
Many apps today are delivered as Software as a Service, or SaaS for short.

SaaS is a distribution model where software is hosted online and accessed on demand in exchange for a subscription fee. Common examples of SaaS web applications are Dropbox, Xero, Microsoft Office 365 and Mailchimp. There’s more, of course. So many more. This delivery model offers unprecedented levels of convenience, productivity and collaboration to customers, hence webapps have quickly become a daily part of our personal and professional lives.

But these applications also come with a unique set of privacy considerations not many people understand. Such considerations should be accounted for in a SaaS business’s privacy policy, covering what data is collected, how it’s used, and how the business protects its users’ privacy.

What are the privacy risks of SaaS?

According to a survey conducted by SaaS management software company BetterCloud, “73% of organisations say nearly all their apps will be SaaS by 2020”. This is an exciting projection, but also signals the need for caution. Sensitive information such as company finances, confidential processes and personal data about customers (like addresses and credit card numbers) are all prime targets for data theft, which makes security a top concern for businesses shopping around for a SaaS product.

Given that these apps and their users’ data are typically hosted on remote servers around the world, it can be unclear where exactly data is located at any point in time, which potentially limits the control customers (and governments) have over the security of that data. Sometimes, when a customer travels outside their home country and needs to access their data, the SaaS provider may need to transfer this information to servers in the corresponding region because of the data protection laws in place there, some of which offer more protection than others.

Another key consideration is the level of access a SaaS company is given to customer data. To facilitate a key function of the app or provide client support, SaaS employees and other third parties may need greater access to sensitive data. This leaves customers vulnerable to potential abuses or even phishing attacks targeted at employees who already have access to important private information.

Web apps like Facebook have become the subject of public scrutiny since it was revealed that multiple tech firms were given special access to private user data. When even the biggest names in the tech industry are not clear of privacy violations, where does that leave the rest of us?

What should be included in a SaaS privacy policy?

Like any other privacy policy, SaaS providers must explain what information they collect about customers and why. Based on the privacy risks mentioned previously, there are three key areas of focus for a SaaS business’s customers:

1. How data is used

The policy must clearly explain what the app owners do with user data once it has been collected.

2. Where data is stored

Customers should be made aware of where their data is stored, and the security measures taken to protect it.

3. Third parties

If a SaaS business collects and processes data about customers using third-party sources, this must be disclosed, and it must be demonstrated that these sources do so in compliance with applicable privacy laws.

To prevent any conflict and confusion between providers and customers, a web app privacy policy should also outline data ownership rights and describe how customers will be alerted of any changes to the policy.

Generate your web app privacy policy with

Our privacy policy generator can create a Terms of Service and Privacy Policy for your SaaS webapp within seconds. Create your free policy now.