SaaS Privacy Policies — What Your Policy Must Cover
Overview last updated: January 2026
Why SaaS Companies Face Unique Privacy Challenges
A standard website collects data from its own visitors. A SaaS company does that too, but it also processes data that belongs to its customers' users — people who may never interact with the SaaS provider directly. This distinction creates a set of privacy obligations that most website privacy policy templates don't account for.
Several architectural and business realities make SaaS privacy more complex:
- Multi-tenancy: Most SaaS platforms run multiple customers on shared infrastructure. Data from different organizations is logically separated but physically co-located. Your privacy policy needs to address how you isolate and protect data across tenants.
- Sub-processors: SaaS companies rarely operate in isolation. You likely use cloud hosting (AWS, GCP, Azure), email delivery services, payment processors, analytics tools, and support platforms. Each of these is a sub-processor that handles some portion of your customers' data. You have an obligation to disclose them and, under GDPR, to notify customers before adding new ones.
- International data flows: If you have customers in the EU, the UK, or other jurisdictions with data transfer restrictions, you need to explain where data is stored and processed, and under what legal mechanism it crosses borders.
- Data processing on behalf of others: When a business customer uploads their end users' data into your platform, you are typically a data processor (under GDPR) or a service provider (under CCPA). This means you operate under your customer's instructions, not your own purposes — and your privacy policy needs to reflect that distinction clearly.
Which Frameworks Commonly Apply to SaaS
Not every framework applies to every SaaS company, but the following come up most often:
GDPR (as a data processor)
If any of your customers have users in the EU or EEA, GDPR likely applies to you. As a processor, you must process data only on documented instructions from your controller (the customer), implement appropriate security measures, assist with data subject requests, and maintain records of processing activities. Your public-facing privacy policy should explain your role as both a controller (for your own website visitors and account holders) and a processor (for customer data).
SOC 2
SOC 2 is not a legal requirement, but it has become a de facto standard for SaaS companies selling to other businesses. Enterprise buyers routinely request SOC 2 Type II reports before signing contracts. While SOC 2 itself is an audit framework rather than a privacy regulation, the Trust Services Criteria include a Privacy category. Your privacy policy is one of the artifacts that auditors examine to assess whether you meet the criteria around notice, choice, and disclosure.
CCPA / CPRA
If you have customers or users in California and meet the revenue or data volume thresholds, CCPA applies. For SaaS companies, the key distinction is whether you are a "business" (making decisions about how data is used) or a "service provider" (processing data on behalf of your customer). Your privacy policy must accurately describe your role and include the required CCPA disclosures — categories of personal information collected, purposes of collection, and consumer rights.
Other frameworks
Depending on your industry and customer base, you may also need to consider HIPAA (if you handle protected health information), PCI DSS (if you process payment card data), and ISO 27001 (if customers require certification of your information security management system). Each of these has implications for what your privacy policy should say about data handling, retention, and security.
What a SaaS Privacy Policy Must Include
A SaaS privacy policy covers everything a standard website privacy policy does — categories of data collected, purposes, rights, cookies, contact information — but it must also address several areas that are specific to the SaaS model:
- Your role as a data processor: Clearly state that when customers use your platform to process their end users' data, you act as a processor or service provider. Explain that you process this data according to your customers' instructions and the terms of your data processing agreement.
- Sub-processor disclosures: List your sub-processors or provide a link to a maintained sub-processor list. Under GDPR, this is effectively required. Even outside the EU, transparency about third-party vendors builds trust with business customers evaluating your product.
- Data hosting and transfer: State where data is stored (regions, cloud providers) and what mechanisms govern international transfers (Standard Contractual Clauses, the EU-US Data Privacy Framework, adequacy decisions, etc.).
- Data retention and deletion: Describe your retention periods and what happens to customer data after contract termination. SaaS customers need to know whether their data is deleted, returned, or retained — and on what timeline.
- Security measures: While you don't need to detail your full security architecture, your privacy policy should summarize the technical and organizational measures you use to protect data. This is a GDPR Article 32 obligation and a common expectation from enterprise buyers.
- Data subject request handling: Explain how you handle requests from end users (such as access or deletion requests). In most cases, the SaaS provider directs these requests to the customer (the data controller), but your policy should explain this process.
Common Mistakes SaaS Companies Make
These are errors that come up repeatedly in SaaS privacy policies:
- Treating all data as first-party data. Many SaaS privacy policies describe data collection as if the company is the sole controller of all data on the platform. If your customers upload their users' data, you need to distinguish between data you control and data you process on behalf of others.
- Missing or outdated sub-processor lists. GDPR requires that processors inform controllers about sub-processors and provide a mechanism to object to changes. A privacy policy that says "we may share data with third-party service providers" without specifics is insufficient for B2B customers subject to GDPR.
- No mention of data processing agreements. If you offer a DPA to customers (and you should, if you process EU personal data), your privacy policy should reference it. Many SaaS companies have a DPA buried somewhere on their site but never mention it in the privacy policy itself.
- Vague data retention language. Statements like "we retain data as long as necessary" without defining what "necessary" means provide no real information. Specify retention periods for different categories of data, or at minimum, describe the criteria you use to determine them.
- Copying a template without adapting it. Generic privacy policy generators produce policies designed for simple websites. They typically omit processor obligations, sub-processor disclosures, data transfer mechanisms, and post-termination data handling — all of which are critical for a SaaS business.
- Conflating the privacy policy with the DPA. These are separate documents with different audiences and purposes. Trying to combine them creates a document that serves neither function well.
Privacy Policy vs. Data Processing Agreement
SaaS companies often need both a privacy policy and a data processing agreement, and confusion between the two is common. They serve different purposes:
Privacy policy
Your privacy policy is a public-facing document directed at individual users — people who visit your website, create accounts, or interact with your product. It explains what personal data you collect, why you collect it, how you use it, and what rights users have. Here you act in your capacity as a controller: you are the controller, and your users are the data subjects.
Data processing agreement (DPA)
A DPA is a contract between you (as a data processor) and your business customer (as a data controller). It governs how you process personal data on behalf of the customer. Under GDPR Article 28, a DPA must include specific provisions: the subject matter and duration of processing, the nature and purpose of processing, the types of personal data and categories of data subjects, and the obligations and rights of the controller.
Why both matter
A SaaS company that only has a privacy policy but no DPA is missing a legally required document under GDPR. A SaaS company that only has a DPA but no privacy policy is failing to provide transparency to its own users. Both documents need to be accurate, consistent with each other, and kept current as your data practices evolve.
How Privacy Policy Review Helps
Privacy Policy Review checks your SaaS privacy policy against the specific frameworks that apply to your business — GDPR processor requirements, CCPA service provider obligations, SOC 2 privacy criteria, and others. The review identifies gaps like missing sub-processor disclosures, unclear controller/processor distinctions, and incomplete data transfer descriptions. Each review is verified by an attorney and delivered as a signed Record of Review that you can share with customers and auditors.
Ready to review your privacy policy?
Get AI-powered compliance analysis verified by an attorney — flat $199 per review.