Users in the EU, UK, and Switzerland have rights to access, correct, delete, and port their data, and can object to certain processing or file a complaint with local privacy regulators.
This analysis describes what Square's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
GDPR provides some of the strongest personal data protections in the world, and EU and UK users have enforceable rights against Square that go beyond what is available to users in most other jurisdictions.
This addition establishes compliance transparency for European users under GDPR/CPRA, representing an expansion of user rights disclosures beyond the US-only CCPA provisions in the previous version.
View full change record →EEA and UK users can request access to or deletion of their data, object to processing based on legitimate interests (including profiling for advertising), and complain to their national data protection authority if they believe Square has mishandled their data.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...
For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.
Monitoring
Square has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have certain rights under applicable data protection law, including the right to access, rectify, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and the right to lodge a complaint with your local data protection authority.— Excerpt from Square's Square Privacy Notice
REGULATORY LANDSCAPE: This provision engages GDPR (EU Regulation 2016/679) and UK GDPR as retained in domestic law. Enforcement authorities include national data protection authorities in each EU member state, the UK Information Commissioner's Office, and the European Data Protection Board for cross-border matters. Penalties under GDPR can reach 4% of global annual turnover or 20 million euros, whichever is higher. GOVERNANCE EXPOSURE: High. Square processes data from EU and UK users in connection with payment services, making it subject to GDPR obligations including lawful basis for processing, data subject rights, international transfer mechanisms, and data breach notification. The policy's reliance on legitimate interests as a lawful basis for advertising and analytics processing may face challenge from EU supervisory authorities, which have applied the legitimate interests test strictly in the context of digital advertising. JURISDICTION FLAGS: All EU/EEA member states apply GDPR. The UK applies UK GDPR with some divergences post-Brexit. Switzerland applies its Federal Act on Data Protection. International data transfer from the EEA to the US requires a valid transfer mechanism such as Standard Contractual Clauses or reliance on the EU-US Data Privacy Framework. Square should be assessed for its current transfer mechanism. CONTRACT AND VENDOR IMPLICATIONS: B2B customers in the EEA should ensure a Data Processing Agreement compliant with GDPR Article 28 is in place with Square. The agreement should identify sub-processors, specify processing purposes, and include appropriate technical and organizational measures. If Square acts as a joint controller in any context, that relationship should be formalized under GDPR Article 26. COMPLIANCE CONSIDERATIONS: Square should maintain records of processing activities under GDPR Article 30. Data subject request workflows should be reviewed to confirm they meet 30-day response requirements and identity verification standards that do not create undue barriers. The lawful basis for each processing purpose should be documented in an internal record that aligns with the public-facing privacy notice.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
GDPR provides some of the strongest personal data protections in the world, and EU and UK users have enforceable rights against Square that go beyond what is available to users in most other jurisdictions.
EEA and UK users can request access to or deletion of their data, object to processing based on legitimate interests (including profiling for advertising), and complain to their national data protection authority if they believe Square has mishandled their data.
ConductAtlas has identified this type of provision across 5 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Square.