Why SaaS is Higher-Risk for Privacy Law
SaaS platforms collect and store significantly more personal data than typical websites. Unlike a static blog or landing page, your SaaS product continuously collects and processes user information: account details, payment data, user-generated content, behavioural data, and often sensitive business information. This creates higher legal obligations under the Privacy Act 1988.
Data types SaaS companies typically collect:
- Account data: names, email addresses, passwords (hashed), account settings
- Payment information: credit card data (via payment processor), billing addresses, invoice history
- Usage data: login times, features accessed, IP addresses, device information
- User-generated content: documents, files, messages, project data stored on your servers
- Communication logs: support tickets, email history, chat transcripts
- Analytics data: behavioural patterns, feature usage, session duration
Each of these creates specific privacy obligations you must disclose in your Privacy Policy.
Cross-Border Data Transfers: The Privacy Act Requirement
Most SaaS companies host their infrastructure on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, or similar. These services often store data outside Australia — typically in the US, Europe, or Asia.
Australian Privacy Principle 1 (APP 1) requires that you:
- Take reasonable steps to ensure overseas service providers comply with the Privacy Act (or equivalent law)
- Disclose that you transfer data overseas
- Tell users which countries their data may be transferred to
You must explicitly state in your Privacy Policy where your servers are located. If you use AWS US East, say so. If you use GCP across multiple regions, disclose that too. Users have the right to know their data is leaving Australia.
Third-Party Integrations & Service Disclosures
SaaS platforms typically integrate with multiple third-party tools. Each integration means data flows to external services. You must disclose all of these in your Privacy Policy.
Common SaaS integrations that handle personal data:
- Stripe, PayPal, or Square: Payment processing — they store payment method data and transaction history
- Intercom or Zendesk: Customer support tools — they receive customer emails and support tickets
- Segment, Mixpanel, or Amplitude: Analytics SDKs — they collect detailed usage data and behavioural patterns
- HubSpot or Klaviyo: If integrated for marketing, they receive customer contact data
- SendGrid or Twilio: Transactional email — they send account confirmation, password reset, and billing emails
- Slack API: If your app integrates with Slack, user accounts and message data flow to Slack
- Google Analytics: Visitor IP addresses and behaviour tracking
For each integration, your Privacy Policy must clearly state what data is shared and link to the third party's privacy policy so users can understand how their data is handled downstream.
What Your SaaS Privacy Policy Must Specifically Address
Beyond the basic Privacy Policy requirements, SaaS platforms must also cover:
- Account deletion: Explain what happens when a user deletes their account. Is data permanently deleted? Do you keep backups? For how long? (APP 1.2)
- Data export: If users request their data in a portable format, how do you respond and in what timeframe? (This is a user right under APP 1)
- Retention on cancellation: When a subscription ends, how long do you keep the user's data? Many SaaS platforms delete it after 30 days, but some keep it longer for compliance or chargeback disputes. Be explicit.
- Sub-processors: If you hire other vendors to process data (e.g., a payment processor or data warehouse), disclose them
- Data security measures: Encryption in transit (TLS/SSL), encryption at rest, access controls, backup procedures
- Breach notification: Your process for notifying users if their data is compromised
APP 1 Obligations for SaaS Entities
Australian Privacy Principle 1 (APP 1) governs how you collect and use personal information. For SaaS, this specifically means:
- Open and transparent management: Your Privacy Policy must be open and transparent. Users should easily understand your data practices.
- Purpose limitation: You can only use data for the purposes you disclosed. If you collect usage data "to improve the service," you can't then sell it to third parties or use it for marketing without explicit consent.
- Individual participation: Users have the right to access their data and correct it. Your Privacy Policy must explain how they request this (typically via a privacy@yourcompany.com email or an in-app settings page).
- Data quality and accuracy: You must take reasonable steps to keep user data accurate. This includes allowing users to update their own information.
If You Have EU Customers
Many Australian SaaS companies have customers in Europe. If you do, GDPR applies in addition to the Privacy Act 1988. GDPR is stricter than Australian law:
- GDPR requires explicit opt-in consent before collecting most data (unlike Australia, which allows collection with later disclosure)
- Right to be forgotten: EU users can demand complete deletion, not just correction
- Data Processing Agreements (DPA): If you process data on behalf of customers, you typically need a DPA in place
- 72-hour breach notification: You must notify GDPR authorities within 72 hours of a breach (Australia's threshold is higher)
If you have EU customers, your Privacy Policy should clearly state that you comply with both the Privacy Act 1988 and the GDPR. In practice this usually means following the GDPR's stricter standards, which covers your Australian users as well.
Information to Prepare Before Generating
- Your company name and ABN
- Primary business address (required under Privacy Act)
- A privacy contact email (e.g., privacy@yourcompany.com)
- Your hosting provider and regions where data is stored (AWS US East, GCP Multi-Region, etc.)
- Complete list of third-party integrations: payment processors, analytics, email, support tools, etc.
- Account deletion and data retention policies: How long you keep data after cancellation
- Data security practices: Encryption types, access controls, backup procedures
- Data breach notification process: How you'll respond if user data is compromised
- Any specific data categories: Health data, financial records, government IDs — these have extra obligations