Legal · 7 min read · 12 May 2026

SaaS Legal Documents Checklist: Every Policy Your SaaS Needs in 2026

The complete checklist: privacy policy, terms, cookie policy, DPA, AUP, refund policy — what each does, when you need it, and how to generate them free.

Why SaaS legal documents matter

A SaaS without proper legal documents is one angry customer complaint, GDPR inquiry, or payment dispute away from serious trouble. Regulators don't give founders a pass for being early-stage. App stores can remove you. Payment processors can freeze your account. Investors will ask during due diligence.

The good news: most of these documents are straightforward. You don't need a lawyer to generate your first drafts — though you should have a lawyer review before you charge real money.

Here's the complete checklist of legal documents every SaaS needs, what each one does, and where to get it.


The core SaaS legal document stack

1. Privacy Policy — Required by law almost everywhere

What it does: Discloses what personal data you collect, why, how long you keep it, who you share it with, and what rights users have.

When you need it: As soon as you collect any personal data — including email addresses, IP addresses, or cookies. That means from day one.

Legal basis:

  • GDPR Art. 13/14 — Mandatory disclosure to anyone in the EU/EEA whose data you collect, whether directly from them (Art. 13) or from a third party (Art. 14). Missing or incomplete privacy notices are among the most common GDPR findings.
  • CCPA/CPRA — Required for businesses that collect personal data from California residents and meet one of the statute's thresholds (roughly: over $25M in annual revenue, personal data of 100,000 or more consumers or households, or half or more of revenue from selling or sharing personal data). A growing SaaS crosses these sooner than founders expect.
  • CalOPPA — Required for any commercial website or online service that collects personally identifiable information from California consumers, which in practice means almost every website.
  • App store requirements — Apple App Store and Google Play both require a privacy policy link in the listing.

👉 Generate your Privacy Policy free →


2. Terms of Service (ToS) / Terms & Conditions

What it does: Defines the rules for using your product, limits your liability, sets out the governing law, and establishes what happens when users violate your rules.

When you need it: Before you launch publicly. A ToS is your contract with users — without it, you have almost no recourse when users abuse your platform, claim refunds, or try to blame you for data loss.

Key clauses:

  • Acceptable use (what's prohibited)
  • Limitation of liability (caps your damages exposure)
  • Disclaimer of warranties
  • Intellectual property (who owns what)
  • Termination clause (your right to ban users)
  • Governing law and dispute resolution
  • EU-specific: Consumer withdrawal rights (14-day cooling off for EU B2C)

👉 Generate your Terms of Service free →


3. Cookie Policy

What it does: Discloses what cookies and tracking technologies you use, what they do, and how users can opt out.

When you need it: As soon as you use any cookies or similar storage beyond what is strictly necessary to deliver the service the user asked for (authentication sessions, CSRF tokens, load-balancer affinity). Google Analytics, Facebook Pixel, Hotjar, Intercom and any marketing or product-analytics tool are not strictly necessary, so they trigger the requirement.

Legal basis:

  • ePrivacy Directive (Art. 5(3)) — Requires prior consent for storing or reading anything on the user's device that isn't strictly necessary for the service they requested, which covers non-essential cookies and equivalent tracking (local storage, pixels, fingerprinting) across the EU/EEA.
  • GDPR — Cookie IDs and similar identifiers are personal data when they can single out a user; your cookie policy is an extension of your privacy policy.
  • UK PECR — The UK's implementation of the ePrivacy Directive, retained after Brexit, so the same consent rule applies.

Note: A cookie policy is different from a cookie consent banner (which handles the opt-in/opt-out UI). You need both. Read the difference here.

👉 Generate your Cookie Policy free →


4. Refund Policy

What it does: States your refund terms clearly — what's eligible, the timeframe, how to request it, and what happens with partial or annual plans.

When you need it: Before you charge anyone. Without a published refund policy:

  • Payment processors (Stripe, PayPal) default to card network chargeback rules, which almost always favor the customer
  • The EU Consumer Rights Directive gives B2C customers a 14-day withdrawal right on distance contracts. For digital content and services it can end early only if the customer expressly asks for immediate performance and acknowledges giving up the right, and if you fail to inform customers of the right, the withdrawal period extends by up to 12 months. Your refund policy must state this rather than contradict it.
  • You have no leverage in payment disputes

👉 Generate your Refund Policy free →


5. Acceptable Use Policy (AUP)

What it does: Defines what users cannot do on your platform. This is different from your ToS — the AUP is the operational rulebook. It lists prohibited uses (spam, abuse, illegal content, scraping, hacking) and what enforcement actions you'll take.

