UK SaaS legal pages template for indie hackers (2026 edition)

Key Takeaways
- A UK SaaS in 2026 needs five legal pages: Terms of Service, Privacy Policy, Cookie Policy, Acceptable Use Policy, and an Imprint block.
- ICO registration (the data protection fee) is legally required if you process any personal data, including email addresses. The tiers this post quotes are £40-60/year; they were raised in 2025, so confirm the current amount on ico.org.uk.
- The DUA Act 2025 (in force 5 Feb 2026) exempts analytics cookies used solely for statistics about how your service is used from PECR consent, provided users get clear information and a simple way to object. First-party tools like Plausible and Umami fit that shape, so you may not need a banner at all.
- B2C subscription sign-ups need explicit CCR 2013 cancellation rights language, and a waiver flow if you start delivery immediately.
- Liability limits in UK B2C terms must be fair under the Consumer Rights Act 2015: a blanket exclusion, or a cap that would stop the consumer recovering even the price they paid, is not binding. Cap at fees paid (with a floor) and carve out the non-excludable liabilities.
Legal pages are the procrastination tax every indie hacker pays eventually -- usually right before launch, usually in a panic, usually at midnight. You'll spend three hours reading TermsFeed output and realise it's built for a Delaware LLC, not a UK Ltd.
This post is the one you bookmark and ship from. Five copy-paste templates, UK law only, updated for 2026. Not legal advice -- starting templates. But they cover everything a UK-based indie SaaS needs: UK GDPR, PECR, the DUA Act 2025 cookie exemption, Consumer Rights Act liability caps, and Companies Act disclosure rules.
Thirty minutes. Then you move on.
The UK legal stack for a SaaS in 2026
Before you copy anything, here is what you are actually complying with. Each law maps to a page.
| Law | What it governs | Pages it affects |
|---|---|---|
| UK GDPR | Processing personal data | Privacy Policy, DPA if applicable |
| PECR | Cookies, marketing emails | Cookie Policy / banner |
| Data (Use and Access) Act 2025 | First-party analytics cookie exemption | Cookie Policy |
| Consumer Rights Act 2015 | Digital content quality, unfair terms | Terms of Service |
| Consumer Contracts Regulations 2013 | B2C cancellation / cooling-off | Terms of Service |
| Companies Act 2006 | Registered office disclosure | Imprint / footer |
| ICO registration | Data controller registration (£40-60/yr) | Privacy Policy |
ICO registration: If you store email addresses, you process personal data. You must register as a data controller and pay the data protection fee. Go to ico.org.uk/registration. Cost: £40/year for micro-organisations, £60 for small, at the tiers this post uses; the tiers were raised in 2025, so confirm the current figure when you register. Not optional.
Page 1 -- Terms of Service
Replace every [PLACEHOLDER] with your real details. Read every section once before you ship it -- you need to understand what you are agreeing to, even if you did not write it.
# Terms of Service
**Last updated:** [DATE]
These Terms of Service ("Terms") govern your use of [PRODUCT NAME] ("Service"),
operated by [COMPANY LEGAL NAME] ("we", "us", "our"), a company registered in
England and Wales (company number [12345678]) with registered office at [ADDRESS].
---
## 1. Definitions
- **Account** -- your registered user account on the Service.
- **Content** -- any data, text, files, or material you submit to the Service.
- **Subscription** -- a paid plan giving access to the Service for a billing period.
- **Consumer** -- an individual using the Service for personal, not business, purposes.
---
## 2. Eligibility
You must be at least 18 years old to create an Account. By accepting these Terms
you confirm you meet this requirement and have authority to enter into a binding
agreement.
---
## 3. Subscriptions and billing
Subscription fees are charged in GBP. Prices displayed on the pricing page are
[inclusive / exclusive] of VAT. VAT will be applied at checkout at the rate
applicable to your location.
Subscriptions renew automatically at the end of each billing period unless
cancelled. You will receive a reminder email at least [X] days before renewal.
We use Stripe for payment processing; your card details are held by Stripe and
never stored by us.
---
## 4. Cancellation and refunds (Consumer rights)
**Consumers only:** Under the Consumer Contracts Regulations 2013, you have the
right to cancel your Subscription within 14 days of purchase without giving any
reason ("cooling-off period").
**Waiver of cooling-off period:** If you ask us to start providing the Service
immediately after purchase, you acknowledge that your right to cancel under the
14-day cooling-off period is lost once we begin performance. You will be asked
to confirm this at checkout.
To cancel at any time after the cooling-off period, go to Account > Billing >
Cancel Subscription, or email [SUPPORT EMAIL]. We do not offer pro-rata refunds
for mid-period cancellations except where required by law.
---
## 5. Service quality (Consumer Rights Act 2015)
We warrant that the Service will be provided with reasonable care and skill, as
implied by the Consumer Rights Act 2015. If the Service materially fails to meet
this standard, you may be entitled to a repeat performance or, where that is
not possible, a price reduction.
We do not guarantee 100% uptime. We target [X]% monthly uptime (excluding
scheduled maintenance) and will publish status updates at [STATUS URL].
---
## 6. Acceptable use
You must not use the Service in breach of our Acceptable Use Policy, which forms
part of these Terms and is available at [/legal/acceptable-use].
---
## 7. Intellectual property
We retain all intellectual property rights in the Service. You retain ownership
of your Content. By uploading Content you grant us a limited licence to store,
process, and display it solely for the purpose of providing the Service.
---
## 8. Liability
To the fullest extent permitted by law, our total liability to you in connection
with the Service will not exceed the greater of: (a) the fees you paid to us in
the 12 months preceding the claim, or (b) £100.
Nothing in these Terms excludes or limits our liability for: death or personal
injury caused by negligence; fraud or fraudulent misrepresentation; or any
liability that cannot lawfully be excluded under the Consumer Rights Act 2015 or
any other applicable law.
---
## 9. Changes to these Terms
We may update these Terms from time to time. We will give you at least 30 days'
notice of material changes by email. Continued use after the notice period
constitutes acceptance of the updated Terms. If you do not accept the changes,
you may cancel your Subscription before the changes take effect.
---
## 10. Governing law and disputes
These Terms are governed by the laws of England and Wales. Any disputes will be
subject to the exclusive jurisdiction of the courts of England and Wales.
If you are a Consumer, you may also be entitled to use an alternative dispute
resolution (ADR) scheme. We are not currently members of an ADR scheme; if that
changes, we will update this section.
---
## 11. Contact
[COMPANY LEGAL NAME]
[REGISTERED OFFICE ADDRESS]
[SUPPORT EMAIL]
[WEBSITE URL]
Page 2 -- Privacy Policy
This covers your obligations as a UK GDPR data controller. Fill in the sub-processors section carefully -- if you add a new tool that touches user data, update this list.
# Privacy Policy
**Last updated:** [DATE]
[COMPANY LEGAL NAME] ("we", "us") is the data controller for personal data
collected through [PRODUCT NAME]. We are registered with the Information
Commissioner's Office (ICO), registration number [ZB######].
Registered office: [ADDRESS]. Contact: [PRIVACY EMAIL]
---
## 1. What data we collect
| Category | Examples | Lawful basis (UK GDPR Art. 6) |
|---|---|---|
| Account data | Name, email address, password hash | Contract (Art. 6(1)(b)) |
| Billing data | Name, billing address, last 4 digits (Stripe token) | Contract (Art. 6(1)(b)) |
| Usage data | Features used, session duration, error logs | Legitimate interests (Art. 6(1)(f)) |
| Support data | Messages you send us, attachments | Contract (Art. 6(1)(b)) |
| Analytics data | Page views, referrer, device type | Legitimate interests (Art. 6(1)(f)) -- first-party only |
We do not collect special-category data (health, ethnicity, biometrics, etc.)
and do not knowingly collect data from individuals under 18.
---
## 2. How long we keep your data
| Data type | Retention period | Reason |
|---|---|---|
| Account data | Until account deletion + 30 days | Service delivery |
| Billing records | 7 years from transaction | HMRC requirement |
| Usage / analytics | 14 months rolling | Product improvement (first-party analytics, statistics only) |
| Support correspondence | 24 months after ticket close | Quality assurance |
| Server logs | 90 days | Security and debugging |
---
## 3. Sub-processors
We share data with the following processors. Each is bound by a data processing
agreement.
| Processor | Purpose | Location | Privacy info |
|---|---|---|---|
| Stripe | Payment processing | US (IDTA / UK Addendum) | stripe.com/privacy |
| Resend | Transactional email | EU (SCCs) | resend.com/privacy |
| Vercel | Hosting and CDN | EU / US (SCCs + IDTA) | vercel.com/legal/privacy-policy |
| Supabase | Database hosting | EU | supabase.com/privacy |
| [ADD OTHERS] | [PURPOSE] | [LOCATION] | [LINK] |
**International transfers:** Where data is transferred outside the UK (e.g., to
Stripe's US infrastructure), we rely on the UK International Data Transfer
Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses, as
applicable.
---
## 4. Your rights under UK GDPR
You have eight rights as a data subject:
1. **Access** -- request a copy of the data we hold about you.
2. **Rectification** -- ask us to correct inaccurate data.
3. **Erasure** -- ask us to delete your data (subject to legal retention obligations).
4. **Restriction** -- ask us to pause processing in certain circumstances.
5. **Portability** -- receive your data in a machine-readable format.
6. **Object** -- object to processing based on legitimate interests.
7. **Automated decisions** -- not to be subject to solely automated decisions that significantly affect you.
8. **Withdraw consent** -- where processing relies on consent, withdraw at any time.
To exercise any right, email [PRIVACY EMAIL]. We will respond within one calendar
month. You also have the right to lodge a complaint with the ICO (ico.org.uk).
---
## 5. Cookies
See our Cookie Policy at [/legal/cookies].
---
## 6. Changes to this policy
We will notify you by email of material changes at least 30 days before they
take effect.
Page 3 -- Cookie Policy and the DUA Act 2025 decision tree
This is where most indie hackers get it wrong. The Data (Use and Access) Act 2025, which came into force on 5 February 2026, changed PECR in one important way: cookies whose sole purpose is collecting statistics about how the service is used, with a view to improving it, no longer need consent. The exemption is conditional: users must be told clearly what the cookies do and must be given a simple way to object, and the sole-purpose condition means the data cannot double as an advertising or cross-site signal.
What this means in practice: if your analytics stack is Plausible, Umami, or Vercel Analytics, with no third-party ad/tracking cookies, you may not need a consent banner at all. You still need a cookie notice with an objection route (a toggle on the notice page is enough), but it can live quietly in your footer.
The decision tree
```
Do you use any non-exempt cookies?
│
├── NO (first-party analytics only, or no cookies at all)
│   └── No consent banner required.
│       Add a short Cookie Notice page linked from the footer, and give
│       users a simple way to object to the exempt analytics cookies
│       (the DUA Act exemption is conditional on that).
│
└── YES (any third-party tracker, ad pixel, session recording tool)
    └── Consent banner required.
        Use the Granted / Refused / Customise pattern.
        Buttons must be equal prominence: no dark patterns.
        Do NOT drop non-exempt cookies before consent.
```
Tool-by-tool exemption status (as of April 2026; the exemption turns on purpose and configuration, not on the vendor, so verify your own setup)
| Tool | Exempt under DUA Act 2025? | Notes |
|---|---|---|
| Plausible Analytics | Yes | First-party, no cross-site tracking |
| Umami | Yes | First-party, self-hosted or cloud |
| Vercel Analytics | Yes | First-party only mode |
| Google Analytics 4 (GA4) | No | Third-party, cross-site identifiers |
| Meta Pixel | No | Third-party ad tracking |
| HotJar | No | Session recording, third-party |
| PostHog | Conditional | Exempt if self-hosted + first-party only config; not exempt on cloud with cross-site features |
| Sentry | Conditional | Error tracking only = likely exempt; session replay = not exempt |
If you need a banner
Use a CMP (Consent Management Platform) or build a simple one. The ICO's requirements:
- Consent and reject options must be equally prominent (same size, same colour weight)
- No pre-ticked boxes
- Do not drop non-essential cookies before the user responds
- Provide a "Manage preferences" route
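Here is what "do not drop non-exempt cookies before the user responds" looks like in code. This is an added example, not code from the original post or from any CMP: a small first-party consent gate whose decision logic is plain functions (so it can be unit-tested under Node) with the browser wiring at the end. The cookie name `cookie_consent`, the element ids, and the script URLs in `SCRIPT_REGISTRY` are assumptions; substitute your own.

```javascript
// Consent gate for non-exempt cookies. Added example, not code from the original
// post or from any CMP. Assumptions: a first-party cookie named "cookie_consent"
// records the choice; element ids and script URLs below are placeholders.

const CONSENT_COOKIE = "cookie_consent";
const CONSENT_VERSION = 1; // bump when the cookie table changes: everyone is re-asked
const CATEGORIES = ["analytics", "marketing"]; // essential/exempt cookies are never gated

// Scripts that may only load after an explicit grant for their category.
// (Placeholder URLs; replace with the real tag/pixel loaders.)
const SCRIPT_REGISTRY = {
  ga4: { category: "analytics", src: "https://analytics.example/tag.js" },
  metaPixel: { category: "marketing", src: "https://ads.example/pixel.js" },
};

// "v1|analytics=1|marketing=0". Refusals are recorded too, so a "Refused"
// click is remembered and the banner is not shown again on the next page.
function serializeConsent(choices) {
  const parts = CATEGORIES.map((c) => `${c}=${choices[c] === true ? 1 : 0}`);
  return `v${CONSENT_VERSION}|${parts.join("|")}`;
}

// Parse a document.cookie string. Returns null ("no decision, ask") unless a
// current-version record covering every category is present. Malformed, stale
// or partial values fail closed to null; they are never treated as a grant.
function parseConsent(cookieString) {
  const entry = (cookieString || "")
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + "="));
  if (!entry) return null;
  const fields = decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)).split("|");
  if (fields.shift() !== `v${CONSENT_VERSION}`) return null;
  const choices = {};
  for (const field of fields) {
    const [name, value] = field.split("=");
    if (CATEGORIES.includes(name) && (value === "0" || value === "1")) {
      choices[name] = value === "1";
    }
  }
  return CATEGORIES.every((c) => c in choices) ? choices : null;
}

// The only question before loading a tracker: is there an explicit grant for
// its category? Undecided (null) and refused (false) both answer no.
function isGranted(consent, category) {
  return consent !== null && consent[category] === true;
}

// Registry entries allowed to load right now. With no decision recorded this
// is always empty, which is the whole point: nothing drops before the answer.
function scriptsToLoad(consent, registry = SCRIPT_REGISTRY) {
  return Object.entries(registry)
    .filter(([, script]) => isGranted(consent, script.category))
    .map(([name]) => name);
}

// Browser wiring, guarded so the module also runs under Node for tests.
if (typeof document !== "undefined") {
  const byId = (id) => document.getElementById(id);
  const loadScript = (src) => {
    const el = document.createElement("script");
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
  };
  const apply = (consent) =>
    scriptsToLoad(consent).forEach((name) => loadScript(SCRIPT_REGISTRY[name].src));
  const record = (choices) => {
    const value = encodeURIComponent(serializeConsent(choices));
    document.cookie =
      `${CONSENT_COOKIE}=${value}; Max-Age=${180 * 24 * 3600}; Path=/; SameSite=Lax; Secure`;
    byId("cookie-banner").hidden = true;
    apply(parseConsent(document.cookie)); // load from what was actually stored
  };

  const current = parseConsent(document.cookie);
  if (current) apply(current);               // returning visitor with a recorded choice
  else byId("cookie-banner").hidden = false; // first visit: ask, load nothing

  // Three equally styled buttons on the banner plus a footer "Manage preferences" link.
  byId("consent-grant").onclick = () => record({ analytics: true, marketing: true });
  byId("consent-refuse").onclick = () => record({ analytics: false, marketing: false });
  byId("consent-customise").onclick = () =>
    record({ analytics: byId("opt-analytics").checked, marketing: byId("opt-marketing").checked });
  byId("consent-manage").onclick = () => { byId("cookie-banner").hidden = false; };
}
```

The properties that matter: nothing in `SCRIPT_REGISTRY` loads until `parseConsent` returns an explicit grant, a refusal is stored so the banner does not nag on every page, and bumping `CONSENT_VERSION` when your cookie table changes forces a fresh decision instead of silently reusing an old one. Loading is re-derived from the cookie that was actually stored, so if the `Secure` cookie cannot be set (plain HTTP in local dev) the gate fails closed. Loading is also one-way: if a user later withdraws consent, your code must expire the cookies the tracker set, which this example does not do.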
Cookie table template
Add this to your Cookie Policy page:
# Cookie Policy
**Last updated:** [DATE]
[PRODUCT NAME] uses cookies and similar technologies. Below is the full list.
## Cookies we use
| Name | Purpose | Expiry | Exempt under DUA Act 2025? |
|---|---|---|---|
| [cookie_name] | [e.g. Session authentication] | [e.g. 30 days] | [Yes / No] |
| [cookie_name] | [e.g. First-party analytics (Plausible)] | [e.g. 1 year] | Yes |
## Managing cookies
You can clear cookies in your browser settings at any time. For cookies that require consent, use the [Manage preferences] link in our footer banner. To object to the exempt analytics cookies, use the [Opt out of analytics] toggle on this page.
Questions: [PRIVACY EMAIL]
---
Page 4 -- Acceptable Use Policy
Keep this short and enforceable. The point is to define what gets an account suspended and give you a contractual basis to act on it.
# Acceptable Use Policy
**Last updated:** [DATE]
This policy applies to all users of [PRODUCT NAME] ("Service"), operated by
[COMPANY LEGAL NAME].
---
## 1. Prohibited conduct
You must not use the Service to:
- Upload, store, or transmit content that is unlawful, harmful, defamatory,
obscene, or infringes any third-party intellectual property rights
- Distribute malware, spam, or unsolicited commercial communications
- Impersonate any person or organisation, or misrepresent your affiliation
- Attempt to gain unauthorised access to our systems or another user's account
- Use automated tools to scrape, index, or extract data from the Service
without our prior written consent
- Reverse-engineer, decompile, or disassemble any part of the Service
- Use the Service to process data on behalf of third parties in a way that
violates their privacy rights or applicable data protection law
- Engage in any activity that places an unreasonable or disproportionate load
on our infrastructure
---
## 2. Enforcement
We reserve the right to suspend or terminate your Account, with or without
notice, if we reasonably believe you have violated this policy. For serious or
repeat violations we will terminate immediately. For first-time, lower-severity
violations we aim to give [48 hours] written notice before suspension.
If your Account is suspended, you may appeal by emailing [ABUSE EMAIL] within
[14 days]. We will respond within [5 business days].
---
## 3. Reporting abuse
If you believe another user is violating this policy, email [ABUSE EMAIL] with
as much detail as possible. We investigate all credible reports.
---
## 4. Changes
We may update this policy. Material changes will be communicated with at least
14 days' notice.
Page 5 -- Imprint / Company Info block
Under the Companies Act 2006, if you operate through a limited company, certain information must appear on your website (and all business correspondence). This is not optional. Most indie hackers miss it.
The required elements for a UK Ltd:
- Company legal name
- Registered in England and Wales (or Scotland, Wales, or Northern Ireland, as shown on your certificate of incorporation)
- Company registration number
- Registered office address
- VAT number (once VAT-registered)
- ICO registration number (good practice, sometimes required)
Here is the one-paragraph block for your footer:
[Trading Name] is a trading name of [COMPANY LEGAL NAME] Ltd. Registered in
England and Wales, company number [12345678]. Registered office: [FULL ADDRESS].
VAT number: [GB 123 4567 89]. ICO registration: [ZB######].
If you are not yet a limited company (trading as a sole trader), you do not need the Companies Act disclosure -- but you should still name yourself and provide a contact address.
Where each page lives
Footer link cluster: Put a /legal hub page with links to the four legal pages (the Imprint lives in the footer itself). The footer of every page should include at minimum: Terms | Privacy | Cookies | Acceptable Use.
Sign-up form: Add one line below the submit button:
"By creating an account you agree to our [Terms of Service] and [Privacy Policy]."
No checkbox required -- it is an acknowledgement, not a consent mechanism (consent under UK GDPR is not the right lawful basis for service delivery anyway).
Stripe Checkout: In your Stripe Dashboard > Settings > Business details, add your Terms of Service URL. Stripe displays it at checkout. Takes 30 seconds.
What you do NOT need
Knowing what to skip saves as much time as knowing what to include.
Cookie wall: A wall that blocks all content until the user accepts cookies is a dark pattern and non-compliant under PECR. Do not build one.
Newsletter pop-up on first page load: PECR requires prior consent for marketing emails. A pop-up that fires before someone has interacted with your product is not the right moment. Use a sign-up form with explicit opt-in instead.
Generic generator output without UK customisation: Tools like TermsFeed and Termly do not cover ICO registration numbers, DUA Act 2025 exemptions, CCR 2013 14-day cooling-off rules, or Companies Act footer disclosures. Do not use them as-is.
Common UK indie hacker legal mistakes
These are the ones that come up repeatedly. Fix them before you launch.
- No ICO registration. Even a solo founder with 10 users is processing personal data (email addresses). Register at ico.org.uk. £40-60 a year at the tiers this post uses (check the current amounts, which rose in 2025). Takes 20 minutes.
- US-style privacy policy. No lawful-basis table, none of the UK GDPR data subject rights, no ICO complaint route, no retention schedule. Rewrite it, do not copy-paste.
- Cookie banner fires after cookies drop. PECR says consent must be obtained before non-exempt cookies are set. If GA4 fires on page load and your banner appears afterwards, you are already in breach. Load non-exempt scripts only after an explicit "Granted", and treat a missing, malformed or stale consent record as "not granted".
- Auto-renew with no CCR 2013 language. If you sell to consumers, you must either honour the 14-day cooling-off period or get an explicit waiver at checkout. Burying it in paragraph 14 of your terms does not count.
- Liability cap set too low, or drafted as a blanket exclusion. Under the CRA 2015 a term that would stop a consumer recovering even the price they paid, or that excludes liability for reasonable care and skill altogether, is not binding. A cap far above your fees is not unfair, just pointless. Cap it at fees paid in the past 12 months with a floor, and keep the carve-outs for death, personal injury and fraud.
- No registered office in footer. Required by the Companies Act 2006 for every limited company, and failing to display it is an offence under that Act. This is a Companies House matter, not an ICO one.
Implementation in Next.js 16
The cleanest approach: MDX files, one per legal page, under app/legal/.
```
app/
  legal/
    layout.tsx          ← shared legal page wrapper (last updated, version link)
    terms/
      page.mdx
    privacy/
      page.mdx
    cookies/
      page.mdx
    acceptable-use/
      page.mdx
```
Each MDX file has a lastUpdated frontmatter field. Show it prominently at the top of every page. Link to your git history for a free version trail:
```tsx
// app/legal/layout.tsx
// Shared wrapper for every page under /legal. It only provides the typography
// container; each page.mdx renders its own "Last updated" line from its
// frontmatter, and the git-history link for a version trail sits in the footer.
import type { ReactNode } from "react";

export default function LegalLayout({ children }: { children: ReactNode }) {
  return (
    <div className="prose mx-auto max-w-2xl px-4 py-16">
      {children}
    </div>
  );
}
```
Your Imprint block belongs in your shared <Footer> component -- it needs to appear on every page of the site.
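A check worth wiring into CI before these pages go live, as an added example (not code from the original post): it lints every `app/legal/<page>/page.mdx` for a `lastUpdated` frontmatter value that is a real YYYY-MM-DD date and for any `[PLACEHOLDER]` bracket left over from the templates. The directory layout, the `LEGAL_LINT_DIR` environment variable and the sample page contents are assumptions constructed for the example.

```javascript
// Pre-ship lint for the legal pages. Added example, not code from the original
// post. Checks every page.mdx for (1) a lastUpdated frontmatter value that is a
// real YYYY-MM-DD date and (2) any [PLACEHOLDER] bracket left over from the
// templates. Assumed layout: app/legal/<page>/page.mdx; the sample pages below
// are constructed for the example, not real files.

// Frontmatter: "---\nkey: value\n---" at the top of the file. Values may be quoted.
function parseFrontmatter(src) {
  const match = src.match(/^---\r?\n([\s\S]*?)\r?\n---/);
  if (!match) return {};
  const out = {};
  for (const line of match[1].split(/\r?\n/)) {
    const colon = line.indexOf(":");
    if (colon > 0) {
      out[line.slice(0, colon).trim()] = line.slice(colon + 1).trim().replace(/^["']|["']$/g, "");
    }
  }
  return out;
}

// Strict calendar check: right shape AND a date that exists (2026-02-30 fails
// whether the runtime rejects it or silently rolls it into March).
function isValidIsoDate(s) {
  if (!/^\d{4}-\d{2}-\d{2}$/.test(s)) return false;
  const d = new Date(`${s}T00:00:00Z`);
  return !Number.isNaN(d.getTime()) && d.toISOString().slice(0, 10) === s;
}

// Any [bracketed text] not immediately followed by "(" is treated as an unfilled
// placeholder. Markdown links "[text](url)" are skipped; everything else is
// reported, which errs towards a false positive rather than shipping
// "[COMPANY LEGAL NAME]" in a live Terms page.
function findPlaceholders(src) {
  const hits = [];
  src.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(/\[[^\]\n]+\](?!\()/g)) hits.push({ line: i + 1, text: m[0] });
  });
  return hits;
}

// Problems for one page, as printable strings. Empty array means ship it.
function lintPage(path, src) {
  const problems = [];
  const fm = parseFrontmatter(src);
  if (!fm.lastUpdated) {
    problems.push(`${path}: missing lastUpdated in frontmatter`);
  } else if (!isValidIsoDate(fm.lastUpdated)) {
    problems.push(`${path}: lastUpdated "${fm.lastUpdated}" is not a valid YYYY-MM-DD date`);
  }
  for (const h of findPlaceholders(src)) {
    problems.push(`${path}:${h.line}: unfilled placeholder ${h.text}`);
  }
  return problems;
}

// pages is { path: contents }.
function lintAll(pages) {
  return Object.entries(pages).flatMap(([path, src]) => lintPage(path, src));
}

// Constructed sample pages: one finished, one still carrying template placeholders.
const SAMPLE_PAGES = {
  "app/legal/terms/page.mdx": [
    "---",
    "lastUpdated: 2026-04-01",
    "---",
    "# Terms of Service",
    "Operated by Example Ltd (company number 00000000).",
    "See our [Acceptable Use Policy](/legal/acceptable-use).",
  ].join("\n"),
  "app/legal/privacy/page.mdx": [
    "---",
    "lastUpdated: [DATE]",
    "---",
    "# Privacy Policy",
    "ICO registration number [ZB######].",
    "Contact: [PRIVACY EMAIL]",
  ].join("\n"),
};

// Optional CLI: LEGAL_LINT_DIR=app/legal node lint-legal.js   (exits 1 on any problem)
const lintDir = typeof process !== "undefined" && process.env.LEGAL_LINT_DIR;
if (lintDir && typeof require === "function") {
  const fs = require("fs");
  const path = require("path");
  const pages = {};
  for (const entry of fs.readdirSync(lintDir, { withFileTypes: true })) {
    const file = path.join(lintDir, entry.name, "page.mdx");
    if (entry.isDirectory() && fs.existsSync(file)) pages[file] = fs.readFileSync(file, "utf8");
  }
  const problems = lintAll(pages);
  problems.forEach((p) => console.error(p));
  process.exit(problems.length ? 1 : 0);
}
```

Run it as a build step (`LEGAL_LINT_DIR=app/legal node lint-legal.js`) so a deploy with `[COMPANY LEGAL NAME]` or `[ZB######]` still in the copy fails before it reaches users. On the constructed sample the terms page passes and the privacy page reports four problems: the placeholder date and three unfilled brackets.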
30-minute ship-it checklist
Work through this in order. Each item takes two to five minutes.
- Register with the ICO at ico.org.uk/registration. Note your registration number (format: ZB######).
- Fill in the Terms of Service template. Set the liability cap to fees paid in the last 12 months, with a floor.
- Fill in the Privacy Policy template. List every sub-processor you use.
- Decide whether you need a cookie consent banner (use the decision tree above).
- Fill in the Cookie Policy template. Populate the cookie table.
- Fill in the Acceptable Use Policy template.
- Add the Imprint block to your <Footer> component.
- Create a /legal hub page linking all four pages.
- Add "By creating an account you agree to our Terms and Privacy Policy" to your sign-up form.
- Add your Terms of Service URL in Stripe Dashboard > Business settings.
- Set lastUpdated dates on every legal page, and grep for any leftover [PLACEHOLDER] brackets before you deploy.
- Read each page once as if you were a new user. Fix anything that reads like it was written by a robot.
Done. Ship it.
A note on legal advice
This is a starting template, not legal advice. If your SaaS handles special-category data (health, financial, biometric), processes children's data, has UK turnover above £50k, or operates a marketplace -- get a qualified UK solicitor to review your legal pages. For most pre-revenue indie SaaS, these templates are a defensible starting point that will keep you on the right side of the ICO and Consumer Rights Act while you focus on building.
Want data-backed UK SaaS ideas to build -- with competitive gaps already mapped? IdeaStack researches market niches, analyses search intent, and produces validated opportunity reports for indie hackers. Browse the reports library at ideastack.co/reports
Frequently Asked Questions
Do I need to register with the ICO as a UK SaaS founder?
Yes, in almost every case. If you process personal data (which includes storing user email addresses), you must register with the ICO as a data controller and pay the data protection fee. The tiers this post quotes are £40-60/year for small organisations; check the current amounts, which rose in 2025. Failing to pay the fee when you are required to is not a criminal offence under the current regime, but the ICO can issue a fixed monetary penalty for it.
Does the DUA Act 2025 mean I no longer need a cookie banner?
Possibly, if your analytics are first-party and used only for statistics about how the service is used. The Data (Use and Access) Act 2025, in force from 5 February 2026, exempts such cookies from PECR consent requirements as long as users are clearly informed and given a simple way to object; tools like Plausible, Umami, or Vercel Analytics are the typical fit. Any third-party tracking cookies (GA4, Meta Pixel, HotJar) still require consent.
Can I copy a US SaaS privacy policy and edit it for the UK?
You can use it as a starting point, but US policies typically reference CCPA and COPPA rather than UK GDPR, miss the eight statutory data subject rights, omit ICO registration details, and use different lawful basis terminology. You need a full rewrite, not a find-and-replace.
What is the cancellation rights rule for UK SaaS subscriptions?
Under the Consumer Contracts Regulations 2013, B2C customers have a 14-day cooling-off period. However, if they ask you to start providing the service immediately and you inform them that their right to cancel is lost once performance begins, you can waive this. This must be captured at signup -- not buried in your terms.
Do I need a lawyer to use these templates?
For most pre-revenue indie SaaS, these templates are a defensible starting point. If you handle special-category data (health, financial), process children's data, or have UK revenue above £50k, get a UK lawyer to review. These are templates, not legal advice.