Square is a web technology service that provides essential functionality for websites and digital platforms. It delivers core capabilities that support site operations, content delivery, and user experience optimization. Square integrates seamlessly with modern web architectures, ensuring reliable performance and compatibility across browsers and devices. Trusted by businesses worldwide, Square helps organizations maintain robust websites that meet user expectations and technical requirements.
Square, the payments brand of Block, Inc., was founded in 2009 by Jack Dorsey and Jim McKelvey. Originally famous for its card reader dongle, Square is now a full commerce platform covering point of sale, online checkout, invoicing, payroll and lending. European merchants are contractually engaged with Square Up Europe Ltd in Dublin and Square UK Ltd in London, with payment processing performed on US infrastructure.
Square offers in-person card readers, the Square Terminal, the Square Register, the Web Payments SDK (tokenised card collection for any website), the Checkout API (hosted payment pages), Square Online (e-commerce builder) and recurring billing. It also includes anti-fraud, 3D Secure, Strong Customer Authentication under PSD2, dispute management and tax reporting.
The Square Web Payments SDK loads JavaScript from web.squarecdn.com and may set cookies including __cf_bm (Cloudflare bot management) and a fraud risk fingerprint cookie. Square Online sites set additional analytics and marketing cookies such as _ga and _fbp. Square collects card BIN, last four digits, billing address, IP, user agent and device fingerprint for risk scoring.
Payment processing is performed on the legal basis of contract (Art. 6(1)(b) GDPR) and legal obligations (AML, tax). The fraud detection cookie may be considered strictly necessary for the security exemption of Art. 5(3) ePrivacy. Marketing and analytics cookies set by Square Online require ePrivacy consent. SCA under PSD2 requires the customer to authenticate with two factors for most online card payments above 30 EUR.
Although Square Up Europe Ltd is contractually established in Dublin, the underlying systems (authorisation, fraud, settlement, support) run on Block, Inc. infrastructure in the United States. Block, Inc. is self-certified under the EU-US Data Privacy Framework. Document the transfer mechanism and the Transfer Impact Assessment for the payment processing and the supporting systems.
Use the Square Web Payments SDK rather than collecting card data on your own servers to keep PCI DSS scope minimal. Enable 3D Secure 2 for SCA compliance. Sign the Square DPA. Block marketing and analytics cookies behind a CMP category. Mention Block Inc. and Square Up Europe Ltd in your privacy notice with the EU-US DPF transfer mechanism. Configure retention of payment records (typically 10 years for tax).
Websites using Square must obtain user consent under GDPR regulations.
Third-party domains contacted
squareup.com, web.squarecdn.com, pci-connect.squareup.com, square.site, cash.app, block.xyz
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __cf_bm | third_party | 30 minutes | Cloudflare bot management cookie used by Square to distinguish humans from automated traffic on web.squarecdn.com. |
| sq_fid | third_party | Session | Device fingerprint cookie used by Square for fraud detection on online payments. |
| _ga | third_party | 2 years | Google Analytics identifier set by Square Online stores for visitor analytics. |
| _fbp | third_party | 3 months | Meta Pixel identifier set by Square Online when the merchant has enabled Facebook advertising. |
Square uses cookies for user preferences — inform visitors with a consent banner.
The Square Web Payments SDK sets a Cloudflare bot management cookie (__cf_bm, 30 minutes), a fraud fingerprint cookie and a session cookie on web.squarecdn.com. Square Online sites set additional cookies including _ga and _fbp. Strictly necessary cookies do not require consent; analytics and marketing ones do.
Consent is not required for the strictly necessary payment cookies and the security cookie. Consent is required for the marketing and analytics cookies set by Square Online and for any newsletter subscription or remarketing flow.
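One way to verify that the CMP gate holds on a Square Online page is to audit the cookies actually present against the visitor's consent state. This is an added example, not Square's or any CMP vendor's code: the cookie names and categories come from the table above, while the consent-object shape, the function names and the sample header are assumptions constructed for illustration.

```javascript
// Inventory taken from the cookie table on this page.
const SQUARE_COOKIES = {
  __cf_bm: "necessary", // Cloudflare bot management
  sq_fid: "necessary",  // fraud-detection device fingerprint
  _ga: "analytics",     // Google Analytics (Square Online)
  _fbp: "marketing",    // Meta Pixel (Square Online)
};

// Split a Cookie header or document.cookie string into [name, value] pairs.
function parseCookieHeader(header) {
  return header
    .split(";")
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => {
      const eq = part.indexOf("=");
      // Values may themselves contain "=", so split on the first one only.
      return eq === -1
        ? [part, ""]
        : [part.slice(0, eq).trim(), part.slice(eq + 1)];
    });
}

// Report cookies set without consent for their category, and cookies
// that are missing from the inventory (candidates for the cookie table).
function auditCookies(header, consent) {
  const violations = [];
  const unknown = [];
  for (const [name] of parseCookieHeader(header)) {
    // hasOwnProperty keeps names like "constructor" from matching
    // properties inherited from Object.prototype.
    const known = Object.prototype.hasOwnProperty.call(SQUARE_COOKIES, name);
    if (!known) {
      unknown.push(name);
    } else if (SQUARE_COOKIES[name] !== "necessary" &&
               consent[SQUARE_COOKIES[name]] !== true) {
      violations.push({ name, category: SQUARE_COOKIES[name] });
    }
  }
  return { violations, unknown };
}

// Constructed sample: visitor accepted analytics but not marketing.
const SAMPLE_HEADER =
  "__cf_bm=a1b2; sq_fid=dev=42; _ga=GA1.1.111.222; _fbp=fb.1.333; constructor=x";
console.log(auditCookies(SAMPLE_HEADER, { analytics: true, marketing: false }));
```

Run it in a browser console with `document.cookie` as the header after rejecting a category in the banner; any entry in `violations` means a script fired before the CMP released it.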
Contract (Art. 6(1)(b) GDPR) for processing the payment itself. Legal obligation (Art. 6(1)(c)) for anti-money laundering and tax recordkeeping. Legitimate interest (Art. 6(1)(f)) for fraud detection. Consent (Art. 6(1)(a)) for marketing and analytics.
Yes. Although the EU contracting entity is Square Up Europe Ltd in Dublin, the back-end systems are operated by Block, Inc. in the US. Transfers rely on the EU-US Data Privacy Framework (Block is certified) or on Standard Contractual Clauses with supplementary measures.
A DPIA is recommended when handling card data at scale, recurring payments, card on file, or sensitive verticals (health, gambling). The DPIA covers the lawful basis, PCI DSS scope, SCA flow, fraud detection, US transfers and retention.
Use the Web Payments SDK with tokenisation to minimise PCI DSS scope. Enable 3D Secure 2 for SCA compliance. Sign the Square DPA. Block analytics and marketing cookies behind a CMP category. Document Block Inc. and Square Up Europe Ltd as sub-processors and the EU-US transfer mechanism in your records of processing.
EU-based payment processors: Adyen (Netherlands), Mollie (Netherlands), Stripe Ireland (with US back end), Worldline (France), Lyra (France), GoCardless (UK). For SMB: SumUp (UK/Germany), Klarna Checkout (Sweden), Viva Wallet (Greece).
Subscribe to the Square trust centre. When sub-processors, certifications, payment flows or cookies change, update your cookie table, privacy notice and records of processing, and bump the consent banner version. Re-run your PCI DSS self-assessment annually.