What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages CCPA/CPRA (California), GDPR and UK GDPR (EEA and United Kingdom), GLBA (financial data), and PCI DSS (payment card data). Enforcement authorities include the California Privacy Protection Agency, state attorneys general, the FTC under Section 5 authority, EU data protection authorities, the UK ICO, and financial regulators including the CFPB. Where the policy asserts broad legitimate interest bases for processing or wide advertising data sharing, these…

How does Square's Square Privacy Notice affect users?

The notice establishes that data collection occurs for users of Square-powered merchants and Cash App without requiring a separate Square account, and that collected data may be shared with third-party advertising and analytics partners as well as financial institutions. Users may exercise data access, deletion, and opt-out rights through Square's privacy request portal or by contacting Square's support team, with specific rights available to California residents and EU users under applicable s…

How often is Square's Square Privacy Notice updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Square updates this document?

Yes. Monitor subscribers ($19/month) can add Square to their watchlist and receive same-day email alerts whenever this document or any other Square document changes.

CA-D-000363

Square Privacy Notice

Square

Last change detected June 9, 2026 Privacy policy

SHA-256: 82ee6c28dc0279b8541… 8 versions captured 7 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Square ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

3 High severity

4 Medium severity

1 Low severity

Summary

Square's Privacy Notice establishes the data collection, use, and sharing practices for Square's payment processing, point-of-sale systems, Cash App, and related financial services. The notice specifies that Square collects payment card details, transaction history, device identifiers, location data, and identity verification documents, and authorizes sharing this data with advertising partners, analytics providers, financial institutions, and affiliates. The notice provides California residents and EU users with mechanisms to access, delete, or restrict use of personal data through the privacy request portal at squareup.com/privacy or by contacting Square support.

Technical / Legal Breakdown

This document is Square's global Privacy Notice, governing the collection, use, storage, and disclosure of personal information across Square's payment processing, point-of-sale, financial services, and related products, with legal basis grounded in contractual necessity, legitimate interests, legal obligation, and consent depending on jurisdiction. The policy states that Square collects identifiers, financial account details, transaction data, device and location information, biometric-adjacent identity verification data, and inferred characteristics, and the terms authorize sharing this data with affiliates, service providers, financial partners, and third parties for advertising and analytics purposes. The breadth of data collection extending to device signals, browsing behavior on third-party sites via cookies, and inferred consumer attributes, combined with a stated right to share data with advertising partners, is operationally significant; however, the policy also documents opt-out mechanisms for certain sharing categories, and applicable law may constrain the broadest assertions, particularly for California residents and EU/EEA users. The policy explicitly engages CCPA/CPRA for California residents, GDPR and UK GDPR for EEA and UK users, and intersects with GLBA and PCI DSS given Square's role as a payment processor and financial services provider; compliance obligations under these frameworks vary materially by jurisdiction and user category. Compliance teams should note that Square's dual role as both a data controller for its own purposes and a data processor on behalf of merchant customers creates layered obligations that may require separate evaluation under applicable law.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

7 important changes detected

8 versions captured · Last updated: June 2026

June 9, 2026

low

What changed Square reorganized the reference list of related legal documents in their Privacy Notice on June 9, 2026. The document previously listed 'Square Payment Terms' before 'Licenses', and also grouped several documents in a different order. The updated version reordered these references without removing or adding any documents. This is a formatting and organizational change with no operational impact on privacy rights, data handling, or user obligations.

Why this matters This change has no material impact on consumer privacy rights or obligations. The updated Privacy Notice reorganizes the order in which related Square legal documents are listed as references, but does not modify, add, or remove any of those documents or their terms. Users' rights, data handling practices, and privacy protections remain unchanged.

View full change record →

June 2, 2026

unknown

What changed Square updated their Square Privacy Notice on June 02, 2026. Change detected: 1 sentence(s) modified. Document contained 285 sentences after update.

View full change record →

May 30, 2026 low

Square updated its Privacy Notice on May 30, 2026, substantially expanding the document with 217 new sentences and modifying 2 existing sentences. The updated notice now includes effective dates (Last …

View change record →

May 5, 2026 low

Square reorganized the list of links to its various legal documents and service terms in the footer of its Privacy Notice. The order and grouping of these links changed, but …

View change record →

April 19, 2026 low

Square removed a reference to the Square Payment Terms from its list of related policy documents in its privacy notice on April 19, 2026. This appears to be an organizational …

View change record →

March 29, 2026 low

Square removed two linked documents from its Privacy Notice reference list on March 29, 2026: Square Payment Terms and Square AI Terms of Service. These documents are no longer listed …

View change record →

March 19, 2026 low

Square reordered a list of linked policy documents in their Australian privacy notice footer. The 'Government Licenses' link moved from appearing after 'Square Payment Terms' to appearing before 'Square Additional …

View change record →

Recent Provision Changes Jun 9, 2026

8 provisions unchanged.

View full change record →

High — 3 provisions

Collection of Payment and Financial Data Compare →

Square collects your bank account details, card numbers, and payment information whenever you use its financial or payment services.

Added May 11, 2026 Standard Seen across 284 platforms
Sharing Data with Advertising and Analytics Partners Compare →

Square may share your personal information with outside advertising companies and analytics firms to show you targeted ads and to analyze how you use Square products.

Added May 11, 2026 Standard Seen across 252 platforms
Identity Verification and Biometric-Adjacent Data Collection Compare →

Square may collect government ID documents and, in some cases, biometric data such as facial recognition information to verify who you are and to comply with legal requirements.

Added May 11, 2026 Standard Seen across 284 platforms

Medium — 4 provisions

California Consumer Privacy Rights (CCPA/CPRA) Compare →

California residents have legally enforceable rights to know what data Square has collected, to request deletion, to opt out of data sales and sharing, to correct errors, and to restrict use of sensitive data.

Added May 11, 2026 Standard Seen across 284 platforms
GDPR Rights for EEA and UK Users Compare →

Users in the EU, UK, and Switzerland have rights to access, correct, delete, and port their data, and can object to certain processing or file a complaint with local privacy regulators.

Added May 11, 2026 Standard Seen across 284 platforms
Automatic Collection of Device and Behavioral Data Compare →

Square automatically collects technical data about your device and browsing behavior, including information from third-party websites, even without you actively entering it.

Added May 11, 2026 Standard Seen across 284 platforms
Data Sharing with Affiliates and Service Providers Compare →

Square shares your personal data with its related companies and outside vendors who help it run its business, including for payment processing, marketing, and fraud detection.

Added May 11, 2026 Standard Seen across 252 platforms

Low — 1 provision

Data Retention Compare →

Square keeps your personal data for as long as it needs to provide services and meet legal requirements, and may retain it longer for regulatory or tax reasons.

Added May 11, 2026 Standard Seen across 284 platforms

Monitoring

Square has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Broad Third-Party Data Sharing and similar clauses.

Compare across platforms →