Squarespace plays two different privacy roles: it controls data when you are its direct customer, but when you visit a website that someone else built on Squarespace, the website owner controls your data and Squarespace is just processing it on their behalf.
This analysis describes what Squarespace's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This distinction determines who is legally responsible for protecting your data and who you can contact to exercise rights like deletion or access, which may not be obvious when visiting a Squarespace-powered site.
If you are a visitor to a third-party website built on Squarespace, your data access and deletion rights must be exercised with the website owner, not Squarespace, which may limit the practical remedies available to you depending on that owner's responsiveness.
How other platforms handle this
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
At Workday, we believe privacy is a fundamental right, regardless of where you live. When you connect with Workday, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use, and share that information.
Mixpanel acts as a data processor on behalf of its customers (the controllers) when processing end user data through the Mixpanel analytics platform, and as a data controller with respect to data it collects about its own website visitors and account holders.
Monitoring
Squarespace has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"When you visit a website built on Squarespace, Squarespace acts as a service provider or data processor, meaning that we process your information on behalf of the website owner. In this case, the website owner is responsible for the information they collect through their website and you should contact them about their privacy practices. When we collect information directly from you in order to provide our services to you (such as when you create a Squarespace account or subscribe to a plan), we act as a data controller.— Excerpt from Squarespace's Squarespace Privacy Policy
REGULATORY LANDSCAPE: This dual-role structure directly implicates GDPR Articles 4(7) and 4(8) defining controller and processor, and Article 28 governing processor agreements. The Irish Data Protection Commission serves as Squarespace's lead EU supervisory authority. The structure also engages CCPA and CPRA definitions of business versus service provider. Where this distinction is not clearly communicated to website visitors, it may engage GDPR Articles 13 and 14 transparency obligations at the website-owner level. GOVERNANCE EXPOSURE: High. The operational complexity of a dual controller/processor structure creates downstream compliance obligations for Squarespace's B2B customers, who bear controller responsibility for visitor data but may not have adequate data processing agreements or GDPR-compliant notice mechanisms in place. Squarespace's policy asserts this distinction but enforcement of it depends on whether customer-facing sites implement adequate privacy notices. JURISDICTION FLAGS: Heightened exposure in the EU/EEA and UK, where GDPR and UK GDPR impose strict controller/processor delineation and mandate written data processing agreements. California exposure exists under CPRA, which similarly distinguishes between businesses and service providers. The provision may affect any jurisdiction with statutory definitions of data controller versus processor. CONTRACT AND VENDOR IMPLICATIONS: Organizations using Squarespace to host customer-facing websites should confirm that a compliant data processing agreement is in place with Squarespace, and that their own privacy notices adequately disclose Squarespace's role as a processor. Procurement teams should audit whether existing DPAs address all relevant processing activities, data categories, and sub-processor arrangements. COMPLIANCE CONSIDERATIONS: Compliance teams at organizations using Squarespace should review their own privacy notices to ensure visitors are informed of the controller's identity and data practices. Data mapping exercises should reflect Squarespace as a sub-processor where applicable. Any data subject requests received by Squarespace-hosted site operators should be responded to within GDPR or CCPA timelines, and teams should confirm Squarespace's contractual commitments support this.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This distinction determines who is legally responsible for protecting your data and who you can contact to exercise rights like deletion or access, which may not be obvious when visiting a Squarespace-powered site.
If you are a visitor to a third-party website built on Squarespace, your data access and deletion rights must be exercised with the website owner, not Squarespace, which may limit the practical remedies available to you depending on that owner's responsiveness.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Squarespace.