
Legal & compliance

Privacy policies, terms, DPAs, and which regulations actually apply to your MVP — without the lawyer-template panic.

Most MVPs over-comply on paperwork and under-comply on substance. They ship a generic 4,000-word privacy policy that name-drops services they don't use, claim HIPAA "compliance" when they've never seen PHI, and skip the consent checkbox on signup. This page covers what actually matters at MVP stage, which services help, and when to stop pretending and call a real lawyer.

GDPR (EU)

Applies the moment a single EU resident lands on your site and you process their personal data, and "personal data" reads broadly: IP address, cookies, account info, all of it. Practical MVP requirements: a privacy policy describing what you collect and why, a lawful basis for processing (usually consent or legitimate interest), the ability to export and delete a user's data on request, and a real way to reach you (a privacy contact email). Cookie banners are required only if you set non-essential cookies or run trackers like analytics.

Fines are theoretically up to 4% of global revenue. In practice, EU regulators target companies with traction; pre-revenue MVPs are not the target. That said: do the basics from day one because retrofitting is painful.

CCPA / CPRA (California)

Applies if you have California users and hit one of: $25M revenue, data on 100K+ Californians, or 50%+ revenue from selling personal info. Most MVPs don't hit those thresholds. We still recommend treating CCPA as the floor: a "Do Not Sell or Share My Personal Information" footer link, plus a way to delete an account, costs nothing to add and inoculates you against future scale problems.

COPPA (kids under 13)

If your product knowingly collects data from kids under 13, COPPA applies and the rules are stiff: verifiable parental consent, no behavioral ads to kids, additional record-keeping. The cleanest MVP move is a 13+ minimum age in your terms and a signup checkbox confirming the user is 13 or older. If your product is actually for kids, you need a lawyer, not a docs page.

HIPAA (health data)

Only applies if you handle PHI — protected health information from a covered entity (provider, plan, clearinghouse) or as their business associate. Building a fitness tracker is not HIPAA. Building a SaaS that hospitals upload patient data into is HIPAA, and you need a BAA with every sub-processor that touches that data. Don't claim HIPAA compliance unless you've actually executed BAAs and done a security review.

FERPA (education)

Applies if you handle student educational records under contract with a school. Like HIPAA, scope is narrow. If you're building consumer ed-tech that students sign up for directly, FERPA generally doesn't bind you (the school agreement does).

PCI-DSS (payments)

Applies if you touch cardholder data. The whole reason we recommend Stripe Checkout is that the card data lives on Stripe's domain — your servers never see it — and you fall under SAQ A, the lightest tier. As long as you don't roll your own card form, PCI is mostly handled.

Regulation snapshot

Regulation   Triggers when                           MVP-stage burden
GDPR         Any EU user                             Privacy policy, consent, export/delete
CCPA/CPRA    CA users + scale thresholds             "Do Not Sell" link, delete flow
COPPA        Users under 13                          Age gate, parental consent if kids
HIPAA        PHI from covered entities               BAAs, security review, real lawyer
FERPA        School contracts for student records    Contract negotiation
PCI-DSS      Touching card data                      Use Stripe Checkout, you're SAQ A

TermsFeed

Free generators with paid upsells. The free templates are decent but generic. Paid plans start around $8/mo and add lawyer review for additional fees. Useful as a starting checklist; not a finished document.

Iubenda

Subscription-based ($27/mo for the standard plan in 2026). Policies are hosted on their domain by default and auto-updated when laws change, and a cookie consent banner is included. The selling point is "set it and forget it" — they amend your policy when the EU adds a new requirement. For founders who don't want a maintenance task, this is the cleanest paid option.

Termly

Free tier with limits (one site, basic templates, branded). Paid plans from ~$15/mo for unbranded and multi-site. Comparable to TermsFeed in quality. Reasonable for an early MVP if you want a click-through path and don't mind their footer badge.

Cookiebot

Cookie consent banner specifically. Free for sites under 50 monthly users (basically pre-launch); paid tiers from ~$15/mo. Scans your site for trackers and auto-categorizes them. Necessary if you've added GA4, AdSense, or any third-party analytics and you have EU traffic.

Osano

Cookie banner plus broader privacy ops (DSAR handling, vendor risk, etc.). Free banner tier; paid for the rest. Aimed at companies past MVP stage that need a data ops team's worth of tooling without hiring one.

Privacy Policies dot com

Cheap, template-based generator. Useful as a sanity-check second draft, not a primary source. Output reads as templated.

Service comparison

Service                           Cost (2026)            Tailored to your stack     Ongoing updates        Lawyer review
Write your own (with our skill)   $0                     Yes, by definition         When you regenerate    Optional, separate
TermsFeed                         Free / paid add-ons    Partial (questionnaire)    No (paid: yes)         Add-on
Iubenda                           $27/mo                 Partial                    Yes                    Add-on
Termly                            Free / $15+/mo         Partial                    Paid tier              No
Cookiebot                         Free / $15+/mo         Cookie scope only          Yes                    N/A
Privacy Policies .com             $30 one-time           Partial                    No                     No

DPAs and the sub-processor stack

A Data Processing Agreement (DPA) is the contract between you and any third party that processes personal data on your behalf. Under GDPR you're required to have one with every sub-processor, full stop. The good news: every reputable provider has a one-click DPA you accept in their dashboard.

A typical MVP stack and where to find each DPA:

Sub-processor                            What they process         Where to accept the DPA
OpenAI / Anthropic                       Prompt + response data    Settings → Compliance → DPA
Resend / Postmark / SES                  User email addresses      Account → Legal / Compliance
Vercel / AWS / Cloudflare                All site traffic          Dashboard → Settings → DPA
Stripe                                   Customer payment data     Settings → Compliance
Google Analytics / AdSense               Visitor analytics         Admin → Account settings
Auth.js providers (GitHub OAuth, etc.)   Identity data             Built into the platform's terms

Once accepted, list each sub-processor in your privacy policy. Yes, all of them. Auditors care about this and so do EU users who actually read.

The minimum viable compliance surface

For an MVP shipping today, the actual list of artifacts:

  1. Tailored privacy policy at /privacy/ — naming the real services you use, the data each handles, retention, and contact info.
  2. Tailored terms of service at /terms/ — governing law, AS-IS warranty disclaimer, account termination, liability cap.
  3. Signup consent checkbox — "I agree to the Terms and Privacy Policy" — unchecked by default, required to submit.
  4. "Do Not Sell or Share" footer link — even if you don't sell data, the link demonstrates good faith and future-proofs CCPA scope creep.
  5. Privacy contact email — privacy@yourdomain.com. Not a contact form. An actual email address GDPR users can reach.
  6. Data export and delete endpoints — minimum: a dashboard button that emails them their data, and an account-delete button that actually deletes.
  7. DPAs accepted with every sub-processor.
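Items 3 and 6 above, as an added example (not code from the page or from the Vibe Coder's Guide repos): a small in-memory user store where the signup handler enforces the consent checkbox server-side and records the acceptance, and export/delete cover every record tied to the user. Field names, TERMS_VERSION and the store layout are assumptions.

```javascript
// Added example (not from the page or the Guide's repos); field names,
// TERMS_VERSION and the store layout are assumptions.
const TERMS_VERSION = "2026-01"; // assumed: bump whenever /terms/ or /privacy/ change
const db = { users: new Map(), consents: [], sessions: [], apiKeys: [] };
let nextUserId = 1;

function signup(form, now = new Date()) {
  // A browser omits an unchecked checkbox from the form post, so only the explicit
  // value "on" counts; missing, "", "false" or a pre-filled default is refused
  // here, whatever the client-side `required` attribute said.
  if (form.agree !== "on") {
    return { ok: false, error: "You must accept the Terms and Privacy Policy." };
  }
  if (typeof form.email !== "string" || !form.email.includes("@")) {
    return { ok: false, error: "A valid email address is required." };
  }
  const id = nextUserId++;
  db.users.set(id, { id, email: form.email, createdAt: now.toISOString() });
  // Separate consent record: what the user agreed to, and when.
  db.consents.push({ userId: id, termsVersion: TERMS_VERSION, at: now.toISOString() });
  return { ok: true, id };
}

// Everything held about the user, as one object the dashboard button can email.
// API key secrets are left out; only their metadata is exported.
function exportUserData(id) {
  const user = db.users.get(id);
  if (!user) return null;
  return {
    user,
    consents: db.consents.filter(c => c.userId === id),
    sessions: db.sessions.filter(s => s.userId === id),
    apiKeys: db.apiKeys.filter(k => k.userId === id).map(k => ({ id: k.id, createdAt: k.createdAt })),
  };
}

// "Actually deletes": removes the user row and every dependent record instead of
// setting a soft-delete flag. Returns the row count so the flow can be audited;
// what to retain afterwards is whatever the retention section of /privacy/ says.
function deleteAccount(id) {
  if (!db.users.delete(id)) return 0;
  let removed = 1;
  for (const table of ["consents", "sessions", "apiKeys"]) {
    const before = db[table].length;
    db[table] = db[table].filter(r => r.userId !== id);
    removed += before - db[table].length;
  }
  return removed;
}
```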

That's it. We covered the build sequence in /blog/minimum-compliance-mvp/ and the DIY policy approach in /blog/privacy-policy-yourself/.

When to call a real lawyer

Stop relying on generators when:

  • You're raising VC. Investors will read the policies and the cap-table-adjacent disclosures.
  • You're closing your first enterprise contract. Their procurement team will redline your terms.
  • You're moving past beta with regulated data — health, education, financial, kids.
  • You're being acquired. The acquirer's lawyers will audit everything.
  • You're getting cease-and-desist letters or DMCA notices regularly.

Until then, a tailored policy you understand and maintain is more useful than an expensive policy you don't read. A startup-friendly attorney runs $300–600/hr; a privacy + terms review for a simple SaaS is typically a $1,500–3,000 engagement.

What this site does

Vibe Coder's Guide to MVP ships its own tailored policies at /privacy/ and /terms/. They're governed by Oregon law (where the maintainer is based), name the actual sub-processors (Anthropic, AWS, Resend, Google Analytics, AdSense), and are written in plain language. The Vibe Coder's Guide skills and the starter project repos are MIT-licensed. None of that is legal advice for your business — but it's a working template you can read.

Our recommendation

Write your own tailored policy using the compliance skill in the Vibe Coder's Guide skills bundle. It walks an AI agent through the right questions about your stack, your data, your jurisdiction, and produces a policy that actually matches reality. The output is auditable and yours to maintain.

If maintenance is a real burden and the $27/mo isn't, use Iubenda. They handle the law-changes problem so you don't.

If you're shipping something experimental in the next 24 hours and want a passable placeholder, use Termly's free tier — but plan to replace it before launch.

Anti-patterns we keep seeing

  • Copy-paste templates that mention services you don't use. The single biggest tell of a template policy is "Mailchimp" or "Google Workspace" appearing when you don't use either. Auditors notice. Users notice.
  • Claiming HIPAA when you've never seen PHI. This invites scrutiny you don't want and creates contractual obligations you can't meet.
  • No privacy contact email. A contact form is not GDPR-compliant. You need a reachable address.
  • Missing the consent checkbox. "By signing up you agree to our Terms" buried in fine print isn't consent — it's an assertion. Use a real checkbox.
  • Cookie banner that does nothing. If "Reject" still loads GA4, your banner is theater and a fine waiting to happen.
  • Promising 30-day deletion with no flow to deliver it. Either build the flow or change the promise.
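The Cookiebot note above and the last anti-pattern, as an added example (not code from the page): a consent gate where the GA4 tag is injected only after an explicit Accept, while Reject or no choice at all loads nothing. The storage key, category names, button IDs and measurement ID placeholder are assumptions; `storage` and `loadScript` are passed in so the logic runs outside a browser.

```javascript
// Added example (not from the page): a consent gate that injects the GA4 tag only
// after an explicit "Accept" and loads nothing on "Reject" or before any choice.
// The storage key, category names and measurement ID placeholder are assumptions;
// `storage` and `loadScript` are passed in so the logic runs outside a browser.
const CONSENT_KEY = "cookie_consent_v1"; // assumed; bump when the cookie policy changes

function readConsent(storage) {
  try {
    const raw = storage.getItem(CONSENT_KEY);
    const parsed = raw ? JSON.parse(raw) : null;
    return parsed && typeof parsed === "object" ? parsed : null;
  } catch (_) {
    return null; // unreadable value is treated as "no decision yet"
  }
}

// "Reject" is stored as a first-class answer too, so the banner stops nagging
// and nothing non-essential loads on later visits either.
function recordChoice(storage, granted, now = Date.now()) {
  const consent = { analytics: granted === true, ads: granted === true, at: now };
  storage.setItem(CONSENT_KEY, JSON.stringify(consent));
  return consent;
}

// No stored decision means no consent: non-essential categories stay off.
function isAllowed(storage, category) {
  const c = readConsent(storage);
  return c !== null && c[category] === true;
}

// Injects what the stored choice permits and returns the URLs loaded, so "Reject loads nothing" is checkable.
function applyConsent(storage, loadScript, measurementId) {
  const loaded = [];
  if (isAllowed(storage, "analytics")) {
    // gtag.js loader URL for GA4; the ID passed in is a placeholder, not a real property.
    const url = "https://www.googletagmanager.com/gtag/js?id=" + encodeURIComponent(measurementId);
    loadScript(url);
    loaded.push(url);
  }
  return loaded;
}

// Browser wiring, assuming a banner with #cookie-accept and #cookie-reject buttons.
function wireBanner(doc, storage, measurementId) {
  const inject = url => { const s = doc.createElement("script"); s.async = true; s.src = url; doc.head.appendChild(s); };
  const decide = granted => { recordChoice(storage, granted); applyConsent(storage, inject, measurementId); };
  doc.getElementById("cookie-accept").addEventListener("click", () => decide(true));
  doc.getElementById("cookie-reject").addEventListener("click", () => decide(false));
  applyConsent(storage, inject, measurementId); // honour a choice saved on an earlier visit
}
```

The same gate applies to AdSense: check `isAllowed(storage, "ads")` before injecting its loader.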