Square collects your bank account details, card numbers, and payment information whenever you use its financial or payment services.
This analysis describes what Square's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Payment and banking credentials are among the most sensitive categories of personal data, and understanding how they are stored, shared, and protected is critical for any user of Square's services.
This addition explicitly discloses sensitive financial data collection practices, directly replacing the vague previous 'Use of Financial and Transaction Data' provision with concrete details about payment card and banking information collection.
View full change record →Your credit card numbers, bank routing numbers, and payment credentials are collected by Square and may be shared with financial partners and service providers as described in the policy, creating potential exposure if data handling practices are not robustly secured.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Square has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We collect information about you when you use our Services. This includes information you provide to us, information we collect automatically, and information we receive from other sources. Financial information such as bank account and routing numbers, credit and debit card numbers, and other payment information you provide to us when you use our financial services.— Excerpt from Square's Square Privacy Notice
REGULATORY LANDSCAPE: Collection and handling of payment card data engages PCI DSS compliance obligations as well as GLBA requirements for financial data. The CFPB has supervisory authority over Square's financial products. State-level financial privacy laws, including California's Financial Information Privacy Act, may also apply depending on the nature of the financial product. GOVERNANCE EXPOSURE: High. Payment credential data is among the most regulated categories of personal information. Any breach or misuse of this data category creates significant regulatory, reputational, and financial exposure. The policy's authorization to share financial data with service providers and financial institution partners requires careful contractual controls. JURISDICTION FLAGS: PCI DSS applies globally wherever card payments are processed. GLBA applies to US financial services. GDPR Article 9 does not expressly classify payment data as special category, but national implementations and supervisory guidance in some EU member states may treat financial data with heightened sensitivity. California CPRA treats certain financial information as sensitive personal information with enhanced protections. CONTRACT AND VENDOR IMPLICATIONS: Merchants using Square as a payment processor should confirm that data processing agreements adequately address payment data handling and that Square's PCI DSS compliance scope is clearly defined. Liability for card data breaches and the allocation of responsibility between Square and the merchant should be reviewed in the merchant services agreement. COMPLIANCE CONSIDERATIONS: Legal teams should verify that Square's data processing agreements include appropriate sub-processor controls, audit rights, and breach notification timelines consistent with PCI DSS, GLBA, and applicable state law. Data mapping exercises should clearly document the flow of payment credential data through Square's infrastructure and into third-party financial partner systems.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Payment and banking credentials are among the most sensitive categories of personal data, and understanding how they are stored, shared, and protected is critical for any user of Square's services.
Your credit card numbers, bank routing numbers, and payment credentials are collected by Square and may be shared with financial partners and service providers as described in the policy, creating potential exposure if data handling practices are not robustly secured.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Square.