Privacy Policy for Squarespace Websites
Squarespace powers millions of websites with built-in analytics, commerce, scheduling, and member areas — all of which collect personal data. Generate a privacy policy that covers every Squarespace feature and third-party integration in under 2 minutes.
Why Your Squarespace Website Needs a Privacy Policy
Every Squarespace website collects personal data from the moment it goes live. Squarespace Analytics automatically tracks visitor behavior, geographic location, and device information on all published sites — no configuration required. The moment you add a contact form, enable Commerce, set up Member Areas, or connect Acuity Scheduling, you are collecting significantly more personal information that privacy laws require you to disclose.
Commerce & Payments
Squarespace Commerce collects customer names, addresses, email, phone numbers, payment details, and order histories. Payment processing flows through Stripe, PayPal, or Square — all third parties that must be disclosed in your privacy policy.
Forms & Data Collection
Contact forms, newsletter signups, and custom form blocks store all submissions in your Squarespace dashboard. This includes names, email addresses, phone numbers, file uploads, and any custom fields you create.
Scheduling & Members
Acuity Scheduling collects client contact details, appointment preferences, and intake form responses. Member Areas store account credentials, content access patterns, and payment data for gated content.
GDPR (EU) can impose fines up to €20 million or 4% of global revenue. CCPA (California) carries penalties of $7,500 per intentional violation. Beyond legal risk, many third-party services require merchants and site owners to maintain compliant privacy policies. Stripe's terms of service explicitly require merchants to publish a privacy policy, and Google Ads will reject accounts that link to sites without adequate privacy disclosures.
Squarespace Features That Collect Personal Data
Unlike platforms where data collection depends on which plugins you install, Squarespace has built-in features that collect personal data as part of the platform. Your privacy policy must account for every feature you have enabled. Here is what each one collects:
Squarespace Analytics
- Page views, unique visitors, and session duration
- Traffic sources and referral URLs
- Geographic location (country, region, city)
- Device type, browser, and operating system
- Search keywords used to find your site
Note: Enabled by default on all Squarespace sites. Collects visitor data without requiring any setup from the site owner.
Form Blocks
- Name, email address, phone number, and custom fields
- File uploads attached to form submissions
- Submission timestamps and page of origin
- IP address logged in form submission metadata
Note: Contact forms, newsletter signups, and custom forms all store submissions in the Squarespace dashboard indefinitely unless manually deleted.
Squarespace Commerce
- Customer name, email, phone, billing and shipping addresses
- Order history, product selections, and transaction amounts
- Payment method details (processed via Stripe, PayPal, or Square)
- Tax information and discount code usage
- Abandoned cart data including email and cart contents
Note: Commerce plans process payment data through third-party processors. Squarespace never stores full card numbers, but transaction metadata is retained.
Member Areas
- Member email address and account credentials
- Membership tier and subscription status
- Content access history and login timestamps
- Payment information for paid memberships
Note: Member data is stored by Squarespace and linked to Stripe for recurring billing. Members can access some data via their account settings.
Squarespace Scheduling (Acuity)
- Client name, email, phone number
- Appointment type, date, time, and duration
- Intake form responses and custom field data
- Payment details for paid appointments
- Calendar sync data if connected to Google/Outlook
Note: Acuity Scheduling was acquired by Squarespace in 2021. Client data may be shared between Squarespace and Acuity systems.
Email Campaigns
- Subscriber email addresses and names
- Campaign open rates and click tracking
- Unsubscribe and bounce records
- Mailing list segments and tags
Note: Email Campaigns tracks recipient behavior (opens, clicks) using tracking pixels. This must be disclosed under GDPR.
