Do I need to disclose Squarespace in my privacy policy?

Yes. Squarespace is a data processor handling information collected through your website, so you must disclose this in your privacy policy. Users have a right to know which third parties access their data. Squarespace's data processing also triggers obligations under GDPR and CCPA, requiring transparency about data transfers and processor relationships.

What specific data does Squarespace collect?

Squarespace collects form submission data, e-commerce transaction information, visitor IP addresses, and analytics data about how users interact with your website. This includes purchase history, customer contact information, and behavioral analytics. The platform uses this data to provide hosting, security, and performance services for your website.

Does Squarespace require a cookie consent banner?

Yes. Squarespace uses cookies prefixed with 'ss_*' that are strictly necessary for platform functionality. Under GDPR and similar regulations, you must disclose cookie usage and obtain consent for non-essential cookies. Even strictly necessary cookies require transparency in your privacy policy and cookie disclosure.

Who is the data processor and where is data stored?

Squarespace Inc., a United States-based company, is the primary data processor. Data is transferred to and processed in the United States. If you have EU residents as visitors, you must ensure appropriate data transfer mechanisms (like Standard Contractual Clauses) are in place, as Squarespace's U.S. location raises GDPR transfer concerns.

CMS

Privacy policy clauses for Squarespace

Squarespace is a website builder and content management system that enables businesses to create, host, and manage websites with integrated e-commerce capabilities. Websites using Squarespace must disclose this relationship because Squarespace processes visitor data on the site operator's behalf.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Squarespace collects

Your privacy policy must disclose each of the following data types when you use Squarespace.

Form submissions

Commerce data

IP address

Analytics

When does Squarespace trigger privacy obligations?

Installation and Data Flow Start Points

Squarespace begins collecting data the moment your site goes live. The platform automatically collects IP addresses from all visitors, form submission data (names, emails, messages), commerce transaction data (if e-commerce is enabled), and analytics events. These flows trigger obligations immediately—not after a certain traffic threshold.

Applicable Regulations by Geography

GDPR (EU/EEA visitors): Applies if you have any EU visitor, regardless of where your business is based. Squarespace Inc. (US-based processor) requires a Data Processing Agreement (DPA) under GDPR Article 28. You must establish lawful basis (Article 6) for each data type: consent for analytics cookies, legitimate interest for form data, contract for commerce data.

Common compliance pitfalls

Cookie	Duration	Category	Purpose
ss_*	varies	strictly necessary	Platform functionality

Pitfall 1: Missing the DPA Requirement

The mistake: Operators assume Squarespace's privacy policy is sufficient and don't request a Data Processing Agreement.

Why it happens with Squarespace: Squarespace provides general legal documentation, but doesn't automatically execute a DPA—you must formally request one. Many indie founders don't realize the DPA is a separate legal requirement (GDPR Article 28) from the privacy policy.

Consequence: Without a DPA, you lack contractual guarantees on how Squarespace will process EU personal data. This is a direct GDPR violation and exposes you to fines (up to 4% of global revenue) and data subject complaints. Regulators consistently flag missing DPAs first in audits.

Pitfall 2: Treating All Cookies as "Necessary"

The mistake: Operators don't implement a consent mechanism for Squarespace's `ss_*` cookies, assuming they're all strictly necessary.

Why it happens with Squarespace: Some `ss_*` cookies do support platform functionality, but Squarespace also uses cookies for tracking and analytics that are not strictly necessary. Without reviewing Squarespace's cookie documentation carefully, operators assume a blanket exemption.

Consequence: Non-essential tracking cookies loaded without explicit prior consent violate the ePrivacy Directive Article 5(3). EDPB and national DPAs (especially CNIL, ICO) have issued significant fines for this; it's treated as a high-priority enforcement issue.

Pitfall 3: Incomplete Privacy Policy Disclosures

The mistake: Privacy policies mention "analytics" generically but don't name Squarespace or explain specific data types collected (IP, form submissions, transaction details).

Why it happens with Squarespace: Squarespace's own privacy policy is detailed, but operators often write minimal privacy statements that assume visitors will read Squarespace's policy separately. GDPR Article 13 and CCPA Section 1798.100 require YOU to disclose this information directly.

Consequence: Regulators view this as opacity and lack of transparency. EU DPAs and California's CCPA enforcement team cite missing or vague disclosures as triggers for fines and orders to redesign privacy notices.

Privacy policy clauses for Squarespace

What data Squarespace collects

When does Squarespace trigger privacy obligations?

Installation and Data Flow Start Points

Applicable Regulations by Geography

First Concrete Steps

Where data goes

Cookies set by Squarespace

Common compliance pitfalls

Pitfall 1: Missing the DPA Requirement

Pitfall 2: Treating All Cookies as "Necessary"

Pitfall 3: Incomplete Privacy Policy Disclosures

Sample privacy policy clause

What regulators look for

Priority Audit Focus Areas

Known Enforcement Patterns

Frequently asked questions

Do I need to disclose Squarespace in my privacy policy?

What specific data does Squarespace collect?

Does Squarespace require a cookie consent banner?

Who is the data processor and where is data stored?

Don't ship without Bandit.