Square keeps your personal data for as long as it needs to provide services and meet legal requirements, and may retain it longer for regulatory or tax reasons.
This analysis describes what Square's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Open-ended retention language means your data could be held indefinitely under broad regulatory compliance justifications, limiting the practical effectiveness of deletion requests.
Interpretive note: The policy does not specify concrete retention periods for individual data categories, making it difficult to assess whether retention practices comply with GDPR's storage limitation principle or CPRA requirements in specific contexts.
Even after you stop using Square or request deletion of your data, certain records may be retained for extended periods based on legal, tax, or regulatory obligations, which is a standard practice in financial services but reduces the completeness of deletion outcomes.
How other platforms handle this
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
We may retain de-identified or aggregated information that can no longer be used to identify you for any period of time, including indefinitely.
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, or as otherwise permitted or required by applicable law.
Monitoring
Square has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We retain your personal information for as long as necessary to provide you with our Services and to comply with our legal obligations. In some circumstances, we may retain your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, or accounting requirements.— Excerpt from Square's Square Privacy Notice
REGULATORY LANDSCAPE: Data retention in the financial services context is shaped by Bank Secrecy Act and AML requirements (which may mandate multi-year retention of transaction records), IRS requirements, state financial regulations, and GDPR's storage limitation principle under Article 5(1)(e), which requires data not be kept longer than necessary. These legal retention obligations may conflict with consumer deletion requests in ways that reduce the practical scope of those rights. GOVERNANCE EXPOSURE: Medium. The retention language is broad and typical for financial services but creates compliance tension with GDPR's storage limitation principle and CPRA deletion rights. Square's obligation to respond to deletion requests should include communicating which data categories are exempt from deletion due to legal holds and for what period. JURISDICTION FLAGS: GDPR Article 5(1)(e) and Article 17(3) create explicit exemptions to deletion rights for data retained under legal obligations, but require those obligations to be specific and proportionate. California CPRA similarly includes exemptions for legal obligations but requires transparency about which exemptions apply. Financial services AML retention requirements under FinCEN apply in the US. CONTRACT AND VENDOR IMPLICATIONS: Service provider and sub-processor agreements should specify retention schedules aligned with Square's documented retention policy to prevent over-retention or premature destruction of records needed for regulatory compliance. COMPLIANCE CONSIDERATIONS: A formal data retention schedule should underpin the policy's general statements, mapping each data category to a specific retention period and legal basis. This schedule should be reviewed against all applicable regulatory requirements in Square's operating jurisdictions. Consumer-facing communications about deletion requests should clearly indicate which data is subject to legal retention holds.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Open-ended retention language means your data could be held indefinitely under broad regulatory compliance justifications, limiting the practical effectiveness of deletion requests.
Even after you stop using Square or request deletion of your data, certain records may be retained for extended periods based on legal, tax, or regulatory obligations, which is a standard practice in financial services but reduces the completeness of deletion outcomes.
ConductAtlas has identified this type of provision across 115 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Square.