Third-Party Integrations That Require Disclosure
Squarespace makes it easy to connect external services through built-in integrations and code injection. Each connected service that receives visitor or customer data must be named in your privacy policy. Here are the most common categories:
Analytics & Tracking
- Google Analytics: Full visitor behavior tracking, demographics, interests, cross-device tracking
- Facebook Pixel: Conversion tracking, retargeting audiences, cross-site behavior profiling
- Pinterest Tag: Conversion events, audience building, shopping behavior tracking
- Google Ads: Conversion tracking, remarketing lists, click attribution
Email & Marketing
- Mailchimp: Subscriber lists, campaign engagement, e-commerce purchase data sync
- Zapier: Form submissions, order data, and customer info routed to 5,000+ apps
- ConvertKit: Email subscribers, tag-based segmentation, automation triggers
Social Media Embeds
- Instagram Feed: Sets Instagram cookies, tracks viewing behavior, loads third-party scripts
- YouTube Embeds: Google cookies for video tracking, watch history, ad personalization
- Twitter/X Embeds: Sets Twitter cookies, tracks impressions and engagement
- SoundCloud/Spotify: Audio player cookies, listening behavior tracking
Payment Processors
- Stripe: Card details, billing address, transaction records, fraud prevention data
- PayPal: Account email, billing info, transaction history, buyer protection data
- Square: Card details, billing address, transaction metadata, refund records
- Afterpay/Clearpay: Customer identity verification, credit assessment, installment payment data
Any code you add via Squarespace's Code Injection feature (Settings > Advanced > Code Injection) may also set cookies or collect data. This includes chat widgets like Intercom or Drift, heatmap tools like Hotjar, and A/B testing platforms.
Cookies Set by Squarespace Websites
Squarespace sets several first-party cookies on all sites, and additional cookies appear when you enable Commerce or connect third-party analytics. Under GDPR and the ePrivacy Directive, you must disclose every cookie your site sets and obtain consent for non-essential cookies before they are placed.
Squarespace Essential Cookies
| Cookie Name | Purpose | Duration |
|---|---|---|
| crumb | CSRF protection token for form submissions and security | Session |
| ss_cid | Identifies unique visitors for Squarespace Analytics | 2 years |
| ss_cvr | Tracks visitor conversion events and sessions | 2 years |
| ss_cvt | Tracks the timestamp of conversion events | 30 minutes |
| ss_cpvisit | Tracks campaign page visits and referrals | 2 years |
Commerce Cookies
| Cookie Name | Purpose | Duration |
|---|---|---|
| ss_carts | Stores shopping cart contents across sessions | 2 weeks |
| ss_lastvisit | Records the last visit timestamp for returning customers | 2 years |
| ss_cvisit | Tracks current browsing session for commerce analytics | 30 minutes |
Third-Party Cookies (Common)
| Cookie Name | Purpose | Duration |
|---|---|---|
| _ga / _ga_[ID] | Google Analytics: distinguishes unique users and tracks sessions | 2 years |
| _gid | Google Analytics: distinguishes users within a 24-hour window | 24 hours |
| _fbp | Facebook Pixel: tracks visitors for ad targeting and conversion | 3 months |
| __stripe_mid / __stripe_sid | Stripe: fraud prevention and payment session management | 1 year / 30 min |
Need a standalone cookie policy? Use our Cookie Policy Generator to create one that covers every cookie your Squarespace site sets.
GDPR and CCPA Requirements for Squarespace Sites
If your Squarespace website is accessible to visitors in the EU or California — which applies to virtually every public website — you must comply with GDPR and CCPA regardless of where you are based.
GDPR Requirements
1. Lawful basis: State the legal basis for each type of data processing (consent, legitimate interest, contractual necessity, legal obligation).
2. Cookie consent: Block non-essential cookies until visitors explicitly opt in. Squarespace's default banner alone is not sufficient.
3. Data subject rights: Provide mechanisms for data access, portability, rectification, erasure, and restriction of processing.
4. Cross-border transfers: Squarespace stores data on US servers. Disclose this and reference appropriate transfer mechanisms (Standard Contractual Clauses).
5. Data retention: Document how long each type of data is stored and when it is deleted.
CCPA Requirements
1. Right to know: Disclose what personal information you collect, why, and with whom it is shared.
2. Right to delete: Provide a mechanism for California residents to request deletion of their personal information.
3. Right to opt out: If you "sell" personal information (including sharing with ad networks for targeted advertising), provide a "Do Not Sell My Personal Information" link.
