SaaS Agreements – Data Protection – Customer Privacy Policy

SaaS customers often ask or expect SaaS suppliers to provide them with a privacy policy for use in conjunction with their SaaS products. SaaS suppliers should firmly refuse such requests: firstly, because they could face liability claims from the customer if the privacy policy is inappropriate, and secondly, because you will not have adequate knowledge of the issues set out below, which will need to be covered in the privacy policy.

Personal Data Practices

The customer’s privacy statement should reflect its personal data practices. For example, it should include details of:

  • The type of data being collected;
  • Why the data is collected;
  • How the data is used and why;
  • If and why personal data will be disclosed to third parties;
  • How and where data is stored;
  • How complaints or queries about personal data will be dealt with.

Compliance with Applicable Laws

SaaS customers will also need to review their compliance with any applicable laws relating to the collection and use of personal data. The laws that apply will depend upon a number of factors. If the SaaS customer is selling or providing services to people under the age of 18, additional laws applicable to the protection of children will apply.

The type of products or services being sold and the countries in which they are being sold will also be relevant – as this will determine whether national, EU and/or international laws will apply. Depending on the business sector in which your SaaS customer is operating, the rules of self-regulatory schemes may also apply. For example, if your customer is providing email marketing services they will need to comply with applicable email marketing and advertising rules.

Where on a Website should the Privacy Policy Appear?

This will usually be on your SaaS customer’s home page and/or at the point that they obtain consent to collection of the data. It is also advisable to have links between the privacy policy and all references made to it on the customer website. For example, if your SaaS customer is providing online recruitment services they should place their privacy policy on their home page. Also, when users register to use services there should be a link to the privacy policy and a process for users to accept the terms of the privacy policy.

Practical Issues

If your SaaS customer insists on you assisting in the creation of a privacy policy you should charge for this additional service, as this is a consultancy service. In addition you should try to limit your assistance to simply providing a template for your customer to customise and adapt. You should always limit your liability for any omissions or errors in the template and state that the template is provided on an “as is” basis.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
