Terms of Service and Privacy Policy Drafting for SaaS

AT A GLANCE

  1. SaaS terms of service are not website terms and conditions — they govern an ongoing software subscription relationship covering uptime, feature changes, data ownership, termination, and liability. Generic website terms do not address any of these.
  2. A privacy policy for a SaaS product must describe how the product specifically processes data — account data, usage logs, in-app data — not just how the company’s website uses cookies.
  3. Enterprise clients routinely review terms of service and privacy policies during vendor due diligence — documents that are incomplete, use non-standard language, or contradict the DPA create friction in the sales cycle.
  4. We draft all SaaS legal documentation specifically for the product, not from a generic template — the terms reflect how the software is actually delivered, priced, and terminated.
  5. A complete SaaS documentation package — terms of service, privacy policy, cookie policy, acceptable use policy, and data processing addendum — is available as a bundled fixed-fee engagement.

Terms of service and privacy policy drafting for SaaS means producing the user-facing legal documents that govern the subscription relationship and describe data processing in plain, accurate, enforceable language. For SaaS companies, these documents serve two audiences simultaneously: end users who need to understand what they are agreeing to, and enterprise procurement teams who review them for legal compliance, liability exposure, and GDPR adequacy. We draft all documents specifically for the SaaS product — reflecting how the software is delivered, what data it processes, how pricing works, and how either party can exit the relationship — in English, with Lithuanian versions where required.

Why SaaS Terms and Privacy Policies Are Different

The most common mistake SaaS companies make with their legal documentation is using a generic template — either a website terms template adapted for software, or a template downloaded from a terms generator tool. Generic templates produce documents that are either too broad (covering activities the company does not engage in) or too narrow (missing the SaaS-specific provisions that matter when something goes wrong).

Terms of service: the contract that governs ongoing access

A SaaS terms of service is a fundamentally different document from an e-commerce terms and conditions. The e-commerce terms govern a one-time transaction: the customer buys a product, receives it, and the relationship is largely complete. The SaaS terms govern an ongoing relationship: the customer pays for continuous access to software, the company delivers the software continuously, and the relationship involves ongoing obligations on both sides — uptime, support, feature changes, data handling, and eventually termination. A terms document that does not address these ongoing dimensions — what happens when the software is unavailable, whether the company can change features unilaterally, who owns the data the customer enters, how much notice is required to terminate — fails at its fundamental commercial purpose.

Privacy policy: specific to the product, not the website

The privacy policy for a SaaS product must describe how the product itself processes personal data — not just the website. Most generic privacy policies describe cookie tracking, contact form submissions, and email marketing. A SaaS product processes far more: account registration data, profile information, user activity within the platform, documents or records uploaded by users, communications through the product, integration data from connected third-party tools, and analytics data about product usage. A privacy policy that does not accurately describe these processing activities is non-compliant with GDPR Article 13 (which requires transparency about all processing at the point of data collection) and creates misleading impressions about what the company actually does with user data.

Enterprise review: the commercial dimension

Enterprise procurement teams review SaaS terms and privacy policies as a standard part of vendor onboarding. They are looking for specific provisions: a clear liability cap (and its amount), a warranty disclaimer, data ownership clauses that confirm the customer owns their data, a data portability provision confirming data can be exported on request, a termination clause with adequate notice periods, and a change-of-terms provision that does not allow the company to change material terms unilaterally. A privacy policy reviewed by an enterprise DPO must accurately describe all sub-processors and contain a reference to the data processing agreement. Documents that fail these checks — through absence, ambiguity, or contradiction — are returned with comments, adding days or weeks to the sales cycle.

Documents We Draft for SaaS Companies

We prepare the complete suite of user-facing legal documents for SaaS products. Each is drafted specifically for the product — not from a generic template — and updated as the product and regulatory environment evolve.

SaaS Terms of Service

What it covers: The contract governing software access — what the company delivers, what it is liable for, who owns the data, and how either party can exit.

