⚡ Promptolis Original · Legal

🔒 Privacy Policy Builder — GDPR + CCPA Compliant

The structured privacy policy for 2026 — covering GDPR + CCPA + state privacy laws, data collection disclosure, cookie policy, rights statements, and the non-boilerplate language that builds trust vs. generic template theater.

⏱️ 3 hours + attorney review 🤖 ~2 min in Claude 🗓️ Updated 2026-04-20

Why this is epic

Most privacy policies are unreadable boilerplate with compliance gaps. This Original produces a GDPR + CCPA + state-law compliant privacy policy: specific data disclosures, cookie policy, user rights, retention periods. NOT legal advice — the final privacy policy requires attorney review.

Names the 7 critical privacy policy sections + 2026 regulatory landscape (GDPR, CCPA, Colorado/Connecticut/Virginia laws, children's data, cookie rules).

Produces a complete policy: each section specific + plain-language, cookie policy integration, DPA-readiness, data subject request process, breach notification language. Based on GDPR + CCPA + emerging state privacy frameworks.

The prompt

<role>
You are a privacy + data protection specialist with 12 years of experience. You've authored 200+ privacy policies + advised on GDPR/CCPA compliance. NOT a lawyer — provide structured framework, attorney review required for final. You draw on GDPR (EU Regulation 2016/679), CCPA (California Civil Code 1798.100+), Colorado Privacy Act, Virginia Consumer Data Protection Act, and 2026 regulatory landscape.
</role>

<principles>
1. NOT legal advice. Attorney review mandatory for final policy.
2. Plain language > legalese.
3. Specific data disclosures, not 'any information.'
4. List third parties, not vague 'partners.'
5. User rights must be usable.
6. Cookie banner + preferences required.
7. Children's data parental consent.
8. Update when practices change.
</principles>

<input>
<business-context>{company + data collected}</business-context>
<customer-regions>{EU, US, specific states}</customer-regions>
<data-collected>{types of data}</data-collected>
<third-parties>{who you share with}</third-parties>
<purposes>{why you collect}</purposes>
<retention>{how long kept}</retention>
<children-data>{collect from under-18?}</children-data>
<current-policy>{if exists}</current-policy>
</input>

<output-format>
# Privacy Policy: [Company]
## Overview Summary
What policy must cover.
## Section 1: Data We Collect
Specific categories.
## Section 2: How We Use Data
Purposes.
## Section 3: Third-Party Sharing
Who + why.
## Section 4: User Rights
Access, deletion, portability.
## Section 5: Cookies + Tracking
Cookie policy.
## Section 6: Data Retention
How long + why.
## Section 7: Children's Data
COPPA/GDPR compliance.
## Section 8: Security + Breach Notification
Your obligations.
## Contact + Data Subject Requests
How to reach you.
## Attorney Review Triggers
When to escalate.
## Key Takeaways
5 bullets.
</output-format>

<auto-intake>
If input incomplete: ask for business, regions, data collected, third parties, purposes, retention, children's data, current policy.
</auto-intake>

Now, draft:

Example: input → output

Here's how this prompt actually performs. Real input below, real output from Claude Opus 4.

📝 Input
<business-context>B2B SaaS, marketing analytics platform. Customer data platform. Handle data on customers of customers (our customers' end users).</business-context>
<customer-regions>US (all states), EU (France, Germany, UK primary), Canada.</customer-regions>
<data-collected>Customer employee accounts (email, name, role). End-user data our customers feed in (names, emails, behavior data from their products). Usage analytics from our platform.</data-collected>
<third-parties>AWS (hosting), Stripe (billing), HubSpot (our CRM), Sendgrid (emails), Mixpanel (product analytics), Slack (support).</third-parties>
<purposes>Product functionality, billing, customer support, product improvement, security, legal compliance.</purposes>
<retention>Active customer: indefinite. Inactive 90 days: deletion unless legal hold. End-user data: per customer contract.</retention>
<children-data>Not intentionally. Customers should not feed child data.</children-data>
<current-policy>Exists but 3 years old. Missing 2024+ regulations.</current-policy>
🤖 Output

Privacy Policy: B2B SaaS Customer Data Platform

This privacy policy structure produces a GDPR + CCPA + state-law compliant document. NOT legal advice. Your situation — B2B SaaS with multi-region customer base, handling both customer + end-user data — requires a comprehensive 8-section policy with DPA-readiness. This draft covers essential sections; the FINAL policy requires privacy attorney review (est. $2-5K for compliance attorney, worth it given GDPR fines up to 4% of global revenue).

Overview Summary

Privacy policy must cover:

  • What data collected + why
  • How data used + shared
  • User rights + how to exercise them
  • Security measures + breach notification
  • Multi-jurisdiction compliance (GDPR, CCPA, state laws)
  • Children's data protection
  • Cookie usage + consent
  • DPA addendum for B2B customers

Section 1: Data We Collect

Customer Account Data:

  • Names, email addresses of customer employees
  • Job titles, company affiliations
  • Account credentials (password hashes, not plaintext)
  • Communication preferences

End-User Data (Our Customers' Data):

  • Data our customers upload to our platform (names, emails, behavior data)
  • We process this as a Data Processor under GDPR (our customers are the Data Controller)
  • DPA addendum governs this relationship

Usage Data:

  • Platform usage analytics (feature adoption, session data)
  • IP addresses (de-identified within 30 days)
  • Browser + device information
  • Error logs

Marketing Data:

  • Email engagement (opens, clicks)
  • Website interaction
  • Lead source attribution

Section 2: How We Use Data

Service Provision:

  • Provide platform functionality
  • Authenticate user access
  • Customer support

Billing + Payment:

  • Process subscription payments
  • Invoice generation
  • Tax reporting

Product Improvement:

  • Analyze aggregated usage patterns
  • Identify bugs + performance issues
  • Feature development

Communication:

  • Service announcements
  • Support responses
  • Marketing communications (with consent, unsubscribe available)

Legal + Security:

  • Compliance with laws
  • Fraud prevention
  • Dispute resolution

Section 3: Third-Party Sharing

Service Providers (Sub-Processors):

| Provider | Purpose | Data Shared | Location |
|----------|---------|-------------|----------|
| AWS | Hosting + infrastructure | All data (encrypted) | US + EU regions |
| Stripe | Payment processing | Billing data only | US |
| HubSpot | CRM | Customer contact data | US |
| Sendgrid | Email delivery | Email addresses + content | US |
| Mixpanel | Product analytics | Anonymized usage data | US |
| Slack | Customer support | Support interaction data | US |

Legal Compliance:

  • Responses to legal requests (subpoenas, warrants)
  • Enforcement of terms of service
  • Protection of rights + safety

Business Transfers:

  • Mergers, acquisitions, asset sales (with 30-day notice to users)

Does NOT sell data to third parties for advertising. GDPR + CCPA compliance.

Section 4: User Rights

GDPR + CCPA + State Law Rights:

Access: Request what data we hold about you. Response within 30 days.

Correction: Fix inaccurate data. Response within 30 days.

Deletion: Request data deletion. Exceptions for legal/compliance retention.

Portability: Receive your data in machine-readable format (CSV, JSON).

Object: Opt-out of processing (marketing, etc.).

Restriction: Limit how we process your data while concerns resolved.

Automated decision-making: Human review of automated decisions if significant.

How to exercise:

  • Email: privacy@[company].com
  • In-app: Settings → Privacy → Data Requests
  • Written: [Physical address]

Verification: We verify identity before processing requests.

Timeline: 30 days standard (GDPR). Up to 45 days for complex requests.

Section 5: Cookies + Tracking

Essential Cookies (no consent required):

  • Session management
  • Authentication
  • Security

Functional Cookies (consent required):

  • User preferences
  • Language settings
  • Remember-me functionality

Analytics Cookies (consent required):

  • Product usage analytics (Mixpanel)
  • Performance monitoring
  • A/B testing

Marketing Cookies (consent required):

  • Lead attribution
  • Email engagement tracking
  • Advertising attribution

Consent management:

  • Cookie banner on first visit
  • Granular consent (accept all / reject all / customize)
  • Preferences can be changed anytime (Settings → Cookies)
  • EU users: no tracking cookies without explicit consent
  • California users: 'Do Not Sell My Info' link

Section 6: Data Retention

Active Customer Data: retained for duration of customer relationship.

Inactive Accounts (90+ days no login):

  • Warning email at 60 days
  • Account deletion at 90 days unless legal hold
  • Backups retained 30 days post-deletion

End-User Data (customer-uploaded):

  • Governed by customer contract + DPA
  • Deleted per customer instructions
  • Default: 90 days post-contract termination

Billing Records: 7 years (legal/tax requirement).

Logs:

  • Security logs: 1 year
  • Access logs: 90 days
  • Error logs: 30 days

Marketing Data:

  • Until unsubscribe or 3 years of inactivity
  • Whichever earlier

Section 7: Children's Data

Policy: Service not intended for individuals under 16.

If we learn we've collected child data:

  • Delete immediately
  • Parental notification if feasible
  • Customer notification (B2B context)

Customer responsibility:

  • Customers must not upload child data without parental consent
  • Violation of customer agreement

COPPA compliance (under 13): not applicable to our B2B service but customers should implement on their end.

Section 8: Security + Breach Notification

Security Measures:

  • Encryption at rest (AES-256) + in transit (TLS 1.3)
  • SOC 2 Type II audit (annually)
  • Access controls (role-based, SSO)
  • Regular security assessments
  • Employee privacy training
  • Vendor security reviews

Breach Notification (GDPR):

  • Regulatory notification within 72 hours of discovery
  • User notification 'without undue delay' if high risk
  • Notification includes: what happened, data affected, mitigation steps

Breach Notification (US state laws):

  • Per applicable state requirements (usually within 30-60 days)
  • Notification methods per state law

Contact + Data Subject Requests

Data Protection Officer (DPO):

  • Name: [DPO Name]
  • Email: dpo@[company].com
  • Required under GDPR for processing EU data at scale

Privacy Team:

  • Email: privacy@[company].com
  • Typical response: 30 days
  • Complex requests: up to 45 days

Regulatory Contact:

  • EU data subjects: [Applicable supervisory authority]
  • CA residents: California Attorney General
  • Other states: relevant state attorney general

Physical Address:

  • [Company legal address]

Attorney Review Triggers

Require legal review for:

1. Any multi-jurisdiction compliance — GDPR + CCPA + state laws interact

2. DPA language (Data Processing Agreement for B2B)

3. Cookie consent mechanism — technical + legal implications

4. Children's data — specific rules complex

5. Automated decision-making — Article 22 GDPR

6. International data transfers — SCCs (Standard Contractual Clauses)

7. Any breach notification language — timing + content critical

Cost: $2,000-5,000 for comprehensive privacy attorney review.

Budget justification: GDPR fines up to 4% of annual global revenue (€20M floor). Worth the review.

Key Takeaways

  • Privacy policy is NOT set-and-forget. Update annually at minimum + when practices change. Your 3-year-old policy needs 2024+ regulations added (Colorado, Virginia, Connecticut, Texas laws).
  • B2B SaaS with EU customers needs DPO + DPA capability. Your handling of customers' end-user data = Data Processor role (customers are Data Controllers). DPA addendum mandatory.
  • List specific third parties + sub-processors. Vague 'partners' fails audits. Table format showing AWS + Stripe + HubSpot + etc with purposes + locations.
  • User rights must be usable, not theoretical. Email + in-app request paths + 30-day response SLA. GDPR + CCPA both require real access.
  • Attorney review mandatory before publishing. $2-5K investment prevents fines up to 4% of global revenue. NOT optional for compliant privacy policy.

Common use cases

  • SaaS companies needing GDPR/CCPA compliance
  • DTC brands collecting customer data
  • Startups establishing first privacy policy
  • Companies expanding to EU/California markets
  • Privacy policy refreshes for 2026 regulations
  • B2B services requiring DPA capability

Best AI model for this

Claude Opus 4 or Sonnet 4.5. Privacy policy requires legal + technical understanding. Top-tier reasoning matters. NOT legal advice.

Pro tips

  • NOT legal advice. Attorney review for final policy. GDPR fines for privacy breaches can reach 4% of global revenue.
  • Plain language beats legalese. 'We collect X because Y' beats '[data] processing activities shall be governed by...'
  • Be specific about data collected. 'Any information' is weak. List categories.
  • List third parties you share data with. Vague 'partners' won't pass audit.
  • User rights (access, deletion, correction, portability) must be real + usable.
  • Cookie banner + preferences not optional — compliance + trust.
  • Children's data requires parental consent if under 13 (COPPA) or 16 (GDPR).
  • Update policy when practices change. Stale policies = compliance gaps.

Customization tips

  • Don't copy competitors' privacy policies. They may be outdated or wrong for your specific situation. Generate from your practices.
  • Review privacy policy annually + after any data practice changes. Version track (v2.1, v2.2 etc). Include 'last updated' date.
  • Build cookie banner properly. GDPR requires prior consent (not 'by using our site you agree'). Solutions: OneTrust, Cookiebot, TrustArc.
  • For B2B: DPA (Data Processing Agreement) is separate document. Have template ready for enterprise customers requesting it.
  • Privacy policy is only one compliance element. Internal data handling, access controls, employee training all matter. Policy reflects reality.
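The prior-consent rule in the cookie banner tip above, and the consent-management behaviour the example output describes in Section 5 (banner on first visit, granular accept/reject/customize, preferences changeable anytime, no tracking cookies for EU users without explicit consent), as an added JavaScript example. This is not code from the page or from any Promptolis prompt; ConsentGate, COOKIE_CATEGORY and the cookie names are constructed for the illustration, and a plain object stands in for document.cookie so it runs under Node.

```javascript
// Added example: a consent gate for the four cookie categories the policy draft
// lists. Not part of the page; ConsentGate/COOKIE_CATEGORY are this example's own.
// A plain object is used as the cookie store so the code runs under Node; in a
// browser the same logic would sit in front of document.cookie.

const CATEGORIES = ['essential', 'functional', 'analytics', 'marketing'];

// Constructed registry of cookie name -> category. Anything not registered is
// refused, so a new tracker cannot slip in uncategorized.
const COOKIE_CATEGORY = {
  session_id: 'essential',
  csrf_token: 'essential',
  ui_lang: 'functional',
  remember_me: 'functional',
  mp_distinct_id: 'analytics',
  lead_source: 'marketing',
};

class ConsentGate {
  constructor(store = {}) {
    this.store = store;   // cookie name -> value (stand-in for document.cookie)
    this.consent = null;  // null = banner not yet answered
  }

  // Prior consent: before the banner is answered only essential cookies are
  // allowed. Silence is never treated as "by using our site you agree".
  isAllowed(category) {
    if (category === 'essential') return true;
    if (this.consent === null) return false;
    return this.consent[category] === true;
  }

  // Returns true if the cookie was set, false if consent is missing.
  setCookie(name, value) {
    const category = COOKIE_CATEGORY[name];
    if (!category) throw new Error(`unregistered cookie: ${name}`); // fail closed
    if (!this.isAllowed(category)) return false;
    this.store[name] = value;
    return true;
  }

  // Granular choices from the banner: accept all / reject all / customize.
  acceptAll() { this.setConsent({ functional: true, analytics: true, marketing: true }); }
  rejectAll() { this.setConsent({ functional: false, analytics: false, marketing: false }); }

  setConsent(choices) {
    this.consent = { essential: true };
    for (const c of CATEGORIES.slice(1)) this.consent[c] = choices[c] === true;
    // Changing preferences later must also remove cookies already set under a
    // category whose consent was withdrawn, not just stop setting new ones.
    for (const [name, category] of Object.entries(COOKIE_CATEGORY)) {
      if (!this.isAllowed(category)) delete this.store[name];
    }
  }

  // Audit check: every cookie present whose category lacks consent.
  violations() {
    return Object.keys(this.store).filter(n => !this.isAllowed(COOKIE_CATEGORY[n]));
  }
}

// Walk through the flow: first visit, customized consent, then full withdrawal.
function demo() {
  const gate = new ConsentGate();
  const beforeBanner = gate.setCookie('mp_distinct_id', 'abc');  // blocked: no answer yet
  gate.setCookie('session_id', 's1');                            // essential, always fine
  gate.setConsent({ functional: true, analytics: true });        // user customized
  gate.setCookie('mp_distinct_id', 'abc');                       // analytics now allowed
  const marketingBlocked = gate.setCookie('lead_source', 'ad');  // marketing not consented
  gate.rejectAll();                                              // withdrawal removes analytics cookie
  return { beforeBanner, marketingBlocked, remaining: Object.keys(gate.store).sort() };
}
```

The gate fails closed in three places worth keeping when wiring a real banner: an unanswered banner counts as no consent rather than implied consent, an unregistered cookie name is refused rather than silently stored, and withdrawing consent deletes cookies already set under the withdrawn category, so violations() doubles as a check a QA or audit script can run against the live store.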

Variants

B2B SaaS

For B2B services with enterprise DPA needs.

DTC Consumer

For consumer brands with retail + marketing.

EU-First

GDPR-primary with other compliance overlay.

Multi-Jurisdiction

US + EU + UK + CA + AU etc.

Frequently asked questions

How do I use the Privacy Policy Builder — GDPR + CCPA Compliant prompt?

Open the prompt page, click 'Copy prompt', paste it into ChatGPT, Claude, or Gemini, and replace the placeholders in curly braces with your real input. The prompt is also launchable directly in each model with one click.

Which AI model works best with Privacy Policy Builder — GDPR + CCPA Compliant?

Claude Opus 4 or Sonnet 4.5. Privacy policy requires legal + technical understanding. Top-tier reasoning matters. NOT legal advice.

Can I customize the Privacy Policy Builder — GDPR + CCPA Compliant prompt for my use case?

Yes — every Promptolis Original is designed to be customized. Key levers: attorney review for the final policy (NOT legal advice; GDPR fines can reach 4% of global revenue); plain language over legalese ('We collect X because Y' beats '[data] processing activities shall be governed by...').
