Legal agreements are very important for all apps, but perhaps especially so for a SaaS app.

These agreements will be where you include information about things like subscription costs, payment terms, user privacy, restrictions on the use of your app, and a range of other topics.

SaaS apps operate by providing a license to a user to interact with and use the software interface in exchange for the purchase of a subscription plan.

Because of this relationship, there are two main legal agreements that are found in SaaS apps: Terms and Conditions, and a Privacy Policy.

Terms and Conditions, also known as Terms of Use or Terms of Service, is where you will include all of the terms, such as termination of accounts, arbitration, payment policies, and disclaimers of warranty.

Here's an example of a table of contents from a Terms and Conditions of Use that shows common categories found within these agreements.

Note: You don't need to include a table of contents with your Terms and Conditions. This image is just to show a visual summary of topics commonly included in a policy.

Table of contents from Spotify Terms and Conditions

Note how this table of contents from Spotify's Terms and Conditions of Use page includes categories like:

  • Rights we grant you,
  • Rights you grant us,
  • Third Party Rights,
  • User Guidelines, and
  • Payments, cancellations, etc.

SaaS apps are almost always required to have a Privacy Policy because by nature they collect user data to create a user account within the service, store this personal information, and use this information for, at a minimum, user identification purposes.

Typical components of a Privacy Policy include information about:

  • What kind of information is collected,
  • How that information is collected, stored and used,
  • Third party information,
  • Choices users have for limiting this data collection/use,
  • International issues (some countries have specific privacy requirements that need to be met), and
  • How to report a violation, etc.

Here's an example of a typical Privacy Policy table of contents page.

Note: You don't need to include a table of contents with your Privacy Policy. This image is just to show a visual summary of topics commonly included in a policy.

Table of Contents of Terms & Conditions of LivingFor

Clauses for Terms and Conditions of SaaS

The following clauses are incredibly important and commonly found in Terms and Conditions agreements for SaaS apps across industries:

  • Limitation of Liability
  • Termination of Use
  • Fees and Payments
  • Acceptable Use
  • Copyright Policy
  • Mandatory Arbitration

Limitation of Liability clause

This clause lets users know that you will not be liable for certain things that can happen as the result of using the app, such as lost profits, lost data, computer failures and other types of damages.

It's an important clause to include so that your users will agree to not hold you responsible or attempt to hold you responsible if something happens.

Here's an example of a clause in Salesforce's Terms of Service page that limits liability:

Salesforce Terms of Service: Liability of Services clause

Here's another example of a liability limiting clause from Oracle's Terms of Use page. Note the common inclusion of certain terms like indirect, special, consequential, incidental, and other types of damages.

Oracle Terms of Use: Limitation of Liability

Termination of Use clause

It's important for you to maintain control over your SaaS app, and part of this control is in your "Termination of Use" or "Termination" clause.

This clause is where you reserve the right to terminate any account or any user's access to your app. You can include information about what user activity would trigger a termination, as well as reserve a general right to terminate for any cause you deem fit.

Here's an example of a "Termination of Use" clause from Oracle's Terms of Use page again:

Oracle Terms of Use: Termination of Use clause

Note how Oracle states that it "may, in its sole discretion, at any time, terminate or limit" account access. Issues that specifically trigger a potential termination are listed, including infringement of copyrights.

The "Termination" clause in Dropbox's Terms of Service page lets users know that Dropbox can terminate a user's account at any time and that a user can also stop using the services at any time and terminate her account.

Specific information that could affect a user's account activation is included, like letting a user know that if an account goes unused for 12 consecutive months, it may be deleted.

Dropbox Terms of Service: Termination clause

DocuSign has a "Term and Termination" clause where information is further broken down by category. Termination by subscribers is separate from termination by DocuSign, which helps draw attention to each section:

DocuSign Terms of Use: Term and Termination clauses

Information about when a term begins, as well as how automatic term renewals work, is included in this section:

DocuSign Terms of Use: The Term of Agreement clause

The final paragraph in this clause informs users about what will happen to their accounts upon termination, including information about fees, accessibility, and rights and responsibilities of both parties:

DocuSign Terms of Use: Effect of Termination clause

The most important thing to include in this clause is your right to terminate an account at your discretion.