4. Non-discrimination: You cannot deny service or charge different prices to users who exercise their privacy rights.
5. Privacy notice at collection: Inform users at the point of data collection about the categories and purposes of data use.
Important: Squarespace stores all site data on servers in the United States. For EU visitors, this constitutes a cross-border data transfer under GDPR. Your privacy policy must disclose this and reference Squarespace's Data Processing Agreement, which includes Standard Contractual Clauses for EU-US data transfers.
Squarespace's Built-In Cookie Banner vs. Full Compliance
Squarespace offers a cookie banner that can be enabled in Settings > Cookies & Visitor Data. While this is a helpful starting point, it has significant limitations for full GDPR compliance:
| Feature | Squarespace Default | Full Compliance Requires |
|---|---|---|
| Cookie Notification Banner | Basic notification that cookies are used | Granular opt-in consent with category controls (analytics, marketing, functional) before any non-essential cookies are set |
| Cookie Blocking | Does not block cookies before consent is given | Must prevent non-essential cookies from loading until the visitor actively consents |
| Consent Records | No audit trail of consent decisions | Must maintain records of when and how each visitor consented, for regulatory audits |
| Withdraw Consent | No built-in mechanism for visitors to change their cookie preferences after initial choice | Must provide an accessible way for visitors to review and change their cookie preferences at any time |
To achieve full cookie compliance on Squarespace, consider using a third-party consent management platform. Tools like CookieYes, Osano, or Iubenda can be added via Squarespace's Code Injection feature and provide granular consent controls, automatic cookie scanning, and consent record keeping.
How to Add a Privacy Policy to Your Squarespace Site
Squarespace does not have a dedicated privacy policy setting like WordPress. You need to create a page and link it manually. Follow these steps:
1. Generate Your Policy
Use PolicyForge to generate a privacy policy tailored to your Squarespace features. Select the features you use (Analytics, Commerce, Scheduling, Member Areas), specify your third-party integrations, and download the formatted policy text.
2. Create a Legal Page
In the Squarespace editor, go to Pages and click '+' to add a new page. Choose a blank page or use the 'Legal' layout if your template provides one. Paste your generated privacy policy content.
3. Add to Footer Navigation
Navigate to the footer section in your site editor. Add a navigation link or text block linking to your privacy policy page. Most Squarespace templates support footer navigation through the editor or the Navigation panel.
4. Link from Forms and Checkout
Add a line below your form blocks stating 'By submitting this form, you agree to our Privacy Policy' with a link. For Commerce sites, add a privacy policy link on the checkout page via the Commerce settings or a checkout form custom field.
5. Configure Cookie Settings
Go to Settings > Cookies & Visitor Data and enable the cookie banner. For full GDPR compliance, add a third-party consent tool via Settings > Advanced > Code Injection that blocks non-essential cookies until consent is given.
6. Set Up Data Request Process
Create a contact form or dedicated email address for privacy requests (e.g., privacy@yourdomain.com). Mention this contact method in your privacy policy so users know how to exercise their data rights.
PolicyForge vs. Writing Your Own Squarespace Privacy Policy
Squarespace does not provide a privacy policy generator or template. Site owners typically choose between writing their own policy, hiring a lawyer, or using a generator. Here is how PolicyForge compares:
| Feature | Write Your Own | Hire a Lawyer | PolicyForge |
|---|---|---|---|
| Cost | Free (your time) | $500 - $3,000+ | Free / $4.99 / $12.99 |
| Time to complete | 4-8 hours research | 1-2 weeks | Under 2 minutes |
| Squarespace-specific | If you research it | If lawyer knows Squarespace | Yes, built-in |
| Cookie disclosure | Manual research | Usually included | Auto-generated table |
| GDPR coverage | Risk of gaps | Comprehensive | Full coverage |
| Updates when laws change | Manual | Additional fees | Regenerate anytime |
Common Privacy Compliance Mistakes Squarespace Users Make
These are the most frequent compliance gaps we see on Squarespace websites. Avoiding these mistakes can save you from regulatory penalties and customer trust issues:
Relying solely on Squarespace's built-in cookie banner
Squarespace's default banner is a simple notification, not a compliant consent mechanism. GDPR requires granular opt-in consent before non-essential cookies are set. The built-in banner does not block cookies until consent is given.
