Do I need to disclose Square in my privacy policy?

Yes. Square processes sensitive payment card data and customer information on your behalf, making it a data processor under GDPR, CCPA, and other privacy regulations. You must disclose Square's involvement in your privacy policy and clearly explain how payment data is handled. This transparency is legally required and helps users understand their data flows.

What specific data does Square collect?

Square collects tokenized payment card details (never raw card numbers), transaction amounts and status, customer contact information (name, email, phone), and order or inventory data. All payment card data is tokenized for PCI-DSS Level 1 compliance, meaning Square never stores full card numbers on your systems. Transaction data is subject to financial services regulations.

Does Square require a cookie consent banner?

Square itself does not set cookies documented in standard implementations. However, you should audit your complete integration for any tracking technologies Square may use for analytics or fraud prevention. Check Square's current privacy documentation at https://squareup.com/legal/privacy to confirm current practices, as this may vary by integration type.

Who processes my data with Square and where does it go?

Block Inc. (Square's parent company, based in the United States) is your data processor. Customer payment and transaction data is transferred to and processed in the United States. You should include this processor name, location, and data transfer information in your privacy policy, and ensure appropriate data transfer mechanisms (like Standard Contractual Clauses) are in place for international compliance.

Fintech

Privacy policy clauses for Square

Square is a fintech payment processing platform that enables businesses to accept credit card payments, manage point-of-sale transactions, and process online orders. Websites integrate Square to securely handle customer payment information and transaction processing through tokenized payment methods.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Square collects

Your privacy policy must disclose each of the following data types when you use Square.

Payment card details (tokenized)

Transaction amounts and status

Customer contact information

Inventory and order data

When does Square trigger privacy obligations?

Installation triggers immediate data collection

The moment you integrate Square into your checkout flow or POS system, you begin collecting and processing payment card details (tokenized), transaction amounts, customer contact information, and order data. This triggers obligations immediately—before a single transaction completes.

Regulated financial data flow

Square operates as a payment processor under PCI-DSS Level 1 compliance, meaning you are jointly responsible for the security of cardholder data. This is not discretionary: any site accepting card payments is subject to PCI Data Security Standard (PCI-DSS) requirements, enforced by card networks (Visa, Mastercard) and acquiring banks. Additionally, transaction data is subject to

Privacy policy clauses for Square

What data Square collects

When does Square trigger privacy obligations?

Installation triggers immediate data collection

Regulated financial data flow

GDPR and CCPA thresholds

First concrete step

Where data goes

Common compliance pitfalls

Pitfall 1: Omitting Square from privacy disclosures or treating it as invisible

Pitfall 2: Failing to execute or maintain a Data Processing Addendum (DPA)

Pitfall 3: Misconfiguring consent and retention in Square's dashboard

Legal note

Sample privacy policy clause

What regulators look for

DPA enforcement priorities with Square

CCPA enforcement focus

Precedent

Frequently asked questions

Do I need to disclose Square in my privacy policy?

What specific data does Square collect?

Does Square require a cookie consent banner?

Who processes my data with Square and where does it go?

Don't ship without Bandit.