Every SaaS company rolling out AI-powered features faces a legal question that did not exist five years ago: do your terms of service actually cover what your AI does?
Standard terms of service agreements were written for a world where software behaved predictably. Users input data, the software processed it according to defined rules, and the output was deterministic. Generative AI breaks that model. Your product now creates content, makes recommendations, generates code, or produces analysis that varies with every use. The outputs are probabilistic, not guaranteed. And if those outputs cause harm, infringe someone’s intellectual property, or violate a regulation your customer relies on, your existing terms may leave you exposed.
The EU AI Act takes effect for high-risk systems in August 2026. The FTC has sharpened its enforcement on deceptive AI practices. At least 20 US states now have comprehensive privacy laws that intersect with how AI processes personal data. If your SaaS product uses AI and your terms of service have not been rewritten to address it, you are operating with a legal gap that grows more dangerous every month.
1. Define What Your AI Actually Does
Your terms must include a clear, functional description of the AI features within your product. This is not a marketing paragraph. It should explain what type of AI your product uses (large language model, machine learning classifier, recommendation engine, generative model), what the AI does with user inputs, and what form the outputs take.
Under Article 50 of the EU AI Act, providers of AI systems that interact directly with users must disclose that the user is interacting with an AI system. If your SaaS product includes a chatbot, content generator, or automated decision-making tool, that disclosure must appear before or at the point of interaction.
A vague description like “our platform uses AI to enhance your experience” is not sufficient. Specify the function: “Our platform uses a large language model to generate draft contract summaries based on text you upload. These summaries are machine-generated and require human review before use.”
2. Clarify Who Owns the AI-Generated Output
Intellectual property ownership for AI-generated content is one of the most contested areas of technology law in 2026. The U.S. Copyright Office has maintained its position that works generated entirely by AI without meaningful human authorship are not eligible for copyright registration. This means your customers may not be able to claim copyright protection over outputs your AI produces for them.
Your terms of service should address three questions directly. First, does the customer own the output? Second, does your company retain any license to use, store, or learn from the output? Third, can the same or similar output be generated for other customers?
If your AI can produce identical or substantially similar outputs for multiple users, your terms need to disclose that. Promising exclusive ownership of non-exclusive outputs creates a misrepresentation risk that the FTC and state attorneys general can act on.
A SaaS agreement lawyer can draft IP provisions that accurately reflect how your AI model generates and distributes outputs without overpromising exclusivity your technology cannot deliver.
3. Address Data Usage and Model Training
This is where most AI terms of service fail. Customers want to know whether their data will be used to train or improve your AI model, and generic language about “improving our services” is no longer legally adequate.
Under the California Consumer Privacy Act (CCPA) as amended by the CPRA, consumers have the right to know how their personal information is used, including for automated decision-making. The EU’s General Data Protection Regulation (GDPR) requires a lawful basis for processing personal data, and using customer data to train AI models requires either explicit consent or a legitimate interest assessment.
Your terms should state clearly whether user inputs are used for model training, whether users can opt out of model training, how data is anonymized or aggregated before use, and what happens to user data when the subscription ends.
If your product processes data from EU users, the EU AI Act adds transparency requirements on top of GDPR obligations. Your privacy policy must align with your terms of service on these points. Contradictions between the two documents create enforcement risk.
4. Limit Liability for AI Outputs
Generative AI produces outputs that are probabilistic. Your model may generate inaccurate information, produce content that inadvertently infringes a third party’s copyright, or make a recommendation that causes a business loss. Your terms of service must account for this.
A well-drafted limitation of liability clause for AI features should include a disclaimer that AI outputs are not guaranteed to be accurate, complete, or error-free. It should state that the customer is responsible for reviewing and verifying any AI-generated output before acting on it. It should disclaim liability for business decisions made in reliance on AI outputs without independent verification. And it should separate the liability cap for AI-related claims from your general liability cap if the risk profile warrants it.
Without these provisions, a customer who relies on your AI’s output to draft a contract, calculate a financial figure, or make a compliance determination could hold you liable for the consequences of an inaccurate result. For guidance on structuring liability provisions in SaaS agreements, review our analysis of limitation of liability clauses.
