What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages CCPA/CPRA (California), GDPR and UK GDPR (EEA and United Kingdom), GLBA (financial data), and PCI DSS (payment card data). Enforcement authorities include the California Privacy Protection Agency, state attorneys general, the FTC under Section 5 authority, EU data protection authorities, the UK ICO, and financial regulators including the CFPB. Where the policy asserts broad legitimate interest bases for processing or wide advertising data sharing, these…

How does Square's Square Privacy Notice affect users?

The notice establishes that data collection occurs for users of Square-powered merchants and Cash App without requiring a separate Square account, and that collected data may be shared with third-party advertising and analytics partners as well as financial institutions. Users may exercise data access, deletion, and opt-out rights through Square's privacy request portal or by contacting Square's support team, with specific rights available to California residents and EU users under applicable s…

How often is Square's Square Privacy Notice updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Square updates this document?

Yes. Watcher subscribers ($9.99/month) can add Square to their watchlist and receive same-day email alerts whenever this document or any other Square document changes.

CA-D-000363

Square Privacy Notice

Square

Last change detected May 5, 2026 Privacy policy

SHA-256: f2057841ee1584f119e… 4 versions captured 4 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Square ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

3 High severity

4 Medium severity

1 Low severity

Summary

Square's Privacy Notice establishes the data collection, use, and sharing practices for Square's payment processing, point-of-sale systems, Cash App, and related financial services. The notice specifies that Square collects payment card details, transaction history, device identifiers, location data, and identity verification documents, and authorizes sharing this data with advertising partners, analytics providers, financial institutions, and affiliates. The notice provides California residents and EU users with mechanisms to access, delete, or restrict use of personal data through the privacy request portal at squareup.com/privacy or by contacting Square support.

Technical / Legal Breakdown

This document is Square's global Privacy Notice, governing the collection, use, storage, and disclosure of personal information across Square's payment processing, point-of-sale, financial services, and related products, with legal basis grounded in contractual necessity, legitimate interests, legal obligation, and consent depending on jurisdiction. The policy states that Square collects identifiers, financial account details, transaction data, device and location information, biometric-adjacent identity verification data, and inferred characteristics, and the terms authorize sharing this data with affiliates, service providers, financial partners, and third parties for advertising and analytics purposes. The breadth of data collection extending to device signals, browsing behavior on third-party sites via cookies, and inferred consumer attributes, combined with a stated right to share data with advertising partners, is operationally significant; however, the policy also documents opt-out mechanisms for certain sharing categories, and applicable law may constrain the broadest assertions, particularly for California residents and EU/EEA users. The policy explicitly engages CCPA/CPRA for California residents, GDPR and UK GDPR for EEA and UK users, and intersects with GLBA and PCI DSS given Square's role as a payment processor and financial services provider; compliance obligations under these frameworks vary materially by jurisdiction and user category. Compliance teams should note that Square's dual role as both a data controller for its own purposes and a data processor on behalf of merchant customers creates layered obligations that may require separate evaluation under applicable law.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

4 important changes detected

4 versions captured · Last updated: May 2026

May 5, 2026

low

What changed Square reorganized the list of links to its various legal documents and service terms in the footer of its Privacy Notice. The order and grouping of these links changed, but the documents themselves and the substantive privacy protections they describe remain the same. This is a formatting and navigation change with no impact on what rights or obligations Square or its users have.

Why this matters This change does not affect the substantive protections, rights, or obligations described in Square's Privacy Notice or the linked documents. The reorganization of footer links is a presentational change only and does not alter how Square collects, uses, or protects consumer data. No action is required by consumers in response to this change.

View full change record →

April 19, 2026

low

What changed Square removed a reference to the Square Payment Terms from its list of related policy documents in its privacy notice on April 19, 2026. This appears to be an organizational or administrative change to the document's footer or references section rather than a substantive change to how Square handles your data or privacy rights. The payment terms document itself may still apply to your account; this change only affects which documents are listed as companion resources.

Why this matters This change removes a hyperlink or reference to the Square Payment Terms from the privacy notice's list of related documents. It does not modify any substantive privacy practices, data collection rules, or your rights. If you need to access the Square Payment Terms, you may need to locate it through a different part of Square's website or your account.

View full change record →

March 29, 2026 low

Square removed two linked documents from its Privacy Notice reference list on March 29, 2026: Square Payment Terms and Square AI Terms of Service. These documents are no longer listed …

View change record →

March 19, 2026 low

Square reordered a list of linked policy documents in their Australian privacy notice footer. The 'Government Licenses' link moved from appearing after 'Square Payment Terms' to appearing before 'Square Additional …

View change record →

High — 3 provisions

Collection of Payment and Financial Data Compare →

Square collects your bank account details, card numbers, and payment information whenever you use its financial or payment services.

Added May 11, 2026 Common Seen across 150 platforms
Sharing Data with Advertising and Analytics Partners Compare →

Square may share your personal information with outside advertising companies and analytics firms to show you targeted ads and to analyze how you use Square products.

Added May 11, 2026 Standard Seen across 189 platforms
Identity Verification and Biometric-Adjacent Data Collection Compare →

Square may collect government ID documents and, in some cases, biometric data such as facial recognition information to verify who you are and to comply with legal requirements.

Added May 11, 2026 Standard Seen across 251 platforms

Medium — 4 provisions

California Consumer Privacy Rights (CCPA/CPRA) Compare →

California residents have legally enforceable rights to know what data Square has collected, to request deletion, to opt out of data sales and sharing, to correct errors, and to restrict use of sensitive data.

Added May 11, 2026 Standard Seen across 262 platforms
GDPR Rights for EEA and UK Users Compare →

Users in the EU, UK, and Switzerland have rights to access, correct, delete, and port their data, and can object to certain processing or file a complaint with local privacy regulators.

Added May 11, 2026 Standard Seen across 262 platforms
Automatic Collection of Device and Behavioral Data

Square automatically collects technical data about your device and browsing behavior, including information from third-party websites, even without you actively entering it.

Added May 11, 2026 Rare
Data Sharing with Affiliates and Service Providers Compare →

Square shares your personal data with its related companies and outside vendors who help it run its business, including for payment processing, marketing, and fraud detection.

Added May 11, 2026 Standard Seen across 246 platforms

Low — 1 provision

Data Retention Compare →

Square keeps your personal data for as long as it needs to provide services and meet legal requirements, and may retain it longer for regulatory or tax reasons.

Added May 11, 2026 Standard Seen across 223 platforms

Monitoring

Square has updated this document before.

Watcher includes same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

Professional Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Professional includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Professional free trial

Cross-platform context

See how other platforms handle Broad Third-Party Data Sharing and similar clauses.

Compare across platforms →