No Brazilian law is titled "Terms of Service Act." But three pieces of legislation together create obligations that effectively require a terms of service document for any SaaS operating in Brazil: the Marco Civil da Internet (Law 12,965/2014), the Consumer Protection Code (CDC — Law 8,078/1990), and the LGPD (Law 13,709/2018).

Understanding which rules apply — and which clauses are legally void even if users click "accept" — is essential before publishing your terms.

Marco Civil da Internet establishes user rights in digital services and the liability rules for application providers (Art. 19 and following). It requires that service contracts be clear about privacy policies, data retention, and user rights — and voids clauses that violate those rights.

Consumer Protection Code (CDC) applies whenever one party is a consumer (end user). It voids abusive clauses (Art. 51), requires that contract terms be legible and prominently disclosed (Art. 46), and imposes strict liability for product/service defects regardless of what the terms say.

LGPD requires a separate privacy policy (or clearly distinct section) governing personal data collection and processing. The terms of service and privacy policy serve different legal functions and should not be merged into a single undifferentiated document.

What Must Be in Your Terms

  • Service description: What the product does, what it does not do, and what is excluded from your commitment.
  • Account and access: How accounts are created, authentication, shared access rules, what happens to data when an account is deleted.
  • Acceptable use: Prohibited uses, content standards (for user-generated platforms), consequences of violations.
  • Intellectual property: Who owns the platform IP, who owns user data and content, and what license the user grants the platform (if any).
  • Payment and billing: Pricing, billing cycle, failed payment handling, refund policy (if applicable).
  • SLA: For B2B SaaS, define uptime commitments, scheduled maintenance windows, and what the remedy is for breaches.
  • Suspension and termination: What triggers suspension, the process for termination, what happens to user data after account closure.
  • Governing law and jurisdiction: Brazilian law and the chosen court. For B2B, consider an arbitration clause.

What Is Legally Void Even If Users Accept

The CDC Art. 51 voids specific types of clauses, including those that:

  • Limit or extinguish the supplier's liability for defects or harms caused to the consumer;
  • Impose disproportionate obligations on the consumer;
  • Require the consumer to waive rights guaranteed by law;
  • Allow the supplier to modify the contract unilaterally to the consumer's detriment.

These rules apply to B2C SaaS. For B2B contracts between companies (no consumer relationship), liability limitation clauses are generally valid and enforceable.

Limitation of Liability: B2B vs. B2C

B2B: You can limit your liability to the amount paid in the last 12 months, exclude consequential damages, and cap total liability. These clauses routinely survive scrutiny between companies.

B2C: Clauses that eliminate or substantially limit your liability for service defects are void under the CDC — regardless of what the user accepted. You can limit liability in scope and manner, but you cannot disclaim responsibility for failing to deliver the core service you promised.

One Common Mistake: Merging Terms and Privacy Policy

Burying LGPD-required privacy disclosures inside a long "Terms of Service and Privacy Policy" document may technically satisfy the letter of the law in some readings, but creates practical problems. Users cannot locate their data rights. Regulators may take a dim view of disclosure by dilution. Keep them separate — or use a clearly labeled, visually distinct section.

FAQ

Are terms of service legally required for a SaaS in Brazil?

No single law explicitly requires 'terms of service'. But the Marco Civil Internet Act, the Consumer Protection Code (CDC), and the LGPD together create obligations that can only be fulfilled through a terms document — making them effectively indispensable in practice.

What must SaaS terms of service include in Brazil?

Service description, account and access conditions, acceptable use policy, intellectual property (company's and user's), liability for third-party content, billing and cancellation, SLA (for B2B), suspension and termination conditions, and governing law and jurisdiction.

Can I limit my liability in terms of service?

In B2B contracts, liability limitation clauses are broadly valid. In consumer (B2C) contracts, the CDC (Art. 51) voids clauses that limit consumer rights or exclude supplier liability for damages caused — even if the user clicked 'accept'.

Are terms of service and a privacy policy the same document?

No. Terms of service govern the contractual relationship (what you can and cannot do on the platform). A privacy policy governs how personal data is collected, processed, and shared — required by the LGPD. They must be separate documents or clearly distinguished sections.

What does the Marco Civil Internet Act require in terms of service?

The Marco Civil (Law 12,965/2014) requires that user contracts be clear about usage policies and that clauses violating user privacy and rights are void. Application providers must retain connection logs for a specified period and are liable for damages caused by their own content.

Do terms of service protect against consumer lawsuits?

Partially. Well-drafted terms help define liability and set expectations, but they do not eliminate legal obligations. A consumer can challenge any clause deemed abusive under the CDC, regardless of having clicked 'accept'.

// PRACTICE AREA
Digital ContractsCustom contracts for digital products, creators, and licensing in Brazil.Data Protection & PrivacyLGPD compliance, legal bases, and ANPD liaison for foreign businesses.
Monika Hosaki
Author
Monika Hosaki

Managing Partner and founder of Hosaki Advogados. Practice in intellectual property, digital law, and creator economy.