Square Appointments is an online booking and appointment scheduling tool by Block Inc. (formerly Square) that can be embedded on websites. It collects customer names, email addresses, phone numbers, service preferences, and payment information for booking fulfilment. While the primary processing basis is contract performance, the embedded widget sets cookies requiring ePrivacy consent, and all data is processed in the United States with no EU residency option.
Square Appointments is an online booking and scheduling platform operated by Block Inc. (formerly Square Inc.), the US-based financial technology company. It allows businesses to accept appointment bookings online through an embeddable widget or a hosted booking page. Square Appointments integrates with Square's broader payment and point-of-sale ecosystem, enabling businesses to manage customer relationships, send booking confirmations and reminders, process deposits, and track appointment history. It is used across a wide range of service businesses including salons, healthcare providers, fitness studios, and professional services firms.
Square Appointments collects customer name, email address, phone number, service type, preferred staff member, appointment date and time, booking notes, and payment information for deposits or prepayments. It also collects IP addresses and device information when the booking widget loads. Appointment history is stored and linked to customer profiles in the Square Customer Directory. If integrated with Square Payments, card details and transaction records are also processed.
Square Appointments has a relatively clear GDPR compliance profile for standard booking use cases. The core data collection — name, contact details, and appointment information — is necessary to fulfil the booking contract, providing a solid contract performance basis under Article 6(1)(b). The ePrivacy Directive still requires consent for any non-essential cookies set by the embedded widget before it loads. Special consideration applies when Square Appointments is used for health-related bookings, as appointment data in a medical context may constitute health data under Article 9, requiring explicit consent and heightened data protection measures.
For the booking data itself, consent is not required as contract performance provides the lawful basis. However, for any non-essential cookies set by the Square Appointments widget script before booking begins, ePrivacy consent is required. Customers completing a booking must be informed through a privacy notice that their data will be processed by Square in the US, what data is collected, and how long it will be retained. A pre-booking privacy notice or link to your privacy policy satisfies this transparency requirement.
Block Inc. is a US company and processes all appointment and customer data on US infrastructure with no EU data residency option. This is a third-country transfer under GDPR Chapter V. Standard Contractual Clauses apply as the transfer mechanism. Organisations should reference Block Inc.'s Data Processing Addendum and sign it to ensure GDPR-compliant transfer safeguards are in place.
To use Square Appointments compliantly: obtain ePrivacy consent before the booking widget script loads; include a privacy notice on your booking page informing customers of Square as a processor and the US transfer; sign Block Inc.'s Data Processing Addendum; update your privacy policy to describe Square Appointments as a data processor; document the US transfer in your RoPA; for health-related bookings, obtain explicit consent under Article 9(2)(a) and implement appropriate additional safeguards; and configure Square's customer notification settings to avoid sending unsolicited marketing to booked customers without their separate marketing consent.
Websites using Square Appointments must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for basic appointment booking deployments. However, it becomes advisable when Square Appointments processes health-related booking data (medical appointments, therapy sessions) which may constitute special category data under GDPR Article 9, or when integrated with payment processing that handles financial personal data at scale.
Sample consent text
This booking widget is powered by Square Appointments (Block Inc., United States). To complete your booking, Square will collect your name, email address, phone number, and appointment preferences. This data will be processed in the United States. Your booking data is necessary to fulfil your appointment request. For more information, see our privacy policy.
Third-party domains contacted
squareup.com
squarecdn.com
api.squareup.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _sq_session | session | Session | Session identifier used to maintain the active booking flow state |
| _sq_anon_id | persistent | 1 year | Anonymous visitor identifier used to track booking funnel behaviour |
Square Appointments uses cookies for user preferences — inform visitors with a consent banner.
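One way to verify that the widget really is held back until consent, as an added example that is not Square's or this page's own code: audit a network capture for requests to the domains listed above, or for the two listed cookies, that occur before the consent click. The event format, timestamps, URLs and sample capture are constructed assumptions.

```javascript
// Added example: find Square requests or cookies that precede consent.
// Domains and cookie names come from the lists above; event shape is assumed.
const SQUARE_DOMAINS = ["squareup.com", "squarecdn.com", "api.squareup.com"];
const SQUARE_COOKIES = ["_sq_session", "_sq_anon_id"];

// True for a listed domain or any subdomain of it, not for lookalike hosts.
function isSquareHost(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return SQUARE_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Extract the cookie name from one Set-Cookie header value.
function cookieName(setCookie) {
  return setCookie.split(";")[0].split("=")[0].trim();
}

// events: [{ t: ms, url: string, setCookies?: string[] }]
// consentAt: ms timestamp of the consent click, or null if never given.
function auditCapture(events, consentAt) {
  const findings = [];
  for (const ev of events) {
    if (consentAt !== null && ev.t >= consentAt) continue; // after consent
    const host = new URL(ev.url).hostname;
    if (isSquareHost(host)) {
      findings.push({ t: ev.t, kind: "request", detail: host });
    }
    for (const sc of ev.setCookies || []) {
      const name = cookieName(sc);
      if (SQUARE_COOKIES.includes(name)) {
        findings.push({ t: ev.t, kind: "cookie", detail: name });
      }
    }
  }
  return findings;
}

// Constructed sample capture (not real traffic); paths are placeholders.
const SAMPLE = [
  { t: 100, url: "https://shop.example/booking" },
  { t: 180, url: "https://squarecdn.com/placeholder.js" },
  { t: 220, url: "https://squareup.com.example/pixel" }, // lookalike host
  { t: 260, url: "https://api.squareup.com/placeholder",
    setCookies: ["_sq_anon_id=abc; Max-Age=31536000; Secure"] },
  { t: 900, url: "https://squareup.com/placeholder",
    setCookies: ["_sq_session=xyz; Secure; HttpOnly"] },
];

console.log(auditCapture(SAMPLE, 500)); // consent click at t=500
```

An empty result for a capture that includes the consent click means nothing from the listed domains loaded early; any finding points at a script tag or iframe that is not gated by the consent manager.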
Square Appointments collects customer name, email address, phone number, selected service, preferred staff, appointment date and time, booking notes, and payment information for deposits. It also logs the IP address and device information of the customer when the booking widget loads. This data is stored in the Square Customer Directory and linked to the customer profile.
For the booking data itself, no separate consent is required as contract performance provides the lawful basis. However, consent is required for any non-essential cookies the booking widget sets before the customer starts booking. A pre-booking privacy notice informing the customer about Square as a processor and the US transfer must be displayed before they provide personal data.
Contract performance under Article 6(1)(b) GDPR is the primary legal basis for processing customer booking data necessary to fulfil the appointment. Consent under Article 6(1)(a) is required for non-essential cookies set by the widget. If Square's marketing features are used to contact customers after their appointment, a separate marketing consent is required.
Yes. Block Inc. is a US company and processes all booking, customer, and payment data on US infrastructure. Standard Contractual Clauses apply. Organisations should sign Block Inc.'s Data Processing Addendum to formalise the transfer safeguard and document the transfer in their Records of Processing Activities.
Generally not for standard service bookings. A DPIA becomes necessary when Square Appointments is used for health-related bookings where appointment data constitutes health data under GDPR Article 9, or when integrated with payment systems processing large volumes of financial personal data. The combination of health data and US transfer would require a DPIA.
Display a privacy notice on your booking page before customers enter their data, identifying Square as a processor and disclosing the US transfer. Obtain ePrivacy consent before the widget script loads. Sign Block Inc.'s DPA. Update your privacy policy. For health bookings, obtain explicit Article 9 consent. Configure Square's marketing settings to avoid using booking data for marketing without separate consent. Document the processing in your RoPA.
Calendly offers EU data residency options. Acuity Scheduling (part of Squarespace) has EU data processing. For full EU sovereignty, open-source tools like Cal.com can be self-hosted on EU infrastructure. Doctolib is a French booking platform specifically designed for healthcare with GDPR compliance built in for medical appointment data.
With caution. Appointment data in a medical context (doctor, therapist, specialist) may constitute health data under GDPR Article 9, which requires explicit consent and a higher standard of protection. You must obtain explicit consent from patients before using Square for medical bookings, conduct a DPIA, and ensure your DPA with Block Inc. covers Article 9 data. EU-hosted alternatives like Doctolib are specifically designed for this purpose.