Privacy Policy for a SaaS Business

Last updated on 25 September 2019

Software-as-a-service (SaaS) is one of the fastest-growing markets in the software industry. In a few short years, almost every major software company has jumped on board, creating a boom of new websites, programming, and mobile applications.

Amid the surge and excitement of a successful online business, however, it is easy to forget important details like your SaaS Privacy Policy.

Starting a new business may be a busy time, but this is one detail you won't want to let fall through the cracks. For any SaaS company collecting information for subscription and account services, a Privacy Policy is not only important, it's the law.

Privacy Policies for SaaS: What and Why

You've seen them around, but have you ever taken the time to read a Privacy Policy? If not, here's a general summary of what a standard Privacy Policy covers:

  • The types of personal information collected from users
  • How personal information is used
  • How personal information is protected
  • What rights users have in regard to their own information
  • Which cookies are used and why

In order to protect the rights and privacy of internet consumers around the world, a great many privacy laws exist that will directly affect your business. Some of the agencies that regulate the use of consumer privacy include:

To save you a lot of research and reading into consumer privacy law, let's put it this way: If you collect any information about your users, you need a Privacy Policy.

Even if you don't provide a physical product or ask for a physical address from customers, most SaaS businesses require an email address at the very least, and an email address is legally protected personal information under privacy laws.

If you're collecting an email address, IP address, credit card number, or any other personal information, a Privacy Policy is required under any of the privacy laws mentioned above.

Developing Your Privacy Policy for SaaS


SaaS businesses in general cannot function without collecting email and payment information in order to set up subscription or account plans.

Many services delve much deeper into users' personal information to access location and personal preferences that help to build a better customer experience - all of which must be included in the Privacy Policy.

Although the Privacy Policy will need to be customized to apply to your particular business, including the clauses below is a good way to start.

Types of Personal Information Collected

First and foremost, let users know specifically which personal information is collected about them. This goes for both the data they provide directly to you themselves and the data you collect automatically on the backend.

A short list might look something like this:

  • Name and email address
  • Billing address
  • Credit card or payment information
  • IP address and location
  • Usage of products and services
  • Device and browser information

Here's how Microsoft lays out the data it collects that's provided directly by its users. Another separate list is provided to outline data it collects automatically:

Microsoft Privacy Policy: Clause covering data collected from users

Most SaaS businesses find it necessary to go into more detail.

For example, Pandora collects information about users' music preferences in order to improve their song recommendations.

Pandora's Privacy Policy includes details about this and other information that is collected automatically:

Pandora Privacy Policy: Information We Receive or Collect From You clause

A few examples of information you may be collecting automatically include:

  • IP address
  • Location
  • User preferences
  • Computer, browser, and software information
  • Date and time of user activity

Make sure to create an exhaustive list of each type of personal information that is collected about users. This helps your Privacy Policy comply with privacy laws, and it creates an environment of transparency with your customers.

How Information is Collected and Used

After itemizing the types of data being collected, it is necessary to describe how it is collected. Whether through online forms, automated procedures on the backend, or communication with third party partners, you'll need to describe every method you use to collect information about users.

Amazon makes it very clear how it collects each type of information, be it through direct forms, automated software, mobile, email, or third party sources:

Amazon's Privacy Notice: Information Collected clause

Next, explain why you are collecting that data. Users want to know why you need so much information about them and what it is used for. In this section, explain clearly why each type of data collection is necessary to provide your services.

PBS Kids uses a bullet-point list to clearly disclose how it uses information it collects:

PBS Kids Privacy Policy: We use the information we collect to clause excerpt

Cookies

Cookies have become common tools for businesses to track how users interact with their websites and mobile applications. This technology is invaluable in understanding customer behavior in browsing, searching, and buying products, but it comes with privacy risks.

Since some cookies continue to track users even after they have left a company's website, cookies create legal risk, and users who do not appreciate the tracking may object.

To reduce that liability, publish a detailed Cookies Policy, ideally on its own landing page.

LinkedIn uses a simple chart to help explain all the ways it uses cookies and why they're important:

LinkedIn Cookie Policy: What are Cookies Used For chart excerpt

The Cookies Policy should provide users with a list of each type of cookie that is used by your website or mobile app, as well as the cookies used by your third-party affiliates.

Third-party affiliates may include advertisers, analytics services, shopping carts and other common services. Many of these types of services use cookies to function, so make sure you list each of these third-party cookies as well.

