Square keeps your personal data for as long as it needs to provide services and meet legal requirements, and may retain it longer for regulatory or tax reasons.
This analysis describes what Square's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Open-ended retention language means your data could be held indefinitely under broad regulatory compliance justifications, limiting the practical effectiveness of deletion requests.
Interpretive note: The policy does not specify concrete retention periods for individual data categories, making it difficult to assess whether retention practices comply with GDPR's storage limitation principle or CPRA requirements in specific contexts.
Previous version 'Data Retention After Account Closure' had empty excerpt; current version provides detailed excerpt clarifying retention duration based on service necessity and legal obligations without specific mention of post-closure scenarios.
View full change record →Even after you stop using Square or request deletion of your data, certain records may be retained for extended periods based on legal, tax, or regulatory obligations, which is a standard practice in financial services but reduces the completeness of deletion outcomes.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Square has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We retain your personal information for as long as necessary to provide you with our Services and to comply with our legal obligations. In some circumstances, we may retain your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, or accounting requirements.— Excerpt from Square's Square Privacy Notice
REGULATORY LANDSCAPE: Data retention in the financial services context is shaped by Bank Secrecy Act and AML requirements (which may mandate multi-year retention of transaction records), IRS requirements, state financial regulations, and GDPR's storage limitation principle under Article 5(1)(e), which requires data not be kept longer than necessary. These legal retention obligations may conflict with consumer deletion requests in ways that reduce the practical scope of those rights. GOVERNANCE EXPOSURE: Medium. The retention language is broad and typical for financial services but creates compliance tension with GDPR's storage limitation principle and CPRA deletion rights. Square's obligation to respond to deletion requests should include communicating which data categories are exempt from deletion due to legal holds and for what period. JURISDICTION FLAGS: GDPR Article 5(1)(e) and Article 17(3) create explicit exemptions to deletion rights for data retained under legal obligations, but require those obligations to be specific and proportionate. California CPRA similarly includes exemptions for legal obligations but requires transparency about which exemptions apply. Financial services AML retention requirements under FinCEN apply in the US. CONTRACT AND VENDOR IMPLICATIONS: Service provider and sub-processor agreements should specify retention schedules aligned with Square's documented retention policy to prevent over-retention or premature destruction of records needed for regulatory compliance. COMPLIANCE CONSIDERATIONS: A formal data retention schedule should underpin the policy's general statements, mapping each data category to a specific retention period and legal basis. This schedule should be reviewed against all applicable regulatory requirements in Square's operating jurisdictions. Consumer-facing communications about deletion requests should clearly indicate which data is subject to legal retention holds.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Open-ended retention language means your data could be held indefinitely under broad regulatory compliance justifications, limiting the practical effectiveness of deletion requests.
Even after you stop using Square or request deletion of your data, certain records may be retained for extended periods based on legal, tax, or regulatory obligations, which is a standard practice in financial services but reduces the completeness of deletion outcomes.
ConductAtlas has identified this type of provision across 136 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Square.