GDPR Compliance Checklist for SaaS Apps (2026)
GDPR fines can reach €20M or 4% of global revenue. Here's the practical checklist for indie SaaS founders — not the 50-page legal guide, just what you actually need.
Does GDPR apply to you?
GDPR applies if you process personal data of people in the EU — regardless of where your company is based. If you have EU users, GDPR applies to you. Personal data includes email addresses, IP addresses, names, and any data that can identify a person.
Most AI-built SaaS apps collect email addresses at minimum. That's enough to trigger GDPR obligations.
The 7-point GDPR checklist
1. ✅ Privacy Policy
You must have a privacy policy that explains:
- What data you collect and why
- How long you keep it
- Who you share it with (Razorpay, Supabase, OpenAI, etc.)
- How users can request deletion
- Your contact information
Link to it from your footer, signup page, and checkout flow.
2. ✅ Cookie Consent
If you use analytics (Google Analytics, Plausible, Mixpanel) or marketing cookies, you need explicit consent before setting them for EU users. A cookie banner that defaults to "accept all" is not compliant — users must actively opt in.
Simpler option: use privacy-first analytics like Plausible or Fathom that don't require consent banners.
3. ✅ Data Deletion (Right to Erasure)
Users have the right to request deletion of their data. You need a way to handle this — at minimum, an email address they can contact. Better: a self-service deletion button in account settings.
```typescript
// Example: account deletion endpoint (Next.js App Router route handler)
import { NextRequest, NextResponse } from 'next/server'
import { prisma } from '@/lib/prisma'       // assumed: your Prisma client instance
import { getSession } from '@/lib/session'  // assumed: returns the signed-in user's session or null

export async function DELETE(request: NextRequest) {
  const session = await getSession()
  if (!session) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
  // Delete user data from all tables. Related rows must cascade on delete in the
  // Prisma schema, or be deleted explicitly here, for the erasure to be complete.
  await prisma.user.delete({ where: { id: session.userId } })
  // Cancel Razorpay subscription if active
  if (session.razorpayCustomerId) {
    // TODO: cancel the customer's active subscription through the Razorpay API
  }
  return NextResponse.json({ deleted: true })
}
```

4. ✅ Data Portability
Users can request a copy of their data in a machine-readable format. A JSON export of their account data satisfies this requirement.
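An added example (not code from the original post) of the JSON export behind the portability requirement, written as a framework-agnostic TypeScript function so it runs without Next.js or Prisma; the table shapes, sample rows and the export format name are assumptions.

```typescript
// Added example, not from the original post: builds the JSON behind a
// "Download my data" button. Table shapes, rows and the format name are constructed.
type User = { id: string; email: string; name: string; passwordHash: string; createdAt: string }
type Project = { id: string; ownerId: string; title: string }
type Session = { id: string; userId: string; token: string; lastSeen: string }
type Db = { users: User[]; projects: Project[]; sessions: Session[] }
// Constructed sample data with two users, so a test can show that only the
// requesting user's rows end up in the export.
const sampleDb: Db = {
  users: [
    { id: 'u1', email: 'alice@example.com', name: 'Alice', passwordHash: '$argon2id$constructed', createdAt: '2025-01-02T00:00:00Z' },
    { id: 'u2', email: 'bob@example.com', name: 'Bob', passwordHash: '$argon2id$constructed', createdAt: '2025-03-04T00:00:00Z' },
  ],
  projects: [
    { id: 'p1', ownerId: 'u1', title: 'Launch plan' },
    { id: 'p2', ownerId: 'u2', title: 'Private notes' },
  ],
  sessions: [{ id: 's1', userId: 'u1', token: 'constructed-session-token', lastSeen: '2026-01-01T00:00:00Z' }],
}
type DataExport = {
  format: string
  exportedAt: string
  account: Omit<User, 'passwordHash'>
  projects: Project[]
  sessions: Omit<Session, 'token'>[]
}
// Build the export for exactly one user. Two rules keep this from becoming a
// data leak: credentials (password hash, session tokens) are stripped, since they
// are secrets rather than data the user needs back; and every related table is
// filtered by the authenticated user's id, never by an id taken from the request body.
function buildDataExport(db: Db, userId: string, now: Date = new Date()): DataExport | null {
  const user = db.users.find((u) => u.id === userId)
  if (!user) return null
  const { passwordHash: _omit, ...account } = user
  return {
    format: 'gdpr-portability/v1',
    exportedAt: now.toISOString(),
    account,
    projects: db.projects.filter((p) => p.ownerId === userId),
    sessions: db.sessions.filter((s) => s.userId === userId).map(({ token: _t, ...rest }) => rest),
  }
}
// Serialise for the download response (Content-Type: application/json).
function exportAsJson(db: Db, userId: string): string | null {
  const data = buildDataExport(db, userId)
  return data === null ? null : JSON.stringify(data, null, 2)
}
```

Wire `buildDataExport` to an authenticated GET route that takes the user id from the session, exactly as the deletion endpoint above does.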
5. ✅ Data Processing Agreements (DPAs)
If you use third-party services that process user data on your behalf, you need a DPA with them. The good news: most major services have standard DPAs you can sign online:
- Razorpay: automatically covered by their terms
- Supabase: available in their dashboard under Settings → Legal
- OpenAI: available at platform.openai.com/privacy
- Vercel: available in their dashboard
6. ✅ Lawful Basis for Processing
You need a legal reason to process data. For most SaaS apps:
- Contract: Processing email to send login links is necessary to fulfill the service
- Legitimate interest: Security logging, fraud prevention
- Consent: Marketing emails, analytics
7. ✅ Security Measures
GDPR requires "appropriate technical measures" to protect data. This means:
- HTTPS everywhere (HSTS header)
- Encrypted data at rest (Supabase and most managed databases do this by default)
- Access controls (row-level security (RLS) policies in the database, auth middleware in the app)
- Breach notification within 72 hours of becoming aware that personal data has been compromised
What Vezraa checks for GDPR
Vezraa's Legal scanner checks for the presence of a privacy policy, terms of service, cookie consent mechanism, and contact information. The Security scanner checks for the technical measures GDPR requires — HTTPS, security headers, and access controls.
Check your GDPR compliance gaps — scan in 30 seconds.