You built an AI tool. Maybe it's a writing assistant, a chatbot, an image generator, or a SaaS product with AI features baked in. You spent months on the product — the model, the prompts, the UI, the onboarding. The legal pages? They're an afterthought. Or worse, completely missing, or lifted from some unrelated SaaS template that says nothing about AI at all.
If your AI tool reaches EU users, it must comply with the EU AI Act's Article 50 transparency requirements, which apply from 2 August 2026: you must disclose when users are interacting with an AI system, mark AI-generated content as such, and disclose deepfakes. You also need updated Terms of Service covering AI limitations, a Privacy Policy addressing AI training data, and an AI Transparency Notice. Penalties for non-compliance reach €15 million or 3% of global annual turnover.
The EU AI Act changed this. It entered into force on 1 August 2024 and is phasing in: the ban on prohibited AI practices has applied since 2 February 2025, obligations for general-purpose AI models since 2 August 2025, and the Article 50 transparency obligations apply from 2 August 2026. And the critical part: if your AI tool reaches EU users, any EU users, you're subject to these obligations regardless of where your company is based, where your servers live, or where you incorporated your LLC.
This isn't a distant legal concern. Regulators are actively building enforcement infrastructure. And unlike GDPR's slow early rollout, the EU AI Act has the benefit of a decade of GDPR enforcement lessons already baked into its design. The fines are real, the extraterritorial reach is real, and the compliance expectations are specific.
This guide covers exactly which legal pages your AI tool needs, what each one must say, why each one matters legally, and how to generate all of them free at the end.
The 6 Legal Pages Every AI Tool Needs
1. AI Transparency Notice (NEW — Required by EU AI Act Article 50)
This is the newest requirement and the one most AI tool builders are missing entirely. Article 50 of the EU AI Act creates specific transparency obligations that didn't exist in GDPR. They're not general privacy rules — they're AI-specific disclosures.
Here's what Article 50 actually requires:
- Chatbots and AI virtual assistants must disclose to users that they are interacting with an AI system, unless it is obvious from context that they are talking to a machine
- Providers of AI systems that generate synthetic content (text, images, audio, or video) must ensure that outputs are marked in a machine-readable format and are detectable as artificially generated or manipulated
- Deployers of emotion recognition or biometric categorisation systems must inform the people exposed to them that the system is in operation
- Deployers of AI systems that generate or manipulate deepfakes (image, audio or video content resembling real people, places or events) must disclose that the content was artificially generated or manipulated
Who this applies to: any provider whose AI system is used by people in the EU. This includes US-based SaaS tools, UK companies, and any global product that serves EU users. There is no minimum threshold. One EU user makes you subject to these rules.
Your AI Transparency Notice must include:
- A clear statement that users are interacting with an AI system, not a human
- The type of AI use in your product (chatbot, content generation, recommendations, document analysis, etc.)
- Whether human oversight or human review is available, and how to request it
- The known limitations of your AI system — things it can get wrong, areas where outputs may be unreliable
- How users can flag errors, report issues, or request correction of AI outputs
- A contact point specifically for AI-related concerns
This isn't a one-line disclaimer buried in your footer. It's a dedicated page, and it should be linked prominently from your product interface, not just hidden in your legal section.
The penalty: up to €15 million or 3% of global annual turnover for violating the Article 50 transparency obligations, whichever is higher; for SMEs and startups the Act applies whichever is lower. For an early-stage SaaS at $2M ARR that qualifies as an SME, 3% works out to roughly $60,000. For a growth-stage company the numbers scale fast, and once you no longer qualify as an SME the €15 million ceiling is the one that applies.
2. Terms of Service (AI-Specific Clauses Required)
A standard Terms of Service template isn't enough for an AI product. The clauses that govern user relationships for a typical SaaS don't address the specific issues that arise when AI is in the loop. Your ToS needs to be specifically written or adapted for an AI product.
The additional clauses your AI tool's ToS must address:
AI output limitations and disclaimers. Explicitly state that AI-generated outputs may be inaccurate, incomplete, outdated, or inappropriate for specific uses. Users must understand that outputs are not professional advice and cannot be relied upon without independent verification. Courts in multiple jurisdictions have looked at whether product companies adequately warned users about AI hallucinations — and found ToS language that said nothing about it to be inadequate.
User input and training data. This is the clause that has caused the most regulatory and PR problems for AI companies. Does your AI use user inputs (prompts, uploaded documents, conversations) to train or improve your models? If yes, you must disclose this explicitly in your ToS, and you must give users a way to opt out. Several major AI companies have faced regulatory investigations and user backlash specifically for using customer data for training without clear ToS language and proper consent.
Prohibited uses. Specify what users cannot do with your AI: generating harmful content, impersonating real people, circumventing safety measures, using outputs for illegal purposes, generating content that violates the EU AI Act's prohibited practices list. This section also protects you from liability when users abuse your tool.
Intellectual property of AI outputs. Who owns what the AI generates? This is an open legal question in most jurisdictions, but your ToS needs to take a position. Most AI companies claim a license to AI outputs while granting users rights to use them. Whatever position you take, state it clearly.
AI model updates and version changes. If you update your underlying model or change the AI system's behavior, what notice do you give users? What happens to outputs generated under a previous version? Your ToS should address this.
If you need AI-specific SaaS terms, the FreeTOS SaaS Terms generator covers all of these clauses and lets you configure the training data disclosure, prohibited uses, and output ownership positions.
3. Privacy Policy (AI Data Processing Disclosures)
Standard privacy policies don't adequately cover AI products. The data flows in an AI tool are different from a typical web application — inputs go to model inference endpoints, may be logged, may be used for evaluation, may flow through third-party AI APIs — and your privacy policy needs to reflect these specific flows.
Your privacy policy must specifically address:
User inputs and prompts. Are they stored? For how long? Who has access? Are they reviewed by humans for quality assurance or safety monitoring? Are they used to train or fine-tune models? These disclosures are required under GDPR, and they're also required under several US state privacy laws (CPRA, Virginia CDPA, Colorado CPA).
Third-party AI APIs. If you use OpenAI, Anthropic, Google Gemini, or any other AI provider's API, you must disclose this in your privacy policy. User data passes through these providers' systems. Their data retention and processing practices apply. You need to name the providers and link to their privacy policies or describe their data handling in your own policy. This is required by GDPR's transparency principle — users have a right to know who their data goes to.
Automated decision-making. GDPR Article 22 creates specific rights for users who are subject to solely automated decisions that produce legal or similarly significant effects. If your AI tool makes decisions of that kind about users, such as eligibility assessments or risk scoring, you need to disclose this, provide meaningful information about the logic involved, and offer a route to human intervention. Plain recommendations usually fall short of the Article 22 threshold, but they are still profiling (see the next item) and must be disclosed as such.
Profiling and inference. If your AI makes inferences about users — inferring mood from text, inferring intent from usage patterns, inferring preferences from interaction history — this is profiling under GDPR and must be disclosed.
Generate an AI-ready GDPR privacy policy that covers all of these disclosures, or use the general privacy policy generator with the AI product configuration options.
4. Data Processing Agreement (DPA)
This one is specific to B2B AI tools, but it's non-negotiable if you sell to business customers in the EU.
Under GDPR Article 28, if your product processes personal data on behalf of another company (your customer), you are acting as a data processor. Your customer is the data controller. The law requires a written contract — a Data Processing Agreement — between the two of you before any processing begins.
Here's the part AI tool builders miss: your tool almost certainly processes personal data if users can input any real-world information. A user who pastes a customer's name and email into your AI for drafting an email? That's processing personal data. A company that uploads HR files to your AI document tool? Definitely processing personal data.
Your DPA must specify:
- The subject matter and duration of processing
- The nature and purpose of the processing
- The type of personal data involved
- The categories of data subjects
- Your obligations and rights as processor
- Data security measures you have in place
- Sub-processor disclosures (including your AI API providers)
- Procedures for data subject rights requests, breach notification, and deletion
Without a DPA, your EU business customers are out of GDPR compliance by using your product. Many enterprise procurement teams now require a signed DPA before they'll approve any vendor. Not having one ready costs you deals.
Generate a complete Data Processing Agreement configured for AI SaaS products.
5. Cookie Policy + Consent Banner
AI tools are still software products. They still use cookies for authentication sessions, analytics, feature flags, and A/B testing. The GDPR and ePrivacy Directive cookie requirements apply the same as they do for any other website.
Your cookie policy must list every cookie your site sets — first-party and third-party — with the cookie name, purpose, provider, and expiry. Your consent banner must appear before any non-essential cookies are set, and it must collect genuine opt-in consent. Pre-ticked boxes, dark patterns, and making rejection harder than acceptance are all violations under current EU guidance.
One thing specific to AI tools: analytics you use to understand how users interact with your AI (session recordings, heatmaps, event tracking) almost certainly require consent. Don't assume that because data collection is for product improvement purposes, it's exempt from cookie consent requirements.
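As an added example, not code from the page or from FreeTOS, here is the shape of a default-deny consent gate in JavaScript: non-essential cookie categories are blocked until an explicit, per-category opt-in is recorded, absent, stale or malformed consent records are treated as refusal, rejecting is the same one-step call as accepting, and withdrawing consent removes cookies that were already set. All names, the policy version and the cookie table are illustrative assumptions, and the cookie jar is an in-memory Map standing in for document.cookie so the code runs under Node without a browser.

```javascript
// Added example: a default-deny cookie consent gate.
// Names, the policy version and the cookie table are constructed
// assumptions for illustration, not a real library's API.

const POLICY_VERSION = "2025-08"; // bump whenever the cookie table changes
const CATEGORIES = ["essential", "analytics", "marketing"];

// The cookie table the cookie policy page is generated from (constructed
// sample data): name, category, provider, expiry and purpose, as regulators
// expect them listed.
const COOKIE_POLICY = [
  { name: "session_id",      category: "essential", provider: "first-party",      expiryDays: 1,   purpose: "login session" },
  { name: "_analytics_uid",  category: "analytics", provider: "analytics vendor", expiryDays: 365, purpose: "usage metrics" },
  { name: "_session_replay", category: "analytics", provider: "replay vendor",    expiryDays: 30,  purpose: "session recording" },
  { name: "_ad_id",          category: "marketing", provider: "ad network",       expiryDays: 90,  purpose: "ad attribution" },
];

// A consent record counts only if it was given explicitly against the
// current policy version: every non-essential category must be a real
// boolean chosen by the user (no "undefined means yes", no pre-ticked defaults).
function isValidConsent(record, policyVersion = POLICY_VERSION) {
  if (!record || typeof record !== "object") return false;
  if (record.policyVersion !== policyVersion) return false;
  if (!Number.isInteger(record.timestamp)) return false;
  return CATEGORIES.filter((c) => c !== "essential")
    .every((c) => typeof record.categories?.[c] === "boolean");
}

// Default deny: no valid consent means essential cookies only.
function allowedCategories(record, policyVersion = POLICY_VERSION) {
  const allowed = new Set(["essential"]);
  if (!isValidConsent(record, policyVersion)) return allowed;
  for (const c of CATEGORIES) {
    if (c !== "essential" && record.categories[c] === true) allowed.add(c);
  }
  return allowed;
}

// Build a record from the banner choice. "acceptAll" and "rejectAll" are
// symmetric one-step paths; an object gives per-category choices, and any
// category the user did not tick is recorded as false.
function recordChoice(choice, policyVersion = POLICY_VERSION, now = Date.now()) {
  const categories = {};
  for (const c of CATEGORIES) {
    if (c === "essential") continue;
    categories[c] = choice === "acceptAll" ? true
                  : choice === "rejectAll" ? false
                  : Boolean(choice?.[c]);
  }
  return { policyVersion, timestamp: now, categories };
}

// Set a cookie only if its category is allowed under the record.
function setCookie(jar, cookie, record, policyVersion = POLICY_VERSION) {
  if (!allowedCategories(record, policyVersion).has(cookie.category)) return false;
  jar.set(cookie.name, { expiresInDays: cookie.expiryDays });
  return true;
}

// Apply the whole table under a record; returns the names actually set.
function applyPolicy(jar, record, policyVersion = POLICY_VERSION) {
  return COOKIE_POLICY.filter((c) => setCookie(jar, c, record, policyVersion)).map((c) => c.name);
}

// Consent withdrawal: remove cookies whose category is no longer allowed.
function enforce(jar, record, policyVersion = POLICY_VERSION) {
  const allowed = allowedCategories(record, policyVersion);
  const removed = [];
  for (const c of COOKIE_POLICY) {
    if (!allowed.has(c.category) && jar.has(c.name)) {
      jar.delete(c.name);
      removed.push(c.name);
    }
  }
  return removed;
}

// Text for the cookie policy page, derived from the same table so the
// published list cannot drift from what the site actually sets.
function policyTable() {
  return COOKIE_POLICY
    .map((c) => `${c.name}\t${c.category}\t${c.provider}\t${c.expiryDays}d\t${c.purpose}`)
    .join("\n");
}

// Usage: a fresh visitor gets only the session cookie until they choose.
const jar = new Map();
applyPolicy(jar, null);                                  // -> ["session_id"]
applyPolicy(jar, recordChoice({ analytics: true }));     // adds the two analytics cookies
enforce(jar, recordChoice("rejectAll"));                 // withdrawal removes them again
```

The design point is that consent is keyed to a policy version: when you add a session-recording or event-tracking cookie to study how users interact with the AI, the version bumps, old records stop validating, and the gate falls back to essential-only until the user is asked again.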
Generate a cookie policy that lists all required cookie information in the format regulators expect.
6. Acceptable Use Policy (AUP)
An Acceptable Use Policy is important for any platform, but it's especially critical for AI tools because of how the EU AI Act categorizes certain AI uses.
The EU AI Act defines a list of prohibited AI practices — uses that are banned outright. It also defines a "high-risk" category with strict requirements. Your AUP is the document that explicitly prohibits your users from using your tool in ways that fall into these categories.
Your AI tool's AUP must explicitly prohibit:
- Generating content depicting violence, sexual abuse, or material exploiting minors
- Impersonating real, identifiable people without their consent
- Generating content designed to spread disinformation or manipulate elections
- Using the tool for illegal surveillance, stalking, or harassment
- Circumventing safety features or attempting to jailbreak the underlying model
- Using AI outputs to make high-stakes decisions about people without appropriate human oversight (hiring, credit, medical treatment, legal matters)
- Any use that violates the EU AI Act's prohibited practices list
The AUP also gives you contractual grounds to terminate accounts that violate these rules, which is important both for platform safety and for maintaining a defensible legal posture if your tool is ever misused.
Generate an AI-specific Acceptable Use Policy that aligns with EU AI Act prohibited practices.
EU AI Act Risk Categories — Where Does Your Tool Fall?
The EU AI Act sorts AI systems into four risk tiers. Understanding where your tool sits tells you exactly which obligations apply beyond the Article 50 baseline.
| Risk Level | Examples | Requirements |
|---|---|---|
| Unacceptable (Banned) | Social scoring, real-time biometric surveillance in public spaces, subliminal manipulation | Prohibited entirely — these uses are illegal |
| High Risk | CV screening, medical diagnosis AI, credit scoring, education assessment, law enforcement tools, emotion recognition systems (banned outright in workplaces and education) | Conformity assessment, registration in the EU database, mandatory human oversight, extensive documentation |
| Limited Risk | Chatbots, AI writing tools, image generators, deepfake generators | Transparency obligations (Article 50): disclose AI nature, mark generated content, label deepfakes |
| Minimal Risk | AI-powered spam filters, recommendation engines, AI in video games | No specific obligations under the Act, though GDPR and other laws still apply |
Most SaaS tools with AI features — writing assistants, chatbots, content generators, summarization tools, AI search — fall into the Limited Risk tier. That means Article 50 transparency obligations apply, and your AI Transparency Notice is legally required. It doesn't mean you're subject to the heavier conformity assessment requirements of the High Risk tier.
If your AI tool touches hiring decisions, credit decisions, educational assessments, or medical recommendations in any way, read the High Risk requirements carefully. You may be in a more regulated tier than you assume.
The risk category applies to the use case, not just the technology. A general-purpose AI chatbot is Limited Risk. The same underlying model deployed specifically for candidate screening in hiring becomes High Risk because of how it's used. What your tool does and who it affects determines your tier, not what's under the hood.
Your AI Tool Legal Compliance Checklist
Use this checklist to audit your current legal setup. Every item in the first section is a legal requirement, not a nice-to-have.
Must Have — Legal Requirements
- AI Transparency Notice covering the Article 50 disclosures, linked from the product interface
- Terms of Service with AI-specific clauses (output disclaimers, training-data use and opt-out, prohibited uses, output ownership, model changes)
- Privacy Policy with AI data-processing disclosures (inputs and prompts, third-party AI APIs, Article 22 automated decisions, profiling)
- Cookie Policy plus an opt-in consent banner that blocks non-essential cookies until consent is given
Must Have — If You Sell to Businesses (B2B)
- Data Processing Agreement under GDPR Article 28, listing your AI API providers as sub-processors
Recommended
- Acceptable Use Policy aligned with the EU AI Act's prohibited practices
- AI Content Disclaimer attached to generated outputs
Where to Generate Each Document Free
Every document in this checklist can be generated free at FreeTOS.org — no signup, no credit card, no trial that ends with a paywall. Here's the direct link for each one:
| Document | Generator |
|---|---|
| AI Transparency Notice | AI Transparency Notice Generator |
| Terms of Service (SaaS / AI) | SaaS Terms Generator · General ToS Generator |
| Privacy Policy | GDPR Privacy Policy Generator · Privacy Policy Generator |
| Data Processing Agreement | DPA Generator |
| Cookie Policy | Cookie Policy Generator |
| Acceptable Use Policy | Acceptable Use Policy Generator |
| AI Content Disclaimer | AI Content Disclaimer Generator · General Disclaimer |
If you're also curious about the broader legal compliance picture for any website or SaaS product — not just AI-specific requirements — read the GDPR explained guide for a foundational walkthrough of what the regulation actually requires and how it applies to software products.
Generate All 6 Documents Free
Get your AI Transparency Notice, Privacy Policy, Terms of Service, DPA, Cookie Policy, and AUP — all free, all AI-configured, all in under 10 minutes. No signup required.
Frequently Asked Questions
What does Article 50 of the EU AI Act require from AI tools?
Article 50 of the EU AI Act requires AI tools that interact with users, such as chatbots, content generators and virtual assistants, to clearly disclose the AI nature of the system to users. Providers must also mark AI-generated content (text, images, audio, video) as artificially generated, and deployers must disclose deepfakes. These transparency obligations apply from 2 August 2026 to any provider whose AI system is used by people in the EU, regardless of where the company is based. Non-compliance carries fines of up to €15 million or 3% of global annual turnover.
Does my privacy policy need AI-specific sections?
Yes. Your privacy policy must specifically disclose how user inputs and prompts are handled, whether they are stored and for how long, whether they are used to train or improve AI models, any third-party AI APIs you rely on (such as OpenAI, Anthropic, or Google Gemini) and their data practices, and how any automated decision-making works under GDPR Article 22. A standard privacy policy template without these AI-specific sections does not provide adequate disclosure under current regulatory expectations.
Do I need a Data Processing Agreement for my AI tool?
Any B2B SaaS product that processes personal data on behalf of its customers needs a Data Processing Agreement under GDPR Article 28. If your AI tool can receive any personal data from your business customers (names, emails, customer records, or any information about identifiable people), you are acting as a data processor and you need a signed DPA with each customer before processing begins. Without it, your EU customers are out of compliance simply by using your product, which makes you unsellable to GDPR-aware buyers.
Does the EU AI Act apply to companies outside the EU?
Yes. Like GDPR, the EU AI Act applies to any provider whose AI system is used by people in the EU, regardless of where the company is incorporated or where its servers are located. If your AI tool has even a single EU user, the relevant obligations under the Act, including the Article 50 transparency requirements, apply to you. The extraterritorial reach of the EU AI Act is intentional and mirrors the GDPR model that has already proven enforceable against non-EU companies.
What are the fines under the EU AI Act?
Fines depend on the type of violation. Violations of the Article 50 transparency obligations, the ones most relevant to typical SaaS AI tools, carry fines of up to €15 million or 3% of global annual turnover, whichever is higher. Violations involving prohibited AI practices (such as social scoring or real-time biometric surveillance of people in public spaces) carry fines of up to €35 million or 7% of global annual turnover. For SMEs and startups, the lower of the two figures applies in each case.
Written by Abd Shanti, building FreeTOS.org. Writing about website compliance, legal documents, and making legal tools accessible to everyone.