I was looking at the HN legal page:
http://ycombinator.com/legal.html<p>The "terms of use" are extremely brief:<p><i>Terms of Use: When you click on a link, our server will send you the corresponding page.</i><p>Are you required to have a policy statement/legal page?<p>If so, what <i>needs</i> to be in there?
A good template is Automattic's Privacy policy which they have made available for anyone to copy and use.<p><a href="http://automattic.com/privacy/" rel="nofollow">http://automattic.com/privacy/</a>
IANAL, but here's what I did for SeqCentral.<p>1) Look around the web for the Terms and Policies from similar companies. (Since SeqCentral is a SaaS provider, I looked at GitHub, 37 Signals, and our competitors.)<p>2) Look at the Wikipedia pages for more "official" references: <a href="http://en.wikipedia.org/wiki/Privacy_policy" rel="nofollow">http://en.wikipedia.org/wiki/Privacy_policy</a> and <a href="http://en.wikipedia.org/wiki/Terms_of_service" rel="nofollow">http://en.wikipedia.org/wiki/Terms_of_service</a><p>3) Draft your own terms such that if you were a user, you would be comfortable with them. (I'm an idealist, and as such, the SeqCentral ToS centers around the right of the consumer rather than the tyranny of the provider.)<p>4) Iterate with a lawyer who will tell you what you need at a minimum. (e.g. Refunds, children (COPPA), health (HIPAA), EU or CA rules, etc.)<p>5) Sleep on it.<p>6) Post as a "draft", issue an RFC, and be ready to make changes as needed.<p>Best of luck.
Take the following advice with a grain of salt as I am not a lawyer and I have not had the privacy/security/TOS for my startup[1] reviewed by a lawyer.<p>I don’t believe you’re required (by US law) to have a policy statement or legal page, although things may be different depending on where you are located. That said, I would suggest outlining your privacy policies (e.g. who can see their data under what circumstances, how long the data is stored, etc.) and establishing a jurisdiction for any legal issues at the very least; if you store sensitive data, I’d suggest talking a bit about what you do to keep the data secure. Depending on your site, this might be something that hardly anyone looks at or something that is important to users before they use the site.<p>[1] Iron Money: <a href="https://ironmoney.com/" rel="nofollow">https://ironmoney.com/</a>
Happened across this just now too: <a href="http://blogs.computerworlduk.com/simon-says/2010/12/the-risky-cloud/index.htm" rel="nofollow">http://blogs.computerworlduk.com/simon-says/2010/12/the-risk...</a><p>It discusses how WikiLeaks got kicked off of AWS, PayPal, and other providers for violating the ToS.