  • Licence grant — the scope of the software licence (seat-based, usage-based, or enterprise-wide); permitted uses; restrictions
  • Acceptable use — what users may and may not do with the software; consequences of violation
  • Service levels — uptime commitments (if any); what constitutes downtime; scheduled maintenance windows
  • Support terms — support tiers, response times, scope of support, exclusions
  • Fees and payment — subscription pricing, billing cycle, payment methods, late payment, price change provisions
  • Data ownership — who owns the data the customer enters into the platform; what the company can and cannot do with it
  • Data portability — customer's right to export their data; format and timeline
  • Intellectual property — company's ownership of the software; customer's ownership of their content
  • Liability cap — maximum aggregate liability of the company; exclusions of consequential and indirect loss
  • Warranty disclaimer — what the company does and does not warrant about the software
  • Modifications — company's right to modify the software and terms; notice period; customer's right to terminate if changes are material
  • Termination — grounds for termination by either party; notice period; effect of termination; data handling post-termination
  • Governing law — Lithuanian law; Lithuanian courts; EU consumer protection minimums preserved where applicable

The liability cap — the single most important clause

For a SaaS company, the liability cap in the terms of service is the single most commercially significant legal clause. Without a cap, a customer whose business was disrupted by a platform outage can claim unlimited damages — potentially orders of magnitude greater than the annual subscription value. A standard cap limits aggregate liability to 12 months of subscription fees paid. Some enterprise clients negotiate higher caps for specific risk categories; the starting position should always be a cap, never unlimited liability. We build a liability cap into every SaaS terms of service we draft, and advise on what cap level is commercially appropriate for the product's risk profile.

SaaS Privacy Policy

What it covers: The GDPR-required transparency document describing all personal data processing activities of the SaaS product — specific to the product, not a generic website policy.

  • Identity and contact details of the data controller — company name, registration number, registered address, data protection contact
  • Categories of personal data processed — account data, usage data, in-product data, integration data, support communications
  • Purposes and legal basis — what the data is used for; the lawful basis for each processing activity (contract, legitimate interest, consent, legal obligation)
  • Data retention periods — how long each category of data is retained; criteria for determining retention where no fixed period applies
  • Third-party sharing — who the data is shared with; sub-processors (AWS, Stripe, analytics tools); the basis for sharing
  • International data transfers — where data is processed geographically; transfer mechanisms for non-EEA processing
  • Data subject rights — list of rights; how to exercise them; timeframes for response; right to complain to the SDPI
  • Automated decision-making — whether any automated processing has significant effects on users; information required by Article 22
  • Cookie and tracking information — types of cookies set; purposes; link to the cookie policy for detail
  • Contact information for data protection queries and the DPO (if appointed)

Product-specific privacy policy vs. generic

A GDPR-compliant privacy policy must describe all personal data processing at the point of collection — meaning it must accurately reflect what the SaaS product actually does with user data. A policy that describes only website cookies and contact form submissions, but not the processing of data entered into the product by users, is non-compliant with GDPR Articles 13 and 14. Enterprise DPOs reviewing vendor privacy policies check whether the processing activities described match the actual data flows. Discrepancies between the policy and the actual processing are a GDPR finding and a commercial red flag. We draft privacy policies from an analysis of the actual product data flows, not from a generic template.

Cookie Policy and Consent Banner Specification

What it covers: The GDPR-required disclosure of cookie and tracking technology usage, plus technical specification for a compliant consent mechanism.

  • Cookie categories — strictly necessary, functional, analytics, marketing, and third-party cookies; listed with purpose and duration
  • Specific cookie list — named cookies with issuer, category, purpose, and expiry for each
  • Consent mechanism description — how consent is obtained for non-essential cookies; how to change or withdraw consent
  • Third-party cookie issuers — naming the analytics, advertising, and support tools that set cookies
  • Consent banner technical specification — GDPR-compliant consent implementation requirements for the developer
  • No pre-ticked boxes — specification confirming that consent banners do not use pre-selected options
  • Equal prominence requirement — reject button must be as easily accessible as the accept button
  • Consent record requirements — what consent data must be stored and for how long

Acceptable Use Policy (AUP)

What it covers: Defines what users may and may not do with the SaaS platform — protecting the company from liability for user-generated content and prohibited activities while establishing clear grounds for account suspension.

  • Permitted uses — the categories of lawful, intended use of the software
  • Prohibited activities — specific list of prohibited uses: illegal content, harassment, spam, IP infringement, reverse engineering, security testing without authorisation
  • Security obligations — what users must do to protect their account credentials and prevent unauthorised access
  • Content standards — requirements for user-generated content where the platform allows it
  • Reporting obligations — how users should report violations by other users or security incidents
  • Consequences of violation — company's rights on violation: warning, suspension, termination; preservation of legal claims
  • Enforcement provisions — company's right to investigate suspected violations and cooperate with legal authorities

Data Processing Addendum (DPA) for B2B Terms

What it covers: The GDPR Article 28 processor agreement embedded in or attached to the SaaS terms — covering all processing of client user data by the SaaS platform, satisfying the mandatory requirement for a documented processing agreement with every B2B client.