Many customers may not understand the necessity or benefits of cookies, so try to explain what they are and why they are used to create some understanding and trust with consumers.

Here's how Zendesk lists third-party cookies and what they are used for:

Zendesk Privacy Policy: Third Party Cookies list clause

While you don't have to use a chart format as in the above examples, it is a clear, easily understandable way to break down complicated information like cookies.

Third-Party Access to Information


As mentioned previously, most SaaS businesses use third-party software to perform certain services on a website or mobile app. Google AdSense (advertising) and Google Analytics (analytics) are two common examples.

Many such third-party affiliates need access to some of your customer data to perform their services, which creates potential privacy problems.

You'll need to check each third-party's Terms and Conditions or Terms of Use agreements to see what you're required to do as part of using the service. Oftentimes you'll be required to have a Privacy Policy and disclose specific information within it.

Although your third party affiliates may have their own Privacy Policies in place, you will need to inform your users of their existence to retain transparency.

This third party access clause by Dropbox is simple and direct:

Dropbox Privacy Policy: Third Party Access clause

A simple clause like the one above may be all you need to legally inform customers about third party access to information collected through your website or app.

Data Retention

A data retention clause is important, especially when it comes to subscriptions and account management. In this clause you'll lay out the rights of users in regard to managing their own information, as well as your own rights in retaining personal information when necessary.

Pandora mentions that cancellation of account may not guarantee removal of all personal data from their database:

Pandora Privacy Policy: Cancellation or Deactivation of Accounts clause

In this clause you can mention:

  • Where personal data is stored and how users may access it to see or change details
  • Users' right to delete their accounts or personal information, and how this may affect their access to future services
  • Your right to delete accounts in the event that users do not comply with your own requirements for use of services
  • The necessity of retaining certain information saved in your database, such as transaction history or unpaid balances, etc.

Tesco has a short, simple data retention clause that lets users know general terms about how long data will be retained:

Tesco Privacy Policy: Data retention clause

Communications

Inevitably, you will need to contact your customers, whether for marketing, billing, or informational purposes. For this reason, it's a good idea to include a Communications Clause.

Slack explains which messages they send and why:

Slack Privacy Policy: Sending emails and Slack messages clause

A Communications clause simply informs users of which types of communication they can expect from you and why these are necessary. For example, if you send subscription details by email and promotional messages through text, make sure to include both of these in the list.

Also describe the process for opting-out of marketing communications in order to remain compliant with CAN-SPAM and other anti-spam laws.

This Communications clause from John Lewis describes exactly how to opt-out of direct marketing:

John Lewis Privacy Notice: Opt out of direct marketing clause with methods

Business Transfers

Especially in the SaaS industry, businesses are bought and sold almost as fast as they are created. Whether you have imminent plans to sell or not, it is a good idea to maintain a Business Transfer clause, just in case.

Dropbox summarizes what will happen in the event of a business transfer:

Dropbox Privacy Policy: Business Transfer clause

This is simply a reminder to customers that, in the event of business transfer or acquisition, the personal information of customers will be transferred to the new owners as well.

Amazon lets customers know that pre-existing privacy agreements will remain intact if a business transfer occurs:

Amazon Privacy Notice: Business Transfers clause

Children Under 13

Most SaaS businesses are targeted to adults, but that doesn't mean you should skip this type of clause. In the unlikely event that a child registers on your mobile app or website, you may be held liable under the Children's Online Privacy Protection Act (COPPA).

It's best to include a short paragraph like the one below, just to be safe. DocuSign states that its products and services are not intended for minors:

DocuSign Privacy Policy: Children's Privacy clause

On the other hand, if your business is targeted to minors, you will need to take extra measures to comply with COPPA regulations, including an additional and separate Privacy Policy just for kids.

Mojang, a company that offers online gaming for kids, maintains a separate policy for children under 13:

Mojang: Children's Privacy Policy

Changes to Privacy Policy

Under most privacy regulations you may change your Privacy Policy at any time, but you are also required to inform your users of those changes.

Include a simple notice like this one inside your Privacy Policy:

Vimeo's Updates to Privacy Policy clause

Let users know that you will inform them of any future changes to your Privacy Policy and how you will communicate those changes. Whether the announcement is made via blog post, email, or other means, users must be informed in a timely manner whenever important and material Privacy Policy changes take place.

