Compliance · May 2025

Your SaaS Needs a Privacy Policy Before Its First Paying Customer

GDPR, cookie consent, data deletion, Terms of Service — the minimal viable compliance checklist for indie builders who shipped fast and forgot the legal layer.

You built the product. You have users. Someone is about to pay you. And then you realise: you have no privacy policy, no terms of service, and no idea what your GDPR obligations are. This is extremely common in AI-built SaaS products, and it's also genuinely fixable in a day.

Why it actually matters (beyond just legal risk)

B2B customers — especially anyone in Europe, healthcare, or finance — will ask for your privacy policy and DPA (Data Processing Agreement) before signing. No document means no deal. Even for consumer apps, App Store review requires a privacy policy, and Google Ads requires one. And if something goes wrong with user data, “we didn't have a privacy policy” is not a defence — it's an aggravating factor.

The minimal viable compliance checklist

Privacy Policy page (before first customer)

What data you collect, why you collect it, how long you keep it, and who you share it with. Must be publicly accessible — linked in your footer. If you collect email addresses, you need this.

Terms of Service (before first customer)

What users can and can't do, your liability limits, and how disputes are handled. Protects you, not them. Less urgent than privacy policy but needed before serious B2B customers.

Cookie consent banner

Required in the EU if you use analytics (Google Analytics, Posthog, etc.) or advertising cookies. Not required for strictly necessary cookies. If your users are anywhere in Europe, you need this.

Data deletion / right to erasure

Under GDPR, EU users can ask you to delete their data. You need a process for this — even if it's just an email address that triggers manual deletion. You must respond within 30 days.

Data Processing Agreement (DPA)

Required if you process EU personal data on behalf of business customers. Most SaaS products need this for B2B sales into Europe. Services like Stripe, Resend, and Vercel have their own DPAs you can reference.

The fastest way to get this done

You don't need a lawyer to get started. Generate a privacy policy with a tool like Termly or iubenda (takes 15 minutes), host it at /privacy, and link it in your footer. Do the same for /terms. That's the 80% done. VibeProd detects the absence of these pages and opens a PR that creates them for you.

Check your compliance gaps in 2 minutes

Free scan, no account needed. VibeProd checks for missing privacy policy, terms, and more.