  • Subject matter and duration — what data is processed and for how long
  • Nature and purpose of processing — the specific processing activities performed by the SaaS platform on behalf of the client
  • Type of personal data and categories of data subjects — identifying what data categories the platform processes
  • Processor obligations — the full Article 28(3) list: process only on instructions; confidentiality; security measures; sub-processor management; assist with data subject rights; breach notification; deletion or return; audit cooperation
  • Security annex (Technical and Organisational Measures) — the security framework applied to client data
  • Sub-processor provisions — current sub-processor list; notification procedure for additions; client objection mechanism
  • International data transfer clause — Standard Contractual Clauses for processing outside the EEA
  • Data return and deletion schedule — timeline and format for returning or deleting client data on termination

End-User Licence Agreement (EULA)

What it covers: For SaaS products with a downloadable or installable component — a desktop application, mobile app, browser extension, or locally installed software — an EULA governs the licence to use that specific software element alongside the web-based subscription.

  • Software licence — the specific licence grant for the downloadable/installable component; permitted platforms and devices
  • Installation and system requirements — what the user must have to install the software
  • Restrictions on use — no reverse engineering, decompilation, or modification of the software
  • Updates and versions — company's right to issue updates; automatic update provisions; version support lifecycle
  • Termination — how the licence terminates; obligation to delete the software on termination
  • Relationship to subscription terms — how the EULA interacts with the overarching SaaS subscription agreement
  • Warranty and liability — limited warranty for the software; consistent with the main terms liability cap

What Enterprise Clients Check in Your Terms and Privacy Policy

Enterprise procurement teams and their legal counsel follow a consistent review pattern when evaluating a new SaaS vendor’s legal documentation. Understanding what they check — and ensuring it is present and clearly drafted — reduces legal review time and accelerates contract closure.

| What They Check     | In Terms of Service                                                                                   | In Privacy Policy                                                                  |
|---------------------|-------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------|
| Liability cap       | Is there a cap? What is the amount? Are there any uncapped categories?                                | N/A                                                                                |
| Data ownership      | Does the company claim any rights to customer data? Can it use data for its own purposes?             | Is customer data used for model training, analytics, or product improvement?       |
| Data portability    | Can the customer export their data? In what format? Within what timeframe?                            | What format is data provided in for portability requests?                          |
| Termination         | What notice is required? What happens to data after termination? Is there a grace period?             | What is the data retention period after account closure?                           |
| Service level       | Is there an uptime commitment? What is the remedy for downtime?                                       | N/A                                                                                |
| Change of terms     | Can the company change terms unilaterally? What notice is given? Can the customer exit?               | Does the company update the privacy policy? How is notice given?                   |
| Sub-processors      | N/A                                                                                                   | Are sub-processors listed? Are international transfers covered by SCCs?            |
| DPA cross-reference | Is there a DPA or DPA addendum referenced in the terms?                                               | Does the privacy policy reference the DPA for B2B processing?                      |
| Governing law       | Which law? Which courts? Are EU consumer minimums preserved?                                          | Which supervisory authority? SDPI identified?                                      |

What Generic Templates Get Wrong for SaaS

Generic terms and privacy policy templates — whether from a generator tool, a legal template library, or borrowed from another company’s website — consistently fail SaaS companies in predictable ways. Here are the most common problems we find when reviewing existing documentation.

No liability cap

The most common gap in generic SaaS terms. Most website terms templates do not include a liability cap because they were written for lower-stakes commercial relationships. A SaaS company operating under terms with no liability cap is exposed to claims unlimited by subscription value — which can be catastrophic in the event of a significant incident. We add or replace this provision in every terms review engagement.

Incorrect or missing data ownership clause

Generic templates frequently contain vague language about data — ‘we may use your data to improve our services’ — without being specific about whether this means the customer’s data is used to train models, benchmark performance, or build aggregate insights. Enterprise clients read these clauses carefully. Ambiguous language triggers requests for clarification that delay contracts. A clear, specific data ownership clause — confirming that customer data belongs to the customer and describing precisely what the company does and does not do with it — eliminates this friction.

