GDPR and Squarespace

Important information about GDPR, and ways to get started with your compliance.

Last updated November 29, 2023

The General Data Protection Regulation (EU GDPR) is a European privacy law that regulates how individuals and organizations may collect, use, and retain the personal data of individuals.

Following the exit of the United Kingdom of Great Britain and Northern Ireland (UK) from the European Union (EU), the EU GDPR forms part of the body of retained EU law in the UK (UK GDPR), along with the UK Data Protection Act 2018 (DPA 2018), continues to be part of UK law.

References to the GDPR and its provisions in this guide include the law as it applies to both EU GDPR and UK GDPR.

If individuals from the European Economic Area (EEA), the UK, or Switzerland visit your website or Acuity page this guide covers what you should know as a Squarespace user. For general information about data privacy in other parts of the world, visit Data privacy and Squarespace.

This guide is available as a resource, but should not be construed or relied upon as legal advice. Per our Terms of Service, Squarespace doesn't provide advice or recommendations regarding laws applicable to your site or business.

GDPR best practices for Squarespace

While we can’t offer legal advice, here are some best practices that will help you get started with your GDPR compliance.

Review your website, your scheduler, and other Squarespace products and look for areas where you collect personal data, bearing in mind the modified GDPR definition of personal data.

Some questions to consider:

• Do you collect personal data via Squarespace products using third-party services? (e.g., Google Analytics, a form block connected to Mailchimp and Google Drive). You should read the privacy policies of those services.

• Do you download or export data from your Squarespace products into another system?

• Do you combine the personal data you collect with other sources of data?

• Are you gathering information you don’t need?

Create (or update) your privacy policy

After you’ve identified your data collection activities, the GDPR requires that you provide individuals with specific information about how you collect and process their personal data. Posting a privacy policy provides clarity regarding your use of visitors’ information. Consider making a privacy policy page on your site or scheduler that documents:

• What information you collect. (For example, in your terms, you can include this list of cookies your site uses.)

• Why you collect that information

• Who you share that information with

• How long you'll store that information

• If you intend to transfer such information outside of the European Economic Area.

• Any other information required under the GDPR

For more tips on privacy policies for websites, visit Sharing policies and terms on your site, and Sample messages for your Squarespace website privacy policy. To learn how to use a Acuity intake form to add your privacy policy to your scheduler, visit Client intake forms and agreements in Acuity.

Who is affected by the GDPR?

While the GDPR is an EU/UK regulation, it extends to organizations in other countries that service EU/UK residents. It affects organizations:

• Based in the EU, the UK, and Switzerland

• Outside of the EU, the UK, and Switzerland offering goods or services to, or monitoring, EU, UK, or Swiss residents

What’s considered personal data?

Under the GDPR, personal data is any information that can reasonably identify a specific living person, either alone, or with other information. This broad definition includes traditional personal data—like dates of birth, names, physical addresses, email addresses—and location data, biometric data, financial information, and more.

To learn more about what is considered personal data in the EU and UK, visit the information pages of the European Commission, Data Protection Commission of Ireland, and Information Commissioner's Office.

Do I need to sign a DPA with Squarespace?

When you sign up for Squarespace, you agree to our Terms of Service, and our DPA. You don't need to request or sign a separate physical document. Review our Privacy Policy.

Cookies and similar technologies

Cookies are small pieces of data that websites store on a device. Cookies can improve your visitors’ browsing experience because they help websites remember preferences and understand how people use different features. Similar technologies include pixels, tags, local storage, and device fingerprinting. Websites use these technologies to:

• Identify visitors

• Enable the website to function efficiently

• Personalize content

• Permit online behavioral target advertising

In the EU and the UK, cookie laws are currently governed by the E-Privacy Directive, and The Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) (PECR 2003) (as amended), respectively. PECR 2003 continues to apply in the UK as retained EU law. The cookie laws in the EU and UK require website owners to take certain steps before dropping non-essential cookies on EU/UK visitors.

Alerting visitors to non-essential cookies 

Websites that drop non-essential cookies need to, through the use of a cookie banner, take the following minimum steps:

1. Provide clear and comprehensive information regarding the website’s cookie usage.

2. Display that information prominently so visitors can easily access it.

3. Obtain consent from the website visitor to drop the non-essential cookies.

The GDPR changed the concept of consent required from visitors. Before the GDPR, websites relied on implied consent, where continued use of the website was considered enough consent to drop non-essential cookies. Now, unambiguous consent is required, meaning the visitor needs to provide “clear affirmative action consent” to the use of non-essential cookies. You need to obtain affirmative consent before placing non-essential cookies on visitors' devices. The website also needs to allow the visitor to manage their cookies preferences.

To learn more about cookies and similar technologies, review this guidance from the UK’s Information Commissioner’s Office .

How does Squarespace help me comply with the GDPR and EU/UK cookie requirements for my website?

By default, we use cookies to run your site and obtain visitor information for Squarespace analytics. To help you comply with legal requirements in the EU and UK, you can:

• Disable Activity Log so you don’t collect or view visitors’ IP addresses or other personal data.

• Disable Squarespace analytics cookies so you don’t place these non-essential cookies on visitors’ browsers.

• Display a customizable cookie banner so visitors can opt into your use of cookies.

With Squarespace’s editing tools, you can post your own legal terms or privacy policies. For example, you can:

• Add content that informs visitors about when and how you collect data anywhere you can add your own customizable text, like in text blocks.

