GDPR Privacy Policy for SaaS 2026 — Complete Guide
If you're building a SaaS product and accepting users from the European Union, GDPR compliance is not optional. A privacy policy is the starting point — but it needs to be specific to your actual data practices, not a generic template copied from another company's website.
This guide covers everything SaaS founders need to know about GDPR privacy policy requirements in 2026.
Who Does GDPR Apply To?
GDPR (General Data Protection Regulation, EU 2016/679) applies to:
- Any company established in the EU, regardless of where its users are located
- Any company outside the EU that offers goods or services to EU residents
- Any company that monitors behavior of people in the EU (analytics, tracking)
If you're a US-based SaaS startup with EU customers, GDPR applies to you. Full stop.
What Must a SaaS Privacy Policy Include?
Under GDPR Article 13, your privacy policy must include:
1. Identity of the Data Controller
Your company's full legal name, registered address, email address, and, if applicable, the Data Protection Officer (DPO) contact details.
2. Purposes and Legal Basis
Every processing activity needs a legal basis under Article 6:
- Art. 6(1)(a) — Consent (for marketing, optional analytics)
- Art. 6(1)(b) — Performance of contract (account management, service delivery)
- Art. 6(1)(c) — Legal obligation (invoicing, tax records)
- Art. 6(1)(f) — Legitimate interests (fraud prevention, security)
3. Data Categories
Be specific about what you collect:
- Account data: name, email, password hash
- Payment data: billing address, last 4 card digits (if you use Stripe, they handle the rest)
- Usage data: feature usage, session data, API calls
- Technical data: IP addresses, browser type, device identifiers
- Support data: chat logs, bug reports, email communications
4. Third-Party Processors
Every third-party tool that handles personal data on your behalf is a data processor. You must disclose them all:
Common SaaS stack disclosures:
- Stripe — payment processing (DPA available, US-based)
- AWS / Google Cloud — infrastructure (DPA available, Standard Contractual Clauses for EU transfers)
- Intercom / Crisp — customer support chat
- Mixpanel / Amplitude / PostHog — product analytics
- Segment — data pipeline
- Mailchimp / Customer.io / Brevo — transactional and marketing email
- Cloudflare — CDN and DDoS protection
- Sentry — error tracking (may contain PII in stack traces)
- HubSpot / Salesforce — CRM
5. International Data Transfers
If your processors have servers outside the EEA (which most US SaaS tools do), you must disclose this and state the transfer mechanism:
- Adequacy Decision — for countries deemed adequate (UK, Canada, Israel)
- Standard Contractual Clauses (SCCs) — most common for US transfers
- Data Privacy Framework (DPF) — US-EU framework; Stripe, Google, and AWS participate
6. Retention Periods
GDPR requires specific retention periods. Don't write "as long as necessary." Common SaaS retention periods:
- Account data: until account deletion + 30 days (for recovery), then permanent deletion
- Payment records: 7 years (legal obligation in most EU countries)
- Usage logs: 12 months
- Support tickets: 3 years after resolution
- Marketing opt-ins: until consent is withdrawn
7. User Rights
Your privacy policy must list all GDPR rights:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / "right to be forgotten" (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
Include instructions on how to exercise these rights (e.g., email privacy@yourcompany.com).
8. Supervisory Authority
Inform users of their right to lodge a complaint with a supervisory authority. If your company is established in the EU, list your lead supervisory authority. If outside the EU, list a relevant EU authority (often the authority in the country of your EU representative).
SaaS-Specific Privacy Considerations
Customer Data vs. User Data
In B2B SaaS, you have two layers of data subjects:
- Your customers (the companies) — who have accounts and pay you
- End users (their employees) — who use the product on behalf of your customers
Your privacy policy covers your customers. Your customers' privacy policies cover their end users. You are the data controller for your customers' data; for end user data, you are typically a data processor for your customer (who is the data controller).
This matters for your DPA (Data Processing Agreement), which B2B SaaS companies must have with their customers.
Free Trial Users
Free trial users are still data subjects with full GDPR rights. Don't assume you can process trial data without compliance — you still need a legal basis (typically contract performance or legitimate interests).
Analytics and Product Telemetry
If you collect usage analytics (feature flags, error tracking, performance monitoring), this is personal data if it can be linked to individual users. You need:
- A legal basis (usually legitimate interests for product improvement)
- Disclosure in your privacy policy
- An opt-out mechanism in some cases
Common GDPR Mistakes SaaS Founders Make
Using someone else's privacy policy — copying a template from another SaaS violates GDPR if it doesn't reflect your actual practices. Regulators check.
Listing "legitimate interests" as the basis for everything — legitimate interests requires a balancing test. It's not a catch-all justification.
No data processing agreements with sub-processors — if you use third-party tools to process customer data, you need DPAs with each of them.
Ignoring Sentry and error tracking — these tools capture stack traces that often contain PII (user IDs, email addresses, API payloads). Treat them as processors.
Not having a process to fulfill DSARs (Data Subject Access Requests) — you have 30 days to respond. Build this into your support process from day one.
Getting Compliant Without a Legal Team
Most early-stage SaaS companies can't afford a privacy lawyer. Here's a pragmatic path to compliance:
- Generate a customized privacy policy using an AI tool that understands your specific tech stack (not a generic template).
- Add a cookie consent banner — use a tool like Cookiebot or Axeptio, or build your own.
- Sign DPAs with all sub-processors — most major tools have a standard DPA in their settings.
- Set up a privacy@yourcompany.com email — and commit to responding within 30 days.
- Add a privacy policy link to your footer — visible on every page.
Conclusion
A GDPR-compliant privacy policy for SaaS in 2026 is specific, complete, and honest about your data practices. It's not a legal formality — it's a signal to your enterprise customers that you take data protection seriously.
For early-stage founders, the fastest path to a compliant document is using an AI-powered generator that knows your tech stack and generates documents specific to your business — not generic templates.