Acuity Scheduling, now branded Squarespace Scheduling, is an appointment booking platform widely used by coaches, therapists, salons, photographers, consultants and small healthcare practices. It offers a calendar-centric booking experience with intake forms, reminders, recurring appointments and integrations with Stripe, Square, Zoom, Google Meet and most calendar systems. The Acuity widget loads on the customer site and transmits booking data to Squarespace, Inc. servers in the United States.
Acuity Scheduling, now formally Squarespace Scheduling since the 2019 acquisition by Squarespace, is an online appointment booking platform aimed at independent professionals and small businesses. Coaches, therapists, hairdressers, photographers, consultants and small healthcare practices use it to publish a public booking page, manage availability, send automated reminders and reduce no-shows. Customers can book single or recurring appointments, complete intake forms, pay through Stripe or Square at booking, and join video meetings via Zoom or Google Meet.
At booking time, Acuity collects name, email, phone, address, optional date of birth, intake form responses (which may include health information for medical practices), payment data forwarded to Stripe or Square and IP address. The embedded widget sets cookies on acuityscheduling.com such as _acuityscheduling_session, acuity-csrf-token and several Squarespace tracking cookies (ss_cookieAllowed, RecentRedirect). Webhook integrations expose data to Mailchimp, ConvertKit, ActiveCampaign or Zapier depending on the practitioner's configuration.
The embedded widget loads automatically on the host page and sets cookies before any booking starts, which triggers Article 5(3) of the ePrivacy Directive. The processing of appointment data after the user actively books rests on contract performance under Article 6(1)(b) GDPR. Intake forms collecting health information bring Article 9 special category data into play, requiring explicit consent or a healthcare professional secrecy basis. The US transfer must be referenced with the DPF or SCC mechanism.
For the embedded widget, yes: gate the script behind a consent banner under the Functional or Marketing category. If you only link to a hosted booking page on acuityscheduling.com, the consent obligation shifts to that destination, and the user is then subject to Acuity's privacy notice. Inside the booking flow itself, once the user has actively chosen to book, processing can run under contract, but intake forms with health data still need their own explicit consent.
Acuity Scheduling stores all appointment, customer and payment data on Squarespace, Inc. infrastructure in the United States. Squarespace is self-certified under the EU-US Data Privacy Framework. EU SCCs are included in the Squarespace DPA. For healthcare professionals, the US storage of Article 9 data requires a documented Transfer Impact Assessment and is in tension with several national health data laws (notably the Health Data Hub doctrine in France and the BfArM Hosting requirements in Germany).
Gate the widget behind your consent manager, sign the Squarespace DPA, configure intake forms to avoid collecting sensitive data unless strictly necessary, and obtain explicit consent for any health information. Document Squarespace, Inc. as a recipient in the privacy policy with the DPF and SCC mechanism. For practices subject to French Health Data Hosting (HDS) certification or German healthcare hosting requirements, consider an EU-based alternative.
Websites using Acuity Scheduling must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA can be required when Acuity is used by healthcare professionals collecting health data, by therapists handling sensitive disclosures, or at large scale across multiple practices. Document the categories of data collected through intake forms, the US transfer mechanism, the integrations with payment and video providers, and the retention.
Sample consent text
We use Acuity Scheduling (Squarespace Scheduling) to manage appointments. Loading the booking widget sends your IP and booking details to Squarespace, Inc. in the United States. Do you accept?
Third-party domains contacted
- acuityscheduling.com
- app.squarespacescheduling.com
- cdn.acuityscheduling.com
- squarespace.com
- js.stripe.com
- squarecdn.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _acuityscheduling_session | third party | Session | Maintains the booking session between the embedded widget and the Acuity backend during a reservation. |
| acuity-csrf-token | third party | Session | Cross site request forgery protection token used by Acuity during the booking flow. |
| ss_cookieAllowed | third party | 1 year | Squarespace cookie that remembers the user's cookie banner choice on the Squarespace platform. |
| RecentRedirect | third party | Session | Squarespace cookie used to track the previous URL when redirecting between Squarespace properties. |
| crumb | third party | Session | Squarespace CSRF protection cookie set on the booking page. |
| __stripe_mid / __stripe_sid | third party | Session to 1 year | Stripe payment cookies set when paying through Acuity, used for fraud prevention by Stripe. |
Acuity Scheduling uses cookies for user preferences — inform visitors with a consent banner.
The widget sets _acuityscheduling_session for the booking session, acuity-csrf-token for CSRF protection and a few Squarespace cookies (ss_cookieAllowed, RecentRedirect). If payment is configured, Stripe or Square cookies are also set during checkout.
For the embedded widget, yes, because it sets cookies and loads scripts before any booking. Once the user actively books, the strictly necessary cookies (session, CSRF) can run under contract performance, but the initial load still needs consent.
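A way to verify that the gate described above actually holds, as an added example (not code from Acuity, Squarespace or this page's author): it scans a captured request log for loads of the domains and cookies listed on this page that happened before the visitor consented. The entry shape, function names and sample capture are assumptions constructed for illustration.

```javascript
// Domains and cookie names are the ones listed on this page.
const ACUITY_DOMAINS = [
  "acuityscheduling.com", "app.squarespacescheduling.com", "cdn.acuityscheduling.com",
  "squarespace.com", "js.stripe.com", "squarecdn.com",
];
const ACUITY_COOKIES = [
  "_acuityscheduling_session", "acuity-csrf-token", "ss_cookieAllowed",
  "RecentRedirect", "crumb", "__stripe_mid", "__stripe_sid",
];

// Returns the listed domain that host equals or is a subdomain of, else null.
// Matching is on a label boundary, so "notacuityscheduling.com" does not count.
function matchesListedDomain(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return ACUITY_DOMAINS.find((d) => h === d || h.endsWith("." + d)) || null;
}

// entries: [{ t: ms since navigation, url, setCookie: [cookie names] }]
// (hypothetical shape, e.g. flattened from a HAR export).
// consentAt: ms at which the visitor accepted, or null if they never did.
// Returns every request that reached a listed domain without prior consent.
function findPreConsentLoads(entries, consentAt) {
  const findings = [];
  for (const e of entries) {
    let host;
    try { host = new URL(e.url).hostname; } catch { continue; } // unparseable URL
    const domain = matchesListedDomain(host);
    if (!domain) continue;
    if (consentAt !== null && e.t >= consentAt) continue; // loaded after opt-in
    const cookies = (e.setCookie || []).filter((n) => ACUITY_COOKIES.includes(n));
    findings.push({ t: e.t, host, domain, cookies });
  }
  return findings;
}

// Constructed sample capture: the widget loads at 120 ms, consent is given at 5000 ms.
const SAMPLE = [
  { t: 40, url: "https://www.example-practice.test/book", setCookie: [] },
  { t: 120, url: "https://app.squarespacescheduling.com/",
    setCookie: ["_acuityscheduling_session", "acuity-csrf-token"] },
  { t: 180, url: "https://notacuityscheduling.com/x.js", setCookie: [] },
  { t: 6100, url: "https://js.stripe.com/", setCookie: ["__stripe_mid"] },
];
console.log(findPreConsentLoads(SAMPLE, 5000));
```

An empty result for a capture taken with the banner still unanswered (`consentAt` set to `null`) is the state a correctly gated page should produce.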
Contract performance (Art. 6(1)(b) GDPR) for the booking and any service delivered after, legal obligation (Art. 6(1)(c)) for invoicing retention, consent (Art. 6(1)(a)) for the widget loading on the host page and for intake forms collecting Article 9 health data.
Yes. Squarespace, Inc. operates Acuity from US infrastructure. The EU-US Data Privacy Framework certification and EU SCCs in the Squarespace DPA cover the transfer. Health data raises an additional layer requiring a Transfer Impact Assessment.
For independent coaches or beauty salons, generally no. For healthcare professionals collecting health data, therapists or multi-practitioner platforms, a DPIA is recommended to cover the Article 9 processing, the US transfer and the integrations with Stripe, Square, Zoom or Google Meet.
Gate the widget behind a CMP, sign the Squarespace DPA, configure intake forms to ask only what is necessary, anchor health data on explicit consent, list Squarespace, Inc. as a recipient with the DPF or SCC mechanism, and consider an EU alternative for HDS or BfArM regulated practices.
EU-based alternatives: Doctolib (FR, healthcare), Maiia (FR), Planity (FR, salons), Treatwell (UK/EU, salons), Calendly (US, but ISO 27001 with EU region), TIMIFY (DE), SimplyBook.me (UK/Cyprus). Open source: Cal.com (self-hostable).
Add an entry under Functional or Marketing: provider Squarespace, Inc. (USA), domains acuityscheduling.com, app.squarespacescheduling.com, cookies (_acuityscheduling_session, acuity-csrf-token, ss_cookieAllowed), purpose appointment booking, transfer mechanism EU-US Data Privacy Framework and SCCs, retention according to your appointment retention policy.