This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction.
This document establishes Squarespace's data collection, use, and sharing practices for users of its website-building and e-commerce platform. Squarespace collects personal information including contact details, payment information, browsing behavior, and device data, and the policy authorizes disclosure of this information to advertising partners, analytics providers, and business partners. The policy establishes distinct data handling roles: Squarespace acts as a data controller for its direct customers and as a data processor for information collected on customer-hosted websites, with data on hosted websites controlled by the website owner.
This document is Squarespace's privacy policy governing the collection, use, storage, and sharing of personal information from users of Squarespace's website-building platform, e-commerce tools, and related services, with a stated legal basis rooted in contractual necessity, legitimate interests, consent, and legal obligation depending on the processing activity. The policy states that Squarespace collects identifiers such as name, email, and payment information; behavioral data including browsing and usage patterns; device and location data; and content uploaded by users, and the terms authorize sharing this data with service providers, business partners, advertising networks, and in the context of corporate transactions such as mergers or acquisitions. The policy's dual-role structure, in which Squarespace acts as both a data controller for its own users and a data processor for website visitors whose data is handled on behalf of Squarespace customers, is operationally distinct and creates layered compliance obligations that may not be immediately apparent to end users. The policy engages GDPR for EU/EEA users, CCPA and CPRA for California residents, and UK data protection law, with Squarespace identifying Ireland as its EU establishment and offering region-specific rights including access, deletion, portability, and objection; compliance exposure is heightened for EU and California users given the dual-controller/processor structure and the breadth of third-party data sharing described. Squarespace's use of standard contractual clauses for international data transfers and its reliance on opt-out rather than opt-in consent for certain marketing and analytics activities may require evaluation under applicable regulatory guidance, particularly for EU users.
Squarespace has updated this document before.