5. Include Acceptable Use Policies for AI Features
Your AI features can be misused. Customers may use your generative AI to create content that infringes third-party IP, to generate deepfakes, to produce discriminatory outputs, or to violate regulations. Your terms must define what constitutes acceptable use and what is prohibited.
An acceptable use policy for AI should prohibit using your AI to generate content that violates applicable law, inputting personal data of third parties without proper consent, using outputs in regulated contexts (healthcare, legal, financial) without professional review, and attempting to reverse-engineer, extract, or replicate your AI model.
The FTC has signaled that companies can be held liable for foreseeable misuse of their AI tools if they fail to implement reasonable safeguards. Including clear acceptable use terms is both a contractual protection and a regulatory compliance measure.
6. Plan for Regulatory Change
AI regulation is moving fast. The EU AI Act’s high-risk system requirements take full effect in August 2026. Multiple US states are introducing AI-specific legislation. The FTC continues to issue guidance on deceptive AI practices. Your terms of service need a mechanism to adapt.
Include a modification clause that allows you to update your AI-related terms as regulations evolve, with reasonable notice to customers. Specify the notice period (30 days is standard for material changes), the method of notice (email to the account holder), and what happens if the customer does not accept the updated terms (termination with prorated refund, continued use on prior terms through the current billing cycle, etc.).
A rigid terms of service agreement that cannot adapt to regulatory changes puts your business at risk of non-compliance. A technology lawyer who specializes in SaaS and AI can structure modification clauses that protect your flexibility while maintaining enforceability.
7. Disclose Third-Party AI Providers
Many SaaS companies do not build their own AI models. They integrate third-party models from providers like OpenAI, Anthropic, Google, or open-source alternatives. If your product relies on a third-party AI provider, your terms of service must disclose that.
Your customers need to know that a third party may process their data, that the third party’s terms and limitations apply in addition to yours, and that you may not control how the third-party model handles inputs or generates outputs. Failure to disclose third-party AI processing can violate GDPR’s data controller and processor requirements, CCPA’s service provider provisions, and FTC guidelines on material omissions.
Frequently Asked Questions
Do I need separate terms of service for AI features, or can I add them to my existing agreement?
You can add AI-specific provisions to your existing terms of service, but they need their own dedicated sections. AI features raise distinct issues around output ownership, data training, liability, and regulatory compliance that general SaaS terms do not cover. A standalone AI addendum is another option, especially if your AI features are optional or separately priced.
Can my customers copyright the content my AI generates for them?
Under current U.S. Copyright Office guidance, works generated entirely by AI without meaningful human authorship are not eligible for copyright registration. If your customer substantially modifies, curates, or directs the AI output with specific creative input, they may have a stronger claim. Your terms should clarify that you make no representations about the copyrightability of AI-generated outputs.
Does the EU AI Act apply to my US-based SaaS company?
Yes, if your AI system is used by or affects people in the EU. The EU AI Act has extraterritorial reach, similar to GDPR. If your SaaS product is accessible to EU customers and includes AI features, you must comply with applicable transparency, disclosure, and risk assessment requirements by August 2026.
What happens if my AI generates content that infringes someone’s copyright?
Your liability depends on your terms of service, the applicable jurisdiction, and whether you took reasonable steps to prevent infringement. Without a clear disclaimer and indemnification framework, you could face direct or contributory infringement claims. Your terms should require customers to verify outputs for potential IP conflicts and include indemnification provisions that allocate this risk appropriately.
How often should I update my AI terms of service?
Review your AI-related terms at least quarterly in 2026, given the pace of regulatory change. Any time you add a new AI feature, change your AI provider, modify how you handle training data, or become subject to a new regulation, your terms should be updated to reflect the change.
If your SaaS product includes AI features and your terms of service were written before generative AI entered the picture, those terms have gaps that expose your business to regulatory, IP, and liability risk. Contact Hansen Tong at TOS Lawyer for a review of your AI-related agreements by a technology lawyer who understands both the legal requirements and the technical reality of how these products work.
