
legal-shield

Last updated: 2026-05-17

WSGR-grade legal document generator for SaaS/AI startups. Generates Terms of Service and Privacy Policy that maximize company rights and minimize liability.

Quick Install
npx skills add legal-shield

Legal Shield — WSGR-Grade Legal Document Generator

Philosophy

"The best terms of service read like boilerplate but function like a fortress."

This skill thinks like a Wilson Sonsini partner advising a YC-backed AI startup:

  • Maximize rights without sounding aggressive
  • Minimize liability without sounding unfair
  • Preserve optionality without making commitments
  • Sound standard while being maximally protective

How to Use

Mode 1: Full Generation (/legal-shield generate)

Generate complete Terms of Service + Privacy Policy from scratch.

Mode 2: Audit (/legal-shield audit)

Audit existing legal docs against the playbook — find gaps, missing clauses, over-commitments.

Mode 3: Competitor Analysis (/legal-shield compare )

Pull a competitor's terms/privacy, compare clause-by-clause, identify where they're weaker or stronger.

Mode 4: Codebase Scan (/legal-shield scan)

Scan the actual codebase to discover what data is collected, what third-party services are used, what cookies/tracking exist — then verify the privacy policy matches reality.


Execution Protocol

Step 1: Gather Context

REQUIRED INPUTS (ask user if not provided):
  • Company legal name (e.g., "HeyMall, Inc.")
  • Product name (e.g., "Tycoon")
  • What the product does (1-2 sentences)
  • Contact email for legal notices
  • Jurisdiction (default: Delaware)
  • Business model (subscription / usage-based / freemium / marketplace)

Step 2: Codebase Discovery (automatic)

Scan the codebase to discover:

# What data is collected
# (broad terms such as "name" and "address" match widely; review these hits by hand)
grep -rn "email\|password\|phone\|address\|name\|token\|cookie\|session\|auth" --include="*.ts" --include="*.tsx" --include="*.py" src/ app/ | head -50

# What third-party services are used (case-insensitive)
grep -rni "stripe\|posthog\|analytics\|sentry\|workos\|google\|facebook\|pixel\|gtag\|intercom\|zendesk\|hubspot\|slack\|twilio" --include="*.ts" --include="*.tsx" --include="*.py" src/ app/ | head -50

# What cookies/tracking exist
grep -rn "cookie\|localStorage\|sessionStorage\|tracking\|pixel\|gtag\|fbq\|analytics" --include="*.ts" --include="*.tsx" src/ app/ | head -30

# Auth mechanism
grep -rn "jwt\|session\|oauth\|auth\|signin\|login" --include="*.ts" --include="*.tsx" src/ app/ lib/ | head -30

# Payment/billing
grep -rn "stripe\|billing\|subscription\|payment\|invoice\|charge\|refund" --include="*.ts" --include="*.tsx" src/ app/ | head -30

# AI/ML model usage
grep -rn "openai\|anthropic\|claude\|bedrock\|gpt\|model\|llm\|embedding" --include="*.ts" --include="*.tsx" --include="*.py" src/ app/ | head -30

# File uploads / storage
grep -rn "upload\|s3\|r2\|cloudflare\|storage\|bucket\|blob" --include="*.ts" --include="*.tsx" src/ app/ | head -20
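The greps above only produce raw hits; the point of Step 2 (and of Mode 4) is to turn them into a data inventory and then check that inventory against what the privacy policy actually discloses. The script below is an added example, not part of the legal-shield skill: it runs the same kind of `--include` scan with correctly quoted globs, lists which third-party services appear in `.ts`/`.tsx`/`.py` files, and reports any that the privacy policy text never mentions. The service list, directory layout, and fixture files (a tiny codebase plus a policy that omits one vendor) are constructed for the example.

```shell
#!/bin/sh
# Added example (not the skill's own code): data-inventory scan for Step 2 / Mode 4.
# Everything below the function definitions is a constructed fixture.

# Third-party services to look for in source. Assumed list; extend per project.
SERVICES="stripe posthog sentry intercom twilio openai anthropic"

# Print each service name that appears (case-insensitive) in .ts/.tsx/.py files
# under DIR, one per line, sorted and unique. Globs are quoted so the shell does
# not expand them before grep sees them.
scan_services() {
  dir=$1
  for svc in $SERVICES; do
    if grep -rqi --include='*.ts' --include='*.tsx' --include='*.py' "$svc" "$dir"; then
      echo "$svc"
    fi
  done | sort -u
}

# Print services found in code under DIR that the privacy policy file POLICY
# does not mention at all (case-insensitive substring match). Anything printed
# is a disclosure gap between the policy and the running system.
undisclosed_services() {
  dir=$1
  policy=$2
  scan_services "$dir" | while read -r svc; do
    grep -qi "$svc" "$policy" || echo "$svc"
  done
}

# Build a constructed fixture: a small codebase plus a privacy policy that names
# two of the three vendors actually used. Prints the fixture root directory.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/src" "$root/docs"
  cat > "$root/src/billing.ts" <<'EOF'
import Stripe from "stripe";          // payment processor
export const stripe = new Stripe(process.env.STRIPE_KEY ?? "");
EOF
  cat > "$root/src/analytics.tsx" <<'EOF'
import posthog from "posthog-js";     // product analytics
posthog.init("phc_constructed_key");  // constructed placeholder, not a real key
EOF
  cat > "$root/src/llm.py" <<'EOF'
from anthropic import Anthropic   # LLM provider
client = Anthropic()
EOF
  # Mentioned only in a README, which the include globs deliberately skip.
  cat > "$root/README.md" <<'EOF'
Error tracking via sentry is planned but not wired up in src/.
EOF
  cat > "$root/docs/privacy.md" <<'EOF'
We share data with sub-processors including Stripe (payments) and Anthropic (model inference).
EOF
  echo "$root"
}

# Usage:
#   sh scan.sh --demo                         run against the constructed fixture
#   sh scan.sh <code-dir> <privacy-policy>    report undisclosed services for a real tree
case "${1:-}" in
  --demo)
    root=$(make_fixture)
    echo "services found in code:"
    scan_services "$root/src"
    echo "services not disclosed in the privacy policy:"
    undisclosed_services "$root/src" "$root/docs/privacy.md"
    rm -rf "$root"
    ;;
  "") : ;;
  *) undisclosed_services "$1" "$2" ;;
esac
```

On the fixture, `scan_services` finds `anthropic`, `posthog` and `stripe` (the README's `sentry` is ignored because only `.ts`, `.tsx` and `.py` files are scanned), and `undisclosed_services` reports `posthog`, the vendor the policy omits. A real audit would pair this with the data-field and cookie greps from Step 2 in the same way: anything the code does that the policy does not describe is the gap to close.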

Step 3: Competitor Research (if URL provided or competitors known)

For each competitor:
  1. Fetch their /terms and /privacy pages
  2. Extract section headings
  3. Identify: license grant scope, liability cap, refund policy, data usage rights, termination conditions, indemnification scope
  4. Note what they DON'T cover (gaps = our advantage)

Step 4: Generate Documents

Apply the WSGR Playbook (below) to generate Terms + Privacy that:

  • Cover everything the codebase actually does
  • Are at least as protective as the strongest competitor
  • Follow the 7 Cardinal Rules

The WSGR Playbook — 7 Cardinal Rules

Rule 1: License Grant = Maximum Breadth, Minimum Attention

Pattern (from Anthropic, OpenAI, Notion, Figma):
"You grant [Company] a non-exclusive, worldwide, royalty-free, sublicensable,
transferable, irrevocable, and perpetual license to use, host, store, reproduce,
modify, create derivative works from, communicate, publish, publicly display,
and distribute Your Content for any purpose related to operating, providing,
improving, developing, and promoting the Service and our business."
Key adjectives that must be present:
  • irrevocable — user can't revoke after the fact
  • perpetual — survives account deletion
  • sublicensable — we can sub-license to partners/acquirers
  • transferable — survives M&A
  • create derivative works — covers model training without saying "training"
Anti-pattern to AVOID:
  • Never call it "AI training" in a heading
  • Never use a highlighted callout box for data usage
  • Never say "we sell your data" (even if de-identified data is monetizable)
Smart phrasing:
  • "improve, develop, and promote the Service and our business"
  • "any lawful commercial purpose" (covers everything)
  • "de-identified data is not Your Content" (legal firewall)

Rule 2: Derived Data = Ours, Forever

The key clause every WSGR lawyer insists on:
"We may create de-identified, aggregated, statistical, or otherwise anonymized
data from Your Content or your use of the Service ('Derived Data'). Once data
has been de-identified, it is no longer personal information. We own all Derived
Data and may use, retain, disclose, and commercialize it for any lawful purpose
without restriction or obligation to you."
Why this matters:
  • Raw user data = regulated, risky
  • Derived Data = yours, free to monetize
  • The moment data is de-identified, it exits privacy law
  • "Derived Data is not Your Content" = legal firewall

Rule 3: AI Output = No Guarantees, No Liability

"AI-generated output may be incorrect, incomplete, or inappropriate.
You assume all risk arising from your use of and reliance on the Service
and its outputs. We do not warrant that any results obtained from the
Service will be accurate or reliable."
Must explicitly disclaim:
  • Accuracy of AI output
  • Results of agent actions
  • That agents will achieve intended results
  • Professional advice (legal, financial, tax, medical)

Rule 4: Liability Cap = Minimum Defensible

WSGR standard for early-stage SaaS:
"Our total liability will not exceed the lesser of (a) amounts paid in the
three (3) months preceding the claim, or (b) $100 USD."
Why "lesser of" not "greater of":
  • "Greater of" = at least $100 even if they paid $0
  • "Lesser of" = could be $0 if they're on a free plan
  • Anthropic uses "greater of $100" — we go tighter
Must also exclude:
  • Indirect, incidental, special, consequential, punitive damages
  • Loss of profits, revenue, data, business opportunity, goodwill
  • Agent actions and third-party fees
  • AI output decisions

Rule 5: No Refunds, Period

"All fees are non-refundable. Once credits, tokens, or usage-based
resources have been consumed or allocated, they are deemed fully used
and are non-refundable under any circumstances."
The "consumed = done" doctrine:
  • Token consumed = service delivered = no refund
  • Credit purchased = allocated = no refund
  • Subscription started = period committed = no refund for partial
  • "Regardless of the reason for cancellation — including dissatisfaction"

Rule 6: Termination = We Can, Anytime, No Reason

"We may suspend, limit, or terminate your access at any time, for any
reason or no reason, with or without notice."
Must also include:
  • User remains liable for all fees pre-termination
  • License grant survives termination (for de-identified data)
  • Indemnification survives termination
  • Disclaimer/liability sections survive termination

Rule 7: Indemnification = User Covers Everything

"You agree to indemnify, defend, and hold harmless [Company] from any
claims arising out of: your use of the Service, Your Content, agent
actions under your account, your violation of these Terms, and your
violation of any third-party rights."
Must cover:
  • Agent actions on user's behalf
  • Third-party disputes from AI output
  • Communications sent by agents
  • The user's own negligence

Privacy Policy Playbook

What to Cover (in order)

  1. Who This Applies To — scope
  2. What We Collect — be comprehensive (shows transparency)
  3. How We Use Your Information — standard purposes + "improve our technology"
  4. Service Improvement and Derived Data — the key section (NOT called "AI Training")
  5. Who We Share Data With — sub-processors, not "selling"
  6. Data Retention — keep de-identified data forever
  7. Security — standard practices + breach notification (72hr for GDPR)
  8. Cookies and Tracking — minimal
  9. Your Rights and Choices — GDPR/CCPA rights (must have)
  10. Children — 18+ only
  11. International Users — SCCs for EU/UK
  12. Changes — 14-day notice
  13. Contact — email

Privacy Anti-Patterns to AVOID

  • Never have a section called "AI Training" or "How We Train Our Models"
  • Never use highlighted/colored boxes for data usage clauses
  • Never promise "we will never sell your data" (de-identified data sale is different)
  • Never promise specific opt-out mechanisms you might not implement
  • Instead of "opt out of AI training" → "contact us to discuss available options"

Privacy Power Moves

  • "De-identified data is no longer personal information" — exits privacy law
  • "Derived Data is not Your Content" — we own it
  • "For any lawful purpose without restriction" — maximum optionality
  • "This right is perpetual and survives termination" — forever
  • List many specific things you collect (shows transparency, builds trust)
  • Legal basis section (GDPR compliance) reads as "we thought about this"

Competitor Analysis Checklist

When comparing with a competitor, check these 12 dimensions:

| # | Dimension | What to Look For |
| --- | --- | --- |
| 1 | License grant scope | How many adjectives? Perpetual? Sublicensable? Transferable? |
| 2 | Derived Data ownership | Do they explicitly own it? Can they commercialize? |
| 3 | AI output disclaimer | Do they disclaim accuracy? Agent results? |
| 4 | Liability cap | Dollar amount or formula? "Lesser of" or "greater of"? |
| 5 | Refund policy | Any exceptions? Token/credit refundability? |
| 6 | Termination rights | Can they terminate without cause? Without notice? |
| 7 | Indemnification scope | Does it cover agent actions? Third-party disputes? |
| 8 | Data training rights | Explicit or buried? Opt-out available? |
| 9 | Warranty disclaimer | How comprehensive? AI-specific disclaimers? |
| 10 | Survival clauses | What survives termination? |
| 11 | Dispute resolution | Arbitration? Class action waiver? Jury waiver? |
| 12 | Gaps | What's NOT covered that should be? |
Score each dimension 1-5:
  • 1 = Missing or user-favorable
  • 3 = Industry standard
  • 5 = Maximum company protection
Target: Average score >= 4.0

Output Format

When generating or auditing, produce:

For Terms of Service:

1. JSX/TSX page component (ready to drop into Next.js app router)
  1. Uses the project's existing design system (check globals.css, layout)
  2. All sections numbered, with proper HTML entities for quotes
  3. Variables for COMPANY, EMAIL, EFFECTIVE_DATE at top
  4. Responsive layout matching existing terms/privacy pages

For Privacy Policy:

Same format as Terms. Must reference Terms sections by number where relevant.

For Audit Report:

## Legal Shield Audit Report

Overall Score: X/60 (12 dimensions x 5 points each)

Strengths

  • ...

Critical Gaps

  • ...

Recommended Changes (by priority)

  1. [P0] ...
  2. [P1] ...

Competitor Comparison Matrix

| Dimension | Us | Competitor A | Competitor B |

Reference: What the Best Companies Do

Anthropic (Claude)

  • Assigns output IP to user (rare, generous)
  • BUT retains right to use Materials for model training (unless opt-out)
  • Feedback = always trainable, no opt-out
  • Liability cap: greater of $100 or fees paid
  • All payments non-refundable

OpenAI

  • User owns input and output
  • BUT broad license for "improving services"
  • Business terms have broader data usage rights than consumer terms
  • Liability cap: fees paid in prior 12 months

Notion

  • Broad license grant for "operating and improving"
  • Derived/aggregated data = theirs
  • Standard SaaS liability cap

Pattern: The best companies all do the same thing — they give users "ownership" of raw content while retaining maximum rights over derived/aggregated/de-identified data. This reads as fair while preserving all commercial optionality.