When you accept money you're establishing a contract, so you'll want to limit liability to just getting their money back. You'll want to establish what courts might be used for dispute resolution. You'll need to be explicit about any behaviors that would result in you terminating their service without refunding their money.
Your users agree to certain obligations as part of the contract; you should too. Make privacy a contractual obligation on your part, not just a policy.
Sounds like a bad plan to make privacy a contractual obligation, because then you're undertaking a legal obligation not to have your server hacked. No one who understands servers would do that.
ourdoings.com "Agrees not to use or disclose your personal information, or the personal information of others who use your site, without permission for any purpose other than providing and improving this service, except as required by law."
If someone breaks into the datacenter and physically steals the server (a more realistic scenario than the server being hacked) I don't think that would count as "disclosing". But I'm in Massachusetts where courts seem to have a higher-than-average degree of common sense.
Your users agree to certain obligations as part of the contract; you should too. Make privacy a contractual obligation on your part, not just a policy.