• Customize the newsletter block with a disclaimer.

• Get consent to send marketing emails.

• Add a cookie banner with customized consent language and a link to your policies.

To learn about how to add these to your site, visit Sharing policies and terms on your site.

We built tools for you to manage the cookies your Squarespace site uses, but we can’t control third-party services you use through connected accounts, product integrations, or code-based modifications. Review the policies for all services connected to your Squarespace site to understand your site’s cookie use.

How does Acuity Scheduling help me comply with the GDPR?

Acuity has tools to help you comply with the GDPR, but being GDPR compliant is ultimately up to you. How you use and configure your account, and what data you collect from clients, will factor into your compliance. In Acuity, you can:

• Display terms and conditions in your scheduling instructions.

• Include consent requests on intake forms. You can also require clients to agree to your terms before buying a package or signing up for a subscription.

• Delete client information in the Client List, delete inactive clients, and delete clients in bulk.

• Export client data to follow a client's data portability request.

Using Squarespace with third-party services

The GDPR not only affects how the Squarespace products you use process personal data, but also how other services process data on your behalf. You can use built-in integrations to connect the Squarespace products to third-party services, and other methods for integrating additional services, including:

• Connected accounts

• Code Block

• Code Injection (Which lets you use services like Google AdSense)

• Embed Blocks

• Meta Pixel

• Form block storage (Email, Google Drive, Mailchimp)

• Google Analytics

• Payment processors (Stripe or PayPal)

• Social Blocks

• Specific integrations or blocks (e.g., Acuity, ChowNow, Mailchimp)

• Squarespace Extensions

Typically, third-party services accept data from, or embed content into your site, or other Squarespace products. Squarespace acts as a pass-through for such data or displayed content. These services may have their own terms of service, privacy policies, and other practices which are different from ours. It’s important to carefully review the policies of all services connected to your Squarespace products.

How does Squarespace transfer customer and visitor data outside the EU and the UK?

The GDPR requires certain safeguards when transferring personal data from outside the EEA, the UK and Switzerland to "third countries," which are all countries outside these protected areas, including the United States. Squarespace is committed to treating personal data received from the EEA, the UK, Switzerland, and elsewhere around the world in a secure and privacy-first way. Squarespace processes personal data in a way that meets the European Commission and UK Standard Contractual Clauses.

Standard Contractual Clauses

Squarespace uses the European Commission Standard Contractual Clauses (also known as Model Contractual Clauses) and the UK’s International Data Transfer Addendum (UK Addendum) as the legal basis for transferring personal data to third countries, including the United States.

The European Commission updated the Standard Contractual Clauses on June 4, 2021 to reflect:

• How data processing happens in the modern world.

• The requirements of the EU GDPR.

• Recommendations from the European Data Protection Board The Schrems II decision by the Court of Justice of the European Union.

On March 21, 2022, the UK’s Information Commissioner’s Office’s updated requirements related to data transfers outside of the UK, including the use of an international data transfer agreement and the UK Addendum to the updated Standard Contractual Clauses, took effect.

We protect your personal data and have put appropriate technical and organizational safeguards in place to meet these standards. To learn more, visit our Security Measures page.

In accordance with Article 45 of the GDPR, an adequacy decision was adopted for the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Frameworks (each individually and jointly, the “Data Privacy Frameworks”).

Squarespace, Inc. complies with the Data Privacy Frameworks to provide a legal basis for transfers of personal data to Squarespace, Inc. in the US from, as applicable, the EEA, Switzerland and the UK. Squarespace, Inc. has certified its compliance to the Data Privacy Frameworks. You can find our certification here. To learn more about the Data Privacy Frameworks and DPF Principles, visit the Data Privacy Framework Program site.

Other transfer requirements

Articles 45 to 50 of the GDPR set the various requirements for the lawful transfers of personal data to third countries or international organizations that provide an adequate level of protection. These include:

Third countries, specified sectors within third countries, or international organizations, have adequacy if the EU Commission determined they provide an adequate level of data protection.

In the absence of an adequacy decision, the GDPR allows a transfer if the controller or processor has provided “appropriate safeguards,” which may include:

• Approved Codes of Conduct or Approved Certification Mechanisms

• Binding Corporate Rules

• Standard Contractual Clauses

Exceptions allow transfers in specific situations, like if consent is obtained, or:

• For the performance or conclusion of a contract

• For the exercise of legal claims

• To protect the vital interests of the data subject when they can't give consent or for reasons of public interest

To learn more, visit the guidance documents from the European Data Protection Board or the Information Commissioner’s Office for the UK.

We may use other transfer mechanisms to ensure adequate data protection. We'll provide more information, as appropriate, if other transfer mechanisms are used for the lawful transfers of personal data to third countries.

Where can I get more information about the GDPR?

Regulators in the EU and UK provide specific guidance on the GDPR and Cookies. You can view their documentation here:

• Agencia Española de Protección de Datos (Spain)

• Bundesministerium des Innern (Germany)

• Commission Nationale de l’Informatique et des Libertés (France)

• Data Protection Commission (Ireland)

• Full text of the GDPR

• Information Commissioner’s Office (UK)

• Official EU GDPR website

• The European Data Protection Board (EDPB)

If your business is a large corporation or enterprise looking for premium support, you may require a custom solution to meet your contracting, payment, or support needs. To learn more, visit our Enterprise page.