Who this is for: Founders of AI-powered products or services at any stage who are operating (or planning to launch) before their legal paperwork is in place. Applies to any business accessible from the US or EU.
The problem
Most AI founders treat legal documents as a post-launch task. They are not. Running an AI product without the minimum legal stack is operating uninsured: you have real liability exposure from the first interaction a user has with your product. New regulations are being layered on faster than most founders realize. The penalty math ($500 to $1,500 per call for TCPA violations, $1,000 to $5,000 per violation under Illinois BIPA) means a single compliance miss can dwarf months of revenue.
The fix is not expensive. The four core documents can be assembled in under a week using lawyer-drafted templates. The risk of skipping them is not theoretical.
The 4-Document Minimum Legal Stack
Every AI product needs these four documents live before the first paying customer.
Document 1: Terms of Service (ToS)
The ToS is your primary liability shield. It establishes what your product does, what it does not do, how disputes are handled, and what users are agreeing to when they use it. For AI products specifically, the ToS must include:
- Output disclaimers: AI outputs may be inaccurate, incomplete, or inappropriate for any specific purpose. Users are responsible for reviewing and verifying outputs before acting on them.
- Acceptable use scope: Explicit prohibitions on using the AI for illegal activity, generating regulated content, or making high-stakes automated decisions (medical, legal, financial) without human review.
- Training data clause: Whether user inputs may be used to improve models, and how to opt out.
- Automated decision-making disclosure: If your AI makes or materially influences decisions about users, this must be disclosed and, in some jurisdictions, subject to human review rights.
Without a ToS, you have no agreed-upon framework for limiting liability when a user acts on AI output and suffers harm.
Document 2: Privacy Policy
Required the moment your website or product collects any personal data, including IP addresses, names, email addresses, or any information that could identify a person. Twenty US states now have active privacy laws; California's CCPA/CPRA carries penalties of up to $7,500 per intentional violation. The policy must cover:
- What data you collect and why
- How long you retain it
- Whether you share it with third parties (including your AI model provider)
- User rights: access, deletion, portability
- Cookie and tracking disclosure
For AI products, add a dedicated section on how user-provided data interacts with model training and inference.
Document 3: Acceptable Use Policy (AUP)
Separate from the ToS, the AUP defines what your product may and may not be used for. For AI products this matters because your product can be misused in ways that create liability for you even if you did not intend it. The AUP should:
- Enumerate prohibited uses explicitly (harassment, fraud, impersonation, generating illegal content, circumventing automated systems)
- Specify consequences for violations (account suspension, termination)
- Reserve your right to terminate access for misuse
The AUP is also your first line of defense if a user claims your product was used for something that caused harm to a third party.
Document 4: Data Processing Addendum (DPA)
Required before any enterprise deal, and increasingly expected by sophisticated SMB buyers. The DPA covers how you handle personal data on behalf of customers. It specifies:
- What data you process, on whose behalf, and for what purpose
- Sub-processor list (your AI model provider, cloud host, telephony provider, analytics tools)
- Data retention and deletion timelines
- Security obligations
- Breach notification procedures and timelines
The EU General Data Protection Regulation (GDPR) requires a DPA for any data processing involving EU residents. Even without EU customers, having a DPA in place signals enterprise readiness and unblocks deals that would otherwise stall at security review.
The EU AI Act: The Deadline You Cannot Ignore
On August 2, 2026, EU AI Act Article 50 takes effect for any AI product accessible from EU countries, regardless of where your business is incorporated. Article 50 requires disclosure that users are interacting with an AI system at the start of the interaction. This applies to chatbots, voice agents, and any AI system capable of generating text, images, audio, or video that a reasonable person might believe was human-generated.
Complying universally (disclosing AI on every interaction regardless of geography) eliminates per-state compliance tracking overhead. The alternative is maintaining separate flows for EU, Texas (SB 140), Colorado, and California users.
Universal AI disclosure is cheaper than tracking 12+ jurisdictions. One complaint costs more than the marginal conversion loss from disclosure across thousands of calls.
The SMS Trap: 10DLC and TCPA Exposure
If your AI product sends any SMS messages, you face two compliance layers that most founders miss:
10DLC registration: The major US carriers require all business SMS traffic to be registered through the 10-Digit Long Code (10DLC) system. Unregistered messages are filtered, blocked, or throttled, so your product simply stops working for new customers on certain carriers.
TCPA consent requirements: The Telephone Consumer Protection Act requires explicit written consent before sending any AI-generated or automated text messages. Willful violations cost $500 to $1,500 per message, with no cap on the total. Collecting consent at sign-up is the minimum; the stored consent records are your legal defense when a complaint arrives.
Both are solvable before launch with one day of implementation work. Neither is solvable quickly after a complaint has been filed.
When to use: Before launch or if you've launched without all four documents. Replace the bracket with a real description of your product. The output is a prioritized compliance gap list.
When to use: When building or updating your Privacy Policy. Fill in the brackets with your actual data collection practices. The output is a draft policy section, not legal advice. Have a lawyer review before publishing.
When to use: Before signing any contract with an AI vendor or model provider. Paste the actual contract. The output highlights AI-specific risk areas most standard contract reviews miss.
How to apply it
- Week 1, Documents: Use a lawyer-drafted template service (Termly, Iubenda, or Bonterms for the DPA) to generate your ToS, Privacy Policy, and AUP. Plan for $0 to $50/month in template service fees. Download the Bonterms DPA (free, widely accepted). Add your sub-processor list. Publish all four documents and link them from your signup flow, footer, and any point of data collection.
- Week 1, Disclosures: Add AI disclosure language to every customer-facing interaction: voice greeting, chat widget first message, email signature if AI-drafted. Add TCPA consent checkbox at any point where you collect a phone number.
- Week 2, SMS: Complete 10DLC brand and campaign registration with your SMS provider. This takes 1 to 3 business days if all business information is ready.
The one decision
The one decision this topic forces: universal AI disclosure vs. jurisdiction-specific flows.
Universal disclosure ("You are speaking with [business]'s AI assistant" on every interaction) eliminates the compliance tracking burden of monitoring 12+ state laws, EU regulations, and FCC rulings. The tradeoff is a potential minor effect on first-impression experience in markets that do not legally require it yet.
The penalty math strongly favors universal disclosure: $500 to $1,500 per TCPA violation, $5,000 per BIPA violation for Illinois voiceprint data. One complaint from a single customer costs more than the marginal conversion loss from disclosure across thousands of calls.