When you need it: Any product with user-generated content, an API, or other behaviour that one user can turn against others or against you. Under the EU Digital Services Act (Art. 14), intermediary services must state in their terms and conditions what restrictions they impose on use of the service and how content moderation works, which is exactly what an AUP spells out. It also helps enterprise sales: customers often ask for your AUP during security reviews, and it is the document your abuse team enforces against (rate limits, scraping, misuse of API keys).

👉 Generate your Acceptable Use Policy free →


6. GDPR Data Processing Agreement (DPA)

What it does: A contract between you (as data processor) and your customers who are data controllers. It defines what data you process, for what purpose, and what safeguards you maintain.

When you need it: Required under GDPR Art. 28 any time you process personal data on behalf of a controller, and Art. 28(3) dictates its minimum contents: processing only on documented instructions, confidentiality, Art. 32 security measures, flow-down of the same terms to sub-processors, help with data-subject requests, deletion or return of data at the end, and audit rights. For B2B SaaS selling into the EU, enterprise customers will request it during procurement, and their security review will focus on the security annex and the sub-processor list. A missing DPA is a hard blocker for enterprise sales.

👉 Generate your GDPR DPA free →


7. HIPAA Business Associate Agreement (BAA)

What it does: A contract required by US law when you handle Protected Health Information (PHI) on behalf of healthcare providers, health plans, or other HIPAA Covered Entities. Without a signed BAA, the Covered Entity cannot legally share PHI with you.

When you need it: If your SaaS is used by hospitals, clinics, health insurers, or any entity handling patient data, and you process, store, or transmit that data. Signing one makes you a Business Associate directly subject to the HIPAA Security Rule (risk analysis, access controls, audit logging, breach notification to the covered entity), so have those controls in place before you sign, and make sure the cloud providers beneath you have signed BAAs covering the services you actually use. Missing BAAs are a recurring finding in HIPAA enforcement actions.

👉 Generate your HIPAA BAA free →


Priority order for early-stage SaaS

If you're pre-launch, tackle documents in this order:

  1. Privacy Policy — Required before collecting any data. Day 0.
  2. Terms of Service — Required before accepting users. Day 0.
  3. Cookie Policy — Required as soon as you add analytics/tracking.
  4. Refund Policy — Required before first charge.
  5. Acceptable Use Policy — Add when you launch publicly or open an API.
  6. GDPR DPA — Add when enterprise EU customers ask for it (common at first B2B deal).
  7. HIPAA BAA — Add only if you're entering healthcare. Don't add unnecessary liability.

Common mistakes founders make

Using a generic template from 2018

GDPR came into force in 2018, the CCPA in 2020, the CPRA amendments in 2023, and EU AI Act obligations phase in between 2024 and 2026. Generic templates from the internet are often outdated, incomplete, or written for the wrong jurisdiction. Always verify the template covers the laws that apply to you.

Not updating documents after adding new tools

You add Intercom for support, then Mixpanel for analytics, then OpenAI for a feature. Each is a new third-party processor: your privacy policy must reflect it (at least its category and purpose), and for your controller customers it is a new sub-processor, which under GDPR Art. 28(2) needs their authorisation. In practice that means updating the sub-processor list attached to your DPA and notifying customers before the integration goes live so they can object. Review your legal documents every quarter, and whenever a new integration ships.

Privacy policy on a separate page users never see

GDPR Art. 13 requires that privacy information be provided at the time the data is obtained, not buried in a footer link. Link to your privacy policy on signup forms, checkout pages, and anywhere else you collect data. Passive disclosure isn't enough.

No DPA with your B2B customers

If you're a SaaS processing customer data, you're a data processor. Your enterprise customers will ask for a signed DPA before going live. Not having one ready adds weeks to sales cycles and signals immaturity. Generate one now and have it ready to send.


The bottom line

You don't need to spend thousands on lawyers to get started. Use AI-generated templates to get your first drafts in place, then have a qualified lawyer review before you hit serious revenue or enterprise sales. The seven documents above cover the vast majority of what SaaS companies need.

All seven generators are free at ComplyKit: