Common Legal Mistakes in AI SaaS Terms for New Zealand Businesses

By Alex Solo

Many New Zealand businesses sign AI software subscriptions too quickly, then discover the real risk sits in the fine print. The most common mistakes are assuming the provider does not use your data to train models, accepting broad limits of liability that leave you carrying the loss, and relying on sales promises that never make it into the contract. Another common issue is missing how the terms deal with privacy, accuracy, and service changes.

If you are comparing an AI SaaS platform for customer support, drafting, analytics, automation, or internal productivity, your contract matters just as much as the product demo. The legal terms set out who owns outputs, who is responsible for errors, what happens if the tool goes down, and whether your business can safely use it with customer or employee information. Here’s what New Zealand businesses should look for in AI SaaS terms before they sign.

Overview

AI SaaS terms often look like standard software terms, but they usually include extra provisions around data use, model training, output accuracy, acceptable use, and changing functionality. For New Zealand businesses, the main legal question is not only whether the tool works, but whether the contract fairly allocates risk and fits your privacy and customer obligations.

  • who can use your inputs and outputs, including for model training or service improvement
  • whether the provider gives any promises about uptime, security, accuracy, or support
  • how liability caps, exclusions, and indemnities shift risk back onto your business
  • whether personal information can be processed lawfully under the Privacy Act 2020
  • what happens if the provider changes the product, suspends access, or terminates the account
  • whether important sales statements are actually written into the agreement

What AI SaaS Terms Mean For New Zealand Businesses

AI SaaS terms are the contract rules that apply when your business uses a cloud-based AI product, and they often reach much further than a normal software subscription. They can affect your customer data, internal processes, intellectual property, compliance position, and commercial risk.

Most founders first see these terms as a click-through agreement or order form. That can make them look routine. In practice, they may include unusual clauses about machine learning models, generated content, automated decision-making, security incidents, and rights to change the service without much notice.

Why these terms matter more than a normal software contract

Traditional SaaS contracts usually focus on access to software, payment, support, data storage, and basic liability settings. AI products add extra uncertainty because the output may be incorrect, biased, incomplete, or unsuitable for your use case even when the service is operating as designed.

That matters if your team plans to use the tool for customer-facing content, legal or HR support, code generation, document review, credit decisions, pricing suggestions, or anything else with real business consequences. If an employee treats AI output as reliable and your contract says the provider gives no warranties at all, your business may wear the consequences.

New Zealand businesses also need to read AI SaaS terms through a local legal lens. A provider may be based overseas, but your business still has local obligations when handling personal information, dealing with customers, advertising what your systems can do, and managing commercial risk.

Depending on how you use the tool, the following may be relevant:

  • the Privacy Act 2020, especially around collection, use, storage, access, and overseas disclosure of personal information
  • the Fair Trading Act 1986, particularly if AI-assisted claims or outputs could mislead customers or markets
  • your own contracts with customers, suppliers, and employees, which may limit outsourcing or offshore data handling
  • intellectual property issues, especially if the platform uses your content, confidential information, or brand materials

This is where founders often get caught. The provider's standard terms may say one thing, while your promises to customers or your internal compliance settings require something stricter.

Where AI SaaS terms usually appear

Before you sign, check which documents actually form the contract. It is common for the legal deal to be split across several places:

  • an order form or proposal
  • online terms of service
  • a privacy notice or data processing schedule
  • service level terms
  • acceptable use policies
  • security documentation
  • product-specific AI policies

If your team only reviews the pricing page and the order form, you can miss the clauses that really matter. A supplier may reserve the right to update online terms unilaterally, and those updates can change data use rights, model training permissions, or liability settings after the contract starts.

Before you accept the provider's standard terms, confirm exactly what data the AI tool will receive, what rights the provider gets over that data, and what legal risk remains with your business. Those three points usually drive most of the real commercial exposure.

Data use and model training

The first issue is whether your prompts, uploads, and outputs can be used to train the provider's models or improve its services. Some providers allow an opt out. Others treat business data as fair game unless a higher-tier enterprise agreement says otherwise.

Check the contract for clauses dealing with:

  • customer content
  • inputs and prompts
  • generated outputs
  • usage data, telemetry, or analytics
  • service improvement and machine learning training
  • de-identification or aggregation

If your staff will input customer names, support tickets, contracts, financial records, employee data, or confidential business material, this point matters immediately. A broad licence to use your content may not fit your privacy obligations or your confidentiality commitments to clients.

Privacy Act compliance

If personal information will go into the system, your business needs a lawful and practical way to use the tool. The provider's contract cannot remove your responsibilities under New Zealand privacy law.

Before you sign, think about:

  • whether the tool really needs personal information to perform the task
  • where the data is stored or accessed, including overseas cloud infrastructure
  • whether the provider uses subprocessors
  • what security commitments are actually written into the contract
  • how data can be deleted, exported, corrected, or accessed
  • whether your own privacy disclosures or privacy notice need updating

Founders often assume a provider's generic privacy statement is enough. It usually is not. You may need clearer internal rules about what staff can upload, when data must be anonymised, and which business functions should not use the tool at all.

Output ownership and IP risk

The next issue is who owns the AI-generated output and whether you can use it safely. Some contracts say you own your output, but that promise may be limited, non-exclusive, or subject to the provider's rights in the underlying models and training systems.

You should check:

  • whether the contract assigns or licenses output to you
  • whether similar outputs can be generated for other users
  • whether the provider gives any protection if output infringes someone else's rights
  • whether your own uploaded materials remain yours
  • whether the provider can retain and reuse your content after termination

This matters most where your team will publish generated content, build customer deliverables, create marketing copy, draft code, or generate product assets. If the terms say the provider does not guarantee non-infringement and gives no meaningful indemnity, your business may bear that IP risk.

Liability caps and exclusions

The main risk in many AI SaaS terms is that the provider charges a modest subscription fee but excludes almost all meaningful liability. That can leave your business exposed if the tool produces harmful errors, leaks data, or causes downtime.

Look closely at:

  • the overall liability cap, especially if it is limited to fees paid in the last month or year
  • excluded loss categories, such as indirect loss, lost profits, or data loss
  • whether privacy breaches, confidentiality breaches, or IP claims are carved out differently
  • whether the provider disclaims warranties for accuracy, fitness for purpose, and uninterrupted access
  • whether your business gives broader indemnities to the provider than it gives to you

There is no single right position, but the allocation should make commercial sense. If the tool will sit inside a critical workflow, a low cap combined with wide disclaimers and one-sided liability clauses may be unacceptable.

Service changes, suspension, and termination

AI products change quickly, and many providers reserve broad rights to alter features, usage limits, or technical settings. A tool you buy for one capability may look different six months later.

Before you rely on a verbal promise, make sure the contract covers:

  • what features are committed versus merely described in marketing material
  • how much notice is required for material changes
  • whether the provider can suspend access for suspected misuse
  • what termination rights each side has
  • how long you have to retrieve your data after termination

If your operations depend on the service, these points can be as important as price.

Common Mistakes With AI SaaS Terms

Most legal problems with AI SaaS terms come from treating them as ordinary software paperwork when the product is doing much more. The mistakes below are the ones we see businesses make most often before they sign.

1. Accepting the default data licence without reading it

A common mistake is assuming your data stays yours and that is the end of the story. Ownership is only one part of the issue. The bigger question is what licence you give the provider to use, store, analyse, share, de-identify, or train on that data.

A clause can say you retain ownership while still letting the provider do far more than you expect. If you handle sensitive commercial information or personal information, this is a major point to negotiate or control operationally.

2. Relying on the sales call instead of the signed documents

Founders often hear reassuring statements such as, “we do not train on your data”, “the system is secure”, or “enterprise support is included”. If those points are not reflected in the contract, they may be hard to enforce later.

Ask for the promises that matter to be written into the order form or the governing written terms. That may include data handling commitments, support response times, uptime, data location, or opt-out settings.

3. Using AI with personal information before checking internal privacy settings

This is where practical business operations and legal terms intersect. Even if the provider offers decent privacy wording, your own team can create problems by pasting customer files, CVs, complaint records, or health-related information into a tool that was never approved for that purpose.