Fees and Payments clause

Most SaaS apps have some sort of fee and payment structure where users can pay different prices depending on which subscription level they've selected or signed up for.

For example, Dropbox lets users get billed yearly or monthly:

Screenshot of Dropbox subscription plan types

Dropbox also has a business plan, with different prices per month and per user:

Screenshot of Dropbox Business subscription plans

Offering different plans and subscriptions to your SaaS service means that you'll want to make sure your users know exactly what their responsibilities are when it comes to paying your fees. This will keep your customers happy and keep your income flowing.

Box includes a "Fees and Payments" clause where there's a separate section for fees and one for payments.

The "Fees" section includes information about how changes in fees will affect a user, what cancelling an account means when it comes to fees that still remain, and other relevant information:

Box Terms of Service: Fees clause

The "Payment" section discusses when billing will occur, what form of payment is accepted, refund information, late fees and collections:

Box Terms of Service: Payment clause

This clause is where you let your users know how they should pay, when they should pay, and what happens if they don't pay.

Acceptable Use clause

A Terms and Conditions agreement provides information to your users so they're aware of what their rights, restrictions, and obligations are.

An "Acceptable Use" clause is where you can explicitly let your users know what actions and activities they're expected to not do when it comes to your SaaS app.

Here's an example of an "Acceptable Use" clause from Box:

Box Terms of Service: Acceptable Use clause

As you can see, these clauses tend to be very in-depth, long and robust. Common prohibitions in these clauses include the following:

  • No modifying, altering, reverse engineering or tampering with the software,
  • No harassing other users
    • No spam, solicitation, etc.
  • No posting inappropriate content
    • No hate speech, inflammatory or derogatory content, etc.
  • No unlawful behavior,
  • No attempting to circumvent the payment policy to obtain free services

While you don't have to include absolutely everything that you forbid, it's a good idea to include a very thorough list and then also include a sentence that retains your right of discretion to decide if something is acceptable or not if a question arises.

Dropbox includes a clause titled "Your Responsibilities" where users are informed that they must comply with Dropbox's Acceptable Use Policy:

Dropbox Terms of Service: Your Responsibilities

This separate policy is simply a list of what uses Dropbox doesn't allow. It's similar to the material that Box includes in its "Acceptable Use" clause.

While Dropbox could have included this text directly within an "Acceptable Use" clause, keeping it separate helps it stand out and draws attention to it.

Screenshot of Dropbox Acceptable Use Policy

Oracle takes the opposite approach and just includes a short and simple clause that forbids unlawful and prohibited use, and that has users agree to not use Oracle or Oracle content for any purpose that is either illegal or prohibited by the rest of the Terms of Use:

Oracle Terms of Use: Prohibited Use clause

Copyright Policy

Your Copyright Policy clause will protect your own property rights and the rights of your users.

Make it clear that users cannot "post, modify, distribute or reproduce in any way copyrighted or other proprietary materials without obtaining the prior written consent of the copyright owner."

You should also provide a way for users to report claims of copyright infringement to you.

Cisco includes a list of what needs to be provided, in writing, in order to report a copyright infringement violation, and also includes a mailing and email address where the notice can be sent:

Cisco Terms & Conditions: Copyright Policy and DMCA

While some copyright clauses may be short and basic, other SaaS apps require more in-depth and extensive information to be provided.

Oracle, for example, has a "Copyright/Trademark" clause in its standard Terms of Use.

However, there are additional separate sections linked here for Oracle trademarks information, and for information on making a claim of copyright infringement.

This lets Oracle keep its Terms of Use to a manageable and minimum length while still providing thorough, important information to its users through links and linked pages.

Oracle Terms of Use: Screenshot on Copyright/Trademark information

Arbitration clause

Many businesses prefer arbitration over litigation for a number of reasons. If you wish to be able to enforce mandatory arbitration in the event that someone sues you, you will need to include an arbitration clause in your Terms and Conditions.

DocuSign includes information about arbitration and other legal issues in its Terms and Conditions in a "Mandatory Arbitration" clause with a number of sub-sections.

