You're launching a SaaS product. You know you need legal policies. You Google "what policies does my website need."

The results are overwhelming: Privacy Policy, Terms of Service, Cookie Policy, GDPR DPA, CCPA Addendum, Accessibility Statement, Anti-Spam Policy, Copyright Notice, DMCA Policy, Refund Policy, SLA, AUP, EULA...

You close the tab. Maybe you'll deal with this later.

Here's the truth: most businesses need 2-4 policies. The rest are situational—required only if you fit specific criteria (selling physical goods, offering a public API, handling health data, etc.).

This guide breaks down 22 common business documents. Use it as a reference, not a checklist. Jump to the sections relevant to your business, ignore the rest.

You don't need all of these

Most online businesses start with just two: Privacy Policy + Terms of Service. Add others only when they apply to your specific business model or industry.

How to Use This Guide

Each document below includes:

  • What it does: Plain-English explanation
  • Who needs it: Industries, business models, or situations where it's required
  • Where it goes: Footer, checkout, signup flow, etc.



Core Documents

Start here. These are the documents most online businesses publish first—before marketing, onboarding users, or taking payment.

Privacy Policy

What it does: Explains what personal data you collect (emails, IP addresses, cookies), how you use it, who you share it with, and how users can exercise privacy rights.

Who needs it:

  • Any website with a contact form, newsletter signup, or analytics tracking
  • Apps collecting user data
  • Required by GDPR (EU), CCPA (California), and most modern privacy laws

Where it goes: Footer link on every page. Must be accessible before users submit data.

Bottom line: If you have a website, you need this. No exceptions.

Terms of Service (Terms & Conditions)

What it does: Sets the "house rules" for using your product—acceptable use, liability limits, what happens if someone violates the rules, how disputes are resolved.

Who needs it:

  • SaaS products and web apps
  • Online stores selling products or services
  • Platforms with user accounts
  • Any business that wants to limit legal liability

Where it goes: Footer link, signup flow (checkbox agreement), checkout page.

Bottom line: If you sell anything or offer software, you need this.

Non-Disclosure Agreement (NDA)

What it does: Protects confidential information when you share roadmaps, financials, code, or trade secrets with outsiders (investors, partners, contractors).

Who needs it:

  • Raising investment (sharing financials with VCs)
  • Partnering with other businesses
  • Hiring contractors with access to sensitive systems

Where it goes: Not on your website. Sent as a PDF for signature before sharing confidential info.

Bottom line: Optional until you're sharing something sensitive.


Web & Content Compliance

Documents that support cookie banners, content disclaimers, accessibility efforts, and copyright/takedown workflows.

Cookie Policy

What it does: Explains which cookies and tracking pixels you use (Google Analytics, Facebook Pixel, advertising cookies), what they do, and how visitors can manage consent.

Who needs it:

  • Websites with EU or UK visitors (GDPR requirement)
  • Sites using analytics, ads, or third-party tracking

Where it goes: Linked from cookie consent banner. Also footer or Privacy Policy.

Bottom line: Required if you use analytics/ads and have European visitors.

Disclaimer

What it does: Clarifies that your content is general information, not personal advice. Limits liability if someone relies on your blog post and things go wrong.

Who needs it:

  • Finance, investing, or crypto content
  • Health, fitness, or medical information
  • Legal, tax, or business advice content
  • "How-to" guides in regulated areas

Where it goes: Footer of blog posts, or sitewide footer.

Bottom line: If you publish advice-adjacent content, add this.

Accessibility Statement

What it does: Describes your commitment to WCAG/ADA accessibility standards, current accessibility status, known issues, and how users can request accommodations.

Who needs it:

  • Government contractors (legally required)
  • Educational institutions
  • Large public-facing websites
  • Companies demonstrating DEI commitments

Where it goes: Footer link.

Bottom line: Not legally required for most businesses, but increasingly expected.

Anti-Spam Policy

What it does: Shows how you comply with CAN-SPAM (US) and GDPR email rules—how users opt in, how they unsubscribe, and that you don't sell email lists.

Who needs it:

  • Email marketing / newsletters
  • Transactional emails to customers

Where it goes: Email footer (small link), Privacy Policy, or standalone page.

Bottom line: Required if you send marketing emails.

Copyright Policy

What it does: States who owns your website content, how it may be used (or not), and what happens if someone infringes.

Who needs it:

  • Course creators and educational content
  • Media sites and publishers
  • Creative professionals (design, photography, writing)

Where it goes: Footer or legal page.

Bottom line: Optional for most. Useful if content theft is a concern.

DMCA Policy

What it does: Defines how copyright takedown requests are handled and lists your designated DMCA agent. Provides legal safe harbor in the US.

Who needs it:

  • User-generated content platforms (social networks, forums)
  • File hosting or media sharing sites
  • Marketplaces where users upload content

Where it goes: Legal page or Terms.

Bottom line: Critical if users upload content to your platform.

User Content Policy

What it does: Clarifies who owns uploaded content, what's prohibited, and how you may use it (display it, use it for AI training, etc.).

Who needs it:

  • Community platforms and forums
  • AI tools that train on user inputs
  • Any site where users upload files or text

Where it goes: Terms of Service or standalone page.

Bottom line: Required if users create content on your platform.


E-commerce & Payments

Policies that reduce support tickets and chargebacks by making money, delivery, and cancellations predictable.

Refund & Return Policy

What it does: Defines when customers can get a refund, what's non-refundable (digital products, services), timeframes, and how to initiate a return.

Who needs it:

  • Any business charging money
  • Required by law in the EU, California, and many other jurisdictions

Where it goes: Checkout page (before purchase), product pages, footer.