Your contract review should sit alongside internal rules. For many businesses, sensible controls include:

  • deciding which teams can use the tool
  • banning certain categories of information from being uploaded
  • requiring anonymisation where possible
  • approving specific use cases before rollout
  • training staff not to rely on outputs without human review

4. Ignoring output accuracy disclaimers

Many AI SaaS terms say outputs may be inaccurate and must be independently verified. That clause is not filler. It is the provider telling you the business risk of bad output sits largely with you.

If your staff use AI to draft customer advice, product claims, legal wording, technical code, pricing recommendations, or summaries of important records, a human review process is essential. The more consequential the use, the more your internal controls matter.

5. Missing sector-specific or customer contract obligations

Your problem may not be the AI contract itself, but the mismatch between that contract and your other obligations. For example, your customer contract may restrict offshore hosting, subcontracting, or use of customer information beyond a defined purpose.

If you are in a regulated or sensitive sector, this review needs extra care. Even outside heavily regulated industries, SMEs often promise confidentiality or information security standards that a standard AI vendor contract does not neatly support.

6. Accepting a one-sided indemnity package

Some providers ask the customer to indemnify them for broad categories of claims arising from your use of the service, your content, or even alleged misuse by your users. At the same time, the provider may give little or no indemnity if their output infringes third-party rights or their conduct causes data-related loss.

This is not always unreasonable, but the balance should be examined. If your team is expected to trust the system in real business workflows, you should understand exactly where legal responsibility lands.

7. Overlooking governing law and dispute mechanics

Cross-border contracts often nominate overseas law and overseas dispute forums. That may be workable for a low-risk tool, but it becomes less attractive when the contract affects important customer data, core systems, or material spend.

At a minimum, understand the practical consequence. If something goes wrong, will your business realistically enforce the contract?

8. Not planning for exit

Businesses focus on buying software, not leaving it. AI tools can become deeply embedded in workflows, prompts, templates, and customer processes. If the contract ends abruptly, migration can be messy.

Check what happens to:

  • stored prompts and uploaded files
  • generated outputs and project history
  • API integrations and connected systems
  • data export formats
  • assistance with transition
  • deletion timeframes after termination

An exit clause rarely gets attention until after a dispute or a price increase.

FAQs

Can a New Zealand business rely on standard click-wrap AI SaaS terms?

Yes, but only after checking what they actually say. Click-wrap terms can still create binding obligations, and they often contain broad data licences, low liability caps, and rights for the provider to update terms later.

Do AI SaaS terms need a separate privacy schedule?

Not always, but many businesses should ask for one or review a data processing addendum if personal information is involved. The key issue is whether the contract properly covers data use, security, subprocessors, offshore access, and deletion rights.

Who owns AI-generated output under a SaaS contract?

It depends on the wording. Some providers say you own the output, while others grant a licence or reserve rights connected to the model and similar outputs for other users. The contract needs to be read carefully.

Are disclaimers about AI accuracy enforceable?

They can be, depending on the circumstances and the contract structure. The practical point for a business is to assume those disclaimers matter and put human review and approval processes in place for important use cases.

Should New Zealand businesses negotiate AI SaaS terms?

Often, yes. Negotiation is especially worthwhile where the tool handles personal information, confidential customer data, valuable IP, or a business-critical workflow. Even a short order form amendment can improve the risk position significantly.

Key Takeaways

  • AI SaaS terms are not just standard software terms; they often decide how your data, outputs, privacy risk, and commercial liability are handled.
  • Before you sign, check data use rights, model training permissions, privacy settings, output ownership, liability caps, and termination mechanics.
  • Do not rely on sales statements unless they are written into the contract documents.
  • If staff will use the tool with customer or employee information, align the contract with your Privacy Act obligations and internal usage rules.
  • The main risk is often not the subscription price, but a one-sided allocation of loss if the AI makes mistakes, goes offline, or uses data in ways you did not expect.
  • Reviewing the terms early is usually much easier than fixing the position after your business has adopted the platform.

If you want help with data use clauses, privacy compliance, liability limits, and contract amendments, you can reach us on 0800 002 184 or team@sprintlaw.co.nz for a free, no-obligations chat.

Alex Solo, Co-Founder

Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
