Your legal obligations depend on both where your company is based and where your customers are from, so there's no clearcut answer for everyone. For example, if you serve customers based in the EU, then you need to comply with GDRP law. I suggest reading up on that.
Some things aren't necessarily obligatory, but still advisable to protect you / your business. For example, most (online) businesses have a Terms of Service giving themselves some legal protection in case shit hits the fan. Here's WIP's: http://wip.chat/terms
Practically speaking though, many early-stage companies seemingly get away by not doing everything by the book since they are small and fly under the radar. You'll have to determine for yourself what's acceptable risk.