The very first sentence of this clause is in all capital letters and very clearly and concisely states that "any controversy or claim arising out of or relating to this agreement, DocuSign signature or the site will be resolved by binding arbitration conducted before one arbitrator, rather than in court."

DocuSign Terms and Conditions: Mandatory arbitration

Remember, the Terms and Conditions is where you put forth as much information as possible that your user needs to know and needs to agree to abide by when using your app.

Clauses for Privacy Policy of SaaS

A Privacy Policy is required by law for SaaS apps if you collect, store, or use any personal information from your users. Personal information can be something as simple as an email address.

The nature of SaaS is that you're likely collecting and using a lot of personal information from your users, including payment information, home address, full name details, and so on.

Your Privacy Policy will be where you let users know:

  • What information you collect and how you collect it,
  • How you/third parties use it (sharing), and
  • Information about cookies, web beacons and other tracking tools in use.

Collecting Personal Information

Salesforce breaks down its Privacy Policy into basic summarized sections for each topic, then provides a link at the end of the summary where users can find more information about that specific section:

Salesforce Privacy Policy: Information collected

The summaries give a general overview of the topic, letting a user know that "when you purchase salesforce.com's applications or services, the Company will ask you to provide billing information," and that "salesforce.com may use the information collected to improve the Company's Web sites and Services."

When a user clicks on the links to find out additional information, she's given more detailed information about the summarized points, such as:

"When purchasing the Services or registering for an event, Salesforce may also require you to provide the Company with financial qualification and billing information such as billing name and address, credit card number, and the number of employees within the organization that you will be using the Services. Salesforce may also ask you to provide additional information, such as company annual revenues, the number of employees, or industry."

Salesforce Privacy Policy: Information collected extended as additional information

You can see the difference there between the summary version and the full version. However, so long as you are letting users know what information you collect and how you do so, even in basic and simple, straightforward terms, you'll be compliant.

Using Personal Information

Oracle's Privacy Policy lets users know how their information is used and shared with other parties by providing a short summary phrase with additional details after it. This makes it very easy for users to scan through this policy for information they're seeking.

Oracle Privacy Policy: How we use and share information

Box creates a simple and easy-to-read list within its Privacy Policy of all of the ways collected information may be used, including to "process and deliver contest or sweepstakes entries and rewards," "send you technical notices, updates, security alerts and support and administrative messages," and to "provide, operate, maintain and improve the Box services."

Box Privacy Policy: Use of information

Dropbox lets users know with whom information is shared by providing a short summary phrase and additional details.

The first sentence says that information will not be sold to advertisers or other third parties, but that information may be shared with parties including others working for Dropbox (including third parties), other users, other applications, and for legal compliance:

Dropbox Privacy Policy: With whom we share information

Remember to not only let users know how you will be using their information but how any third parties will be, as well.

Cookies and Do Not Track

If your SaaS app engages in tracking via cookies or other tracking technologies, or allows a third party to do so, CalOPPA (The California Online Privacy Protection Act) requires that you disclose this tracking to your users, as well as provide a way for a user to opt out of this tracking.

This Do Not Track requirement helps provide transparency for your users who wish to maintain a greater control over their privacy.

Oracle lets users know that they are able to opt out of certain types of cookies through the cookies preference tool, and that these preferences must be set again on different browsers or computers. A link is then provided to their Cookie Preferences page:

Oracle Privacy Policy: Cookies and Do Not Track

DocuSign provides opt-out links for a number of different services that help users remove cookies and tracking.

Their "California Do Not Track Disclosure" information is included in its own clearly-titled section where users are informed that no browser-initiated Do Not Track signals are recognized at the moment due to industry standards not being finalized yet.

DocuSign Privacy Policy: Do Not Track and links to opt-out

Those are the 9 basic legal clauses that no SaaS app legal agreement collection should be without.

These 6 belong in your Terms and Conditions:

  • Limitation of Liability
  • Termination of Use
  • Fees and Payments
  • Acceptable Use
  • Copyright Policy
  • Mandatory Arbitration

These 3 belong in your Privacy Policy:

  • What information you collect and how you collect it,
  • How you/third parties use it (sharing), and
  • Information about cookies, web beacons and other tracking tools in use
