diff --git a/legal.md b/legal.md
new file mode 100644
index 0000000..a88c589
--- /dev/null
+++ b/legal.md
@@ -0,0 +1,35 @@
+# Legalities
+
+As with everything, there are legalities involved with this project. I've tried to cover as many bases as I can, but be aware that it is very hard and I am very lazy.
+
+This is not legal advice, I am not a lawyer, and if if you have concerns, please consult a lawyer in your own jurisdiction.
+
+## zlib
+
+The MERN-template and all of it's microservices are released under the zlib license (see `LICENSE` for details). This means you can freely use it to make whatever you like, and attribution to Kayne Ruse, KR Game Studios and other MERN-template contributors is appreciated, but not strictly required. You also can't pretend you made it, and you can't take the license out of source distributions of the template.
+
+## Privacy Policy And Credits
+
+The website's footer links to the privacy policy and credits pages. These can be found under `client/markdown/` as markdown files; much easier to manage than handling React pages directly.
+
+Please remember to include a privacy policy with your website, and credit everyone involved in your website's creation. Tools for doing this may be coming soon.
+
+## Spam And Agreeing to Being Contacted
+
+One of the features built into this project is the contact flag - it's a way for the user to signal to the developer that they are OK with being contacted in the future with promotional material. This flag is saved in the `accounts` table in the database, and can be freely changed by users via their account pages. Removing this feature means you won't be able to contact *anyone*.
+
+If you're in America, please refer to the [CAN SPAM act of 2003](https://en.wikipedia.org/wiki/CAN-SPAM_Act_of_2003).
+
+## Deletion of Account Data
+
+According to the European GDPR as I understand it, [the right to be forgotten](https://en.wikipedia.org/wiki/Right_to_be_forgotten) is required by those operating out the the European Union.
+
+What this means practically is that user accounts must be able to be deleted, along with all identifiable user data. I've added a "Delete Account" button to the user's account page which enables this - the deletion is not immediate, they have a two day window to change their minds by logging back into the game. However after that two day window is up, the account is completely deleted.
+
+When modifying the MERN-template, be sure that any identifiable data, such as usernames and email accounts stored elsewhere, is also deleted in this manner.
+
+## Children Under 13
+
+According to the [COPPA act](https://en.wikipedia.org/wiki/Children%27s_Online_Privacy_Protection_Act), if you accept children under the age of 13 as users, you need to conform to certain expectations within the United States.
+
+Personally, I just find it easier to ban kids under 13 from playing my web games via my privacy policy.
\ No newline at end of file