No data portability provision

Users have a right under GDPR to receive their personal data in a structured, commonly used, machine-readable format. For SaaS products, this means the customer must be able to export their data when they want to leave — not just at account closure. Terms that are silent on data portability leave the company exposed to GDPR data portability requests and enterprise procurement questions about lock-in. We include a specific portability clause in every SaaS terms engagement.

Privacy policy describes the website, not the product

The most common privacy policy problem for SaaS companies. The privacy policy was written to describe the company’s website — cookies, contact forms, email marketing — and then repurposed as the product privacy policy without being updated to reflect what the product actually does. An enterprise DPO reviewing the policy against the actual product data flows will identify the discrepancy immediately. We draft privacy policies from an analysis of the product’s actual data processing activities.

Terms and privacy policy contradict the DPA

For B2B SaaS companies that have a separate DPA, the terms and privacy policy must be consistent with it. If the terms say the company may use customer data for analytics, but the DPA says the company processes data only on the customer’s instructions — the documents contradict each other. Enterprise legal teams flag contradictions because they create ambiguity about which document controls. We draft all documents as an integrated set — ensuring terms, privacy policy, and DPA are internally consistent.

Document Drafting Prices

All documents are priced at fixed fees — delivered in English in editable format, ready for review and publication. Lithuanian versions are provided for any document required by Lithuanian law to be in Lithuanian. Documents are drafted specifically for the SaaS product — not from a generic template.

| Document / Service                                                                    | Scope                                                                                                                                     | Price                |
|---------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------|----------------------|
| SaaS terms of service — standard (B2B)                                                | Full subscription terms including licence, SLA, liability cap, data ownership, termination; English + Lithuanian                          | €900                 |
| SaaS terms of service — B2C (consumer-facing)                                         | Standard terms plus EU Consumer Rights Directive mandatory provisions; withdrawal rights and consumer protections                          | €1,250               |
| SaaS terms of service — freemium model                                                | Covering both free and paid tiers; upgrade and conversion provisions; feature restrictions between tiers                                  | €1,200               |
| Privacy policy — SaaS product-specific                                                | Full product data mapping input; GDPR Articles 13/14 compliant; sub-processor list referenced; English + Lithuanian                       | €700                 |
| Cookie policy + consent banner specification                                          | Named cookie list; consent banner technical requirements for compliant GDPR implementation                                                | €550                 |
| Acceptable use policy (AUP)                                                           | Prohibited activities, content standards, security obligations, enforcement rights                                                       | €650                 |
| Data Processing Addendum (DPA) — B2B embedded                                         | Article 28-compliant; security annex; sub-processor provisions; SCC clause — as schedule to subscription terms                            | €600                 |
| End-User Licence Agreement (EULA)                                                     | For SaaS products with downloadable or installable components                                                                             | €700                 |
| Existing terms review and gap report                                                  | Written analysis identifying missing provisions, template problems, and priority amendments                                               | €700                 |
| Terms amendment — adding liability cap and data ownership                             | Adding the two highest-priority missing provisions to existing terms                                                                      | €600                 |
| Annual document review and update                                                     | Reviewing existing documents against current regulatory guidance and product changes                                                      | €200–€350 per document |
| Enterprise terms redline response                                                     | Reviewing and responding to client-proposed changes to the standard terms; written commentary                                             | €650                 |
| SaaS standard documentation package (ToS + privacy policy + cookie policy + AUP + DPA) | Five core documents for a compliant B2B SaaS product launch — saving of €500 vs. individual prices                                        | €3,100               |
| Full SaaS documentation suite (all 6 documents including EULA)                        | All six documents — saving of €550 vs. individual prices; includes EULA for products with downloadable components                         | €3,500               |

SaaS standard documentation package — what’s included

The €3,100 package delivers the five documents every B2B SaaS company needs before onboarding clients: terms of service with liability cap and data ownership clause, a product-specific privacy policy, a cookie policy with consent banner specification, an acceptable use policy, and a data processing addendum. All five are drafted as an integrated set — internally consistent, specifically tailored to the product’s actual data processing, and formatted for immediate publication. Commissioning them separately costs €3,600. The package saves €500.

Ready to get your SaaS documentation in order?

Contact us to discuss your product, current documentation status, and immediate priorities. We will confirm which documents are most urgent, provide fixed-fee quotes, and begin drafting within 24 hours of your instruction. The SaaS standard documentation package — five core documents — is available at €3,100.