📄 Terms & Conditions + Privacy Policies
Do they actually matter?

🎉 Happy Friday, funds family!
When a company starts operating online, collecting customer data, processing payments, and/or running a marketplace, it needs a set of legal terms and policies that govern how it interacts with its users and customers. It’s an important topic for companies and their investors because these documents are not just legal boilerplate: they define how the company collects revenue, allocates risk, and protects the user data that often forms a core part of the investment thesis.
But first…
/ SELF PROMOTION

We’re a tech-enabled modern law firm with expertise in investment funds, SPVs, corporate & commercial matters, venture capital financings, M&A, private credit, outside general counsel, regulatory, and tax.
This article is part of the corporate series we are running that covers topics relating to an investment fund's investments into portfolio companies and the key items that matter both to the investors & companies throughout their entire lifecycles.
Thanks for reading. Now, let’s jump into the article 😃
The short answer is: every company that has a website, an app, or a customer-facing service needs at least a terms of service (or terms of use) and a privacy policy. Depending on the business model, it may also need additional policies addressing data, cookies, returns, acceptable use, intellectual property, and dispute resolution. These should be put in place before launch, not after problems arise.
➡️ Why should investors care about terms and policies?
Investors should care for the following reasons:
The terms define the company’s legal relationship with its users, which drives revenue protection and risk allocation.
The privacy policy governs the company’s obligations with respect to user data, which is often a core asset.
Regulatory exposure (e.g., GDPR, CCPA/CPRA, state privacy laws, sector-specific rules) flows through these documents.
Badly drafted or missing terms create real liability that an acquirer or later-stage investor will diligence and potentially price into the deal itself.
➡️ What are the core documents most companies need for terms and policies?
At a minimum, most companies should properly implement:
Terms of service (or terms of use) governing the user’s relationship with the company, including, for example, limitations of liability, dispute resolution, intellectual property ownership, and acceptable use.
A privacy policy disclosing what personal data is collected, how it is used, with whom it is shared, and how users can exercise rights regarding their data.
A cookies policy (or integrated language in the privacy policy) for any company using cookies or similar tracking technologies.
For marketplaces, processors, and platforms: additional layered terms for sellers, merchants, or partners.
If the company processes payments, hosts user-generated content, sells regulated products, or operates internationally (through subsidiaries or otherwise), additional policies will likely be required.
➡️ What are the most common problems?
The most common issues we see are:
Companies using boilerplate templates downloaded from the internet without tailoring them to the actual business, so the terms do not reflect the real product or data practices.
Privacy policies that don’t accurately describe what the company is actually doing with user data.
Terms that are not properly accepted by users (no clickwrap, i.e., no affirmative “I agree” action taken after the terms are presented, or only a weak browsewrap that infers assent from continued use of the site), leading to enforceability problems.
Missing state-specific disclosures (e.g., California CCPA/CPRA, Virginia VCDPA, Colorado CPA, Texas TDPSA).
No IP assignment (or license) language for user-generated content, when the business model depends substantially on that content.
Limitation of liability and indemnification provisions that are missing or unenforceable as drafted.
Arbitration and class action waiver provisions that are not properly drafted to be enforceable.
These issues are fixable, but they create exposure that compounds over time as user counts grow and data accumulates.
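The clickwrap-versus-browsewrap point above is, on the engineering side, a record-keeping problem: to rely on the terms later, the company has to show which text a given user affirmatively agreed to, when, and how it was presented, and it has to re-prompt when the text materially changes. The following Python is an added illustration of that record-keeping and is not code from the newsletter or from the firm; the class names, the sample terms text and the user identifiers are all assumptions made for this example.

```python
"""Added example: a minimal clickwrap acceptance ledger.

Illustrates why "accepted the terms" should be stored as an event bound to the
exact text the user saw, and why a browsewrap page view must not count as assent.
All names and sample data below are constructed for this example.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class TermsVersion:
    """Immutable snapshot of one policy document as presented to users."""
    doc_type: str   # e.g. "tos" or "privacy"
    version: str    # human-readable label, e.g. "2024-01-15"
    text: str       # the exact text shown in the acceptance dialog

    @property
    def content_hash(self) -> str:
        # Hash the exact text, so a later edit cannot be passed off as
        # "the version the user accepted".
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Acceptance:
    """One assent event, carrying what is needed to evidence it later."""
    user_id: str
    doc_type: str
    version: str
    content_hash: str
    accepted_at: datetime
    method: str                       # "clickwrap" or "browsewrap"
    ip_address: Optional[str] = None
    user_agent: Optional[str] = None


class AcceptanceLedger:
    """Append-only record of assent events, oldest first."""

    def __init__(self) -> None:
        self._records: list[Acceptance] = []

    def _append(self, user_id, terms, method, ip_address, user_agent, now):
        rec = Acceptance(
            user_id=user_id, doc_type=terms.doc_type, version=terms.version,
            content_hash=terms.content_hash,
            accepted_at=now or datetime.now(timezone.utc),
            method=method, ip_address=ip_address, user_agent=user_agent,
        )
        self._records.append(rec)
        return rec

    def record_clickwrap(self, user_id, terms, *, ip_address=None, user_agent=None, now=None):
        """User clicked an explicit 'I agree' control after the terms were displayed."""
        return self._append(user_id, terms, "clickwrap", ip_address, user_agent, now)

    def record_browsewrap(self, user_id, terms, *, ip_address=None, user_agent=None, now=None):
        """User merely loaded a page that links to the terms; logged, but never assent."""
        return self._append(user_id, terms, "browsewrap", ip_address, user_agent, now)

    def latest_clickwrap(self, user_id, doc_type):
        """Newest affirmative acceptance by this user for this document type, if any."""
        for rec in reversed(self._records):
            if rec.user_id == user_id and rec.doc_type == doc_type and rec.method == "clickwrap":
                return rec
        return None

    def has_accepted_current(self, user_id, current):
        """True only if the user affirmatively accepted exactly this text."""
        rec = self.latest_clickwrap(user_id, current.doc_type)
        return rec is not None and rec.content_hash == current.content_hash

    def gate(self, user_id, current):
        """Decision the app should make before letting the user proceed."""
        return "allow" if self.has_accepted_current(user_id, current) else "reprompt"


# Constructed sample data for this illustration (not real policies or users).
TOS_V1 = TermsVersion("tos", "2024-01-15", "Terms of Service v1. Disputes go to arbitration.")
TOS_V2 = TermsVersion("tos", "2024-06-01", "Terms of Service v2. Disputes go to arbitration; class actions waived.")


def demo():
    ledger = AcceptanceLedger()
    t0 = datetime(2024, 2, 1, tzinfo=timezone.utc)
    ledger.record_clickwrap("alice", TOS_V1, ip_address="203.0.113.5", user_agent="Mozilla/5.0", now=t0)
    ledger.record_browsewrap("bob", TOS_V1, now=t0)   # footer link only, no click
    return {
        "alice_v1": ledger.gate("alice", TOS_V1),   # "allow"
        "alice_v2": ledger.gate("alice", TOS_V2),   # "reprompt": text materially changed
        "bob_v1": ledger.gate("bob", TOS_V1),       # "reprompt": browsewrap is not assent
        "v1_hash": TOS_V1.content_hash,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design choice worth noting is that acceptance is keyed to a hash of the text rather than to a version label: a label can be reused or edited after the fact, whereas the hash lets the company later produce the exact document a user agreed to, and it makes a changed document automatically fail the gate so users are re-prompted rather than silently bound to terms they never saw.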
➡️ How should an investor diligence terms and policies?
Diligence here is straightforward but often skipped. An investor should:
Review the terms of service and privacy policy that are actually live on the site or app, not just a draft sent over by counsel.
Confirm that user acceptance is mechanically enforceable: the acceptance flow should produce a record of which version each user affirmatively accepted and when.
Check that the privacy policy matches the company’s actual data practices.
Confirm compliance with applicable privacy laws based on where customers are located.
Review any terms governing IP ownership of user content, especially for content-generating platforms.
Look for a documented information security program, and a SOC 2 report or comparable audit, if the company processes sensitive data.
Confirm there is a clear process for updating the policies and notifying users of material changes; if not, come up with a plan to do so with the company.
➡️ Why this matters more as the company scales
In the early days, gaps in terms and policies are mostly theoretical risks. But as the user base grows, regulators take interest, and the company moves toward a financing or exit, those gaps become real liabilities. Class action plaintiffs target privacy missteps. Acquirers run privacy diligence. State attorneys general enforce state privacy statutes. The cost of cleaning up early-stage policy gaps at the scale of millions of users is significantly higher than the cost of getting it right at launch. So let’s make sure to get it right.
➡️ The practical takeaway
For the company:
Put a tailored terms of service, privacy policy, and any other applicable policies in place before launch.
Use a proper acceptance mechanism.
Make sure the privacy policy matches actual data practices, and update it whenever those practices change.
Review the documents at least annually, and whenever the business model, geography, or product set changes.
For data-heavy businesses, build a privacy and security program (not just a policy document) early.
For the investor:
Diligence the live terms and policies, not the version shared in the data room.
Confirm that user acceptance is enforceable.
Check privacy law compliance based on where users are located.
Build representations and warranties on terms, privacy, and data security into the financing documents.
For data-heavy businesses, treat the privacy and security program as part of the investment thesis, not as an afterthought.
Thanks for reading, everyone!
Have a great weekend! 🙌
Have you enjoyed this newsletter? Don’t forget to share it with your GP, Co-GP, LPs, or anyone else you think might find it valuable!
You can also propose a topic that you would like us to cover! Just reply to this email or submit your suggestions here.
⚠️ Note: This newsletter is for informational purposes only and nothing should be considered legal advice. For that, hire a lawyer! I am a lawyer, but not your lawyer (unless I actually am your lawyer because you’ve signed an engagement letter and we’re working together). This may be considered attorney advertising.