The deploy finishes late one night, and you post the link in two communities before bed. By morning there are signups from strangers, and one of them typed a real name, an email address, and three paragraphs about their work into your feedback box. That text sits in a database you rent, and somewhere between the first coffee and the second the question arrives. What exactly did you just sign up for?
The answer is a short set of obligations that arrive in stages, and you can meet your current stage in an afternoon. The chapter "Guardrails: keep secrets, money, and data safe" protected the build itself. This chapter covers the promises you owe the people who use it.
The four documents every public build carries
One test catches the worst decisions before any document exists.
Picture the action your build is about to take, performed by a human offline, and ask whether that human would get away with it.
Emailing a thousand strangers who never asked to hear from you, or handing a diner a bill that no menu ever priced, is obviously wrong the moment a person does it, and the rules that stop the human offline usually reach online behavior too. The test is a filter, not legal advice, and whatever passes it still needs paper behind it, in four standard pieces.
- Terms of service. This is the contract between you and your user, covering what each side may do, what you are not promising, and what happens when the deal breaks. Payment and refund language joins it the day you charge money.
- Privacy policy. It states what you collect, why, where it lives, how long you keep it, and who else can see it. This is the most regulated of the four, because it makes claims that users and regulators can check.
- Disclaimer. It marks the limits of what your product takes responsibility for. If the build touches health, money, or law, it says the output is information, not professional advice.
- Contact. Users need a working way to reach you. An email address is enough, and it is often the difference between a quiet bug report and a public complaint.
The three disclosures AI products add
If a model sits anywhere in the path of your users, in any of the runtime roles you sorted out in "Where AI fits in your product", three more obligations attach.
- Tell people when they are talking to AI. The notice does not need to be loud; a line near the chat input is enough. But it must exist before anyone mistakes generated text for a human reply.
- Do not pass AI output off as professional advice. A model produces the same fluent, confident prose about medication and tax strategy that it produces about restaurant choices. A visible note that answers are generated and can be wrong keeps the boundary explicit.
- Say what happens to what users type in. People put surprisingly personal material into a text box that answers back. If their words travel to a model provider's API, the privacy policy says so, and if conversations are stored, it says for how long.
The regulatory weather behind these is concrete. Italy's data-protection authority temporarily blocked ChatGPT in 2023 over data-protection concerns, and service returned after disclosures and user controls were added. The EU AI Act phases in transparency obligations through 2025 and 2026, including the requirement to tell people when they are interacting with an AI system.
What you owe depends on what the build does
What you owe scales with what your build does. Two mistakes are common here: ignoring the rules entirely, or hiring a lawyer for a landing page. The fix for both is to match your obligations to the stage your build is actually at.
- A page that collects nothing personal needs little more than a way to reach you. Portfolios, calculators, and free tools without accounts sit here.
- A waitlist page that collects an email address adds a short, truthful privacy policy. It names the one kind of data you take, where it is stored, and how to be removed.
- Accounts and stored data add more. Once people sign in, the territory of "Auth, who you are vs. what you can do", you need all four documents, a working deletion path, and a breach plan, because the rights described below are now live.
- Money and user-facing AI each add a step of their own. Charging cards brings payment terms and refund language, and a model in front of users brings the three disclosures above.
We recommend knowing what the next stage requires, so that when your product moves up a stage you update your documents on schedule instead of in a scramble.
The rights your users already have
Store anything about an identifiable person and that person holds rights over the data, whether or not your documents mention them. Two laws supply the vocabulary, GDPR in Europe and CCPA in California, and a public URL reaches both jurisdictions on day one.
- The right to know. A user can ask what you hold about them, and you must be able to answer. If you cannot trace where user data lives, revisit "Data, where information lives".
- The right to delete. A user can ask you to erase their data, and you must be able to actually do it. A manual process is fine at small scale, while an impossible one is not.
- Breach notification. If someone breaks into your database, you must tell the people affected, and the strictest regimes allow as little as 72 hours to notify the regulator. Meeting that deadline starts with a written plan for who you would tell and how.
None of it requires a law degree, only a build designed so each obligation stays achievable.
Draft with AI help, then read every line
These documents fit AI drafting well, because their structure is conventional and your contribution is the facts. Hand Claude Code what you collect, where it is stored, and who can see what, and a readable first draft of all four comes back in an afternoon.
The half you cannot delegate is the read. Test every line against your actual build, keep what is true, cut what is not, and question anything you do not understand. When your product starts handling money, health data, or other people's contracts, pay a professional to review the result. Until then, a modest document you fully understand protects you better than an impressive one you do not, because you are responsible for every sentence you publish.
Try it now
No setup: Open a notes app and write the five answers for your build, one sentence each. What do you collect? Where is it stored? Who can see it? How does someone get it deleted? Where do they complain? Where the truthful answer is "no answer yet," write that; the gaps are the point. These five sentences are the skeleton of your privacy policy.
With your tools: Paste the five answers into Claude Code and ask for the draft: "Write a plain-language privacy policy for the build described below. Use only these facts. Where a standard policy would claim something these facts do not support, write TODO instead of inventing the claim." Then read every line and cut whatever is not true of your build, starting with flattering sentences about security practices you have not built. In Codex or Cursor the move is the same: paste the five answers into the sidebar chat, ask for the draft with TODO markers, and do the same line-by-line read. If nothing is installed yet, The Setup Clinic gets you to a working session in one sitting.
Chapter Summary
- Before you write anything, run the offline test: if a human doing the same thing offline would be in trouble, your build is too.
- Every public build carries four documents: terms of service, a privacy policy, a disclaimer, and a working way to contact you.
- The privacy policy is the one regulators and users can check, so it has to be true: what you collect, why, where it lives, how long you keep it, and who can see it.
- If a model sits in front of users, add three disclosures: tell people they are talking to AI, say the output is not professional advice, and say where their typed words go.
- What you owe scales with what the build does, so know what the next stage requires and update your documents before you reach it, not after.
- Anyone whose data you store already has rights: to ask what you hold, to have it deleted, and to be told if you are breached, with as little as 72 hours to notify the regulator.
- AI can draft all four documents in an afternoon, but you have to read every line and cut anything that is not true of your build, because you own every sentence you publish.
- Next, "Write your Build Plan and start the build" turns everything you have decided into a plan and a first session.
Sources
- Public reporting on the Italian data-protection authority's ChatGPT suspension (2023).
- EU AI Act transparency provisions (2024 to 2026).