The minimum compliance an MVP needs (and what you can defer)
Founders ask me two opposite questions about compliance:
Question 1: "Do I really need a privacy policy if I don't collect anything?"
Question 2: "I just talked to a lawyer about GDPR and now I'm paralyzed. Where do I start?"
Both questions have the same answer: identify the minimum surface that actually applies to your product, and ship exactly that. Compliance is a floor. You're not trying to win an audit. You're trying to not get sued, not get fined, and not lose your AdSense account.
Here's the actual minimum.
What you need depends on what you collect
Be honest about what your MVP collects. Walk through it:
- Account data (name, email)? You probably do.
- Behavior (page views, clicks, time-on-page via analytics)? Yes if you have GA or similar.
- User content (anything they type, upload, or generate)? Often yes.
- AI-routed user content (sent to OpenAI, Anthropic)? Yes if you have an AI feature.
- Payment data? Only if you take money. Use Stripe Checkout to make this their problem, not yours.
- Health data (PHI)? Triggers HIPAA. Almost certainly no for a typical MVP.
- Children under 13? Triggers COPPA. Block under-13 signups in the UI; you're done.
For a typical SaaS MVP, you're collecting: email, behavior via analytics, and possibly user content sent to AI providers. That's three categories, and the obligations are straightforward.
What you need depends on who lives where
Two regulations cover ~95% of MVPs:
GDPR / UK GDPR applies if you have any EU/UK users. Even one. Don't assume "I'm not targeting Europe" gets you out of it — if a German user signs up via your form, GDPR applies to that processing.
CCPA / CPRA applies to California consumers. Strictly speaking, the thresholds for the law to require compliance are ~$25M revenue / 100K consumers / 50% revenue from data sales — but best practice is to comply anyway because the surface is small and Google AdSense's personalized ads are considered "sharing" under the CPRA, which triggers the "Do Not Sell or Share" obligation regardless of size.
For a US-only MVP with under 100K users and no revenue, formally CCPA doesn't require most of its surface, but you should still ship the "Do Not Sell or Share" footer link if you serve ads.
The minimum surface
Six items. Each is a one-time build.
1. Privacy Policy
A real one, tailored to what you actually collect. Not a template. The agent in sub-skill 08 of the skills bundle drafts this for you after asking what you collect, who uses it, and where they live.
Required sections:
- What data you collect (map 1:1 to the categories above).
- Why you collect it (legal basis under GDPR: consent, contract, legitimate interest).
- Who you share it with (list every sub-processor by name: OpenAI, Resend, Vercel, Stripe, Google Analytics, etc.).
- Retention periods.
- User rights (access, delete, export, correct, object, opt-out).
- How to exercise those rights (an email address).
- Cookies (separate strictly-necessary from analytics/marketing).
- A "Do Not Sell or Share" section under a #ccpa-rights anchor.
- Contact email.
2. Terms of Service
Plain English, defensive. Required sections:
- Who you are.
- What the service does.
- Acceptable use.
- Disclaimer of warranties (AS-IS).
- Limitation of liability.
- Governing law (pick your state).
- Changes-notification mechanism.
- Contact email.
3. Signup-flow consent checkboxes
Two of them, separate:
- Required: "I agree to the Terms of Service and Privacy Policy." Form submission blocked without it.
- Optional, unticked by default: "I'd like product updates by email."
GDPR specifically requires the marketing checkbox to default to unticked. Pre-ticked consent is void.
Server-side, store each consent with timestamp + IP address + a version reference (the "last updated" date of the document at signup time).
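The server-side half of the consent step above, as an added example that is not code from the original post: a request handler records each consent with a timestamp, the request IP and the document's "last updated" date, blocks the submission when the required box is missing, and treats an absent marketing field as "not consented" rather than defaulting it to yes. An in-memory array stands in for the consent table, and the document dates are constructed sample values.

```javascript
// Added example, not the post's code. An in-memory array stands in for a
// consent_records table; the "version" of each document is its last-updated
// date, as the post describes. Dates below are constructed sample values.

const CURRENT_DOCS = {
  terms: "2026-04-17",
  privacy: "2026-04-17",
};

// Stand-in for the consent_records table.
const consentLog = [];

class ConsentError extends Error {}

// Only an explicit tick counts. A missing field, an empty string or anything
// else is "not consented", which is what keeps the marketing box unticked by
// default on the server side as well as in the UI.
function isTicked(value) {
  return value === true || value === "on" || value === "true";
}

// form: the raw signup body; ctx: request metadata the handler already has.
// now is injectable so the record can be checked deterministically.
function recordSignupConsent(form, ctx, now = new Date()) {
  if (!isTicked(form.acceptTerms)) {
    // Required checkbox: block the signup instead of assuming agreement.
    throw new ConsentError("Terms of Service and Privacy Policy must be accepted");
  }
  const base = { userId: ctx.userId, ip: ctx.ip, timestamp: now.toISOString() };
  const records = [
    { ...base, purpose: "terms", granted: true, version: CURRENT_DOCS.terms },
    { ...base, purpose: "privacy", granted: true, version: CURRENT_DOCS.privacy },
    // Store the marketing decision even when declined, so you can later show
    // the box was unticked at signup rather than merely absent from the log.
    { ...base, purpose: "marketing", granted: isTicked(form.marketingOptIn), version: CURRENT_DOCS.privacy },
  ];
  consentLog.push(...records);
  return records;
}

// Latest recorded decision for a purpose; the mailer checks this before
// sending product updates.
function hasConsent(userId, purpose) {
  const matches = consentLog.filter((r) => r.userId === userId && r.purpose === purpose);
  if (matches.length === 0) return false;
  return matches[matches.length - 1].granted;
}

// Usage with a constructed form body: the marketing field is absent, so the
// stored decision is false.
const demoCtx = { userId: "u_123", ip: "203.0.113.7" };
recordSignupConsent({ acceptTerms: "on" }, demoCtx);
console.log(hasConsent("u_123", "marketing"));
```

When you later change the Terms or Privacy Policy, bump the date in CURRENT_DOCS and the next signup records the new version; users who accepted an older version can be asked to re-accept on their next login by comparing their latest "terms" record against the current date.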
4. Footer links
Three links, conspicuously available on every page:
- Terms
- Privacy
- "Do Not Sell or Share My Personal Information" → /privacy#ccpa-rights
5. Data export and delete endpoints
Authenticated users can:
- Export: download all their rows from your tables as JSON.
- Delete: soft-delete the account; hard-delete PII within 30 days.
These two endpoints satisfy "Right to Access" (GDPR Art. 15) and "Right to Erasure" (GDPR Art. 17), plus their CCPA equivalents.
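The export and delete endpoints above, worked through as an added example that is not the post's own code: export gathers every row belonging to the user across all tables and returns it as JSON, delete is a soft-delete that stamps deleted_at, and a scheduled purge hard-deletes the rows once the 30-day window has passed. It assumes an in-memory object stands in for your database and that every table holding user data carries a user_id column (the users table keys on id), so "all their rows" can be found mechanically; the sample rows are constructed.

```javascript
// Added example, not the post's code. A plain object stands in for the
// database; the assumption is that every table except users has a user_id
// column. Sample rows below are constructed.

const DAY_MS = 24 * 60 * 60 * 1000;
const HARD_DELETE_AFTER_DAYS = 30;

function sampleDb() {
  return {
    users: [
      { id: "u_1", email: "ada@example.com", name: "Ada", deleted_at: null },
      { id: "u_2", email: "bob@example.com", name: "Bob", deleted_at: null },
    ],
    posts: [
      { id: "p_1", user_id: "u_1", body: "hello" },
      { id: "p_2", user_id: "u_2", body: "world" },
    ],
    consents: [{ user_id: "u_1", purpose: "terms", granted: true }],
  };
}

// Right to Access (GDPR Art. 15): every row that belongs to the user, table
// by table, serialised as JSON for download.
function exportUserData(db, userId) {
  const out = {};
  for (const [table, rows] of Object.entries(db)) {
    const key = table === "users" ? "id" : "user_id";
    out[table] = rows.filter((r) => r[key] === userId);
  }
  return JSON.stringify(out, null, 2);
}

// Right to Erasure (GDPR Art. 17), step 1: soft-delete. Logins stop at once
// (auth should reject any user with deleted_at set) and the row can still be
// restored inside the grace period. Returns false if already deleted.
function softDeleteAccount(db, userId, now = new Date()) {
  const user = db.users.find((u) => u.id === userId && u.deleted_at === null);
  if (!user) return false;
  user.deleted_at = now.toISOString();
  return true;
}

// Step 2: a scheduled job (daily cron) that hard-deletes PII for accounts
// whose grace period has elapsed. Returns the purged ids for the job log.
function purgeSoftDeleted(db, now = new Date()) {
  const cutoff = now.getTime() - HARD_DELETE_AFTER_DAYS * DAY_MS;
  const due = db.users.filter(
    (u) => u.deleted_at !== null && Date.parse(u.deleted_at) <= cutoff
  );
  for (const user of due) {
    // Object.entries snapshots the table list, so reassigning is safe here.
    for (const [table, rows] of Object.entries(db)) {
      if (table === "users") continue;
      db[table] = rows.filter((r) => r.user_id !== user.id);
    }
    db.users = db.users.filter((u) => u.id !== user.id);
  }
  return due.map((u) => u.id);
}

// Usage on the constructed data: export u_1, then soft-delete and purge.
const demo = sampleDb();
console.log(exportUserData(demo, "u_1"));
softDeleteAccount(demo, "u_1", new Date("2026-05-01T00:00:00Z"));
console.log(purgeSoftDeleted(demo, new Date("2026-06-01T00:00:00Z")));
```

Route both functions behind your normal session check so a user can only export or delete their own id; the purge job runs without a session and should be the only code path that removes rows outright. If you keep backups, note in the privacy policy that deleted data ages out of them on the backup retention schedule rather than at the 30-day mark.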
6. Sub-processor DPAs
For each third-party that processes user data on your behalf (OpenAI, Resend, Vercel, Stripe), you need a Data Processing Agreement. Each provider offers one in their dashboard settings — typically a one-click sign. Keep a list in your project notes:
# Sub-processors
- OpenAI (DPA signed 2026-04-17)
- Resend (DPA signed 2026-04-17)
- Vercel (DPA signed 2026-04-17)
- Stripe (DPA signed 2026-04-17)
What you can defer
These can wait until you have actual users / actual revenue / actual scale:
- Cookie banner. Only required if you have non-essential cookies. Best practice for MVP: don't set non-essential cookies. No analytics that track personal data. No marketing pixels. Then you don't need a banner.
- If you do add Google Analytics + AdSense (this site does), use Google's free Funding Choices banner — it covers both in one consent flow.
- Cross-border transfer agreements (SCCs). Mention them in your privacy policy. Don't sign formal contracts with each EU customer.
- DPO appointment. Required only at certain scale thresholds. You're not there.
- Annual security audits. v2 problem.
- SOC 2 compliance. Required by enterprise customers. If your MVP is selling to consumers or small businesses, defer.
What it's not a substitute for
The minimum surface gets you to beta. It is not a substitute for a lawyer review before:
- Going past beta to general availability.
- Taking VC money (your investors will require it).
- Selling to an enterprise customer.
- Doing anything regulated (healthcare, finance, education, children).
Budget $500–$2,000 for a one-time legal review at that point. Until then, the minimum surface from above covers you.
What this site does
Just so I'm not preaching what I don't practice — vibecodersguidetomvp.help has:
- Privacy policy at /privacy/, tailored to this exact site.
- Terms of service at /terms/ with Oregon governing law.
- "Do Not Sell or Share" link in the footer pointing to the CCPA section of the privacy policy.
- AdSense disclosed in the privacy policy with the Google Ads opt-out link.
- Privacy contact email forwarded through SES + Lambda to my real inbox.
- No analytics that track PII (Google Analytics IPs are anonymized).
- No signup form yet — when there is one, it'll have the consent checkboxes described above.
The whole compliance pass took about 90 minutes including drafting both policies. Tailored, not templated. AdSense-friendly. CCPA-friendly.
That's the floor. It's lower than you think. Build it.