Square collects your bank account details, card numbers, and payment information whenever you use its financial or payment services.
This analysis describes what Square's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Payment and banking credentials are among the most sensitive categories of personal data, and understanding how they are stored, shared, and protected is critical for any user of Square's services.
Your credit card numbers, bank routing numbers, and payment credentials are collected by Square and may be shared with financial partners and service providers as described in the policy, creating potential exposure if data handling practices are not robustly secured.
How other platforms handle this
Upwork acts as a limited payment collection agent for Freelancers. When a Client pays Upwork for Services performed by a Freelancer, Upwork receives such payment as the Freelancer's limited payment collection agent, and payment received by Upwork satisfies the Client's obligation to pay the Freelanc...
Whatnot charges fees for use of the Services by Sellers. By listing an item for sale, you agree to pay Whatnot the applicable Fees for any successful transaction. Fees are described in our Seller Policies, which are incorporated into these Terms by reference. Fees may be updated from time to time, a...
You authorize us to charge any Payment Method associated with your account in case your primary Payment Method is declined or no longer available to us for payment of your subscription fee. You remain responsible for any uncollected amounts. If a payment is not successfully settled, due to expiratio...
Monitoring
Square has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We collect information about you when you use our Services. This includes information you provide to us, information we collect automatically, and information we receive from other sources. Financial information such as bank account and routing numbers, credit and debit card numbers, and other payment information you provide to us when you use our financial services.— Excerpt from Square's Square Privacy Notice
REGULATORY LANDSCAPE: Collection and handling of payment card data engages PCI DSS compliance obligations as well as GLBA requirements for financial data. The CFPB has supervisory authority over Square's financial products. State-level financial privacy laws, including California's Financial Information Privacy Act, may also apply depending on the nature of the financial product. GOVERNANCE EXPOSURE: High. Payment credential data is among the most regulated categories of personal information. Any breach or misuse of this data category creates significant regulatory, reputational, and financial exposure. The policy's authorization to share financial data with service providers and financial institution partners requires careful contractual controls. JURISDICTION FLAGS: PCI DSS applies globally wherever card payments are processed. GLBA applies to US financial services. GDPR Article 9 does not expressly classify payment data as special category, but national implementations and supervisory guidance in some EU member states may treat financial data with heightened sensitivity. California CPRA treats certain financial information as sensitive personal information with enhanced protections. CONTRACT AND VENDOR IMPLICATIONS: Merchants using Square as a payment processor should confirm that data processing agreements adequately address payment data handling and that Square's PCI DSS compliance scope is clearly defined. Liability for card data breaches and the allocation of responsibility between Square and the merchant should be reviewed in the merchant services agreement. COMPLIANCE CONSIDERATIONS: Legal teams should verify that Square's data processing agreements include appropriate sub-processor controls, audit rights, and breach notification timelines consistent with PCI DSS, GLBA, and applicable state law. Data mapping exercises should clearly document the flow of payment credential data through Square's infrastructure and into third-party financial partner systems.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Payment and banking credentials are among the most sensitive categories of personal data, and understanding how they are stored, shared, and protected is critical for any user of Square's services.
Your credit card numbers, bank routing numbers, and payment credentials are collected by Square and may be shared with financial partners and service providers as described in the policy, creating potential exposure if data handling practices are not robustly secured.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Square.