SaaS launch pack

Terms of Service, Privacy Policy, and a Refund / Cancellation policy so your indie SaaS can take its first paying user.

3 documents · About 15 minutes · 7 questions to answer

What's in the pack

01. Terms of Service (website doc)
02. Privacy Policy (website doc)
03. Refund & cancellation policy (website doc)

Pike doesn't sign for you. These documents are drafted from the facts you provide. You read them, you sign them, you send them. Pike never claims to be your lawyer.

Stripe will not turn on for an indie SaaS without a Terms of Service and a Privacy Policy. The first paying user is on the other side of three boring documents most founders put off for months.

Who this pack is for

You're shipping an indie SaaS, web tool, or paid digital product and you're trying to take your first paying customer. Stripe wants links to your TOS, Privacy Policy, and Refund Policy before they'll let you accept live payments. Apple and Google's app stores want the same. GDPR and CCPA require a Privacy Policy regardless of whether you're collecting payments. You don't have $3,000 to spend on a lawyer to draft three documents that 80% of small SaaS companies copy from a template anyway.

When to use it

Use this pack the day you wire up Stripe live mode. The TOS, Privacy Policy, and Refund Policy go up at /terms, /privacy, and /refunds (or whatever URLs you prefer) before you flip the switch on payments. They also need to be linked from your signup flow — most SaaS payment integrations require a checkbox at signup that explicitly references these documents. If you're already taking payments without them, write them this week; running without a TOS and Privacy Policy is a Stripe-account-suspension risk and a real legal liability if a user disputes a charge or a regulator asks about your data practices.

What it doesn't cover

These are starter-quality documents for a US-based indie SaaS with a normal subscription model. They are not enterprise-grade contracts negotiated against Fortune 500 procurement teams (those are bespoke). They do not include EU-specific data processing addenda required by GDPR Article 28 (DPA) when you're processing data on behalf of a B2B customer — you'll need a separate DPA, often a CCPA addendum for California enterprise customers, and a UK GDPR equivalent if you're selling into the UK. They do not include healthcare BAAs (required if you're handling PHI), HIPAA-specific disclosures, or PCI-DSS compliance language for direct card storage. They do not cover specific industries like education (FERPA), children's services (COPPA), or financial services (Reg E, Truth in Lending).

State-specific notes

Rules vary by jurisdiction. Below are notes for the states where the SaaS launch pack runs into the most variance. If your state isn't listed, default to your state's tenant-rights handbook or local legal aid.

California (CA)
California's CCPA / CPRA (Cal. Civ. Code § 1798.100 et seq.) requires specific Privacy Policy disclosures: categories of personal information collected, sources, business purposes, sharing, sale, retention. Add a 'Do Not Sell My Personal Information' link if you sell or share data, and respond to user rights requests within 45 days. Out-of-state SaaS companies with California customers must comply.
Virginia (VA)
Virginia's CDPA (effective 2023) imposes CCPA-like requirements with some differences: no private right of action, opt-out for targeted ads, and a 45-day response window. Privacy Policies must specifically address Virginia residents.
Colorado (CO)
Colorado's CPA (effective 2023) is similar to Virginia's, with specific universal opt-out mechanism requirements (Global Privacy Control by July 2024). Treat Colorado residents like California for safety; one consolidated Privacy Policy section covering all state-specific rights is cleaner than separate policies.

Common questions

Is the TOS enforceable if I just have a click-through?
Yes, generally — 'clickwrap' agreements (where the user explicitly checks a box or clicks 'I agree' before signing up) are enforceable in every state. 'Browsewrap' (a small footer link without affirmative consent) is enforceable in fewer cases. Use clickwrap with the TOS link visible adjacent to the checkbox at signup; that's the standard pattern Stripe and modern SaaS use. Avoid burying the TOS in the footer or relying on 'continued use means agreement.'
What is the limitation-of-liability clause actually doing?
It caps the maximum amount you'd owe a customer in a dispute — typically the fees they paid in the last 12 months. Without a cap, you could in theory be on the hook for consequential damages many multiples of revenue. Limit-of-liability clauses are enforced in most US states for B2B contracts, more conditionally for consumer contracts (some state consumer protection laws prevent caps on certain claims). Stripe doesn't require this clause but every functional SaaS TOS has one.
Do I really need a separate Refund Policy?
Stripe asks for one and credit card networks expect it. A Refund Policy that's clearly published is your defense against chargebacks — when a customer disputes a charge, the card network looks at whether you communicated your refund terms. A clear policy ('no refunds on monthly subscriptions; prorated refunds on annual within 30 days of renewal') in writing wins more chargeback disputes than 'we never said.'
What's GDPR and do I need to comply?
GDPR (the EU's General Data Protection Regulation) applies if you have users in the EU, regardless of where you're based. Compliance has many layers, but the privacy-policy floor is: be transparent about data collection, lawful basis (consent, contract, legitimate interest), user rights (access, deletion, portability), and DPO contact. The Privacy Policy in this pack handles transparency; full GDPR compliance also requires data processing agreements, breach notification within 72 hours, and possibly a Data Protection Officer if you process at scale.
Should I require arbitration?
It's a strategic choice. Mandatory arbitration clauses prevent customers from filing class actions against you and tend to favor the company in disputes. Recent US court rulings have made arbitration clauses harder to enforce when consumers don't have meaningful notice or when the arbitration would be prohibitively expensive. The default TOS in this pack does not include mandatory arbitration; if you want it, add a separate arbitration section with reasonable cost-sharing. Don't bury it.
What about cookies and tracking?
If you use any third-party tracker (Google Analytics, Posthog, Plausible, Stripe, Sentry, Crisp), the Privacy Policy needs to disclose it. Cookie consent banners are required in the EU under ePrivacy + GDPR; California requires opt-out for sale or sharing of personal information including via cookies in many cases. The pack mentions analytics tools generically; you should fill in the specific subprocessors you actually use.
What if I add features later that change my data practices?
Update the Privacy Policy and TOS, post the new versions, change the 'last updated' date, and notify active users via email or in-app banner if the changes are material. Material changes (new data uses, new sharing, new payment terms) require active notice; cosmetic changes don't. Some states (CA in particular) require advance notice of material changes.

Pike provides plain-language legal information, not legal advice. State and local rules change. If money, custody, or your housing is on the line, talk to a licensed attorney or your local legal aid office.