SaaS Legal Boilerplate Generator
Generate legally compliant boilerplate documents for SaaS applications across multiple jurisdictions (GDPR, CCPA, PIPEDA, LGPD).
Important: Templates are for informational purposes only. Always consult with a qualified attorney for legal advice.
Quick Start
User Interactive Mode
Generate a complete legal package interactively:
cd skills/saas-legal-generator
npx -y bun scripts/index.ts
Agent Mode
- •Analyze: Check user's source code/website to infer details (domain, tech stack, tracking).
- •Prompt: Ask user for key details (Company Name, Contact Email, Jurisdiction).
- •Configure: Create a config.json file with the details (see example_config.json).
- •Generate: Run npx -y bun scripts/index.ts config.json.
The generator prompts for:
- •Company details (name, domain, contact)
- •Service information (features, type)
- •Billing setup (plans, refund policy)
- •Data practices (collection, cookies)
- •Jurisdictions (GDPR, CCPA, PIPEDA, LGPD)
- •Third-party services (payment, hosting, analytics)
Output: Ready-to-use documents in output/ directory.
Context-Aware Adaptation
After generating the boilerplate, use the agent's capabilities to refine the documents:
- •Verify Tech Stack:
  - •Scan the project's package.json or source code for analytics tools (Google Analytics, Mixpanel), payment providers (Stripe), email services (SendGrid).
  - •Update the Third-Party Services section in the Privacy Policy accordingly.
- •Check Tracking:
  - •Inspect website source or index.html for tracking scripts/pixels.
  - •Update Cookie Policy to reflect actual cookies used.
- •Validate URLs:
  - •Ensure [DOMAIN] placeholders match the actual project URL.
  - •Check if support/contact pages exist.
Agent Usage Guidelines
- •Always prompt the user for the "Company Name" and "Jurisdiction" if not explicitly stated.
- •Do not invent legal contact emails; ask the user or default to legal@[domain].
- •Review generated files: After generation, do a quick read of the Markdown files to ensure no [PLACEHOLDERS] remain for critical fields.
Document Types
Privacy Policy
When to use: Any website/app collecting personal data
Required sections:
- •Data collection practices
- •Purpose of processing
- •Legal basis (GDPR)
- •Data subject rights
- •International transfers
- •Retention periods
Jurisdictions: Global + GDPR (EU) + CCPA (California) + PIPEDA (Canada)
Terms of Service
When to use: Any web application or service
Essential clauses:
- •Service description and scope
- •User accounts and security
- •Payment terms and billing
- •Acceptable use policy
- •Intellectual property
- •Limitation of liability (crucial for SaaS)
- •Termination rights
- •Dispute resolution
- •Indemnification
- •Modification procedures
Cookie Policy
When to use: Using cookies, tracking pixels, local storage
Required by: ePrivacy Directive (EU), CCPA (California)
Categories:
- •Essential (authentication, security)
- •Analytics (usage tracking)
- •Functionality (preferences)
- •Marketing (ad targeting)
Data Processing Agreement (DPA)
When to use: Processing personal data on behalf of customers (GDPR Article 28)
Required clauses:
- •Processor acts on controller's instructions
- •Confidentiality obligations
- •Security measures
- •Subprocessor approval
- •Data subject rights assistance
- •Breach notification (72 hours)
CCPA "Do Not Sell" Opt-Out
When to use: California residents or targeting California market
Required:
- •"Do Not Sell or Share My Personal Information" link in footer
- •Consumer rights disclosure
- •Opt-out mechanism
- •Non-discrimination notice
Core Workflows
Workflow 1: Complete SaaS Launch Package
Generate all essential documents for a new SaaS product:
- •Privacy Policy - Global template with GDPR/CCPA addendums
- •Terms of Service - Service agreement with liability limitations
- •Cookie Policy - Tracking technology disclosure
- •Acceptable Use Policy - Usage guidelines
- •Data Processing Agreement - GDPR compliance (if processing user data)
Run: npx -y bun scripts/index.ts
Workflow 2: GDPR Compliance Only
For European markets:
- •Privacy Policy (GDPR-compliant)
- •Cookie Policy (ePrivacy Directive)
- •Data Processing Agreement (Article 28)
- •Records of Processing Activities
- •Breach Notification Procedure
Workflow 3: CCPA/CPRA Compliance
For California residents:
- •Privacy Policy (CCPA-compliant)
- •"Do Not Sell or Share" link
- •Consumer Rights Guide
- •Data Inventory Template
Template Placeholders
All templates use placeholders replaced during generation:
| Placeholder | Description |
|---|---|
| [COMPANY_NAME] | Legal business name |
| [DOMAIN] | Website domain |
| [CONTACT_EMAIL] | Privacy/legal contact |
| [JURISDICTION] | Governing law |
| [EFFECTIVE_DATE] | Document date |
| [CURRENCY] | Payment currency |
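One way to automate the placeholder review asked for in the agent guidelines and the validation checklist, as an added example that is not part of the generator's own code: it scans generated Markdown for leftover bracket tokens. Treating exactly the six placeholders in this table as blocking is an assumption, and the sample file names and contents are constructed.

```typescript
// Added example, not the generator's code. CRITICAL comes from the Template
// Placeholders table; treating exactly these six as blocking is an assumption.
const CRITICAL: string[] = [
  "COMPANY_NAME", "DOMAIN", "CONTACT_EMAIL",
  "JURISDICTION", "EFFECTIVE_DATE", "CURRENCY",
];

interface Finding { file: string; line: number; token: string; critical: boolean; }

// Bracketed word of 3+ characters that is not Markdown link text "[text](url)".
const TOKEN = /\[([A-Za-z][A-Za-z0-9_]{2,})\](?!\()/g;

function scanDocument(file: string, text: string): Finding[] {
  const findings: Finding[] = [];
  const lines = text.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    TOKEN.lastIndex = 0;
    let m: RegExpExecArray | null;
    while ((m = TOKEN.exec(lines[i])) !== null) {
      const token = m[1].toUpperCase();
      const critical = CRITICAL.indexOf(token) !== -1;
      // Lower-case bracket words such as "[sic]" are prose, unless they spell a
      // known placeholder: "legal@[domain]" must still be caught.
      if (!critical && m[1] !== token) continue;
      findings.push({ file: file, line: i + 1, token: token, critical: critical });
    }
  }
  return findings;
}

function scanPackage(docs: { [file: string]: string }): Finding[] {
  let all: Finding[] = [];
  Object.keys(docs).forEach(function (file) {
    all = all.concat(scanDocument(file, docs[file]));
  });
  return all;
}

// Deployment gate: only critical leftovers block publication.
function blocking(findings: Finding[]): Finding[] {
  return findings.filter(function (f) { return f.critical; });
}

// Constructed sample output, standing in for files under output/.
const SAMPLE: { [file: string]: string } = {
  "privacy-policy.md": "# Privacy Policy\n\nExample Corp operates example.com.\nContact: legal@[domain]\nSee our [Terms](/terms).\n",
  "terms-of-service.md": "# Terms of Service\n\nEffective: [EFFECTIVE_DATE]\nFees are billed in USD.\nGoverned by the laws of [JURISDICTION] [sic].\nRefunds: [REFUND_WINDOW]\n",
};
console.log(blocking(scanPackage(SAMPLE)));
```

Unknown upper-case tokens such as [REFUND_WINDOW] are reported as non-critical so a reviewer still sees them without failing the gate.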
Jurisdiction Selection
Select based on target markets:
| Region | Law | Key Requirements |
|---|---|---|
| European Union | GDPR | Data subject rights, DPA, breach notification (72h) |
| California | CCPA/CPRA | "Do Not Sell" link, consumer rights, opt-out |
| Canada | PIPEDA | Consent, access, correction rights |
| Brazil | LGPD | Similar to GDPR, data subject rights |
| United Kingdom | UK GDPR | Post-Brexit, similar to EU GDPR |
Deployment Requirements
Website Footer (Required)
<footer>
  <a href="/privacy">Privacy Policy</a>
  <a href="/terms">Terms of Service</a>
  <a href="/cookies">Cookie Policy</a>
  <a href="/do-not-sell">Do Not Sell or Share</a> <!-- CCPA required -->
</footer>
Cookie Consent Banner (GDPR Required)
<div id="cookie-banner">
<p>
We use cookies. By continuing, you agree to our
<a href="/cookies">Cookie Policy</a>.
</p>
<button onclick="acceptEssential()">Accept Essential</button>
<button onclick="acceptAll()">Accept All</button>
</div>
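The banner calls acceptEssential() and acceptAll() without defining them. One way to implement them with the four categories from the Cookie Policy section, as an added example that is not the generator's code; the storage key, record shape and POLICY_VERSION are assumptions.

```typescript
// Added example, not the generator's code: the storage key, record shape and
// POLICY_VERSION are assumptions made for illustration.
type Category = "essential" | "analytics" | "functionality" | "marketing";
const ALL: Category[] = ["essential", "analytics", "functionality", "marketing"];

interface ConsentRecord { version: string; timestamp: string; granted: Category[]; }
interface Store { getItem(k: string): string | null; setItem(k: string, v: string): void; }

const KEY = "cookie-consent";
const POLICY_VERSION = "v1"; // bump when the Cookie Policy changes to re-prompt

// In the browser the buttons call the handlers with no arguments.
function defaultStore(): Store { return (globalThis as any).localStorage as Store; }

function save(granted: Category[], store: Store, now: Date): ConsentRecord {
  // "Track consent": the timestamp records when the choice was made.
  const record: ConsentRecord = { version: POLICY_VERSION, timestamp: now.toISOString(), granted: granted };
  store.setItem(KEY, JSON.stringify(record));
  return record;
}

function acceptEssential(store: Store = defaultStore(), now: Date = new Date()): ConsentRecord {
  return save(["essential"], store, now);
}

function acceptAll(store: Store = defaultStore(), now: Date = new Date()): ConsentRecord {
  return save(ALL.slice(), store, now);
}

// Fail closed: a missing, malformed or outdated record counts as "no consent".
function loadConsent(store: Store = defaultStore()): ConsentRecord | null {
  const raw = store.getItem(KEY);
  if (raw === null) return null;
  try {
    const r = JSON.parse(raw);
    if (!r || r.version !== POLICY_VERSION || !Array.isArray(r.granted) ||
        typeof r.timestamp !== "string" || isNaN(Date.parse(r.timestamp))) return null;
    // Drop category names this policy does not define.
    const granted = ALL.filter(function (c) { return r.granted.indexOf(c) !== -1; });
    return { version: r.version, timestamp: r.timestamp, granted: granted };
  } catch (e) {
    return null;
  }
}

// Gate every non-essential script or cookie on this check.
function mayUse(category: Category, store: Store = defaultStore()): boolean {
  if (category === "essential") return true;
  const record = loadConsent(store);
  return record !== null && record.granted.indexOf(category) !== -1;
}
```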
Common Mistakes to Avoid
❌ Copy-pasting without customization - Adapt to your specific data practices
❌ One-size-fits-all - Different jurisdictions need different terms
❌ Ignoring updates - Laws change regularly
❌ Buried clauses - Make key terms prominent
❌ Overreaching disclaimers - Unenforceable clauses undermine credibility
Best Practices
- •Keep documents current - Review at least annually
- •Make accessible - Link from footer, no login gate
- •Track consent - Record timestamps and IP addresses
- •Maintain records - Document processing activities
- •Prepare for enforcement - Designate DPO, establish breach response
Maintenance Schedule
Quarterly:
- •Review data collection changes
- •Update vendor/subprocessor lists
- •Check for law changes
Annually:
- •Full document review
- •Update effective dates
- •Audit consent mechanisms
As Needed:
- •Immediate update for major law changes
- •Update when adding new data-intensive features
- •Revise when expanding to new markets
Validation Checklist
Before deploying legal documents, verify:
- •All placeholder text replaced
- •Jurisdictions match target markets
- •Data collection accurately described
- •User rights clearly explained
- •Contact information current
- •Links work from footer
- •Document accessible (not login-gated)
- •Reviewed by attorney (recommended)
- •Translated for non-English markets
Resources
- •templates/ - Complete document templates by jurisdiction
- •scripts/index.ts - Interactive generation script
- •example_config.json - Non-interactive generation input
- •output/ - Generated document examples
Important Disclaimer
These templates are for informational purposes only and do not constitute legal advice. Laws vary by jurisdiction and change frequently. Always consult with a qualified attorney to review your legal documents before publication.