Cookie Policy for SaaS
A SaaS cookie policy that procurement teams accept — named tools, clear consent framing, no surprises in the redline.
- Procurement-friendly: named tools, clear processor framing
- Separates marketing site cookies from product cookies
- EU consent + CCPA disclosure + processor passthroughs covered
A B2B SaaS's cookie policy gets read by two audiences: end users (where compliance matters) and procurement teams reviewing the policy as part of vendor onboarding (where presentation matters). Procurement is looking for: named third-party tools, clear consent framing for marketing site vs. product, and explicit reference to your DPA for processor data. A generic cookie policy creates redline back-and-forth that delays deals. This generator produces a SaaS-shaped policy: separate sections for marketing site cookies and product cookies, named tools, processor framing where relevant.
Disclosures that matter for B2B SaaS.
Marketing site vs. product cookies
The marketing site (landing pages, blog) typically uses GA, Meta / LinkedIn ads pixels and chat. The product (app interior) uses session cookies, product analytics and error tracking. Each has a different consent profile, so the policy gives them separate sections.
Product analytics
PostHog, Mixpanel, Amplitude, Heap and similar tools set cookies for cross-session user identification. In the product, these are functional with legitimate interest as the lawful basis. The cookie policy should disclose them.
Session replay
Hotjar, FullStory, LogRocket, PostHog Session Replay. These are higher risk because they record user interaction. Disclosure is required in the EU / UK and recommended in the US. Some regulators (CNIL) have flagged session replay as needing explicit consent.
Error tracking
Sentry, Bugsnag and similar tools set cookies for session context. These are strictly necessary for product reliability: disclosed, but with no consent gate.
Intercom / chat tools
These tools set cookies for chat continuity and identification, covering both functional and marketing cookies. They should be named individually per EDPB guidance.
DPA reference
Where cookies are tied to processor data (your customer's end-users), the cookie policy should reference your DPA so procurement teams can trace the data flow.
Where B2B SaaS policies usually go wrong.
Same policy for marketing + product
The marketing site needs a full GDPR consent banner; the product often relies on legitimate interest. Conflating them creates either an over-burdened product experience or an under-disclosed marketing site.
No session-replay disclosure
Session replay tools capture user input and interaction. CNIL and other EU regulators have flagged these as needing explicit consent. Missing disclosure is a common procurement redline item.
Generic "analytics providers"
Procurement teams expect to see specific tool names so they can map to their own DPAs. Vague disclosure triggers a security questionnaire.
Ready to generate your B2B SaaS cookie policy?
A 2-minute wizard. Free preview shows the first three sections — pay $2 only if you want to unlock the full document.
A real anonymized example for B2B SaaS.
Read the full text of a B2B SaaS cookie policy generated through this same pipeline. No signup needed.