Not disclosing third-party integrations
Every connected service (Google Analytics, Mailchimp, social embeds, payment processors) that receives visitor data must be named in your privacy policy with a description of what data is shared and why.
Using a generic template that doesn't mention Squarespace features
Squarespace-specific data collection (Analytics, Commerce, Scheduling, Member Areas) has unique characteristics. A generic template won't cover Acuity Scheduling intake forms or Commerce abandoned cart emails.
Forgetting about Email Campaigns tracking
Squarespace Email Campaigns uses tracking pixels to monitor opens and clicks. This constitutes personal data processing under GDPR and must be disclosed, with an unsubscribe mechanism provided.
Not providing a data deletion mechanism
GDPR gives users the right to erasure. Squarespace stores form submissions, commerce orders, and member data. You need a clear process for handling deletion requests, even if some data must be retained for legal obligations like tax records.
Ignoring Member Areas data processing
If you use Member Areas with paid tiers, you're collecting account credentials, payment data, and content access patterns. This requires specific disclosure about how membership data is handled and how members can manage their information.
Generate Your Squarespace Privacy Policy
PolicyForge generates privacy policies designed for Squarespace websites. Cover your analytics, commerce, scheduling, member areas, form blocks, cookies, and third-party integrations — all in under 2 minutes.
Already Have a Privacy Policy?
Enter your Squarespace site URL to scan your existing privacy policy across 10 compliance categories. See where you pass and where you need improvements.
Frequently Asked Questions
Does my Squarespace website need a privacy policy?
Yes. Every Squarespace website collects personal data by default through Squarespace Analytics, which tracks visitor IP addresses, geographic location, device information, and browsing behavior. If you use any form blocks, Commerce features, Member Areas, or Scheduling, you are collecting additional personal data. GDPR, CCPA, and other privacy laws require you to disclose this data collection regardless of your website's size or traffic volume. Squarespace itself recommends adding a privacy policy to all sites.
Does Squarespace provide a privacy policy template?
Squarespace does not provide a built-in privacy policy generator or template. It offers a 'Legal' page type that you can use to display legal documents, but the content must be written or generated by you. Squarespace's support documentation mentions the need for a privacy policy but directs users to create their own. PolicyForge fills this gap by generating a comprehensive privacy policy tailored to Squarespace's specific data collection features.
Is Squarespace's cookie banner GDPR compliant?
Squarespace offers a basic cookie banner that can be enabled in Settings > Cookies & Visitor Data. However, this banner functions primarily as a notification rather than a true consent mechanism. For full GDPR compliance, you need a cookie banner that: blocks non-essential cookies until consent is given, provides granular category controls (analytics, marketing, functional), records consent for auditing purposes, and allows users to withdraw consent easily. Consider using a third-party cookie consent tool like CookieYes or Osano that integrates with Squarespace via code injection.
How do I add a privacy policy page to my Squarespace site?
In the Squarespace editor, go to Pages and click the '+' icon to add a new page. Select 'Blank Page' or use the 'Legal' page layout if available in your template. Paste your generated privacy policy content. Then add it to your footer navigation: go to the footer section in the editor and add a navigation link pointing to your privacy policy page. You should also link to it from any form blocks, the checkout page (for Commerce sites), and your cookie consent banner. Squarespace does not have a dedicated 'Privacy Policy' setting like WordPress, so manual linking is required.
What happens to customer data when I cancel my Squarespace subscription?
When you cancel your Squarespace subscription, your site becomes inaccessible to visitors after the billing period ends. Squarespace retains your site data (including form submissions, commerce orders, and member data) for 30 days after expiration, after which it may be permanently deleted. If you have GDPR obligations to retain certain data or provide data access to past customers, you should export all relevant data before cancellation. Squarespace allows data export through Settings > Advanced > Import/Export for site content, and Commerce > Orders for transaction records.