Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Squarespace is a US-based SaaS website builder used widely in Europe for portfolios, brochure sites and small e-commerce stores. Pages are served from Squarespace infrastructure in the United States, which means EU visitor data is transferred under Standard Contractual Clauses. The platform sets a few first-party cookies for session management and analytics; non-essential analytics and marketing scripts require prior consent.
Squarespace is a fully managed SaaS website builder founded in 2003 and headquartered in New York. It targets creators, freelancers and small businesses who want a polished site without managing their own server. Squarespace also offers an integrated commerce module, scheduling, email marketing and a domain registrar. Hosting and processing happen on Squarespace infrastructure in the United States.
On a default Squarespace site, the platform sets a session cookie (SS_MID), an analytics cookie (ss_cvisit, ss_cvr) and additional cookies when visitors interact with forms, the cart or members areas. Squarespace Analytics tracks page views, referrers, devices and conversions. Optional integrations such as Google Analytics, Meta Pixel, TikTok Pixel or chat widgets add further trackers depending on what the merchant configures.
The session cookie is strictly necessary and exempt from consent under Art. 5(3) ePrivacy. Squarespace Analytics, Cookies & Visitor Data and any third party tracker require freely given consent (Art. 6(1)(a) GDPR). Squarespace ships a built-in cookie banner module, but it must be configured in opt-in mode for EU visitors and combined with proper categorisation. Customer accounts and Commerce orders rely on contract performance (Art. 6(1)(b)).
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Squarespace processes data in the United States. EU visitor and customer data is transferred to the US under Standard Contractual Clauses, included in the Squarespace Data Processing Addendum. Schrems II requires the merchant to perform a Transfer Impact Assessment and to inform data subjects of the US transfer in the privacy policy.
Sign the Squarespace DPA from your account settings. Enable the built-in Cookies & Visitor Data banner in opt-in mode for EU visitors. Disable Squarespace Analytics or block it until consent is given. Mention Squarespace as a US processor in your privacy notice with the SCC reference. Review installed code injections and third party widgets quarterly.
Websites using Squarespace must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for Squarespace Commerce stores that process large customer volumes, sensitive data or extensive marketing automation, given the US transfer combined with US based processing of customer and order data.
Sample consent text
This website is built on Squarespace (Squarespace, Inc., United States). Analytics and marketing scripts are loaded only after your consent. Customer and order data is transferred to the US under Standard Contractual Clauses.
Third-party domains contacted
www.squarespace.comimages.squarespace-cdn.comstatic1.squarespace.comassets.squarespace.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| SS_MID | first_party | 2 years | Strictly necessary cookie used by Squarespace to identify the visitor session and for security signals. |
| ss_cvisit | first_party | 2 years | Squarespace Analytics cookie that tracks first-time and returning visitors. |
| ss_cvr | first_party | 2 years | Squarespace Analytics cookie that records aggregated visit information for site reports. |
| crumb | first_party | Session | CSRF token used by Squarespace forms and Commerce checkout flows. |
| test | first_party | Session | Verifies whether the visitor browser accepts cookies for Squarespace functionality. |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
Squarespace sets a session and identification cookie (SS_MID), Squarespace Analytics cookies (ss_cvisit, ss_cvr) that track first time and returning visitors, a CSRF cookie (crumb) for forms and Commerce checkout, and an internal test cookie that verifies cookie support. Additional cookies appear when you enable Member Areas, Commerce or third-party integrations such as Google Analytics or Meta Pixel.
Yes for the analytics cookies (ss_cvisit, ss_cvr) and any third party tracker. The session and CSRF cookies are strictly necessary and exempt under Art. 5(3) ePrivacy. Configure the built-in Cookies & Visitor Data banner in opt-in mode for EU visitors and block analytics until consent is given.
Strictly necessary cookies rely on Art. 5(3) ePrivacy. Squarespace Analytics, marketing pixels and chat widgets rely on consent (Art. 6(1)(a) GDPR). Customer accounts and Commerce orders rely on contract performance (Art. 6(1)(b)). Tax retention for Commerce relies on legal obligation (Art. 6(1)(c)).
Yes. Squarespace, Inc. processes data in the United States. EU visitor and customer data is transferred to the US under the Standard Contractual Clauses included in the Squarespace Data Processing Addendum. Run a Transfer Impact Assessment and disclose the US transfer in your privacy notice.
A standard portfolio or brochure site does not normally require a DPIA. A DPIA is recommended for Squarespace Commerce stores with high transaction volumes, processing of special category data, or extensive marketing automation, given the US transfer combined with US based customer data processing.
Sign the Squarespace DPA from your account settings. Enable the Cookies & Visitor Data banner in opt-in mode for EU visitors with proper categories. Disable Squarespace Analytics until consent is given or rely on the consent integration. Add Squarespace as a US processor in your privacy notice with the SCC reference. Audit code injections and third party widgets quarterly.
For EU-hosted website builders, consider Webflow with EU hosting, Strikingly EU, Jimdo (Germany) or open source options like WordPress on a European host. The privacy result depends on the hosting region and which third-party scripts you load.
List the cookies set by Squarespace (SS_MID, ss_cvisit, ss_cvr, crumb, test) with name, purpose, duration and category. Add cookies introduced by Member Areas, Commerce, payment processors, custom code injections and third party widgets. Document the consent mechanism and the US data transfer to Squarespace, Inc.