UK SaaS terms and conditions in 2026: what actually matters (and what doesn't)

Your T&Cs matter less than you think and more than you've been avoiding. This is a practical UK SaaS builder's guide to terms and conditions in 2026 — what goes in, what you can skip, what costs you if you get it wrong, and what a realistic good-enough version looks like for a solo founder with under 100 customers.

This is not legal advice. It's a builder's map of the territory. Book an hour with a UK SaaS solicitor for your launch version — it's the best GBP 150-300 you'll spend in your first year.

The four documents you need, and the two you don't

There's a cottage industry of US SaaS templates that'll sell you 14 different "essential" legal documents. For a UK SaaS under 100 customers, you need four:

  • Terms of Service (Terms and Conditions) — the contract between you and your customer.
  • Privacy Policy — what personal data you collect, why, how long, who with.
  • Cookie Policy (often included in the privacy policy) — what cookies and tracking you use.
  • Acceptable Use Policy — what users can't do on your platform.

Optional documents you probably don't need yet:

  • Data Processing Agreement (DPA) — only needed if your customers are UK businesses processing their own customers' personal data through your tool. Most B2C SaaS doesn't need a separate DPA.
  • SLA (Service Level Agreement) — only needed if you're targeting mid-market or enterprise. Consumer and micro-business SaaS can wait.

The UK regulatory layer

Four regulations you need to understand at surface level:

UK GDPR (the post-Brexit version of EU GDPR). Applies to anyone processing UK personal data. ICO enforces. Fines up to GBP 17.5 million or 4% of global turnover. For a solo founder the real risk is not the fine — it's the reputational hit from an ICO investigation and the operational cost of responding.

Data Protection Act 2018 — works alongside UK GDPR. You'll mostly see this referenced in your privacy policy boilerplate.

Consumer Rights Act 2015 — governs the fairness of your terms for consumer (B2C) customers. Unfair or hidden terms aren't enforceable. This is why the US "binding arbitration, no class actions, no refunds, ever" clauses don't survive in UK B2C contracts.

PECR (Privacy and Electronic Communications Regulations) — governs cookies and direct marketing emails. This is why you need a cookie banner and why your newsletter needs a double-opt-in (or at least a clear opt-in at signup).

Terms of Service: what actually matters

For a UK SaaS, the clauses that do real work are:

1. Service description and availability. Say what you provide, clearly. Include a caveat that service is provided "as is" with best-effort availability unless you have a formal SLA. Don't promise specific uptime in percentage terms if you haven't instrumented it.

2. Pricing, billing, VAT. UK-specific:

  • State currency (GBP) and whether prices include VAT or not. For B2C, prices including VAT is the norm. For B2B, ex-VAT with "+ VAT where applicable" is common.
  • State billing cadence (monthly, annual), trial terms (if any), auto-renewal, and notice periods.
  • Your right to change prices (typically 30 days' notice, in line with Consumer Rights Act expectations).
  • Late payment and suspension terms.

3. Cancellation and refunds. For UK consumers, under the Consumer Contracts Regulations 2013, a 14-day cooling-off period applies to most purchases — but digital services are a special case. If you let the customer start using the service immediately, you can ask them to waive this right. Include the language your solicitor gives you.

Set clear, honest refund terms. "No refunds on annual subscriptions" is enforceable in the UK as long as it's clear at purchase and the cooling-off language is handled properly. Pro-rated refunds on cancellation are typical for mid-market; most indie hackers do "no refund, but cancel any time and use until end of billing period".

4. Acceptable use. What users can't do — abuse, spam, reverse engineering, reselling, using your service to do anything illegal. Short and specific.

5. Intellectual property. Your service is yours. Content a customer uploads is theirs, but you have a licence to store and process it to provide the service. If you're training AI on customer data, you need explicit consent — don't bury this in boilerplate.

6. Liability limitations. This is the clause you spend the most time on and the clause that gets scrutinised most in the UK. Unfair caps on liability aren't enforceable under the Consumer Rights Act for B2C. Typical acceptable B2B caps:

  • Liability capped at 12 months of fees paid
  • Exclusions for loss of profit, loss of data, indirect loss
  • Can't exclude liability for death, personal injury, fraud, or gross negligence

7. Termination. Who can terminate, with what notice, what happens to data. For UK GDPR, you need to be clear about data retention on termination — typically 30 days for restoration then deletion, unless legally required to keep longer.

8. Governing law and jurisdiction. England and Wales law, courts of England and Wales. Scotland and Northern Ireland if relevant. If your customers are in other jurisdictions, your T&Cs may not fully override their consumer protections — welcome to international SaaS.

9. Changes to terms. State how you'll notify of changes and what constitutes acceptance. 30 days' notice by email is standard.

Privacy Policy: what actually matters

1. Data controller identity. Your legal name, registered address, ICO registration number. A PO Box is fine if you don't want to use a home address.

2. What data you collect. List it. Be specific. "Email address" not "contact information". If you use a third-party analytics tool that captures IP addresses, say so.

3. Why you collect it. For each category, state the purpose and the legal basis under UK GDPR — consent, contract, legitimate interest, legal obligation, vital interest, or public task. Most SaaS uses contract (for account data) and legitimate interest (for analytics).

4. Who you share it with. Name every data sub-processor — Stripe, Supabase, Vercel, Resend, whatever. Link to their privacy policies. Keep this list current; an outdated sub-processor list is a compliance flag.

5. Where you process it. UK-to-UK data stays in the UK. UK-to-EU has an adequacy decision. UK-to-US now uses the UK Extension to the EU-US Data Privacy Framework. You need to name this in your policy if you use US tools.

6. How long you keep it. For each category. Typical: account data for 30 days after cancellation then deleted; analytics for 14 months; billing records for 6 years (HMRC requirement).

7. User rights. The eight rights under UK GDPR — access, rectification, erasure, restriction, portability, objection, no automated decision-making, withdrawal of consent. Say how to exercise them — a specific email address.

8. Complaints. Right to complain to the ICO. Include the ICO's address and website.

Cookie Policy and consent

The rules in 2026:

  • Strictly necessary cookies (session, auth, cart) — no consent needed. Must still be disclosed.
  • Analytics, preference, marketing cookies — explicit opt-in consent required. Opt-in, not opt-out.
  • Cookie banner — must offer "accept all", "reject all", and granular control. "Reject all" must be as prominent as "accept all".

Cookiebot, Osano, Iubenda, or a lightweight open-source banner all work. Budget GBP 0-20/month.

Cookie wall (block content until consent) is not compliant with ICO guidance for non-essential cookies.
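The consent rules above, expressed as an added example that is not code from the original post: a small consent state model a banner can sit on, where nothing non-essential runs until the user opts in, "reject all" is a one-click action on equal footing with "accept all", strictly necessary cookies can never be switched off, and a stored choice from an older policy version is treated as no choice. The category names, the storage key and the policy-version field are assumptions.

```javascript
// Added example: consent state for a UK cookie banner (PECR opt-in model).
// Assumptions: the four category names, the storage key and the policyVersion
// field are ours, not the page's.
const CATEGORIES = ["necessary", "analytics", "preferences", "marketing"];
const STORAGE_KEY = "cookie-consent"; // assumed key name

// Default state: no decision yet, so nothing non-essential may run.
function defaultConsent() {
  return { necessary: true, analytics: false, preferences: false, marketing: false, decided: false };
}

// "Accept all" and "Reject all" are both single actions of equal weight.
function acceptAll() {
  return { necessary: true, analytics: true, preferences: true, marketing: true, decided: true };
}
function rejectAll() {
  return { ...defaultConsent(), decided: true };
}

// Granular choice: strictly necessary cannot be switched off; unknown keys are ignored.
function setGranular(choices) {
  const state = { ...defaultConsent(), decided: true };
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && choices[cat] === true) state[cat] = true;
  }
  return state;
}

// Gate for script loaders: analytics/marketing code calls this before injecting anything.
function mayLoad(state, category) {
  if (category === "necessary") return true;
  if (!CATEGORIES.includes(category)) return false; // unknown category: deny
  return state.decided === true && state[category] === true;
}

// Persist only a real decision; a record saved under an older policy version
// is treated as no decision, so the banner asks again after the policy changes.
function loadConsent(storage, policyVersion) {
  const raw = storage.getItem(STORAGE_KEY);
  if (!raw) return defaultConsent();
  try {
    const saved = JSON.parse(raw);
    if (saved.policyVersion !== policyVersion) return defaultConsent();
    return { ...defaultConsent(), ...saved.state, necessary: true };
  } catch (e) { return defaultConsent(); }
}
function saveConsent(storage, state, policyVersion) {
  if (!state.decided) return false; // never persist an implied "no choice yet"
  storage.setItem(STORAGE_KEY, JSON.stringify({ state, policyVersion, at: new Date().toISOString() }));
  return true;
}
```

In a real page `storage` would be `window.localStorage`; the functions take it as a parameter so the logic can be exercised without a browser.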

What "good enough" looks like for a solo founder

You don't need bespoke legal for your first 100 customers. A good-enough setup:

  • GBP 20-30 template from Juro, Simply Docs, or Rocket Lawyer for T&Cs + privacy. UK-specific.
  • One hour with a UK SaaS solicitor (GBP 150-300) to review and customise the template for your specific product. Do this before the template goes live.
  • Annual review (GBP 150-300) once you're past 100 customers, or on material product change.
  • Ad hoc review before major product features that change data handling (e.g. adding AI features that train on user data).

This stack costs GBP 150-600 across the first year. It's not a compromise — it's proportionate.

What "not good enough" looks like

Signals you're under-legal'd:

  • Your T&Cs were copy-pasted from a US template and reference "arbitration in California"
  • Your privacy policy doesn't name your sub-processors
  • You don't have ICO registration (most UK SaaS owes the GBP 40-60 fee)
  • Your cookie banner only has "accept all" as the prominent option
  • You can't point to the legal basis for any specific data collection
  • Your newsletter doesn't have a clear opt-in and unsubscribe link
  • You charge customers in GBP but your T&Cs reference USD

Any of these individually is fixable in an afternoon. All of them together is a reputational accident waiting to happen.

AI features: the 2026 wrinkle

If your SaaS includes AI features (and in 2026, most do), additional clauses matter:

  • Transparency — tell users which features use AI and what provider (OpenAI, Anthropic, Google, open source).
  • Data use — explicit consent before training any model on user data. Most builders use "don't train" API endpoints (Claude API, OpenAI no-retention) and state this in T&Cs.
  • Output disclaimers — AI output may be inaccurate; user responsible for verifying. Especially important for any AI output used in regulated contexts (legal, medical, financial).
  • Accuracy caveats — don't imply AI features are deterministic when they aren't.
  • Bias and fairness — for anything user-impacting (scoring, filtering, recommending), a brief statement about limitations.

This isn't a separate policy. It's a paragraph or two in your T&Cs and privacy policy.

What happens when you get a complaint

For a solo UK SaaS, the two realistic scenarios are:

1. An angry customer complains to the ICO about a data issue. You'll get a letter or email. Reply within the timeline they set (usually 28 days). Be cooperative. Most ICO investigations of small businesses end in guidance, not fines, if you respond properly.

2. A consumer dispute. Customer says they were charged unfairly, wants a refund. Handle it commercially first. Most UK consumer disputes settle at the first email if you engage seriously. If it escalates, the consumer can use MoneyClaim Online (Small Claims) — stay under GBP 10,000 and it's a low-stakes process.

Having clear T&Cs isn't about winning disputes. It's about having fewer, and resolving the ones you have faster.

The one-hour legal review: what to bring

When you book your solicitor hour, bring:

  • Draft T&Cs and privacy policy from your template
  • One-page product description — what does your SaaS do, who pays, how much
  • Sub-processor list — every third-party tool that touches user data
  • Data flow sketch — a rough diagram of where data goes (user → your server → Stripe, your server → analytics, etc.)
  • Specific questions — "Can I auto-renew annual subscriptions without re-consent?" "Is my AI feature disclosure enough?"

An hour with good prep beats three hours without. UK SaaS solicitors who work with indie founders: Ignition, Hamilton Pratt, JMW Solicitors (digital/SaaS), or local firms with a tech specialism. Fixed-fee packages exist at GBP 500-1,500 for a full launch bundle.

Key takeaways

  • Four legal documents cover 95% of UK SaaS needs: Terms, Privacy, Cookies, Acceptable Use.
  • UK-specific pillars to get right: VAT handling, Consumer Rights Act fairness, UK GDPR basis for each data point, PECR-compliant cookies and marketing.
  • Good-enough solo-founder spend is GBP 150-600 in year one: a UK template plus one solicitor hour plus annual review.
  • You cannot copy-paste US SaaS T&Cs into the UK; binding arbitration and blanket no-refund clauses aren't enforceable for UK consumers.
  • AI features need explicit disclosure, data-use consent, and output disclaimers; a paragraph in each document, not a separate policy.

FAQs

Can I just use a US template from Termly or similar? No, not for UK customers. US templates miss UK GDPR, Consumer Rights Act, and VAT specifics. Start from a UK template (Juro, Simply Docs) and customise.

Do I need a DPA for every customer? Only if you're B2B and your customers are processing their own customers' personal data through your tool. Most B2C SaaS doesn't need a separate DPA.

Is Cookiebot overkill for a solo founder? Cookiebot's free tier handles up to 100 pages and small traffic. For most indie SaaS in year one, that's fine. Upgrade when traffic or pages demand it.

How often should I update my T&Cs? Review annually or after any material change in the product (new data collection, new AI feature, pricing model change). Notify users 30 days in advance of changes by email.

What's the minimum ICO registration cost? GBP 40/year for most micro-organisations, GBP 60 for small organisations (turnover up to GBP 25.9m and up to 250 staff). Tier 1 or Tier 2 depending on your data processing scale.
