freeprivacypolicy.app

Privacy policy generator for SaaS platforms

Tailored to multi-tenant SaaS: subprocessors, DPAs, audit logs, and enterprise data residency.

Generate SaaS privacy policy Free · no signup · hosted public URL

Controller vs processor — and why it matters

For most SaaS, your customer is the data controller and you are the processor. Your privacy policy should distinguish data about your customer (their contact, billing, login telemetry — you are the controller) from data they upload to your service (their end-users' data — you are the processor). This generator splits those into two clearly labelled sections so enterprise procurement reviewers can find what they need without filing a ticket.

Subprocessors page

Procurement teams will ask for a public list of subprocessors before signing. The generator outputs a separate, dated subprocessor table covering AWS / GCP / Azure, Stripe, Postmark or Resend, Datadog or New Relic, Intercom, and any custom subprocessors you add. Each row has the subprocessor name, purpose, region of processing, and a link to their security documentation.

Data Processing Agreement reference

Your privacy policy is not a DPA — but it should reference one. The generator includes a "Data Processing Agreements" section pointing customers to the URL where they can sign your DPA, with an optional Standard Contractual Clauses annex for EU-to-US transfers.

Ready to publish?

Answer six questions, get a hosted public URL the App Store, Google Play, and ad networks accept. No credit card.


Frequently asked questions

Do I need a separate DPA from my privacy policy?
Yes. Privacy policy = what you disclose to all visitors. DPA = a signed contract between controllers and processors. The generator references both, but you draft the DPA itself separately (or use a standard template like the EU SCC 2021/914 module).
Should I publish my subprocessor list?
Strongly recommended. GDPR Article 28(2) requires you to obtain your customer's authorisation before engaging subprocessors. Publishing the list and notifying customers of changes meets that requirement at scale.
My SaaS is B2B-only. Do I still need GDPR consent?
GDPR applies to processing of personal data, including business contacts. You typically rely on legitimate interest or contract necessity rather than consent — the generated policy uses those legal bases by default for B2B.