Bottom line: Legally required in most places. Even if not, reduces disputes.

Shipping Policy

What it does: Covers delivery times, carriers, shipping costs, international shipping, and who's responsible for lost or damaged packages.

Who needs it:

  • E-commerce stores selling physical goods
  • Dropshipping businesses

Where it goes: Product pages, checkout, footer.

Bottom line: Required if you ship physical products.

Cancellation Policy

What it does: Explains how users can cancel subscriptions, notice periods (30 days?), prorated refunds, and what happens to their data after cancellation.

Who needs it:

  • SaaS with subscription billing
  • Membership sites
  • Booking/reservation platforms

Where it goes: Billing settings, Terms, or FAQ.

Bottom line: Required if you have recurring billing.

Warranty Policy

What it does: Sets expectations around product guarantees—what's covered, how long, and how claims are processed.

Who needs it:

  • Hardware manufacturers
  • Consumer electronics
  • Physical products with quality promises

Where it goes: Product packaging, support pages, legal section.

Bottom line: Only for physical products with quality guarantees.


SaaS & Technology

For software, APIs, and B2B services that make promises about uptime, data handling, and fair use.

Service Level Agreement (SLA)

What it does: Makes uptime guarantees explicit—99.9% uptime, response times for support tickets, credits/remedies if you miss targets.

Who needs it:

  • Enterprise SaaS products
  • Cloud infrastructure providers
  • B2B platforms where downtime costs customers money

Where it goes: Attached to contracts, linked from pricing page.

Bottom line: Optional for small SaaS. Required for enterprise customers.

Data Processing Agreement (DPA)

What it does: Required when you act as a GDPR "processor" for your customers' personal data. Defines data handling, security measures, subprocessors, breach notification.

Who needs it:

  • SaaS handling customer PII (CRMs, HR tools, marketing platforms)
  • Businesses with EU/UK clients

Where it goes: Signed document, often auto-signed on signup.

Bottom line: Legally required if you process EU customer data on behalf of clients.

Acceptable Use Policy (AUP)

What it does: Defines what's not allowed on your platform—spam, abuse, illegal content, automated scraping, running crypto miners.

Who needs it:

  • Cloud platforms and infrastructure
  • API providers
  • Multi-tenant SaaS apps

Where it goes: Linked from Terms of Service.

Bottom line: Useful for platforms where abuse could affect other customers.

API Terms of Service

What it does: Sets rules for programmatic access—rate limits, API keys, permitted use cases, attribution requirements, developer responsibilities.

Who needs it:

  • Public APIs
  • Developer platforms
  • Third-party integrations

Where it goes: Developer portal, API docs.

Bottom line: Required if you offer a public API.

End User License Agreement (EULA)

What it does: Governs downloadable software—what users can do with your desktop or mobile app, installation limits, reverse engineering prohibitions.

Who needs it:

  • Desktop applications
  • Mobile apps (especially paid)
  • Installable developer tools

Where it goes: Install flow, app store descriptions.

Bottom line: Required for downloadable software. Web apps use Terms instead.


Healthcare & HIPAA

For US healthcare providers and SaaS products that handle Protected Health Information (PHI).

HIPAA Privacy Policy

What it does: Internal/external policy describing how your organization collects, uses, and safeguards PHI under HIPAA regulations.

Who needs it:

  • Medical clinics and practices
  • Health insurance plans
  • Covered entities under HIPAA

Where it goes: Posted in office, given to patients, website legal page.

Bottom line: Legally required for HIPAA covered entities.

Notice of Privacy Practices

What it does: The patient-facing notice explaining how their health information may be used and shared, and their rights under HIPAA.

Who needs it:

  • HIPAA covered entities (clinics, hospitals, health plans)
  • Must be given to patients at first visit

Where it goes: Printed and displayed in waiting rooms, given to patients on intake.

Bottom line: HIPAA requires this for all covered entities.

Business Associate Agreement (BAA)

What it does: Required contract when a vendor (like a SaaS tool, cloud provider, or IT contractor) handles PHI on behalf of a covered entity.

Who needs it:

  • Healthcare SaaS products (EHRs, telemedicine, appointment schedulers)
  • Cloud hosting for healthcare clients
  • IT support for medical practices

Where it goes: Signed per client before accessing PHI.

Bottom line: Legally required if your SaaS touches healthcare data.


Quick Decision Tree

Not sure which of these you actually need? Start here:

If you...                                   You need...
Have a website with a contact form          Privacy Policy
Sell a product or service                   Privacy Policy + Terms of Service + Refund Policy
Run a SaaS product                          Privacy Policy + Terms of Service + Cancellation Policy
Sell to EU customers                        Above + Cookie Policy + GDPR disclosures
Process EU customer data (B2B SaaS)         Above + Data Processing Agreement (DPA)
Users upload content to your platform       Above + DMCA Policy + User Content Policy
Offer a public API                          Above + API Terms of Service + AUP
Handle healthcare data (US)                 HIPAA Privacy Policy + Notice of Privacy Practices + BAA

The Bottom Line

Most online businesses start with two policies:

  1. Privacy Policy (everyone needs this)
  2. Terms of Service (if you sell anything or offer software)

From there, add policies only when they apply to your specific situation:

  • Selling physical goods? Add Refund + Shipping policies
  • EU visitors? Add Cookie Policy and GDPR disclosures
  • User-generated content? Add DMCA + User Content policies
  • Healthcare data? Add HIPAA documents

Don't overcomplicate it. Start with the basics. Add others as your business grows and requires them.
