Square updated its Privacy Notice on May 30, 2026, substantially expanding the document with 217 new sentences and modifying 2 existing sentences. The updated notice now includes effective dates (Last Updated: March 16, 2026; Effective Date: April 16, 2026), clarifies that separate privacy notices apply to consumers shopping at Square-using businesses and to buyers using Square Buyer Services, and establishes which Square entity serves as data controller based on the user's country of residence (Block, Inc. for US users; Square Canada, Inc. or Square Technologies, Inc. for Canada; Square KK for Japan; Square AU PTY, Ltd. for Australia; Squareup International Ltd. for EU residents). The expanded notice creates clearer operational delineation between merchant-facing services and consumer-facing services, with users directed to separate notices depending on their relationship with Square.
The updated Privacy Notice establishes explicit jurisdiction-specific data controller identities and clarifies which privacy notice applies depending on whether you are a Square seller, consumer shopping at a Square-using merchant, or user of Square Buyer Services. The notice now states that EU residents' data is controlled by Squareup International Ltd., while US residents' data is controlled by Block, Inc., and similar entity assignments apply to Canada, Japan, and Australia. This change establishes clearer governance structure rather than modifying substantive data practices.
The updated terms establish explicit jurisdiction-specific data controller assignments and clarify which Privacy Notice applies based on user role (merchant, consumer, or Square Buyer Services participant). This organizational clarification improves transparency regarding governance accountability and supports alignment with GDPR and equivalent privacy frameworks that require clear identification of the responsible data controller.
→ Identify whether you are a Square seller, consumer shopping at a Square merchant, or user of Square Buyer Services to determine which Privacy Notice governs your data.
→ If you are an EU resident, note that Squareup International Ltd. is identified as your data controller; if you are a US resident, Block, Inc. is your data controller.
→ If you do not review which Privacy Notice applies to your specific role, you may reference the incorrect notice when exercising data subject rights or responding to data requests.
→ The terms will apply as written; jurisdiction-specific data controller assignments will govern your data processing regardless of whether you review the updated notice.
Establishes Squareup International Ltd. as data controller for EU residents, Block, Inc. for US residents, and specific entities for Canada, Japan, and Australia.
Clarifies that consumers shopping at Square-using merchants and Square Buyer Services users are governed by separate privacy notices, directing them to the appropriate document.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
Square expanded its Privacy Notice to clarify jurisdiction-specific data controller assignments and separate applicability statements for merchants versus consumers. The document now explicitly identifies Squareup International Ltd. as data controller for EU residents, Block, Inc. for US residents, and other entities for Canada, Japan, and Australia. This clarification may support GDPR Article 13/14 transparency requirements and aligns with data controller identification obligations under EU privacy frameworks. No new substantive data practices appear to be introduced; the change is primarily organizational and jurisdictional clarification.
GDPR (Articles 13, 14 - transparency obligations regarding data controller identity); CCPA (California Consumer Privacy Act); equivalent privacy frameworks in UK, Australia, Canada, and Japan.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-002484.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — MonitorSquare reordered the list of linked terms and policies in their Terms of Service on May 30, 2026. The substantive …
Square reorganized the order of links in its Terms of Service document footer on May 22, 2026. The substantive waiver …
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them t…
ConductAtlas tracked the restructuring, new disclosures, and entity changes that followed the largest privacy fine in EU history.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do…
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.