Contact

Make it quick and easy for users to contact you with issues regarding their privacy. A dedicated email address or phone number is a good place to start. Some businesses offer a separate department or web form for users to voice their privacy concerns, which signals openness and transparency to customers.

Translink offers both a dedicated email and physical address for privacy communications from users:

Translink Privacy Policy: Contact Us clause

How to Create Your Privacy Policy

PrivacyPolicies.com: Privacy Policy Generator - How to Create your Privacy Policy

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy."
  2. Select the platform/s where your Privacy Policy will be used.
     PrivacyPolicies.com: Privacy Policy Generator - Create your Privacy Policy - Step 1
  3. Answer the questions related to your entity type and location.
     PrivacyPolicies.com: Privacy Policy Generator - Answer questions - Step 2
  4. Answer the questions relating to what type of information you collect from your users.
     PrivacyPolicies.com: Privacy Policy Generator - Answer questions about type of information you collect - Step 3
  5. Select all the ways you wish to allow your users to contact you with questions regarding your Privacy Policy.
     PrivacyPolicies.com: Privacy Policy Generator - Select ways you wish to allow your users to contact you - Step 4
  6. Select what kind of Privacy Policy you want to create.
     PrivacyPolicies.com: Privacy Policy Generator - What kind of Privacy Policy you want - Step 5
  7. Enter the email address where you'd like your Privacy Policy sent and click Create Privacy Policy.
     PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 6
  8. Now you can copy or link to your hosted Privacy Policy.
     PrivacyPolicies.com: Privacy Policy Generator - Copy or link to your hosted Privacy Policy - Step 7

More Options

The above clauses are all essential to a Privacy Policy for a SaaS business. However, there are more options to include if you'd like to be extra thorough:

  • How to manage personal information - Some companies include a section that reminds users of their right to change and delete their personal information, along with brief instructions on how to do so.

    Microsoft briefly describes how users may access and edit personal information, as well as how to opt out of advertising and receiving promotional messages:

    Microsoft Privacy Statement: How to Access and Control your Personal Data clause

  • Dispute resolution - A dispute resolution clause lays out the protocol for users to follow in the event of any conflict or disagreement over privacy.

    Pandora offers several avenues for dispute resolution:

    Pandora Privacy Policy: Dispute Resolution clause

  • Security - It's a good idea to list the security measures your business takes to protect the personal information of users. You should also mention that despite every effort, no security is 100% effective and there are no guarantees.

    Here's an example of a fairly standard security clause that discloses that efforts are made to keep data secure but that no guarantees are made:

    Jive Software Privacy Policy: Data Security clause

  • Compliance with laws and regulations - Here, you can explain the necessity of sharing personal data with the government in response to legal claims or subpoenas.

    Here's another example of a standard clause that mentions compliance with laws and how it may affect user data:

    Vimeo Privacy Policy: Legal Situations clause

Placement and Access

Once you've written the Privacy Policy for your SaaS business, you'll need to make it easily accessible to consumers. Here's how to do so on common platforms.

Websites

For websites, the first step is to create a link within one of the main navigation bars. Most sites include this link in the footer so that it can be accessed from every page. Users also know to look here since it's such common practice:

Slack's website footer with policy links

It's also a good idea to include a link to your Privacy Policy within your account registration, log-in and contact forms for an added level of visibility.

For example, by continuing with the DocuSign sign-up form, a user is agreeing to the Privacy Policy. Note that the link to the Privacy Policy is included and visible.

DocuSign account signup page showing Privacy Policy link

In this scenario, a customer is given a prominent, clear link to the Privacy Policy and accepts it by proceeding with sign-up.

Mobile Applications

A similar approach works for mobile applications. Although it may not be possible to include a link to the Privacy Policy on every screen of the app, prominent links may be placed in the settings interface, for example.

Here you can see the Privacy linked within an app menu:

Netflix mobile app Settings menu

Like websites, it's also common for mobile apps to provide links to their Privacy Policies during the initial sign-in or registration process. This ensures that users not only see the Privacy Policy, but can also agree to its terms.

Audible provides a link to the Privacy Notice on the sign-in screen while also noting that users will be agreeing to the Privacy Notice if they continue:

Audible's mobile app sign-in screen

Following these guidelines and having a highly detailed yet easy-to-read Privacy Policy will help your business comply with international privacy regulations and help create an open, trusting relationship with your future consumers.

Remember to include all the necessary information in your Privacy Policy and make it easily available both on your website and mobile app.
