
Ask HN: GDPR compliance for a systems-oriented SaaS - cuu508
I have a SaaS product that does not deal with personal data, it's a systems monitoring service. However there are a few types of *potentially* personal data it has to collect:

* user email addresses (for signing in, and for password reset links)

* optionally, billing address

* it uses a third party service for recurring payments (Braintree). My service does not store users' credit card details but Braintree of course has to

The service does not use any analytics scripts. It currently only has generic Terms of Service and Privacy Policy documents, generated online by answering yes/no questions and paying $20 or so for each.

For a SaaS service like mine, what are the minimum required things to be GDPR compliant? Are there walkthroughs, templates or recommended services for preparing GDPR-related documentation?

I'm sure many SaaS tools / services are in a similar situation as mine, and I'm sure many have already figured this out. Looking for friendly advice!
======
termsfeed
Email address + billing address is personal data.

The minimum requirements for SaaS would be:

\- Having a Privacy Policy. Among other things, specifically identify the Data
Controller (you), inform users of their rights (there are 8 rights under
GDPR), whether you transfer data internationally (EU>US), and others.

\- Getting active consent from users. Under GDPR, you must request a "clear,
unambiguous affirmative consent" from users. The "clickwrap" method of design
might be good to follow.

We shared a quick "GDPR Compliance Plan" video on YouTube a while ago that
might be useful:
[https://www.youtube.com/watch?v=K2F9HEhTpSg](https://www.youtube.com/watch?v=K2F9HEhTpSg)

------
oceanbreeze83
can you let us know where you were able to generate that ToS and privacy
policy? thank you

