I suppose it depends on your product really; if you're storing credit card numbers you'll need to think about what you are responsible for legally, which can change from state to state. That being said, if you're doing some kind of social app I wouldn't be too worried about the legal stuff. I would write up something that tells the user you're going to do your best to keep their data safe and available but you can't promise 99.9% uptime or anything. I think a well-written paragraph telling the users what they should expect, and what they will have to agree to, will go a lot further than pages of legalese.
When you accept money you're establishing a contract, so you'll want to limit liability to just getting their money back. You'll want to establish what courts might be used for dispute resolution. You'll need to be explicit about any behaviors that would result in you terminating their service without refunding their money.
Your users agree to certain obligations as part of the contract; you should too. Make privacy a contractual obligation on your part, not just a policy.
Sounds like a bad plan to make privacy a contractual obligation, because then you're undertaking a legal obligation not to have your server hacked. No one who understands servers would do that.
ourdoings.com "Agrees not to use or disclose your personal information, or the personal information of others who use your site, without permission for any purpose other than providing and improving this service, except as required by law."
If someone breaks into the datacenter and physically steals the server (a more realistic scenario than the server being hacked) I don't think that would count as "disclosing". But I'm in Massachusetts where courts seem to have a higher-than-average degree of common sense.