
Does My SaaS Need to Be GDPR Compliant?

If anyone in the EU or UK can sign up for your app, the short answer is yes. Here is what that actually means for a small, AI-built SaaS, in plain English, and how to find the gaps before a regulator or a demand letter does.

saasreview · June 16, 2026 · 8 min read

If a person in the EU or the UK can sign up for your app, GDPR applies to you. It does not matter that your company is registered in Delaware, that you are a team of one, or that you never meant to sell in Europe. GDPR follows the user, not the business. The moment an EU resident can hand you their email, you are processing the personal data of someone GDPR protects, and the rules come with them.

Who does GDPR actually apply to?

GDPR applies to anyone who handles the personal data of people in the EU or UK, regardless of where the business is. Personal data is broader than most founders expect. It is not just names and card numbers. It is email addresses, IP addresses, cookie IDs, analytics events tied to a person, support messages, and anything that can single someone out. If your app collects any of that from an EU user, even passively through analytics, you are a data controller under GDPR.

  • You are almost certainly in scope if you have a signup form, a waitlist, a contact form, or analytics, and anyone in the EU or UK can reach your site.
  • Being outside the EU does not exempt you. GDPR specifically covers businesses outside the EU that offer goods or services to, or monitor, people in the EU.
  • Free does not exempt you either. Collecting emails for a free beta is still processing personal data.

What do I actually have to do?

You have to be honest and careful with people's data, and you have to be able to prove it. In practice, for a small SaaS, that comes down to a handful of concrete things rather than a binder of policies. Here is the short, real list.

  1. Publish a real privacy policy that says what you collect, why, how long you keep it, who you share it with (your hosting, analytics, email tools), and how someone contacts you about their data. A generic template is a start, but it has to match what your app actually does.
  2. Ask before you track. Non-essential cookies and analytics (Google Analytics, Meta Pixel, Hotjar) must not run until an EU visitor agrees. A banner that loads trackers before the click, or only has an 'Accept' button, is one of the most common and most flagged mistakes.
  3. Let people see and delete their data. Users have the right to access what you hold and to ask you to delete it. You need a way to honor that, even if it is a clear email address and a manual process at first.
  4. Have a lawful basis for what you do with data, and do not collect more than you need.
  5. Say where data goes. Most SaaS tools use US-based hosting, analytics, and email. If EU data leaves the EU, your policy should say so and name the safeguard you rely on.

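Step 2 is the one that is easiest to get wrong in code, so here is a worked consent gate as an added example. It is not code from the post or from the Compliance check product, and the tracker script URLs, the `cookie-consent` storage key and the in-memory storage helper are all placeholders constructed for this example. The point it makes is that an unanswered banner must behave exactly like a rejection, and that 'Reject' is wired with the same single click as 'Accept'.

```javascript
// Added example (not from the original post): a minimal cookie consent gate.
// Tracker URLs and the storage key below are constructed placeholders.

// Non-essential scripts that may only load after an explicit "granted".
const NON_ESSENTIAL_TRACKERS = [
  { name: "analytics", src: "https://analytics.example/script.js" }, // placeholder
  { name: "pixel", src: "https://pixel.example/pixel.js" },          // placeholder
];

// Read the stored decision. Anything other than an explicit "granted" or
// "rejected" (missing, tampered, or stale) is reported as "unset".
function readConsent(storage) {
  const raw = storage.getItem("cookie-consent");
  return raw === "granted" || raw === "rejected" ? raw : "unset";
}

// Only "granted" permits non-essential trackers; "unset" and "rejected"
// both yield an empty list, so a visitor who never clicks is never tracked.
function trackersAllowed(consent) {
  return consent === "granted" ? NON_ESSENTIAL_TRACKERS.slice() : [];
}

// The pattern an "add analytics" prompt usually produces, shown for contrast:
//   document.head.appendChild(makeScriptTag(ANALYTICS_URL)); // runs on page load, before any click
// That fires the tracker before the banner exists, which is the flagged mistake.

// Corrected pattern: record the decision first, then inject only what is allowed.
// `inject` receives a script src; in a browser it appends a <script> tag,
// outside a browser it can simply record what would have loaded.
function applyConsent(decision, storage, inject) {
  storage.setItem("cookie-consent", decision);
  const allowed = trackersAllowed(readConsent(storage));
  for (const t of allowed) inject(t.src);
  return allowed.map((t) => t.name);
}

// Browser injector: creates the script tag only when called by applyConsent.
function browserInject(src) {
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// Banner wiring: both buttons are one click, and nothing non-essential runs
// until one of them has been pressed.
function wireBanner(acceptButton, rejectButton, storage, inject = browserInject) {
  acceptButton.addEventListener("click", () => applyConsent("granted", storage, inject));
  rejectButton.addEventListener("click", () => applyConsent("rejected", storage, inject));
}

// In-memory stand-in for localStorage so the gate can be exercised without a DOM.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
  };
}
```

In a real page, `wireBanner` is called once with the two banner buttons and `window.localStorage`; on later page loads, `trackersAllowed(readConsent(localStorage))` decides whether to inject again without showing the banner. Note that a "Reject" that merely hides the banner while leaving the stored value unset would still pass this gate correctly, because "unset" loads nothing.
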
Why AI-built apps trip on this so often

When you ask an AI tool to 'add analytics' or 'build a signup', it wires up working code. It does not pause to add a consent gate, write an honest privacy policy, or build a delete-my-data path, because none of that shows up on the screen. The app runs perfectly and quietly breaks the rules at the same time.

What happens if I ignore it?

The headline numbers (up to 20 million euros or 4 percent of global turnover) are real, but they are aimed at large companies that knew better. For a small founder, the realistic risk is more ordinary and still expensive: a complaint from a user that lands on a regulator's desk, a formal letter you have to respond to, or a bigger customer walking away because you could not pass their security and privacy questionnaire. Any one of those can cost you far more time and money than getting the basics right would have.

How do I check where my app stands?

You can check a surprising amount yourself, from the outside, the same way a regulator or a privacy-conscious user would. Open your site in a fresh private window and watch what happens before you touch anything.

  • Open the browser network tab and reload, logged out. If analytics or ad scripts fire before you click anything on a cookie banner, that is tracking before consent, and it is a problem in the EU.
  • Look for a privacy policy link in your footer. Open it. Does it actually describe what your app collects, or is it a placeholder?
  • Look for a way to request data deletion. If there is no path and no contact for it, you cannot honor a basic right.
  • Check your cookie banner. Is 'Reject' as easy as 'Accept', or is reject hidden or missing?

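The first check in that list can be turned into a repeatable audit instead of eyeballing the network tab. The following is an added example, not code from the post or the Compliance check product: it reads a HAR file (the format DevTools produces via "Save all as HAR"), takes the timestamp of the banner click, and lists every request to a known tracker host that started earlier. The tracker host list is a starting assumption based on the tools the post names, and the sample HAR entries are constructed for this example. The same check answers the FAQ below on whether a cookie banner is compliant.

```javascript
// Added example (not from the original post): audit a HAR capture for tracker
// requests that fired before the visitor answered the cookie banner.
// The host list and the sample HAR are constructed; extend both for a real site.

// Hosts of the trackers the post names, as a starting list (assumption).
const TRACKER_HOSTS = [
  "google-analytics.com",
  "googletagmanager.com",
  "connect.facebook.net",
  "hotjar.com",
];

// True if `host` is the tracker domain itself or any subdomain of it.
// A plain suffix match would wrongly flag hosts like "notgoogle-analytics.com".
function isTrackerHost(host, trackerHosts = TRACKER_HOSTS) {
  return trackerHosts.some((t) => host === t || host.endsWith("." + t));
}

// Walk har.log.entries and return every tracker request that started before
// `consentAt` (ISO timestamp of the banner click). Pass null for a page that
// was loaded and left untouched; then every tracker request counts.
function preConsentTrackerRequests(har, consentAt, trackerHosts = TRACKER_HOSTS) {
  const cutoff = consentAt === null ? Infinity : Date.parse(consentAt);
  const hits = [];
  for (const entry of har.log.entries) {
    const started = Date.parse(entry.startedDateTime);
    let host;
    try {
      host = new URL(entry.request.url).hostname;
    } catch {
      continue; // skip a malformed URL rather than abort the whole audit
    }
    if (started < cutoff && isTrackerHost(host, trackerHosts)) {
      hits.push({ host, url: entry.request.url, startedDateTime: entry.startedDateTime });
    }
  }
  return hits;
}

// Constructed sample capture: two trackers fire within half a second of load,
// the visitor clicks the banner five seconds in, and one tracker loads after that.
const SAMPLE_HAR = {
  log: {
    entries: [
      { startedDateTime: "2026-06-16T10:00:00.000Z", request: { url: "https://app.example/" } },
      { startedDateTime: "2026-06-16T10:00:00.300Z", request: { url: "https://www.google-analytics.com/g/collect?v=2" } },
      { startedDateTime: "2026-06-16T10:00:00.400Z", request: { url: "https://static.hotjar.com/c/hotjar-0.js" } },
      { startedDateTime: "2026-06-16T10:00:06.000Z", request: { url: "https://connect.facebook.net/en_US/fbevents.js" } },
    ],
  },
};
const SAMPLE_CONSENT_AT = "2026-06-16T10:00:05.000Z";

// One finding line per offending request, ready to paste into a fix list.
function auditReport(har = SAMPLE_HAR, consentAt = SAMPLE_CONSENT_AT) {
  return preConsentTrackerRequests(har, consentAt).map(
    (h) => `tracker request before consent: ${h.host} at ${h.startedDateTime}`
  );
}

console.log(auditReport().join("\n"));
```

To use it on a real capture, load the page in a fresh private window with recording on, click the banner, export the HAR, and note the click time from the banner request or from the timeline; a hit on `googletagmanager.com` usually means a whole tag container, so every tag inside it ran early too. The Meta Pixel request in the sample lands after the click and is correctly not reported, which is the behaviour the consent gate should produce.
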
If that list makes you wince, you are in good company, and these are exactly the kind of gaps that can be fixed. They are common, and most have small, concrete fixes.

Can I just have it scanned?

Yes, and that is what the Compliance check is for. It scans your SaaS the way a regulator would, across GDPR, the EU AI Act, accessibility, and US privacy rules, and hands you a private list of what to fix, with the actual rule each issue touches, written so you can paste it straight into your AI coding tool. The report is private and never published. It is an automated scan and a starting point, not legal advice, and for anything high-stakes you should still talk to a lawyer. But it turns a vague, scary worry into a short, concrete to-do list.

Not sure where your app stands on GDPR? Run a Compliance check and get a private, plain-English list of what to fix, with the rule behind each one.


Frequently asked questions

Does GDPR apply to a US company with no office in Europe?

Yes, if you offer your product to people in the EU or UK or monitor their behavior (for example with analytics). GDPR is based on whose data you handle, not where your company is. A US SaaS that any EU resident can sign up for is in scope.

Do I need to be GDPR compliant if my app is free?

Yes. Collecting personal data, including just email addresses or analytics, is processing under GDPR whether or not money changes hands. A free beta with EU users still needs a privacy policy, consent for non-essential tracking, and a way to honor data rights.

What is the simplest way to start with GDPR for a small SaaS?

Publish an honest privacy policy that matches what your app really does, stop non-essential cookies and analytics from running until the visitor consents, and set up a clear way for people to request access to or deletion of their data. Those three cover the most common gaps.

Can GDPR really fine a tiny startup millions?

The maximum fines are aimed at large companies and serious violations. For a small founder, the practical risk is usually a user complaint reaching a regulator, a letter you must respond to, or losing a deal over a failed privacy review. Those are common and still costly, which is why the basics are worth getting right.

How do I know if my cookie banner is compliant?

Open your site in a private window and check the network tab on first load. If analytics or ad cookies fire before you interact with the banner, that breaks EU consent rules. The banner should also make rejecting as easy as accepting. A compliance scan can confirm this from the outside.

Turn a scary worry into a short to-do list

A Compliance check scans your SaaS across GDPR, the EU AI Act, accessibility, and US privacy rules, and hands you a private fix list with the rule behind each issue. Automated scan, not legal advice. Nothing gets published.

Published on saasreview.ai · last updated June 16, 2026