diff --git a/src/axum_lib.rs b/src/axum_lib.rs
index 84ad128..b2bd120 100644
--- a/src/axum_lib.rs
+++ b/src/axum_lib.rs
@@ -297,6 +297,17 @@ pub async fn main() {
 },
 ),
 )
+ .nest(
+ "/legal",
+ get_service(ServeDir::new("./static/legal")).handle_error(
+ |error: std::io::Error| async move {
+ (
+ StatusCode::INTERNAL_SERVER_ERROR,
+ format!("Unhandled internal error: {}", error),
+ )
+ },
+ ),
+ )
 .nest(
 "/img",
 get_service(ServeDir::new("./static/img")).handle_error(
diff --git a/src/oidc.rs b/src/oidc.rs
index eabd25e..900e0a9 100644
--- a/src/oidc.rs
+++ b/src/oidc.rs
@@ -18,9 +18,9 @@ use openidconnect::{
 url::Url, AccessToken, Audience, AuthUrl, ClientConfigUrl, ClientId, ClientSecret, EmptyAdditionalClaims, EmptyAdditionalProviderMetadata, EmptyExtraTokenFields, EndUserPictureUrl, EndUserUsername,
- IssuerUrl, JsonWebKeyId, JsonWebKeySetUrl, LocalizedClaim, Nonce, PrivateSigningKey,
- RedirectUrl, RegistrationAccessToken, RegistrationUrl, RequestUrl, ResponseTypes, Scope,
- StandardClaims, SubjectIdentifier, TokenUrl, UserInfoUrl,
+ IssuerUrl, JsonWebKeyId, JsonWebKeySetUrl, LocalizedClaim, Nonce, OpPolicyUrl, OpTosUrl,
+ PrivateSigningKey, RedirectUrl, RegistrationAccessToken, RegistrationUrl, RequestUrl,
+ ResponseTypes, Scope, StandardClaims, SubjectIdentifier, TokenUrl, UserInfoUrl,
 };
 use rand::{distributions::Alphanumeric, thread_rng, Rng};
 use rsa::{pkcs1::ToRsaPrivateKey, RsaPrivateKey};
@@ -54,6 +54,8 @@ pub const CLIENT_PATH: &str = "/client";
 pub const USERINFO_PATH: &str = "/userinfo";
 pub const SIGNIN_PATH: &str = "/sign_in";
 pub const SIWE_COOKIE_KEY: &str = "siwe";
+pub const TOU_PATH: &str = "/legal/terms-of-use.pdf";
+pub const PP_PATH: &str = "/legal/privacy-policy.pdf";
 #[cfg(not(target_arch = "wasm32"))]
 type DBClientType = (dyn DBClient + Sync);
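Review bot: The `handle_error` closure on the new `/legal` mount in src/axum_lib.rs sends `format!("Unhandled internal error: {}", error)` back to the client, so the text of the underlying `std::io::Error` ends up in the HTTP response body. I would keep that detail server-side and return a fixed body instead, e.g. `(StatusCode::INTERNAL_SERVER_ERROR, "Internal server error")`, logging `error` with whatever logger the binary already uses. The `/img` mount just below opens the same `get_service(ServeDir::new(...)).handle_error(` call, so the closure looks duplicated per static directory; one shared handler function would keep all static mounts consistent. `main` starts and ends outside this hunk, so the neighbouring routes are only partly visible.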
@@ -150,7 +152,17 @@ pub fn metadata(base_url: Url) -> Result {
 CoreClientAuthMethod::ClientSecretBasic,
 CoreClientAuthMethod::ClientSecretPost,
 CoreClientAuthMethod::PrivateKeyJwt,
- ]));
+ ]))
+ .set_op_policy_uri(Some(OpPolicyUrl::from_url(
+ base_url
+ .join(PP_PATH)
+ .map_err(|e| anyhow!("Unable to join URL: {}", e))?,
+ )))
+ .set_op_tos_uri(Some(OpTosUrl::from_url(
+ base_url
+ .join(TOU_PATH)
+ .map_err(|e| anyhow!("Unable to join URL: {}", e))?,
+ )));
 Ok(pm)
 }
diff --git a/static/index.html b/static/index.html
index a22604d..7e76c3a 100644
--- a/static/index.html
+++ b/static/index.html
@@ -17,4 +17,9 @@ + +
diff --git a/static/legal/privacy-policy.pdf b/static/legal/privacy-policy.pdf
new file mode 100644
index 0000000..35748cb
Binary files /dev/null and b/static/legal/privacy-policy.pdf differ
diff --git a/static/legal/terms-of-use.pdf b/static/legal/terms-of-use.pdf
new file mode 100644
index 0000000..635b7dc
Binary files /dev/null and b/static/legal/terms-of-use.pdf differ
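Review bot: In `metadata` (src/oidc.rs), `base_url.join(PP_PATH)` and `base_url.join(TOU_PATH)` join references that begin with `/`, and `Url::join` resolves those against the origin, dropping any path already present on `base_url`. If the provider is ever reached under a path prefix, the `op_policy_uri` and `op_tos_uri` published in the discovery metadata would point outside it; a comment on the constants such as `// Absolute paths: joined against the origin of base_url, any base path is discarded` would make that explicit. The links are also only valid where the `/legal` route from src/axum_lib.rs is mounted, and the `#[cfg(not(target_arch = "wasm32"))]` context line suggests a second build target exists, so it is worth confirming that every target calling `metadata` actually serves these files. A small test asserting both fields for a sample `base_url` would pin the behaviour down. The body of `metadata` begins outside this hunk.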