You're about to launch. Someone asks: "Do you have all your legal documents in place?"

You freeze. "Which ones do I need?"

The answer: it depends. A simple marketing website needs different documents than a SaaS app. An e-commerce store needs different documents than a healthcare platform.

This guide breaks down what legal documents you need based on what your business actually does.

Every Website Needs These Three

If you have a website—any website—you need at minimum:

1. Privacy Policy (Required)

Explains how you collect, use, and protect user data.

You need this if you collect any personal information—even just email addresses or IP addresses. And if your site is online, you're collecting IP addresses.

Privacy policies are legally required by GDPR, CCPA, and most modern privacy laws. Apple and Google also require them for all apps in their stores.

2. Terms and Conditions (Required)

Sets the rules for using your website or service.

This protects your business from liability, establishes user expectations, and gives you legal grounds to ban abusive users or terminate accounts.

While not always legally mandated, it's essential for any business that wants to limit legal exposure.

3. Cookie Policy (Required if you use cookies)

Explains what cookies and tracking technologies you use.

If you use Google Analytics, Facebook Pixel, chat widgets, or any tracking tools, you need a cookie policy. GDPR makes this mandatory for EU visitors.

Short version: almost every modern website uses cookies, which means almost every website needs a cookie policy.

SaaS Applications Need Additional Documents

If you're running software-as-a-service with user accounts, subscriptions, or recurring billing, you need:

Terms of Service (Required)

More detailed than basic Terms and Conditions. Defines how users can use your software, subscription terms, limitations, and what happens if someone violates the rules.

Data Processing Agreement / DPA (Required for EU customers)

Required under GDPR if you process customer data on behalf of EU businesses. Common for B2B SaaS.

Your customers (especially enterprise customers) will ask for this during the sales process. Have it ready.

Service Level Agreement / SLA (Recommended)

Promises uptime, support response times, and what happens if you fail to meet commitments.

Not legally required, but enterprise customers expect it. If you promise 99.9% uptime, document it in an SLA.

Acceptable Use Policy / AUP (Recommended)

Prevents abuse, spam, illegal activity, and misuse of your platform.

This gives you clear grounds to suspend accounts that violate the rules. Without it, you're arguing case-by-case.

E-Commerce Stores Need These Policies

If you sell physical or digital products online, add:

Refund Policy (Required)

Explains your return and refund process.

Required by law in many jurisdictions (especially the EU). Also required by payment processors like Stripe and PayPal.

Be specific: 30-day returns? Restocking fees? Final sale items? Spell it out.

Shipping Policy (Recommended)

Sets expectations for delivery times, shipping costs, and international shipping.

This prevents "Where's my order?" disputes. If shipping takes 7-10 business days, say so upfront.

Warranty Policy (Recommended)

Clarifies product warranties and what happens if items are defective.

Especially important if you sell electronics, appliances, or anything that can break.

Healthcare Businesses Have Strict Requirements

If you handle protected health information (PHI), you need:

HIPAA Privacy Policy (Required)

Mandatory if you handle PHI. Explains how you protect patient data and comply with HIPAA regulations.

Notice of Privacy Practices (Required)

Required HIPAA document that informs patients of how their health information is used and of their rights under HIPAA.

Business Associate Agreement / BAA (Required)

Required when sharing PHI with vendors like hosting providers, payment processors, or analytics tools.

Most healthcare SaaS providers sign BAAs with AWS, Stripe, and other infrastructure providers.

Service Businesses and Agencies

If you provide services to clients (consulting, design, development, etc.), you need:

Service Agreement / Contract (Required)

Defines scope of work, deliverables, payment terms, deadlines, and expectations.

This protects both you and your client. It prevents scope creep and clarifies what "done" looks like.

Non-Disclosure Agreement / NDA (Recommended)

Protects confidential information shared with clients, contractors, or partners.

Common in consulting, development, and any business where you see sensitive client data.

Independent Contractor Agreement (Recommended)

Defines the relationship with freelancers or contractors you hire.

This clarifies that they're contractors, not employees—important for tax and liability purposes.

Mobile Apps Require Specific Documents

If you have an iOS or Android app:

Privacy Policy (Required)

Apple App Store and Google Play Store require a privacy policy for all apps. No exceptions.

Terms of Use (Required)

Governs how users interact with your app and what's prohibited.

End User License Agreement / EULA (Recommended)

Grants users a license to use your software while protecting your intellectual property.

This clarifies that users are licensing the app, not buying it outright.

Quick Decision Tree

Still not sure what you need? Ask yourself these questions:

Do you collect any user data?
→ You need a Privacy Policy

Do you provide a service or sell products?
→ You need Terms and Conditions

Do you use cookies or analytics?
→ You need a Cookie Policy

Do you have EU users?
→ You need GDPR compliance (DPA, enhanced Privacy Policy)

Are you a SaaS company?
→ You need Terms of Service, SLA, AUP

Do you run an e-commerce store?
→ You need Refund and Shipping Policies

Do you handle health data?
→ You need HIPAA documents (Privacy Policy, BAA, Notice)

Don't Overthink It

Most businesses start with 2-3 documents and add more as they grow:

Day 1: Privacy Policy + Terms and Conditions

When you add tracking: Cookie Policy

When you serve EU customers: GDPR addendums + DPA

When you offer refunds: Refund Policy

As you scale: SLA, AUP, NDAs, contractor agreements

The key is to have the essentials in place from day one, then expand your legal coverage as your business evolves.

Start small, expand as needed

Don't wait until you have every possible legal document before launching. Start with Privacy Policy and Terms and Conditions. Add more as your business model becomes clearer and your needs evolve. Perfectionism is the enemy of shipping.

Where to Get These Documents

You have three options:

1. Use a template generator
Fastest and cheapest. Good for standard use cases. Just make sure to customize it—don't use it verbatim.

2. Hire a lawyer
Most thorough. Expensive. Worth it for complex businesses, regulated industries, or high-risk situations.

3. Hybrid approach
Start with a generator for the basics. Have a lawyer review when you reach significant revenue, enter new markets, or deal with complex compliance requirements.

Most startups use the hybrid approach. Generate the essentials to get started. Upgrade to legal review as the business grows.

Maintenance Matters

Legal documents aren't "set it and forget it." You need to update them when:

  • You add new features that collect different data
  • You integrate new third-party tools
  • You change your refund or shipping policies
  • You expand into new markets or jurisdictions
  • Privacy laws change (happens frequently)

Set a calendar reminder to review your legal documents every 6-12 months. Add "last updated" dates so users (and you) know when they were last reviewed.

The Bottom Line

The legal documents you need depend on what your business does. But every online business needs at minimum:

  • Privacy Policy
  • Terms and Conditions
  • Cookie Policy (if you use cookies)

Start there. Add more as your business grows and your needs become clearer.

Don't let legal documentation delay your launch. Get the basics in place, make them accurate, and iterate as you learn more about your business and your customers.

Just don't skip them entirely. That's how you end up scrambling when a customer asks for your DPA or a regulator asks about your privacy practices.