The single most common reason Product Hunt and Google de-rank an indie launch is missing or boilerplate legal pages. Here's the minimum that actually works.
## The two must-have pages
1. Privacy Policy. Required if you collect any data (including IP addresses via analytics). Must describe: what data you collect, why, who sees it, how users can access/delete it, your contact for privacy questions.
2. Terms of Service. Required if users agree to anything (using your site counts). Must describe: what the service is, what's allowed/not, liability limits, jurisdiction, how the terms can change.
## Generators that are actually usable
Free options with reasonable output: Termly, Iubenda free tier, Shopify's free generator (general enough). Paid-but-cheap: $50-100 one-time for Genie AI, RocketLawyer templates. Skip: AI-generated policies that don't reference any specific law (Google flags these).
## Common indie mistakes
- Listing services you don't use. If you don't use Mailchimp, don't mention it. - Generic jurisdiction. "United States" is not a jurisdiction. Pick your state (Delaware if incorporated, California if you're physically there). - Missing contact method. Your privacy policy needs a reachable email. choppy.young@gmail.com counts, but a domain email is better. - No update date. "Last updated" is a trust signal and required in most regimes. - Hiding ToS acceptance. If payment is involved, you need an affirmative "I agree" at signup, not just a footer link.
## Cookie banner — when you actually need it
EU users, UK users, California residents. If you have any of those AND you use any non-essential cookies (including GA4 by default), you need a cookie banner. Free option: Cookiebot free tier, or open-source like cookieconsent.js.
You do NOT need a cookie banner if: - You serve only US non-California users AND - You only use strictly necessary cookies (session, CSRF)
In practice, most indie sites serving a global audience should just install a lightweight banner.
## The launch-day minimum
Before the launch post goes up, confirm: - /privacy and /terms URLs return real content - Both are linked from the footer of every page - A contact email is reachable - If you have EU/UK traffic, a cookie banner is live - If you charge money, your ToS mentions refund policy and jurisdiction
Everything else (DMCA, cookie policy as separate page, acceptable use policy) is week-4+ work.