You're about to launch. The product works. The website looks professional. Everything's ready.

Then someone asks: "Do you have all your legal documents in place?"

You panic. Privacy policy? Terms of service? Cookie policy? Refund policy? Shipping policy? Data processing agreement? Service level agreement? Acceptable use policy?

Deep breath. You don't need all of those. Not yet.

This guide shows you exactly which policies to create first, when to add more, and how to prioritize as you grow.

The Day-One Essentials

Before you accept your first customer, process your first payment, or collect your first email address, you need exactly two documents.

Privacy Policy (Legally Required)

A Privacy Policy is mandatory if you collect any personal information. And yes, that includes:

  • Email addresses (even for a simple newsletter signup)
  • Names and contact information
  • IP addresses (which every website automatically collects)
  • Payment information
  • Cookies and tracking data (Google Analytics counts)
  • Device information from mobile apps

In other words: if you have a website, app, or online presence, you need a Privacy Policy.

Why it's required:

  • GDPR (EU): Mandatory for anyone serving EU users
  • CCPA (California): Required if you meet revenue or data thresholds
  • State laws: Many US states now require privacy policies
  • Apple & Google: App stores require privacy policies for all apps, no exceptions
  • Ad platforms: Google Ads and Facebook Ads require them
  • Payment processors: Stripe and PayPal often require them

What it should include:

  • What data you collect and why
  • How you use and protect that data
  • Who you share it with (analytics tools, email providers, hosting)
  • User rights (access, deletion, opt-out)
  • Cookie usage
  • Contact information for privacy questions

Terms and Conditions (Highly Recommended)

While not always legally required, Terms and Conditions are your first line of defense against disputes, chargebacks, and legal issues.

What Terms and Conditions protect you from:

  • Liability: Limit your responsibility for product issues, service interruptions, or user mistakes
  • Disputes: Define how conflicts will be resolved (arbitration, mediation, governing law)
  • Misuse: Set rules for acceptable use of your product or service
  • IP theft: Protect your content, designs, and branding
  • Refund abuse: Define your policies on refunds, cancellations, and returns

What it should include:

  • Who can use your service (age restrictions, geographic limits)
  • Account registration and user responsibilities
  • Payment terms and pricing
  • Intellectual property rights
  • Limitation of liability and disclaimers
  • Termination rights (yours and theirs)
  • Governing law and dispute resolution

Quick Rule

Privacy Policy + Terms and Conditions are the absolute minimum for any online business. Create these before you launch. Everything else can wait.

When You Add Tracking or Analytics

Cookie Policy (Required for EU Visitors)

If you use any of these tools, you're using cookies and need a Cookie Policy:

  • Google Analytics
  • Facebook Pixel or TikTok Pixel
  • Hotjar or other heatmap tools
  • Intercom or chat widgets
  • Advertising platforms
  • Session replay tools

Under GDPR, you must:

  • Disclose what cookies you use
  • Explain why you use them
  • Get consent before setting non-essential cookies
  • Provide a way to opt out

When to add it: The moment you install Google Analytics, Facebook Pixel, or any tracking script on your website.

Pro tip: Many businesses combine their Cookie Policy into their Privacy Policy as a dedicated section. This is perfectly acceptable and reduces the number of separate documents to maintain.

If You Sell Physical or Digital Products

Refund and Return Policy (Required in Most Cases)

If you sell products (physical or digital), a refund policy is typically required by:

  • Consumer protection laws (especially in EU, UK, Australia)
  • Ecommerce platforms (Shopify, WooCommerce, BigCommerce)
  • Marketplaces (Amazon, Etsy, eBay)
  • Payment processors (Stripe and PayPal require clear refund terms)

What it should cover:

  • Return window (e.g., 30 days from delivery)
  • Conditions for returns (product must be unused, in original packaging)
  • Who pays return shipping
  • How refunds are processed (original payment method vs. store credit)
  • Non-returnable items (personalized products, digital goods, sale items)
  • Defective or damaged item policy
  • Processing time for refunds (e.g., 5-10 business days)

Important: EU Right of Withdrawal

In the EU, consumers have a legal right to return most goods within 14 days for any reason—even if your policy says "no returns." You cannot override this right. Plan your business model accordingly.

Shipping Policy (Recommended for Ecommerce)

A shipping policy sets expectations and dramatically reduces "Where is my order?" support requests.

What it should cover:

  • Processing time before shipment
  • Shipping carriers and methods available
  • Estimated delivery times (domestic and international)
  • Shipping costs (free thresholds, flat rate, calculated at checkout)
  • Order tracking process
  • Lost or delayed package policy
  • International shipping, customs, and duties

When to add it: As soon as you start shipping physical products. If you're digital-only (SaaS, courses, downloads), you don't need this.

If You Run a SaaS or Subscription Business

Service Level Agreement (Recommended for B2B SaaS)

An SLA defines what level of service customers can expect:

  • Uptime guarantees (e.g., 99.9% uptime)
  • Support response times
  • Maintenance windows
  • Compensation for downtime (service credits, refunds)

When you need it:

  • When selling to enterprise customers (they'll ask for it)
  • When you want to differentiate on reliability
  • When you're ready to commit to specific performance standards

Don't create an SLA until you're confident you can meet the commitments. An SLA you can't honor is worse than no SLA.

