I launched my first SaaS in 2021 with zero legal documentation. No terms of service, no privacy policy, no refund clause. Just a Stripe checkout and a prayer. Six months in, a user threatened a chargeback because my product "didn't do what was advertised" — and I had nothing in writing to prove otherwise. Stripe sided with them. I lost the money and wasted two weeks of stress I didn't need.
That was my expensive education in SaaS compliance. This article is what I wish someone had handed me before I shipped.
Why Indie SaaS Founders Ignore Legal (And Why That's a Trap)
The typical indie dev mindset goes: I'm small, nobody's coming after me, I'll deal with legal stuff when I grow. I thought the same thing.
The problem is that legal exposure doesn't scale with revenue — it scales with users. The moment someone in the EU signs up for your free tier, you're subject to GDPR. The moment you charge a credit card, you need a refund policy. The moment a user loses data, you need a liability clause or you're personally on the hook.
Big companies have legal teams. You don't. That's precisely why you need written protections baked in before you have users, not after.
Terms of Service: Your First Line of Defense
A Terms of Service (ToS) agreement is a contract between you and your users. Without one, disputes default to whatever consumer protection law applies in the user's jurisdiction — which is almost never favorable to you.
At minimum, your ToS needs to cover:
- Acceptable use: what users can and cannot do with your product
- Account termination: your right to ban users who violate the rules
- Liability limitation: capping your financial exposure (e.g., "liability limited to the fees paid in the last 3 months")
- Dispute resolution: jurisdiction and governing law — pick your home country/state
- Changes to the service: your right to modify or discontinue features
A founder I know runs a small B2B analytics SaaS. He had a client who demanded a full year refund after 10 months because "the dashboard design changed." His ToS clearly stated: "We may modify features at our discretion; no refunds for feature changes." Case closed. Without that clause, he'd have been in a he-said-she-said fight with no documentation.
Privacy Policy: Not Optional, Not a Formality
If you collect any personal data — email addresses, IP addresses, usage analytics, payment info — you are legally required to publish a privacy policy in most jurisdictions. This includes the US (CalOPPA applies if any California resident uses your product), Canada (PIPEDA), and the EU (GDPR).
Your privacy policy should explain:
- What data you collect and why
- How long you retain it
- Who you share it with (payment processors, analytics tools, email platforms)
- How users can request deletion
- Your legal basis for processing (for GDPR: consent, legitimate interest, or contract)
Don't copy-paste from another SaaS. Their data flows aren't yours. If you use Plausible instead of Google Analytics, your policy should reflect that. If you use Supabase and data lives in Europe, say so.
GDPR for Bootstrapped Founders: What Actually Matters
GDPR compliance sounds like an enterprise problem. It's not. If a single EU resident uses your SaaS, it applies to you — regardless of where you're based.
The areas that actually bite small founders:
Data subject rights. Users have the right to access, correct, or delete their data. You need a way to handle these requests. Even a simple email workflow works — but you need something documented.
Cookie consent. Analytics cookies require explicit opt-in for EU users. If you're using a cookie banner that just says "we use cookies" without an actual reject option, you're not compliant.
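What an "actual reject option" means in code, as an added example that is not from the original post: the analytics script is never injected until the visitor explicitly accepts, a reject is stored and honored on later page views, and anything other than an explicit accept counts as no consent. The storage key, the `memoryStorage` stand-in for `localStorage` and the `loadAnalytics` callback are assumptions made so the gate runs under Node as well as in a browser.

```javascript
// Consent-gated analytics loader (added example, not from the original post).
// Weak pattern: the analytics script is injected on page load and the banner
// only says "we use cookies". Corrected pattern: nothing that sets an analytics
// cookie runs until the visitor explicitly accepts, and "reject" is a real,
// remembered choice rather than a banner that reappears until they give in.

const CONSENT_KEY = 'analytics_consent'; // constructed storage key (assumption)
const VALID_DECISIONS = new Set(['accepted', 'rejected']);

// `storage` is anything with getItem/setItem (window.localStorage in a browser,
// the Map-backed stub below under Node). `loadAnalytics` is whatever injects the
// tracking script; it is injected as a parameter so the gate has no side effects.
function createConsentGate({ storage, loadAnalytics }) {
  let loaded = false;

  // Anything that is not an explicit, known decision is "undecided", never consent.
  function currentDecision() {
    const value = storage.getItem(CONSENT_KEY);
    return VALID_DECISIONS.has(value) ? value : 'undecided';
  }

  // Wired to the banner's Accept and Reject buttons.
  function recordDecision(decision) {
    if (!VALID_DECISIONS.has(decision)) {
      throw new Error(`invalid consent decision: ${decision}`);
    }
    storage.setItem(CONSENT_KEY, decision);
    return applyDecision();
  }

  // Idempotent: loads the analytics script at most once, and only on accept.
  function applyDecision() {
    if (currentDecision() === 'accepted' && !loaded) {
      loaded = true;
      loadAnalytics();
    }
    return { decision: currentDecision(), analyticsLoaded: loaded };
  }

  // The banner is shown only while no decision is stored; a remembered reject
  // must not re-prompt on every page view.
  function bannerNeeded() {
    return currentDecision() === 'undecided';
  }

  return { recordDecision, applyDecision, bannerNeeded, currentDecision };
}

// Minimal in-memory stand-in for localStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Walk the three visitor paths (no decision, reject, accept) across two page
// views and report how often the script was injected and whether the banner
// still needs to show.
function demo() {
  const results = {};
  for (const decision of ['undecided', 'rejected', 'accepted']) {
    let scriptInjections = 0;
    const gate = createConsentGate({
      storage: memoryStorage(),
      loadAnalytics: () => { scriptInjections += 1; },
    });
    gate.applyDecision();                                  // first page view, nothing stored
    if (decision !== 'undecided') gate.recordDecision(decision); // visitor clicks a button
    gate.applyDecision();                                  // second page view
    results[decision] = { injections: scriptInjections, bannerNeeded: gate.bannerNeeded() };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

In a browser you would pass `window.localStorage` as `storage` and a function that appends the vendor's `<script>` tag as `loadAnalytics`; the point is that the tag is appended from inside the accept path and nowhere else.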
Data Processing Agreements (DPAs). If you use third-party tools that process user data (Stripe, Mailgun, AWS), you technically need a DPA in place. Most major vendors offer these automatically — check your account settings.
Breach notification. If your database gets compromised, GDPR requires notifying affected users within 72 hours. This means you need to know what data you have and where it lives.
The practical approach for an indie SaaS: document your data flows in a simple spreadsheet (what data, where it's stored, who can access it). That alone puts you ahead of 90% of small products.
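The same three columns the spreadsheet holds, kept as structured records, can answer the questions raised in the paragraphs above: which vendors need a DPA, what a deletion request has to touch, and what a compromise of one store exposes. This is an added example, not from the original post; the rows are constructed for a hypothetical product, and the vendors in them (Supabase, Stripe, Mailgun) are simply the ones the post mentions.

```javascript
// Data-flow inventory for a small SaaS (added example, not from the original post).
// Each row is one line of the "what data / where stored / who can access it"
// spreadsheet, plus the processor and retention period. All rows are constructed
// for a hypothetical product.
const INVENTORY = [
  { data: 'email address', store: 'users table',     location: 'Supabase (EU)', processor: 'Supabase', access: ['founder'],       retention: 'until account deletion', personal: true },
  { data: 'password hash', store: 'users table',     location: 'Supabase (EU)', processor: 'Supabase', access: ['founder'],       retention: 'until account deletion', personal: true },
  { data: 'IP address',    store: 'request logs',    location: 'Supabase (EU)', processor: 'Supabase', access: ['founder'],       retention: '30 days',                personal: true },
  { data: 'card details',  store: 'Stripe customer', location: 'Stripe',        processor: 'Stripe',   access: ['founder'],       retention: 'per Stripe',             personal: true },
  { data: 'email address', store: 'mailing list',    location: 'Mailgun',       processor: 'Mailgun',  access: ['founder'],       retention: 'until unsubscribe',      personal: true },
  { data: 'feature flags', store: 'config table',    location: 'Supabase (EU)', processor: 'Supabase', access: ['founder', 'ci'], retention: 'indefinite',             personal: false },
];

// Third parties that handle personal data on your behalf: each one needs a DPA.
function processorsNeedingDpa(inventory) {
  return [...new Set(inventory.filter(r => r.personal).map(r => r.processor))].sort();
}

// Every store a "delete my data" request must reach, grouped by store, so the
// copy in the mailing-list tool is not forgotten because it lives outside the
// main database.
function deletionChecklist(inventory) {
  const byStore = new Map();
  for (const r of inventory.filter(r => r.personal)) {
    if (!byStore.has(r.store)) byStore.set(r.store, { location: r.location, data: [] });
    byStore.get(r.store).data.push(r.data);
  }
  return [...byStore.entries()].map(([store, v]) => ({ store, ...v }));
}

// What a compromise of one store exposes. `notifiable` is true when the store
// holds any personal data, i.e. the breach-notification duty the post describes
// is in play and you need to work out who is affected.
function breachScope(inventory, store) {
  const rows = inventory.filter(r => r.store === store);
  if (rows.length === 0) throw new Error(`unknown store: ${store}`);
  const personalData = rows.filter(r => r.personal).map(r => r.data);
  return {
    store,
    location: rows[0].location,
    exposed: rows.map(r => r.data),
    personalData,
    notifiable: personalData.length > 0,
    accessors: [...new Set(rows.flatMap(r => r.access))].sort(),
  };
}

// Rows with a blank in any column are gaps in the map; surface them rather than
// letting them hide in the spreadsheet until a request or an incident finds them.
function incompleteRows(inventory) {
  const required = ['data', 'store', 'location', 'processor', 'retention'];
  return inventory
    .filter(r => required.some(k => !r[k]) || !Array.isArray(r.access) || r.access.length === 0)
    .map(r => `${r.data || '(unnamed)'} @ ${r.store || '(no store)'}`);
}

console.log('DPAs needed with:', processorsNeedingDpa(INVENTORY));
console.log('Deletion checklist:', deletionChecklist(INVENTORY));
console.log('If request logs leak:', breachScope(INVENTORY, 'request logs'));
console.log('Gaps in the map:', incompleteRows(INVENTORY));
```

Maintaining this as a file in the repository, next to the code that creates each store, keeps the inventory from drifting away from the product the way a spreadsheet tends to.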
Liability and Refund Clauses: Protecting Your Revenue
Two clauses that prevent most payment disputes:
Limitation of liability. This caps what a user can sue you for. Standard language limits it to "the greater of $100 or the fees paid in the last 12 months." Without this, a user could theoretically argue consequential damages — lost business, lost clients — because your SaaS had downtime.
Refund policy. Be specific. "All sales are final" is fine for a $9/month tool. But "no refunds after 14 days" is more defensible than "no refunds, ever" because it shows good faith. Whatever you choose, put it in writing — in your ToS and in your checkout flow.
One bootstrapper I follow sells a $49 lifetime deal SaaS. He had a buyer claim they never received access, despite email confirmation. His refund policy stated: "Lifetime deal purchases are non-refundable after 30 days; access issues must be reported within 7 days." He sent the Stripe dispute team a screenshot of his policy and the delivery confirmation. Dispute won.
Startup Legal Requirements by Stage: A Practical Sequence
You don't need to do everything at once. Here's a sensible order:
Before launch:
1. Privacy policy (required the moment you go live)
2. Terms of service (required before you take any payment)
3. Cookie banner if you're running any tracking
At $1 MRR:
4. Refund/cancellation policy clearly displayed at checkout
5. GDPR data mapping if you have EU users
At $1k MRR or first enterprise inquiry:
6. Proper legal entity (LLC or equivalent)
7. Business bank account separated from personal
8. DPAs with your SaaS vendors reviewed
At $5k MRR:
9. Consider a proper attorney review of your ToS — $300–500 spent here can save thousands in disputes
The goal isn't perfection. The goal is having something written down that gives you a defensible position in a dispute.
Where to Go From Here
If this checklist feels overwhelming, you're not alone. Most indie founders have never read a terms of service — let alone written one.
The SaaS Legal Shield: Compliance Checklist covers everything above in a structured, actionable format built specifically for bootstrapped founders. It walks you through exactly what clauses to include, what EU-specific requirements apply to your product, and how to handle the most common dispute scenarios — without needing a lawyer for every decision. At 12€, it costs less than one lost Stripe dispute.
Legal work isn't glamorous. But it's a lot less painful to do it before something goes wrong than after.