
GDPR Compliance Checklist for SaaS Apps (2026)

GDPR fines can reach €20M or 4% of worldwide annual turnover, whichever is higher. Here's the practical checklist for indie SaaS founders: not the 50-page legal guide, just what you actually need.

Does GDPR apply to you?

GDPR applies if you process personal data of people in the EU (strictly, the EEA), regardless of where your company is based. If you have EU users, GDPR applies to you. Personal data includes email addresses, IP addresses, names, device identifiers and anything else that can identify a person on its own or in combination with other data you hold.

Most AI-built SaaS apps collect email addresses at minimum. That's enough to trigger GDPR obligations.

The 7-point GDPR checklist

1. ✅ Privacy Policy

You must have a privacy policy that explains:

  • What data you collect and why
  • How long you keep it
  • Who you share it with (Razorpay, Supabase, OpenAI, etc.)
  • How users can request deletion
  • Your contact information

Link to it from your footer, signup page, and checkout flow.

2. ✅ Cookie Consent

If you use cookie-based analytics (Google Analytics, Mixpanel) or marketing cookies, you need explicit consent before setting them for EU users. Strictly necessary cookies (the session cookie that keeps someone logged in, a CSRF token, a cart) are exempt. A banner that pre-ticks "accept all", or that sets the cookies before the user has clicked anything, is not compliant: users must actively opt in, refusing must be as easy as accepting, and you should keep a record of when and to what they consented.

Simpler option: cookieless, privacy-first analytics such as Plausible or Fathom, which store no identifier on the visitor's device and are built to run without a consent banner. Check the vendor's current documentation and your own configuration before relying on that, since switching on features that track individual users brings you back under the consent requirement.

3. ✅ Data Deletion (Right to Erasure)

Users have the right to request deletion of their data (Art. 17). You need a way to handle this: at minimum, an email address they can contact, answered within one month. Better: a self-service deletion button in account settings. Erasure is not absolute: invoices and payment records you must keep under tax law can be retained, but everything else goes, including copies your processors hold and copies in backups once their retention window ends.

// Example: account deletion endpoint (app/api/account/route.ts)
import { NextRequest, NextResponse } from 'next/server'
import { prisma } from '@/lib/prisma'                       // your Prisma client
import { getSession, clearSession } from '@/lib/auth'       // your session helpers (assumed names)
import { cancelRazorpaySubscription } from '@/lib/razorpay' // assumed wrapper around the Razorpay SDK

export async function DELETE(_request: NextRequest) {
  const session = await getSession()
  if (!session) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })

  // Load billing references server-side; never take them from the request body
  const user = await prisma.user.findUnique({ where: { id: session.userId } })
  if (!user) return NextResponse.json({ error: 'Not found' }, { status: 404 })

  // Cancel billing before deleting: if this fails, the account and its records still exist
  if (user.razorpaySubscriptionId) {
    await cancelRazorpaySubscription(user.razorpaySubscriptionId)
  }

  // Delete user data from all tables. This only removes child rows whose relation has
  // `onDelete: Cascade` in schema.prisma; anything else must be deleted (or anonymised) explicitly
  await prisma.user.delete({ where: { id: user.id } })

  // Invalidate the session so the old cookie cannot be replayed against a recreated account
  await clearSession()

  return NextResponse.json({ deleted: true })
}

4. ✅ Data Portability

Users can request the data they provided, in a structured, commonly used, machine-readable format (Art. 20). A JSON export of their account data satisfies this requirement. Export only the user's own data, never internal fields such as password hashes or billing references, and treat the endpoint as sensitive: one request returns everything a hijacked session can reach, so require a recent login and rate-limit it.
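An added example, not the page's or Vezraa's code, of the export build in TypeScript. The point is the allow-list: the export is assembled from named fields of the user's own rows rather than by serialising the ORM object, so password hashes, MFA secrets, billing references and staff-only notes cannot leak, and a final tripwire refuses to emit the file if a denied key ever appears. The row shapes, field names, sample rows and the `vezraa-account-export/1` format tag are assumptions for the example, not a real schema.

```typescript
// Added example (not from the original page): assemble an Art. 20 export from an explicit
// allow-list of the user's own fields. Row shapes and field names are assumed for the example.

export interface UserRow {
  id: string
  email: string
  name: string | null
  createdAt: string
  passwordHash: string               // never exported
  totpSecret: string | null          // never exported
  razorpayCustomerId: string | null  // internal billing reference, not the user's data
}

export interface ProjectRow {
  id: string
  ownerId: string
  title: string
  createdAt: string
  internalNotes: string              // staff-only, not the user's data
}

export interface DataExport {
  format: 'vezraa-account-export/1'  // assumed format tag so the file is self-describing
  exportedAt: string
  account: Pick<UserRow, 'email' | 'name' | 'createdAt'>
  projects: Pick<ProjectRow, 'id' | 'title' | 'createdAt'>[]
}

// Allow-lists: adding a column to a table does not add it to the export
const USER_FIELDS = ['email', 'name', 'createdAt'] as const
const PROJECT_FIELDS = ['id', 'title', 'createdAt'] as const

function pick<T, K extends keyof T>(row: T, keys: readonly K[]): Pick<T, K> {
  const out = {} as Pick<T, K>
  for (const k of keys) out[k] = row[k]
  return out
}

export function buildDataExport(user: UserRow, projects: ProjectRow[], now: Date = new Date()): DataExport {
  return {
    format: 'vezraa-account-export/1',
    exportedAt: now.toISOString(),
    account: pick(user, USER_FIELDS),
    // Re-check ownership even if the query was scoped by userId: defence in depth
    // against a later query change returning someone else's rows
    projects: projects.filter((p) => p.ownerId === user.id).map((p) => pick(p, PROJECT_FIELDS)),
  }
}

// Tripwire: refuse to emit the file if a denied key ever reaches serialisation
// (for example because someone later replaces pick() with `...user`)
const NEVER_EXPORT = ['passwordHash', 'totpSecret', 'razorpayCustomerId', 'internalNotes']

export function serialiseExport(data: DataExport): string {
  const json = JSON.stringify(data, null, 2)
  for (const key of NEVER_EXPORT) {
    if (json.includes(`"${key}":`)) throw new Error(`export contains forbidden field ${key}`)
  }
  return json
}

// Constructed sample rows (not real data): one project belongs to the user, one does not
export const SAMPLE_USER: UserRow = {
  id: 'u_1',
  email: 'ada@example.com',
  name: 'Ada',
  createdAt: '2025-03-01T10:00:00.000Z',
  passwordHash: '$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA',
  totpSecret: 'JBSWY3DPEHPK3PXP',
  razorpayCustomerId: 'cust_sample',
}
export const SAMPLE_PROJECTS: ProjectRow[] = [
  { id: 'p_1', ownerId: 'u_1', title: 'Launch plan', createdAt: '2025-03-02T09:00:00.000Z', internalNotes: 'high-value' },
  { id: 'p_2', ownerId: 'u_2', title: 'Someone else', createdAt: '2025-03-02T09:30:00.000Z', internalNotes: '' },
]
```

In a Next.js route you would call `buildDataExport` with rows loaded for `session.userId`, return `serialiseExport(...)` with `Content-Type: application/json` and `Content-Disposition: attachment`, and put a fresh-login check and a rate limit in front of it.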

5. ✅ Data Processing Agreements (DPAs)

If you use third-party services that process user data on your behalf (processors), GDPR Art. 28 requires a written data processing agreement with each of them, and you will need the same list of vendors for your privacy policy. The good news: most major services have a standard DPA you can accept online, usually bundled with the transfer terms you need when the vendor is outside the EEA:

  • Razorpay: automatically covered by their terms
  • Supabase: available in their dashboard under Settings → Legal
  • OpenAI: available at platform.openai.com/privacy
  • Vercel: available in their dashboard

6. ✅ Lawful Basis for Processing

You need a legal reason to process data. For most SaaS apps:

  • Contract: processing a user's email address to send login links and run their account is necessary to deliver the service they signed up for
  • Legitimate interest: security logging, rate limiting and fraud prevention (write down the balancing test, because a regulator can ask for it)
  • Consent: marketing emails and analytics or marketing cookies, which the user must be able to withdraw as easily as they gave

7. ✅ Security Measures

GDPR (Art. 32) requires "appropriate technical and organisational measures" proportionate to the risk. For a typical SaaS app this means:

  • HTTPS everywhere, with a Strict-Transport-Security header so browsers never fall back to plain HTTP
  • Encrypted data at rest (Supabase and most managed databases do this by default; check the setting for any storage buckets and backups you run yourself)
  • Access controls: row-level security (RLS) so users only reach their own rows, auth middleware on every protected route, and least-privilege keys (the Supabase service-role key bypasses RLS and must never reach the browser)
  • Backups you have actually restored from, since the regulation asks for the ability to restore availability after an incident
  • Breach notification: report a breach to your supervisory authority within 72 hours of becoming aware of it unless it is unlikely to put people at risk, and tell the affected users without undue delay when the risk to them is high. That is a process, not a setting, so write the runbook before you need it
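The transport and access-control items are checkable from outside. As an added example (not Vezraa's scanner and not code from the original page), this TypeScript audit parses Strict-Transport-Security, flags a max-age under one year or a preload directive whose requirements are not met, goes a little beyond the list above by checking the headers that usually accompany HSTS (X-Content-Type-Options, Content-Security-Policy, X-Frame-Options, Referrer-Policy), and inspects Set-Cookie for the Secure, HttpOnly and SameSite attributes that keep a session cookie from being stolen or replayed. The severity labels and the two header sets at the bottom are constructed for the example; in practice pass the headers from a fetch() of your own deployment.

```typescript
// Added example (not from the original page): an offline audit of the response headers
// behind point 7. The header sets at the bottom are constructed, not captured from a real
// site; in practice feed it Object.fromEntries(res.headers) and res.headers.getSetCookie().

export type Severity = 'high' | 'medium' | 'low'
export interface Finding { header: string; severity: Severity; message: string }
export interface Hsts { maxAge: number; includeSubDomains: boolean; preload: boolean }

const ONE_YEAR = 31536000 // seconds; the minimum max-age the browser preload list accepts

// Parse Strict-Transport-Security; returns null when max-age is missing or malformed
export function parseHsts(value: string): Hsts | null {
  let maxAge = -1
  let includeSubDomains = false
  let preload = false
  for (const raw of value.split(';')) {
    const directive = raw.trim().toLowerCase()
    if (directive.startsWith('max-age=')) {
      const n = Number(directive.slice('max-age='.length).replace(/"/g, ''))
      if (!Number.isInteger(n) || n < 0) return null
      maxAge = n
    } else if (directive === 'includesubdomains') {
      includeSubDomains = true
    } else if (directive === 'preload') {
      preload = true
    }
  }
  return maxAge < 0 ? null : { maxAge, includeSubDomains, preload }
}

export function auditHeaders(headers: Record<string, string>, setCookie: string[], isHttps: boolean): Finding[] {
  // Header names are case-insensitive, so normalise before lookup
  const h: Record<string, string> = {}
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v
  const findings: Finding[] = []
  const flag = (header: string, severity: Severity, message: string) => { findings.push({ header, severity, message }) }

  if (!isHttps) flag('transport', 'high', 'page served over plain HTTP')

  const hsts = h['strict-transport-security']
  if (!hsts) {
    flag('Strict-Transport-Security', 'high', 'missing; browsers will keep following http:// links')
  } else {
    const p = parseHsts(hsts)
    if (!p) {
      flag('Strict-Transport-Security', 'high', `unparseable value "${hsts}"`)
    } else {
      if (p.maxAge < ONE_YEAR) flag('Strict-Transport-Security', 'medium', `max-age ${p.maxAge} is below one year`)
      if (!p.includeSubDomains) flag('Strict-Transport-Security', 'low', 'includeSubDomains not set')
      if (p.preload && (!p.includeSubDomains || p.maxAge < ONE_YEAR)) {
        flag('Strict-Transport-Security', 'medium', 'preload set but preload list requirements not met')
      }
    }
  }

  if ((h['x-content-type-options'] ?? '').toLowerCase() !== 'nosniff') {
    flag('X-Content-Type-Options', 'medium', 'missing nosniff; MIME sniffing can turn uploads into scripts')
  }
  const csp = h['content-security-policy'] ?? ''
  if (!csp) flag('Content-Security-Policy', 'low', 'missing')
  if (!h['x-frame-options'] && !/frame-ancestors/i.test(csp)) {
    flag('X-Frame-Options', 'medium', 'no clickjacking protection (X-Frame-Options or CSP frame-ancestors)')
  }
  if (!h['referrer-policy']) flag('Referrer-Policy', 'low', 'missing; URLs carrying tokens or ids may leak to third parties')

  // The session cookie is the access control: without these attributes it travels over HTTP,
  // is readable by injected scripts, and is sent along with cross-site requests
  for (const cookie of setCookie) {
    const parts = cookie.split(';').map((s) => s.trim())
    const name = parts[0].split('=')[0]
    const attrs = new Set(parts.slice(1).map((a) => a.split('=')[0].toLowerCase()))
    if (!attrs.has('secure')) flag('Set-Cookie', 'high', `${name}: Secure attribute missing`)
    if (!attrs.has('httponly')) flag('Set-Cookie', 'medium', `${name}: HttpOnly attribute missing`)
    if (!attrs.has('samesite')) flag('Set-Cookie', 'low', `${name}: SameSite attribute missing`)
  }
  return findings
}

// Constructed sample header sets (not captured from any real deployment)
export const WEAK = {
  headers: { 'Strict-Transport-Security': 'max-age=300' },
  setCookie: ['session=abc123; Path=/'],
}
export const HARDENED = {
  headers: {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  },
  setCookie: ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
}
```

Running `auditHeaders(WEAK.headers, WEAK.setCookie, true)` yields nine findings, including the high-severity missing Secure attribute on the session cookie; the hardened set yields none. A short max-age is the most common real-world HSTS mistake: a value of a few minutes protects only the tab that is currently open.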

What Vezraa checks for GDPR

Vezraa's Legal scanner checks for the presence of a privacy policy, terms of service, cookie consent mechanism, and contact information. The Security scanner checks for the technical measures GDPR requires — HTTPS, security headers, and access controls.

Check your GDPR compliance gaps — scan in 30 seconds.