Data Processing Agreement (Required for EU B2B SaaS)

If you process customer data on behalf of your B2B customers (especially EU-based ones), you need a DPA. This includes:

  • CRM systems
  • Email marketing platforms
  • Analytics tools
  • Project management software
  • Any SaaS that handles end-user data

When to add it: When you land your first B2B customer, especially enterprise or EU-based customers. Many will ask for it during the sales process. Have it ready.

Acceptable Use Policy (Recommended for SaaS)

An AUP defines what users can and can't do with your service. It protects you from:

  • Spamming through your platform
  • Illegal activity (piracy, phishing, malware distribution)
  • Abuse or harassment
  • Excessive resource usage that impacts other users

When to add it: Once you have active users and want to define boundaries for acceptable behavior. Not day one, but soon after launch.

Decision Framework: What Do You Need Right Now?

Business Type                    | Day 1 Essentials                                      | Add Soon
---------------------------------|-------------------------------------------------------|------------------------------------
Basic Website / Blog             | Privacy Policy, Terms & Conditions                    | Cookie Policy (if using analytics)
Ecommerce Store                  | Privacy Policy, Terms & Conditions, Refund Policy     | Shipping Policy, Cookie Policy
SaaS (B2C)                       | Privacy Policy, Terms of Service                      | AUP, Cookie Policy
SaaS (B2B)                       | Privacy Policy, Terms of Service, DPA                 | SLA, AUP, Cookie Policy
Mobile App                       | Privacy Policy, Terms of Service                      | EULA (if selling the app), AUP
Online Course / Digital Products | Privacy Policy, Terms & Conditions, Refund Policy     | Cookie Policy
Service / Agency                 | Privacy Policy, Terms & Conditions                    | Service Agreement, NDA

Common Mistakes When Creating Your First Policies

Copying Generic Templates Without Customization
A generic template won't reflect your actual business practices. If you collect email addresses but your Privacy Policy doesn't mention it, you're not compliant.

Solution: Use templates as a starting point, but customize them to your specific tools, data practices, and business model.

Creating Too Many Policies at Once
New founders sometimes create 10+ legal documents before launching, thinking it's necessary. This wastes time and creates maintenance overhead.

Solution: Start with Privacy Policy + Terms and Conditions. Add more policies only when you actually need them.

Not Updating Policies as You Grow
Your Privacy Policy from launch day won't be accurate after you add Google Analytics, Facebook Pixel, email marketing, and a CRM.

Solution: Review policies every 6 months or whenever you add new tools or change how you handle data.

Making Policies Hard to Find
Policies buried in a hidden corner of your site don't count as "accessible."

Solution: Link to policies in your website footer, signup forms, checkout pages, and email footers.

Using Legal Jargon Customers Don't Understand
Policies should be written in plain language. If customers can't understand them, they're less effective at building trust.

Solution: Write policies in simple, clear language. Save the legalese for contracts with lawyers.

Policy Evolution Roadmap

Here's how most businesses evolve their legal documents over time:

Month 1: Pre-Launch

  • Privacy Policy
  • Terms and Conditions

Month 2-3: First Customers

  • Refund Policy (if selling products)
  • Cookie Policy (if using analytics)

Month 4-6: Scaling

  • Shipping Policy (if ecommerce)
  • DPA (if B2B SaaS)
  • Update Privacy Policy for new tools (CRM, email marketing, etc.)

Month 7-12: Professionalization

  • SLA (if enterprise customers ask for it)
  • AUP (if you need to define user behavior rules)
  • Custom client contracts (if service-based)
  • NDA templates (if working with partners or contractors)

Year 2+: Maturity

  • GDPR addendums and enhanced compliance
  • Accessibility statements
  • Vendor agreements and master service agreements
  • Employment agreements (if hiring)

Pro Tip

Don't wait until a customer or partner asks for a policy. Create them proactively so you're ready when opportunities arise. Nothing kills a deal faster than "we'll need a few weeks to prepare that document."

Where to Display Your Policies

Privacy Policy:

  • Footer of every page on your website
  • Signup and registration forms (with checkbox: "I agree to the Privacy Policy")
  • App store listings (Apple, Google)
  • Email footer (for newsletters)

Terms and Conditions:

  • Footer of every page
  • Checkout pages (with checkbox: "I agree to the Terms & Conditions")
  • Account creation forms
  • First-time login screens (for apps)

Refund and Shipping Policies:

  • Product pages
  • Checkout flow
  • Order confirmation emails
  • Footer navigation

DPA and SLA (for B2B):

  • Dedicated legal page (e.g., yoursite.com/legal/dpa)
  • Include in sales proposals and contracts
  • Make available for download in customer dashboards

The Bottom Line

Legal policies aren't just checkboxes for compliance—they're trust signals. When customers see that you have clear, professional policies in place, it signals that you're a legitimate, trustworthy business.

Start simple. Privacy Policy + Terms and Conditions will get you through launch. As you grow, add policies that match your business reality—not what you think you "should" have.

And remember: policies aren't set-it-and-forget-it. Review them quarterly, update them when you add new tools or services, and keep them accessible.

Your future self (and your customers) will thank you.