How to Write a Privacy Notice for a SaaS Website (GDPR + CCPA)

Resource guide · Updated 2026 · 12 min read

Writing a privacy notice for a SaaS website isn’t about copying a generic legal template. It’s about mapping exactly what data you collect, why you process it, who you share it with, and what rights your users hold—then communicating that clearly in plain English.

If you sell to European or California customers, your privacy notice must satisfy GDPR and CCPA/CPRA simultaneously. Fortunately, the two frameworks overlap significantly. With the right structure, one well-crafted notice satisfies both while remaining readable for customers, vendors, and procurement teams.

This guide walks you through how to write a privacy notice for a SaaS website using a clause-by-clause annotated template. You’ll see exactly what to copy-paste, what requires customization, how to handle cookie consent, data retention, and international transfers, and how to align the notice with our PRI-003 Privacy Notice template.

Key findings

• You don’t need separate notices—one modular template with jurisdiction tags satisfies GDPR + CCPA/CPRA.
• Most SaaS privacy notices fail by using vague retention language or outdated vendor lists; specificity builds trust and passes audits.
• Cookie consent must be technically enforced (scripts blocked until consent); a notice alone doesn’t satisfy ePrivacy/GDPR.

GDPR vs. CCPA: What Must Be Included

Most SaaS privacy notices fail because they treat all regions the same. The table below shows where requirements overlap and where you must add jurisdiction-specific language.

Requirement | GDPR Mandate | CCPA/CPRA Mandate | SaaS Implementation
Identity & Contact | Controller name, address, DPO/contact email | Business name, contact details | Combine into single “About This Notice” section
Data Categories Collected | Specific categories + identifiers | Categories of personal info collected | Use a structured list mapped to your RoPA
Purpose of Processing | Clear, specific purposes per data type | Business or commercial purpose | Group by function: Account, Billing, Support, Analytics, Marketing
Legal Basis (GDPR) / Notice (CCPA) | Article 6 lawful basis for each purpose | “Categories of sources & purposes” | Add a “Why We Process Your Data” table
Third-Party Sharing | Categories of recipients, subprocessors | “Categories of third parties” | List critical vendors + link to DPA/subprocessor page
International Transfers | Transfer mechanism (DPF, SCCs) | Not explicitly required, but recommended | Disclose US/EU data routing and safeguards
Data Subject/Consumer Rights | 8 explicit rights (access, erasure, portability, etc.) | Right to know, delete, correct, opt-out, limit use | Create a unified “Your Privacy Rights” section with jurisdiction tags
Retention Period | Specific timeframe or criteria | Not strictly mandated, but required for transparency | Add a retention schedule table
Cookie/Tracking Disclosure | Explicit prior consent for non-essential cookies | Opt-out rights for sale/sharing | Link to cookie banner & preference center
Updates/Effective Date | Required | Required | Add version history or “Last Updated” stamp

Bottom line: You don’t need separate notices. You need one modular privacy policy template founders can customize with jurisdiction tags, clear data mapping, and explicit rights language.

Annotated Privacy Notice Template (Clause-by-Clause)

Below is the standard structure for a modern B2B/B2B2C SaaS privacy notice. Each section includes clear [COPY-PASTE] and [CUSTOMIZE] callouts. Use our PRI-003 Privacy Notice template as your starting point.

0. Controller Identity & Contact Information

[COPY-PASTE READY]

This Privacy Notice explains how [Company Name] collects, uses, shares, and protects personal information when you use our website, SaaS platform, and related services (“Services”). We are committed to transparency and compliance with applicable privacy laws, including the GDPR and CCPA/CPRA.


Data Controller: [Company Legal Name]
Address: [Company Registered Address]
Privacy Contact: privacy@[company].com
Effective Date: [Date] | Last Updated: [Date]
Version History: [Link to change log or table]

[CUSTOMIZE REQUIRED]

  • Replace bracketed fields with your legal entity details
  • If you have an EU Representative or DPO, add: EU Representative: [Name/Address/Email]
  • If you act as both controller and processor, add: “For customer-uploaded data processed on behalf of our customers, we act as a data processor under a Data Processing Agreement (DPA).”

1. Information We Collect

[COPY-PASTE READY]

We collect personal information that you provide directly, information collected automatically through your use of our Services, and information from third-party sources.

[CUSTOMIZE REQUIRED]
List actual data categories tied to your RoPA (PRI-001):

  • Account & Profile: Name, email, company, job title, authentication credentials (stored in hashed or encrypted form where applicable)
  • Billing & Payments: Billing address, payment method token (processed by Stripe/Chargebee)
  • Usage & Technical Data: IP address, device type, browser, OS, feature usage, crash logs
  • Support & Communications: Ticket content, chat transcripts, email correspondence
  • Cookies & Tracking: Session cookies, analytics identifiers, marketing pixels (see Section 7)
  • Sensitive Personal Information (if applicable): [List only if you actually collect SSN, precise geolocation, biometric data, etc. If not, state: “We do not collect special category personal data as defined by GDPR or sensitive personal information as defined by CCPA. Please do not submit sensitive personal information through the Services unless specifically requested or supported by the platform.”]
  • Information from Third Parties: [If you enrich leads via Clearbit/ZoomInfo, receive data via SSO, or import CRM data, add: “In some cases, we receive personal information from third-party sources such as identity providers, CRM enrichment vendors, customer integrations, or referral partners. Where required by law, we provide appropriate notice regarding these indirect collection practices.”]

Tip: Group by source. Avoid vague phrases like “we may collect other information.”

2. How We Use Your Data & Legal Basis

[COPY-PASTE READY]

We process personal information only for specific, legitimate purposes outlined below. Under the GDPR, each purpose is tied to a lawful basis. Under CCPA/CPRA, these represent our business and commercial purposes.

[CUSTOMIZE REQUIRED]
Create a simple table or bulleted list:

  • Service Delivery & Account Management → Legal Basis: Contract Performance | Purpose: Provision, authentication, troubleshooting
  • Billing & Subscription Management → Legal Basis: Contract Performance | Purpose: Invoicing, fraud prevention, renewal processing
  • Security & Infrastructure Operations → Legal Basis: Legitimate Interest | Purpose: Threat detection, access control, system monitoring
  • Product Improvement & Analytics → Legal Basis: Legitimate Interest / Consent | Purpose: Feature development, usage analytics, performance optimization
  • Marketing & Communications → Legal Basis: Consent / Legitimate Interest (B2B) | Purpose: Newsletters, product updates, promotional offers

[ADD IF APPLICABLE: Automated Decision-Making]

Automated Decision-Making & Profiling: [If you use AI scoring, lead qualification, or fraud detection: “Certain analytics and fraud prevention systems may use automated scoring or behavioral analysis to detect suspicious activity. We do not use personal information for automated decision-making or profiling that produces legal or similarly significant effects without appropriate safeguards and, where required, your consent.”]

3. Sharing & Third-Party Processors

[COPY-PASTE READY]

We do not sell personal information for monetary compensation. However, certain analytics, advertising, or marketing activities may constitute “sharing” under California law. California residents may opt out via our “Do Not Sell or Share My Personal Information” mechanism. We share data only with trusted third-party service providers that process information on our behalf under strict contractual obligations.

[CUSTOMIZE REQUIRED]
List actual categories + examples. Use the sub-processor table from PRI-003:

  • Cloud Infrastructure: AWS, Vercel, Cloudflare
  • Payments & Billing: Stripe, Chargebee, PayPal
  • Customer Support: Intercom, Zendesk, HubSpot
  • Analytics & Performance: Mixpanel, Sentry, Datadog
  • Email & Communications: SendGrid, Postmark, Mailgun

For GDPR compliance, we execute Data Processing Agreements (DPAs) with all processors and maintain current transfer safeguards. View our full subprocessor list at [link to trust/security page].

[ADD: Law Enforcement & Business Transfers]

  • Legal Requirements: We may disclose personal information where required by law, subpoena, court order, or regulatory request, or where necessary to protect the rights, property, security, or safety of our users, customers, employees, or the public.
  • Business Transfers: If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of company assets, personal information may be transferred as part of that transaction, subject to applicable confidentiality and legal protections.

4. International Data Transfers & Data Residency

[COPY-PASTE READY]

Your personal information may be transferred to, and processed in, countries outside your region of residence, including the United States. These countries may have data protection laws that differ from your jurisdiction.

[CUSTOMIZE REQUIRED]
Add your actual transfer mechanism and residency options:

  • EU-US Data Privacy Framework (DPF): We transfer data to subprocessors certified under the EU-US DPF, including AWS, Google Cloud, Stripe, and Microsoft.
  • Standard Contractual Clauses (SCCs): For vendors not DPF-certified, we execute EU-approved SCCs and conduct Transfer Impact Assessments where required.
  • Supplementary Measures: We implement encryption in transit and appropriate encryption safeguards at rest where applicable, strict access controls, and contractual data protection obligations.
  • Data Residency: [If you offer regional hosting: “Customers may request EU-region data hosting where available.” If not: “Unless otherwise agreed contractually, customer data may be processed in the United States and other jurisdictions where our subprocessors operate.”]

5. Data Retention Schedule

[COPY-PASTE READY]

We retain personal information only as long as necessary to fulfill the purposes outlined in this notice, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods are determined based on contractual obligations, legal requirements, security needs, dispute resolution requirements, and operational necessity.

[CUSTOMIZE REQUIRED]
Map to your actual retention policy (align with RoPA):

  • Active User Accounts: Duration of service + 90 days post-cancellation
  • Billing & Tax Records: 7 years (per IRS/EU tax compliance)
  • Support Tickets & Chat Logs: 3 years
  • Marketing & Consent Records: Until withdrawal + 30 days
  • Security & Audit Logs: 12–24 months

When retention periods expire, data is securely deleted, anonymized, or aggregated. Backup copies are removed according to our automated purge schedules.

6. Your Privacy Rights & Appeals Process

[COPY-PASTE READY]

Depending on your jurisdiction, you may have specific rights regarding your personal information. We honor these rights regardless of location, subject to applicable legal exemptions. If we deny your request, you may appeal the decision by replying to our response or contacting privacy@[company].com with “Appeal Request” in the subject line.

[CUSTOMIZE REQUIRED]
Split by framework for clarity:

Under GDPR (EEA/UK Residents):

  • Right of access, rectification, erasure, and restriction of processing
  • Right to data portability (receive your data in a structured, machine-readable format)
  • Right to object to processing based on legitimate interest or direct marketing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with your local supervisory authority

Under CCPA/CPRA (California Residents):

  • Right to know what personal information we collect, use, share, or sell
  • Right to delete personal information (subject to legal/security exemptions)
  • Right to correct inaccurate personal information
  • Right to opt-out of the “sale” or “sharing” of personal information (we do not sell data)
  • Right to limit use and disclosure of sensitive personal information
  • Right to non-discrimination for exercising privacy rights

Additional US State Privacy Laws: Residents of certain US states may have additional privacy rights under applicable state privacy laws (e.g., Colorado CPA, Virginia VCDPA, Connecticut CTDPA). We extend substantially similar privacy rights workflows where operationally feasible.

How to Submit Requests: Email privacy@[company].com with “Privacy Request” in the subject line. We verify identity before fulfilling requests and respond within [30/45] days. For CCPA authorized agents, please provide signed consent and verification for both parties. See our DSAR Response Guide for fulfillment timelines. If you require this notice in an alternative format or need assistance exercising your privacy rights, contact privacy@[company].com.

7. Cookies, Tracking Technologies & Browser Signals

[COPY-PASTE READY]

We use cookies and similar tracking technologies to provide, secure, and improve our Services.

[CUSTOMIZE REQUIRED]
Link to PRI-005 and your consent manager:

  • Strictly Necessary: Authentication, security, load balancing, session management (no consent required)
  • Performance & Analytics: Usage tracking, error monitoring, feature optimization (consent required for non-essential tracking)
  • Marketing & Advertising: Campaign attribution, retargeting, preference storage (consent required)

You can manage your cookie preferences via our cookie consent banner template (PRI-005). Note that opting out of analytics or marketing cookies may impact certain non-essential features. Read our full Cookie Notice at [link].

Browser Signals: Some browsers offer “Do Not Track” (DNT) settings. Because there is no universally accepted standard for DNT signals, our Services do not respond to them unless the law requires it. We do honor Global Privacy Control (GPC) signals, which are legally recognized as an opt-out of sale/sharing in certain jurisdictions.

8. Security Practices & Breach Notification

[COPY-PASTE READY]

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. While no system is 100% secure, we maintain encryption in transit and appropriate encryption safeguards at rest where applicable, role-based access controls, MFA enforcement, and regular security monitoring. In the event of a qualifying data breach, we will notify affected individuals and relevant authorities in accordance with applicable law.

9. Children’s Privacy & Updates

[COPY-PASTE READY]

Our Services are not directed to individuals under the age of 16 (or applicable local minimum). We do not knowingly collect personal information from children. If we learn we have inadvertently collected such data, we will delete it promptly.


We may update this Privacy Notice periodically. Material changes become effective on the date posted unless otherwise stated. Where required by law, we will provide advance notice or seek consent before material changes take effect. Continued use of our Services constitutes acceptance of the updated notice.

A privacy notice alone doesn’t satisfy GDPR/ePrivacy cookie requirements. You must implement prior, explicit consent for non-essential tracking.

Operational checklist:

  1. Deploy a compliant cookie banner that blocks scripts until consent is recorded
  2. Use PRI-005 Cookie Consent Banner Text for clear, granular opt-in language
  3. Categorize cookies as Strictly Necessary, Performance, Marketing, or Functional
  4. Log consent state in your consent management platform (CMP) with timestamp, IP region, and version
  5. Allow easy withdrawal of consent at any time (footer link to preference center)

Common SaaS mistake: Loading Google Analytics, Hotjar, or Meta Pixel before the banner renders. Even 1ms of pre-consent tracking violates GDPR. Use a tag manager (GTM, Segment) to fire scripts only after consent=granted.
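The mechanics behind the checklist and the GPC paragraph in Section 7, shown as an added example rather than code from this guide or from the PRI-005 banner text: non-essential tags stay queued until a consent record exists, the record carries the timestamp, region and notice version the CMP should log, a Global Privacy Control signal forces the marketing (sale/share) category off, and withdrawal reports whether a reload is needed because already-loaded scripts cannot be unloaded. The category names, the version string, the tag loaders and the sample scenario are assumptions made for the demonstration; a real banner would read `navigator.globalPrivacyControl` and pass it in as `gpc`.

```javascript
// Added example (not the guide's or PRI-005's code). Assumed category names,
// notice version and tag loaders; the scenario at the bottom is constructed.

const CATEGORIES = ["strictly_necessary", "performance", "marketing", "functional"];
const NOTICE_VERSION = "2026-01"; // assumed: bump whenever banner text or categories change

// Build the record the CMP should log. `choices` is what the user ticked;
// `gpc` is navigator.globalPrivacyControl as read by the caller in the browser.
function createConsentRecord(choices, { region = "unknown", gpc = false, now = Date.now() } = {}) {
  const granted = {};
  for (const c of CATEGORIES) {
    if (c === "strictly_necessary") granted[c] = true;        // never needs consent
    else if (c === "marketing" && gpc) granted[c] = false;     // GPC is a legally recognized opt-out
    else granted[c] = choices[c] === true;                     // explicit opt-in only, default off
  }
  return { granted, timestamp: new Date(now).toISOString(), region, version: NOTICE_VERSION, gpc };
}

// A stored record from an older notice version must not be reused silently.
function needsReconsent(record) {
  return !record || record.version !== NOTICE_VERSION;
}

// Gate that holds non-essential tags until consent is recorded; each tag fires once.
function createTagGate() {
  const queued = [];      // { name, category, load } waiting for consent
  const fired = [];       // { name, category } that already ran
  let record = null;

  const allowed = (category) =>
    category === "strictly_necessary" || (record !== null && record.granted[category] === true);

  function flush() {
    const remaining = [];
    for (const tag of queued) {
      if (allowed(tag.category)) { tag.load(); fired.push({ name: tag.name, category: tag.category }); }
      else remaining.push(tag);
    }
    queued.length = 0;
    queued.push(...remaining);
  }

  return {
    // Call this instead of inserting the <script> tag directly.
    register(name, category, load) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      queued.push({ name, category, load });
      flush();
    },
    applyConsent(newRecord) {
      if (needsReconsent(newRecord)) throw new Error("consent record is missing or from an older notice version");
      record = newRecord;
      flush();
    },
    // Withdrawal stops future loads; scripts already on the page need a reload to stop.
    withdraw(category) {
      if (!record) return { requiresReload: false };
      record = { ...record, granted: { ...record.granted, [category]: false }, timestamp: new Date().toISOString() };
      return { requiresReload: fired.some((t) => t.category === category) };
    },
    state() {
      return { record, pending: queued.map((t) => t.name), fired: fired.map((t) => t.name) };
    },
  };
}

// Constructed scenario: an EU visitor with GPC on ticks every box.
function demo() {
  const loaded = [];
  const gate = createTagGate();
  gate.register("session-auth", "strictly_necessary", () => loaded.push("session-auth"));
  gate.register("analytics", "performance", () => loaded.push("analytics"));
  gate.register("ad-pixel", "marketing", () => loaded.push("ad-pixel"));
  const beforeConsent = [...loaded];                               // only session-auth
  const rec = createConsentRecord({ performance: true, marketing: true }, { region: "EU", gpc: true, now: 0 });
  gate.applyConsent(rec);
  const afterConsent = [...loaded];                                // analytics loads, ad-pixel stays queued
  const withdrawal = gate.withdraw("performance");                 // requiresReload: true
  return { beforeConsent, afterConsent, record: rec, withdrawal, state: gate.state() };
}

console.log(JSON.stringify(demo(), null, 2));
```

The gate is the piece a tag manager trigger should wrap: a `consent=granted` trigger in GTM or Segment is doing the same `allowed(category)` check before a tag fires. Note that `applyConsent` refuses a record whose `version` is stale, which is what lets the CMP re-prompt after a material change to the notice without ever treating old consent as current.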

Data Retention Schedules: How to Write Them Correctly

Regulators and procurement teams scrutinize retention claims. Vague language like “we keep data as long as needed” triggers audit findings.

Best practice structure:

  • State the specific timeframe or trigger event (e.g., “30 days after account deletion”)
  • Note legal exceptions (e.g., “Billing records retained for 7 years per tax law”)
  • Explain deletion mechanics (e.g., “Automated purge runs monthly; backups follow 90-day rotation”)
  • Link to your full retention policy or RoPA section

Example retention table for your notice:

Data Category | Retention Period | Deletion Method | Legal/Security Exception
User Accounts | Active + 90 days | Automated soft-delete → hard-purge | Fraud prevention, litigation hold
Support Logs | 3 years | Anonymization after 2 years | Ongoing investigations
Billing Records | 7 years | Secure archival → deletion | IRS/EU tax compliance
Marketing Consent | Until withdrawal + 30 days | Suppression list flag | Audit trail requirement

International Transfers Disclosure

If you’re a US startup serving EU customers, your data crosses borders. Your privacy notice must disclose:

  1. Where data is processed (e.g., “Primarily US-based infrastructure with EU endpoint routing”)
  2. The legal transfer mechanism (EU-US DPF, SCCs, or adequacy decision)
  3. Supplementary safeguards (encryption, access controls, contractual flow-downs)

What to avoid: Saying “we comply with all international transfer laws” without naming the mechanism. Regulators expect specificity.

Recommended wording:

We rely on the EU-US Data Privacy Framework for transfers to certified subprocessors (AWS, Stripe, Google). For other vendors, we execute EU Standard Contractual Clauses (SCCs) and implement technical safeguards including encryption in transit and appropriate encryption safeguards at rest where applicable, strict role-based access, and contractual data processing obligations.

Common SaaS Privacy Notice Mistakes

  • Copy-pasting enterprise templates with references to on-prem data centers, physical security guards, or legacy compliance frameworks you don’t use.
  • Hiding rights behind legalese like “users may exercise rights subject to our discretion.” GDPR/CCPA require clear, actionable instructions.
  • Forgetting B2B vs. B2C distinctions. B2B SaaS processes employee data on behalf of customers. Clarify your role: “We act as processor for customer data and controller for account/billing information.”
  • Not linking to a DPA or subprocessor list. Enterprise buyers will request this during procurement. Make it accessible from your footer or trust page.
  • Outdated vendor lists. If you switched from Intercom to Zendesk 8 months ago but your notice still names Intercom, it signals poor operational control. Review quarterly.

Frequently Asked Questions

Do I need a dedicated Data Protection Officer (DPO)?

Not necessarily. GDPR requires a DPO only for certain organizations (large-scale processing of sensitive data, public authorities, etc.). If you don’t have one, list “Privacy Team” or “Legal Counsel” as the contact.

What if I don’t collect any sensitive data?

Keep the relevant section as-is. Stating that you don’t collect special category data is a compliance safeguard.

How detailed should the sub-processor list be?

The template provides categories and examples. For a full, real-time list, you can link to a separate sub-processor page (common for SaaS companies).

Can I use the same privacy notice for GDPR and CCPA?

Yes, if you structure it modularly with jurisdiction-specific callouts. Our PRI-003 template is designed for this dual compliance.

How often should we update the privacy notice?

At minimum annually, or whenever you change data practices, add new vendors, or privacy laws evolve. Document each update in the version history.

Next Steps

  1. Download PRI-003 and customize using the guidance above
  2. Cross-reference with your RoPA (PRI-001) to ensure every data category and purpose is documented
  3. Deploy PRI-005 cookie banner text with a compliant consent manager
  4. Publish on your website with clear footer links: Privacy Policy | Cookie Preferences | DSAR Portal | Trust Center
  5. Review related guides: GDPR Compliance Checklist | DSAR Response Guide | DPA Guide | CCPA/CPRA Guide

Privacy Notice Template (PRI-003)

Pre-built, auditor-reviewed template with GDPR + CCPA alignment and customization guidance.

Download PRI-003 Privacy Notice →

Disclaimer: This guide provides educational and structural guidance for drafting SaaS privacy notices. It does not constitute legal advice. Always engage qualified counsel to review your final notice, validate jurisdictional requirements, and ensure alignment with your actual data flows, retention schedules, and contractual obligations. Privacy laws evolve; maintain an annual review cadence.