What are the institutional and regulatory implications of this document?

(1) REGULATORY EXPOSURE: Square's privacy policy engages multiple regulatory frameworks simultaneously: CCPA/CPRA (Cal. Civ. Code §1798.100–1798.199) enforced by the California Privacy Protection Agency (CPPA) and California AG, requiring opt-out rights for sale/sharing of personal information; GDPR (Arts. 6, 9, 13, 17, 20) enforced by EU member state DPAs, requiring lawful basis, data subject rights, and cross-border transfer safeguards; GLBA (15 U.S.C. §6801–6809) enforced by the FTC and fede…

How does Square's Square Privacy Notice affect users?

Square collects a wide range of personal and financial data — including transaction history, device identifiers, location data, government-issued ID, and inferred behavioral profiles — from both merchants and the consumers who shop at Square-powered businesses, even without a direct account relationship. This data may be shared with financial institution partners, service providers, and used for cross-product profiling and marketing purposes, which creates meaningful privacy exposure for everyd…

How often is Square's Square Privacy Notice updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Square updates this document?

Yes. Watcher subscribers ($9.99/month) can add Square to their watchlist and receive same-day email alerts whenever this document or any other Square document changes.

Square Privacy Notice — Square

10 Total

4 High severity

6 Medium severity

0 Low severity

Summary

This is Square's privacy policy explaining how the company collects and uses your personal data when you use Square's payment terminals, online checkout, Cash App ecosystem, and other financial tools — including your name, payment card details, government ID, transaction history, and device location. The most important thing to know is that Square may collect your financial transaction data even if you are a buyer at a merchant's store — not just a Square account holder — meaning you may be in Square's database without ever signing up. You can request access to, correction of, or deletion of your personal data by submitting a request through Square's privacy rights portal at https://squareup.com/us/en/privacy/request.

Technical Summary

This document is Square's Privacy Policy governing the collection, use, and sharing of personal data across Square's suite of payment processing, point-of-sale, financial services, and commerce products, operating under a consent and legitimate interests legal basis framework consistent with CCPA, GDPR, and U.S. state privacy laws. The policy obligates Square to disclose categories of data collected (including financial transaction data, government-issued ID, biometric identifiers for identity verification, device and location data, and inferred consumer profiles) and grants users rights to access, delete, correct, and opt out of certain data sales or sharing. Notably, Square collects transaction-level data from both sellers (merchants) and buyers (consumers who transact with Square-powered businesses), meaning consumer data is collected even from individuals who have never directly contracted with Square — a materially broader collection scope than many industry peers. The policy engages CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.), GDPR (Arts. 6, 9, 13, 17), GLBA (15 U.S.C. §6801), FinCEN BSA/AML requirements, and state money transmission regulations, with the CFPB, FTC, and California Privacy Protection Agency as primary enforcement authorities. Compliance teams should note that Square's dual-sided data collection model (merchant and buyer data) and its use of transaction data for product development and cross-product profiling require careful data mapping and potentially dual consent frameworks under CPRA and GDPR.

Evidence Provenance

Captured April 19, 2026 06:34 UTC

Document ID CA-D-000363

Version ID CA-V-000835

Source URL https://squareup.com/us/en/legal/general/privacy

Wayback Machine View archived versions →

SHA-256 cdc6ce194ab795c09eb511d4069b8946375530c2f0f0036a98acd4decc736197

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed

Institutional Analysis

🔒 Institutional analysis locked

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Upgrade to Professional — $149/mo

Change Timeline

March 29, 2026 — Document updated low

Square updated their Privacy Notice on March 29, 2026, by reordering items in a navigation or footer link list. Specifically, 'Square Data Processing Agreement' was moved earlier in the list, and 'Government Licenses' was repositioned — the overall set of linked documents remains the same. This is a cosmetic reorganization and does not affect any consumer rights or data practices.

· 1 modified
View diff → View full record →
18e0e249…
March 19, 2026 — Initial capture

Initial snapshot — monitoring begins

5910e77e…

View full version history (0 captures) →

Analyzed Changes

1 change analyzed since monitoring began.

Updated March 29, 2026

low

What changed Square updated their Square Privacy Notice on March 29, 2026. Change detected: 1 sentence(s) modified. Document contained 285 sentences after update.

Consumer impact Square rearranged the order of links in the footer or navigation section of its Privacy Notice on March 29, 2026. No substantive rights, data practices, or legal terms were added, removed, or altered. This change has no practical impact on consumers.

Why it matters This change is purely cosmetic and does not affect any consumer rights, data handling practices, or legal obligations. No action is needed.

Recent Clause-Level Changes Mar 29, 2026

8 provisions unchanged.

View full change record →

High Severity — 4 provisions

Passive Buyer Data Collection

Square collects personal and transactional data from consumers who pay at businesses using Square's payment systems, even if those consumers have never created a Square account or directly agreed to Square's terms.

Added April 1, 2026
Cross-Product Data Sharing and Profiling

Square may use data collected across its various products — including payment processing, Cash App, and other financial tools — to build consumer profiles and deliver targeted marketing and product recommendations.

Added April 1, 2026
Identity Verification and Government ID Collection

Square collects government-issued identification documents and, in some cases, biometric data as part of identity verification processes for account opening and financial compliance purposes.

Added April 1, 2026
Location Data Collection

Square collects precise and approximate location data from devices used to access its services, including through mobile apps and merchant hardware, for purposes including fraud detection, service personalization, and compliance.

Added April 1, 2026

Medium Severity — 6 provisions

Data Sharing with Financial Institution and Payment Network Partners

Square shares personal and financial data with banks, card networks (such as Visa and Mastercard), and other financial institution partners in order to process transactions and comply with financial regulations.

Added April 1, 2026
CCPA/CPRA Consumer Privacy Rights

California residents have the right to know what personal data Square collects, request deletion or correction of their data, opt out of the sale or sharing of their personal information, and not be discriminated against for exercising these rights.

Added April 1, 2026
Data Retention for Legal and Fraud Prevention Purposes

Square retains personal and financial data for as long as necessary to provide its services, comply with legal obligations, resolve disputes, enforce agreements, and prevent fraud — which may mean data is retained indefinitely in some circumstances.

Added April 1, 2026
GDPR Rights for EU/EEA Users

EU and EEA users have rights under GDPR to access, correct, delete, port, and restrict processing of their personal data, as well as the right to object to processing and to not be subject to solely automated decisions.

Added April 1, 2026
Children's Data — Age Restriction

Square's services are not directed at children under the age of 13, and Square states it does not knowingly collect personal data from children under 13 without parental consent.

Added April 1, 2026
Third-Party Cookies and Tracking Technologies

Square uses cookies, pixel tags, and similar tracking technologies on its websites and may allow third-party advertising and analytics partners to collect data about users' online behavior across sites.

Added April 1, 2026

Cross-platform context

See how other platforms handle Cross-Product Data Sharing and Profiling and similar clauses.

Compare across platforms →

Applicable Regulations

CCPA/CPRA

California, USA

CFAA

United States Federal

CAN-SPAM

United States Federal

FCRA

United States Federal

GLBA

United States Federal