data retention clause that lets users know general terms about how long data will be retained:
Inevitably, you will need to contact your customers, whether for marketing, billing, or informational purposes. For this reason, it's a good idea to include a Communications Clause.
Slack explains which messages they send and why:
A Communications clause simply informs users of which types of communication they can expect from you and why these are necessary. For example, if you send subscription details by email and promotional messages through text, make sure to include both of these in the list.
Also describe the process for opting-out of marketing communications in order to remain compliant with CAN-SPAM and other anti-spam laws.
This Communications clause from John Lewis describes exactly how to opt-out of direct marketing:
Especially in the SaaS industry, businesses are bought and sold almost as fast as they are created. Whether you have imminent plans to sell or not, it is a good idea to maintain a Business Transfer clause, just in case.
Dropbox summarizes what will happen in the event of a business transfer:
This is simply a reminder to customers that, in the event of business transfer or acquisition, the personal information of customers will be transferred to the new owners as well.
Amazon lets customers know that pre-existing privacy agreements will remain intact if a business transfer occurs:
Children Under 13
Most SaaS businesses are targeted to adults, but that doesn't mean you should skip this type of 0clause. In the unlikely event that a child registers on your mobile app or website, you may be held liable under the Children's Online Privacy Protection Act (COPPA).
It's best to include a short paragraph like the one below, just to be safe. DocuSign states that its products and services are not intended for minors:
Mojang, a company that offers online gaming for kids, maintains a separate policy for children under 13:
Make it quick and easy for users to contact you with issues regarding their privacy. A dedicated email or phone number is a great place to start. Some businesses offer a separate department or web form for users to voice their privacy concerns to create a feel of open transparency for customers.
Translink offers both a dedicated email and physical address for privacy communications from users:
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
How to manage personal information - Some companies include a section that reminds users of their right to change and delete their personal information, along with brief instructions on how to do so.
Microsoft briefly describes how users may access and edit personal information, as well as how to opt-out of advertising and receiving promotional messages:
Dispute resolution - A dispute resolution clause lays out the protocol for users to take in the event of any conflict or disagreement over privacy.
Pandora offers several avenues for dispute resolution:
Security - It's a good idea to list the security measures your business takes to protect the personal information of users. You should also mention that despite every effort, no security is 100% effective and there are no guarantees.
Here's an example of a fairly standard security clause that discloses that efforts are made to keep data secure but that no guarantees are made:
Compliance with laws and regulations - Here, you can explain the necessity of sharing personal data with the government in response to legal claims or subpoenas.
Here's another example of a standard clause that mentions compliance with laws and how it may affect user data:
Placement and Access
For websites, the first step is to create a link within one of the main navigation bars. Most sites include this link in the footer so that it can be accessed from every page. Users also know to look here since it's such common practice:
Here you can see the Privacy linked within an app menu:
Audible provides a link to the Privacy Notice on the sign-in screen while also noting that users will be agreeing to the Privacy Notice if they continue: