Platform terms and policies - direct legal advice from Bratby Law

Platform Terms and Policies

Compliant terms of service, privacy policies and regulatory documents for digital platforms

UK platform operators need compliant platform terms and policies before they can launch or scale a digital product. At minimum, a SaaS or subscription platform requires terms of service, a privacy policy and a cookie policy. These documents must comply with the Consumer Rights Act 2015 (both the digital content provisions in Chapter 3 and the services provisions in Chapter 4), the UK GDPR, and the Privacy and Electronic Communications Regulations 2003. Where the platform includes AI-powered features, the terms must also address transparency obligations, liability for AI-generated content, and intellectual property rights in user inputs and outputs. Bratby Law drafts complete document suites as a single fixed-fee instruction, drawing on its specialist practice in data protection, consumer digital services, and AI governance.

Who this advice is for

This page is for UK-based operators launching or scaling digital platforms: SaaS products, subscription services, consumer apps, marketplace platforms, and AI-powered tools. It covers both B2C platforms with consumer-facing terms and B2B platforms with enterprise agreements. It is also relevant for platform operators adding new features, expanding to EU users, or updating documents following new legislation such as the Digital Markets, Competition and Consumers Act 2024.

Why platform operators need specialist legal documents

Getting platform terms and policies right is not about navigating complexity in the abstract. It is that a platform’s legal documents must work together as a coherent suite. The terms of service reference the privacy policy. The privacy policy must reflect the platform’s actual data flows, including transfers to AI processors and analytics providers. The cookie policy must align with the consent mechanism deployed on the site. Off-the-shelf templates cannot achieve this because they do not reflect the platform’s specific processing activities, third-party integrations, or commercial model.

For B2C platforms, the documents must also comply with consumer protection legislation. The Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013 require specific pre-contract information and a 14-day cancellation right for digital subscriptions. The Consumer Rights Act 2015 imposes statutory implied terms on both digital content (Part 1 Chapter 3: satisfactory quality, fitness for purpose, as described) and services (Part 1 Chapter 4: reasonable care and skill). A SaaS platform may engage both regimes: the platform itself is a service; content generated or delivered through it may be digital content.

The Digital Markets, Competition and Consumers Act 2024 will, once its subscription contract provisions are brought into force, add mandatory renewal reminders, an easy cancellation requirement, and enhanced cooling-off rights for subscription contracts. No commencement order had been made for these provisions as at March 2026, but the government has indicated it intends to bring them into force during 2026.

For B2B platforms, the focus shifts to limitation of liability, service level commitments, intellectual property licensing, and a standalone data processing agreement. Some platforms serve both audiences, with a freemium consumer tier and an enterprise offering. The document suite must accommodate both.

What we deliver

We draft complete platform terms and policies for UK operators on a fixed-fee basis. The scope typically covers the following.

Terms of service. We draft subscription terms covering payment mechanics, auto-renewal, cancellation rights (including the 14-day cooling-off period under the Consumer Contracts Regulations 2013), acceptable use, intellectual property, and liability. For B2C platforms, the terms reflect the Consumer Rights Act 2015 implied terms for digital content (satisfactory quality, fitness for purpose, as described under sections 34 to 36) and for services (reasonable care and skill under section 49). For B2B platforms, the terms include enterprise-grade limitation of liability, service levels, and IP licensing provisions.

Privacy policy. We prepare a UK GDPR-compliant privacy notice covering all current processing activities: account registration, user inputs, AI processing, analytics, payment processing, and marketing communications. The policy identifies each third-party processor and its role, sets out the lawful basis for each category of processing, and explains international transfer mechanisms where servers or processors are outside the UK. Where the platform serves EU users, we address the extraterritorial application of the EU GDPR under Article 3(2).

Cookie policy and consent. We draft a PECR-compliant cookie notice, categorise all cookies (strictly necessary, functional, analytics, marketing), and provide practical guidance on consent mechanism configuration and banner implementation.

AI feature terms. Where the platform uses AI to generate or process content, the terms must address transparency obligations under the UK GDPR (Articles 13 and 14), disclaimers on the accuracy and reliability of AI-generated output, intellectual property allocation for user inputs and AI outputs, and liability caps for AI-related loss. Where the AI feature constitutes solely automated decision-making that produces legal or similarly significant effects, Article 22 rights will also apply.

International compliance. A UK-based platform that actively offers paid services to users in the EU is likely caught by the EU GDPR (Article 3(2)) and may need to consider other privacy regimes. We draft for UK and EU compliance as standard. US state privacy laws and other regimes can be scoped as a separate phase.

Future-proofing. As part of the platform terms and policies, we build modular clauses for planned features, such as community profiles, messaging, user-generated content, or a marketplace, into the initial documents. This avoids a full redraft when those features are activated. The incremental cost of including framework provisions at the outset is modest compared with retrofitting them later.

Implementation guidance. We provide a practical note on document placement, consent flows, cookie banner configuration, cancellation mechanics, and deployment. This ensures the documents work as intended on the live platform, not just on paper.

What a platform document suite typically includes

The scope of platform terms and policies depends on whether the platform is consumer-facing (B2C), business-facing (B2B), or both.

DocumentB2C platformB2B platform
Terms of serviceSubscription, cancellation rights (CCR 2013, CRA 2015, DMCC 2024 when commenced), acceptable use, AI disclaimers, IP, liabilitySubscription or SLA, limitation of liability, IP licensing, acceptable use, AI disclaimers
Privacy policyUK GDPR, EU GDPR (Article 3(2)), processor mapping, international transfers, data subject rightsUK GDPR, standalone data processing agreement, processor obligations
Cookie policyPECR regulation 6, consent mechanism, full cookie categorisationPECR regulation 6, typically lighter (fewer marketing cookies)
Implementation guidanceConsent flows, cancellation mechanics, cookie bannerDPA execution, SLA monitoring, cookie banner

Typical triggers

Platform operators instruct us at several stages, each requiring a tailored approach to platform terms and policies. Pre-launch, when the platform is being built and needs compliant documents before going live. Post-launch, when the business has outgrown its original template terms and needs documents that reflect its current functionality and scale. When adding AI features, which require specific transparency disclosures and liability provisions that existing terms rarely cover. When expanding internationally, particularly to EU users, which triggers the extraterritorial application of the EU GDPR.

We also see instructions triggered by investor or acquirer due diligence that flags inadequate terms, by a data subject complaint or ICO inquiry that reveals gaps in the privacy notice, or by the introduction of new legislation. The DMCC Act 2024 subscription contract provisions are a current example of a legislative trigger. Once commenced, they will require B2C platforms to review their cancellation and renewal terms.

Frequently asked questions

How long does it take to draft a full document suite?

First drafts are typically delivered within 10 working days of receiving your processor list and platform access. The fixed fee includes one round of comments and revisions on each document. Most instructions complete within three to four weeks from engagement to final documents.

What information do you need from us to get started?

We need a list of your third-party processors (payments, analytics, email, AI provider, hosting) with confirmation of where each is based, access to the platform (a demo or trial account is sufficient), confirmation of the contracting entity and its directors and shareholders, and any existing terms or policies you are currently using.

Can you draft documents that cover both UK and EU users?

Yes. Where a platform actively offers services to individuals in the EU (for example, by accepting EU payments, marketing to EU users, or providing EU-specific content), it is likely caught by Article 3(2) of the EU GDPR. Mere passive accessibility is not sufficient; there must be evidence of intentional targeting.

We draft for UK and EU compliance as standard. The fixed fee covers both. Other privacy regimes, such as US state laws (California CCPA/CPRA), can be scoped as a separate phase if needed.

Do we need to address AI features specifically in our terms?

Yes, if the platform uses AI to generate or process content. Users need to understand what the AI does, what it does not guarantee, who owns the outputs, and how their inputs are used. The UK GDPR imposes transparency obligations under Articles 13 and 14, which require clear information about how user data is processed by the AI. Where the AI feature makes decisions based solely on automated processing that produce legal or similarly significant effects on users, Article 22 rights will also apply. We advise on which provisions are engaged and draft specific AI clauses accordingly.

What is the DMCC Act 2024 and does it affect subscription terms?

The Digital Markets, Competition and Consumers Act 2024 introduces new rules for subscription contracts, including mandatory pre-contract information, renewal reminders, and a straightforward cancellation process. These provisions have not yet been brought into force. The government consulted on implementation during 2025 and has indicated an intention to commence them during 2026.

B2C subscription platforms should prepare now, as the provisions will require changes to existing terms.

Should we build in provisions for features we plan to add later?

Usually yes. Adding modular clauses for community features, user-generated content, or a marketplace at the outset is a modest incremental cost. Retrofitting them later typically requires a more substantial redraft of both the terms and the privacy policy, because new processing purposes, lawful bases, and data sharing arrangements are all affected.

Do you offer a fixed fee for platform terms and policies?

Yes. Platform document suites are typically quoted on a fixed-fee basis. The fee depends on the platform’s complexity: the number of processors, international scope, whether AI features are involved, and whether the platform serves consumers, businesses, or both. We confirm the fee before work begins and it includes one round of revisions.

Need platform terms and policies?

Schedule an initial call

Rob Bratby advises digital platforms on their legal documentation suite, drawing on experience as General Counsel at TelXL and Core Communication Group and on his regulatory background at Oftel and Ofcom. Bratby Law is recognised in Chambers UK (Band 2) and by Lexology as a Global Elite Thought Leader for data protection.

Related direct legal advice pages

For related questions about platform terms and policies and other regulatory advice, see our other direct legal advice pages:

Ready to discuss your matter?

Schedule an initial call

What clients say about Bratby Law:

  • “I would highly recommend Rob and his team.”

    “I have had the pleasure of working with Rob now on a number of occasions and engagements with clients. Rob is one of the most knowledgeable people I have come across in the Telecommunications industry, both in his comprehensive understanding of the law for various countries and in the application of this law and what it means for Operators. This is complemented by his generosity with sharing his knowledge, and the friendly style with which he works. I would highly recommend Rob and his team.”
    Nick White
    (Former) Deloitte

  • “I would recommend Rob for any major Telecoms project”

    “I worked with Rob to introduce One Touch Switching for broadband and fixed voice, which launched successfully with almost two million customers using the service to date. Rob is a first class Legal Counsel with exceptional legal and regulatory knowledge enabling him to give insightful strategic guidance to the ExCo and the Board. He is highly trusted by Directors and easy to work with. I would recommend Rob for any major Telecoms project.”
    Toby Lovell
    (Former) Chief of Staff, The One Touch Switching Company

  • “…he has an outstanding understanding of the telecoms market…”

    “Rob has been my lawyer for over 25 years. He has advised us through every stage of the business, from international voice through to SIM distribution and eSIMs. He knows our business inside out, he has an outstanding understanding of the telecoms market and he gives us direct, practical advice without the overhead of a full-time hire.”
    Tony Greaves
    CEO, Core Communication Holdings Limited

Independent directory rankings

Our specialist expertise is recognised in major independent legal directories:

  • Chambers & Partners: Rob Bratby is ranked as a band 2 lawyer in the UK Guide 2026 in the “Telecommunications” category: Chambers
  • The Legal 500: Rob Bratby is listed as a “Leading Partner – Telecoms” in London (TMT – IT & Telecoms): The Legal 500
  • Lexology: Rob Bratby is featured on Lexology’s expert profiles as a Global Elite Thought Leader for data: Lexology
Chambers and Partners accreditation
Legal 500 accreditation
Lexology Global Elite Thought Leader accreditation