This type of legal agreement is used to disclose how you'll collect, keep and process the personal information of your users.
It's required not only by third-party services that you may use, but also by law.
In the US, CalOPPA demands it. In Canada, it's PIPEDA. In Australia, it's the Privacy Act of 1998. In the UK, it's the DPA. In the EU, it's the GDPR.
If you collect personal data, such as email addresses, mailing addresses, full names, job titles and other types of information, you have to describe your practices and procedures for collecting and using personal data in this legal agreement.
Clause 1. What Personal Information You Collect
Be as specific as possible in this clause. Don't forget to include data you collect directly (such as through account sign-up forms) as well as indirectly (such as through analytics services).
Clause 2. Data Protection
Users need to know that you make efforts to protect the personal information they provide to you. Include a clause that mentions that you have security measures in place.
You can also mention that no security system is 100% perfect and that data breaches still may occur, even with your best efforts being made to protect the data.
Clause 3. Data Sharing
Disclose your data sharing practices. Let users know when and why you may share information with third parties and others.
Clause 4. Business Transfers
Because you're a commercial entity, the possibility of an acquisition by another company exists. Users should be informed that their personal information might be transferred to a new entity.
If you intend to sell your business, make sure to include a Business Transfer clause in your agreement before you do so.
Clause 5. How You Use Personal Information
Disclose your practices so your users are aware of how their information will be used. Be thorough and accurate.
Clause 6. Cookies Clause
Include a clause to notify users if cookies are used by you or by third parties that you partner with.
Clause 7. Communications Clause
You must make sure that each email you send out has an unsubscribe link and that you provide methods for users to opt out of communications.
Clause 8. Contact Information