Website Launch Qs

Daawaa

Hi all

I am hoping to get some use cases and advice from devs on here who may have knowledge on this particular area of launching a website. I plan to investigate the topics below thoroughly (before launch), but I was hoping to get some advice from people who have had first-hand experience first.

I'm a software developer and I have been building a web app (React +Django(REST)) for the past few weeks - still a WIP concept. It will be a SaaS website. I have a placeholder domain name and will host it on Heroku. It will be a freemium service initially.

My questions/concerns on this project are on the legalities/gotchas of launching such a website and they are:

• Users: Visitors to the site can sign up for free (initially - plans for pricing after PoC) where they will give basic details such as email/name/etc. After signup they can continue to put in additional personal data as part of the web application. This information will be stored on PostgresDB on a separate host. What are the core areas of compliance to be aware of here RE storing this information(GDPR etc.) on such a freemium site? Would a tailored privacy policy and T&C confirmation on user signup be sufficient cover here? Is there legislation that details how to launch/operate a website that stores user information etc. from signup?
• Website Company: Services like Heroku/AWS allows anyone to launch such a site in minutes, where users can sign up to use the website. My question on this is; is there a requirement for such a site to have a registered limited company as the backdrop to the site? I have already registered as a sole trader to provide software dev services (totally separate to this SaaS site). I have also registered a business name with CORE (different to my personal name). Is this sufficient or would the registration of a PLC to be advisable/beneficial here or does this matter greatly? 
• Development/Partners: This is a general query I had in relation to development of a new SaaS website. What is the best practice to protect IP, when approaching potential business partners, investors, hires, advisors etc.? Is it advisable to get NDAs drafted/signed up every time you want to initially discuss your idea with others? 

I would love to hear any advice and stories you guys could provide on any points above and indeed if there is anything else to be aware of - let me know! 
Furthermore, if anyone has suggestions to the best source of information on this particular topic or link me to an individual/organisation that provides services in this area I would be very grateful.

Thank you and be safe!

Talisman

What data are you storing exactly? How are you protecting it? The answers to those questions determine your liability before you run the gauntlet of charging people money for the service.

The idea of using a company to front the website is to limit your own liability, as a sole trader you personally would be on the hook in the event of anything going wrong.

Daawaa

Hi Talisman

What data are you storing exactly? How are you protecting it?

To give a ballpark idea of the concept - It is a buy/sell type of web app. The user data being stored would be somewhat similar to the type of data that users upload to adverts.ie - user logins (email) and uploaded items for sale etc.

At the moment Im using a JWT authentication system in user sign up - Im aiming to add AuthO eventually and trial this(free plan allows for 7000 users with unlimited logins)

Using a custom user model in django, with associated user data connected via ForeignKey models. Stored in a Postgres DB.

Talisman

For the purpose of GDPR you need to document how you thought about the consequences of the database potentially being stolen and how secure the data needed to be.

If you are only capturing the email address then you have to decide whether or not that piece of information is essential to the users. If it is then you would need increase its security - don't leave it as plain text in the database.

Essentially that's GDPR covered in your happy path use case.

What liability do you have if a person perpetrates a crime using the service?

amen

Talisman wrote: »

What data are you storing exactly? How are you protecting it? The answers to those questions determine your liability before you run the gauntlet of charging people money for the service.

The idea of using a company to front the website is to limit your own liability, as a sole trader you personally would be on the hook in the event of anything going wrong.

Even as a director of Limited Company he may still be liable.

Daawaa

Thanks for that additional info on GDPR and the suggestion for plain text emails in the DB! Something I didn't have previous but found a few alt solutions to manage this.

Talisman wrote: »

What liability do you have if a person perpetrates a crime using the service?

I don't see this as an issue based on the type of web app it is - ( that ballpark idea of it being a buy/sell site was a rough example)