Square Privacy Notice — Square

10 Total

4 High severity

6 Medium severity

0 Low severity

Summary

This is Square's privacy policy explaining how the company collects and uses your personal data when you use Square's payment terminals, online checkout, Cash App ecosystem, and other financial tools — including your name, payment card details, government ID, transaction history, and device location. The most important thing to know is that Square may collect your financial transaction data even if you are a buyer at a merchant's store — not just a Square account holder — meaning you may be in Square's database without ever signing up. You can request access to, correction of, or deletion of your personal data by submitting a request through Square's privacy rights portal at https://squareup.com/us/en/privacy/request.

Technical Summary

This document is Square's Privacy Policy governing the collection, use, and sharing of personal data across Square's suite of payment processing, point-of-sale, financial services, and commerce products, operating under a consent and legitimate interests legal basis framework consistent with CCPA, GDPR, and U.S. state privacy laws. The policy obligates Square to disclose categories of data collected (including financial transaction data, government-issued ID, biometric identifiers for identity verification, device and location data, and inferred consumer profiles) and grants users rights to access, delete, correct, and opt out of certain data sales or sharing. Notably, Square collects transaction-level data from both sellers (merchants) and buyers (consumers who transact with Square-powered businesses), meaning consumer data is collected even from individuals who have never directly contracted with Square — a materially broader collection scope than many industry peers. The policy engages CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.), GDPR (Arts. 6, 9, 13, 17), GLBA (15 U.S.C. §6801), FinCEN BSA/AML requirements, and state money transmission regulations, with the CFPB, FTC, and California Privacy Protection Agency as primary enforcement authorities. Compliance teams should note that Square's dual-sided data collection model (merchant and buyer data) and its use of transaction data for product development and cross-product profiling require careful data mapping and potentially dual consent frameworks under CPRA and GDPR.

Institutional Analysis

(1) REGULATORY EXPOSURE: Square's privacy policy engages multiple regulatory frameworks simultaneously: CCPA/CPRA (Cal. Civ. Code §1798.100–1798.199) enforced by the California Privacy Protection Agency (CPPA) and California AG, requiring opt-out rights for sale/sharing of personal information; GDP…

🔒

Compliance intelligence locked

Regulatory exposure, material risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Evidence Provenance

Captured March 29, 2026 06:12 UTC

Document ID CA-D-000363

Version ID CA-V-000371

Source URL https://squareup.com/us/en/legal/general/privacy

Wayback Machine View archived versions →

SHA-256 18e0e24976c12e18ee48c6bdcf033319e72abe6870d5c97adf41e2449847cdc7

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed

Change Timeline

March 29, 2026 — Document updated low

Square updated their Privacy Notice on March 29, 2026, by reordering items in the navigation links section of the document. The 'Square Data Processing Agreement' was moved to appear before 'Government Licenses' and 'Square Payment Terms,' whereas before it appeared between 'Square Privacy Notice' and 'Square Payment Terms' with 'Government Licenses' listed after. This is a cosmetic reorganization of footer or menu links and does not change any consumer rights or data practices.

· 1 modified
View changes → View record →
18e0e249…
March 19, 2026 — Initial capture

First snapshot archived

5910e77e…

Analyzed Changes

1 change analyzed since monitoring began.

Updated March 29, 2026

low

What changed Square updated their Square Privacy Notice on March 29, 2026. Change detected: 1 sentence(s) modified. Document contained 285 sentences after update.

Consumer impact Square made a minor reordering of navigation links within its Privacy Notice on March 29, 2026. No actual policy language, data rights, or consumer protections were added, removed, or altered. This change has no practical impact on how Square collects, uses, or shares your personal data.

Why it matters This change is purely cosmetic and does not affect any consumer rights or data practices. No action or concern is warranted.

High Severity — 4 provisions

Passive Buyer Data Collection
Square collects personal and transactional data from consumers who pay at businesses using Square's payment systems, even if those consumers have never created a Square account or directly agreed to Square's terms.

Added April 1, 2026
Cross-Product Data Sharing and Profiling
Square may use data collected across its various products — including payment processing, Cash App, and other financial tools — to build consumer profiles and deliver targeted marketing and product recommendations.

Added April 1, 2026
Identity Verification and Government ID Collection
Square collects government-issued identification documents and, in some cases, biometric data as part of identity verification processes for account opening and financial compliance purposes.

Added April 1, 2026
Location Data Collection
Square collects precise and approximate location data from devices used to access its services, including through mobile apps and merchant hardware, for purposes including fraud detection, service personalization, and compliance.

Added April 1, 2026

Medium Severity — 6 provisions

Data Sharing with Financial Institution and Payment Network Partners
Square shares personal and financial data with banks, card networks (such as Visa and Mastercard), and other financial institution partners in order to process transactions and comply with financial regulations.

Added April 1, 2026
CCPA/CPRA Consumer Privacy Rights
California residents have the right to know what personal data Square collects, request deletion or correction of their data, opt out of the sale or sharing of their personal information, and not be discriminated against for exercising these rights.

Added April 1, 2026
Data Retention for Legal and Fraud Prevention Purposes
Square retains personal and financial data for as long as necessary to provide its services, comply with legal obligations, resolve disputes, enforce agreements, and prevent fraud — which may mean data is retained indefinitely in some circumstances.

Added April 1, 2026
GDPR Rights for EU/EEA Users
EU and EEA users have rights under GDPR to access, correct, delete, port, and restrict processing of their personal data, as well as the right to object to processing and to not be subject to solely automated decisions.

Added April 1, 2026
Children's Data — Age Restriction
Square's services are not directed at children under the age of 13, and Square states it does not knowingly collect personal data from children under 13 without parental consent.

Added April 1, 2026
Third-Party Cookies and Tracking Technologies
Square uses cookies, pixel tags, and similar tracking technologies on its websites and may allow third-party advertising and analytics partners to collect data about users' online behavior across sites.

Added April 1, 2026