Square Champion

Compliance with AHPRA / TGA / QLD Health – Is Square suitable for cosmetic medical clinics?

Hi everyone,

I regularly implement Square (especially Appointments) for clients across a range of industries. Some of my clients are cosmetic nurses in Australia who handle sensitive medical data — including clinical notes, photos, and consent forms.

Recently, there’s been a tightening of regulations from AHPRA, the TGA, and Queensland Health, particularly around:

  • Compliance with the Australian Privacy Act 1988 (Cth)
  • Alignment with Australian Privacy Principles (APPs)
  • Medical data storage, patient access rights, breach notification, and local retention laws

I’m trying to determine if Square can support full compliance for these clients under Australian law. So far, I haven’t been able to confirm key details like:

  • Where is customer data (especially medical data) hosted?
  • Does Square offer local data storage (e.g. in Australia)?
  • Is there a DPA that specifically aligns with APP 8 (cross-border privacy obligations)?
  • How does Square handle breach notifications, data access requests, and record retention compliance?

If any Square team members or fellow sellers in the cosmetic or medical field have navigated this, I’d really appreciate your input.

These clinics love Square, but they’re now concerned they may need to switch platforms to remain compliant — especially with compliance audits approaching.

I’ve reviewed Square’s Australian Privacy Policy, but there’s no clear info on data hosting or APP alignment, so I’d love some clarification or firsthand experience from others.

Thanks so much!

Proud Australian Square Super Seller and users of Square Appointments, Square POS, Square Online, Square Reader and Square Stand.

We use Square with integrations for Xero by Amaka and Printful. We have used Squarespace • Shopify • WooCommerce • QuickBooks and more!

Dieter Slicke is a boutique barber shop by appointment only with our own range of Australian made hair and skin care products.
Square Community Moderator

Solution

Thank you for your patience, @dieterslicke

After consulting with internal team members, I've received the following information that addresses your questions:



Where is customer data (especially medical data) hosted?

Square systems are hosted in the United States. We may disclose your information to third party service providers in countries outside Australia as set out in our Privacy Notice. Square systems are not intended for the storage of medical data. However, in limited circumstances, they may incidentally capture sensitive health-related information (e.g., information recorded in a customer receipt or transaction history), which is processed in accordance with applicable laws (e.g., to provide services to you).


Does Square offer local data storage (e.g., in Australia)?

No.


Is there a DPA that specifically aligns with APP 8 (cross-border privacy obligations)?

Yes. Cross-border data transfers between Square and third parties (e.g., vendors) are governed by a Data Privacy Schedule in compliance with applicable laws, including the Privacy Act 1988 (Cth).


How does Square handle breach notifications, data access requests, and record retention compliance?

Square has an internal response team to manage notifications in accordance with applicable laws.
Our Privacy Notice outlines how Sellers can exercise their rights, including submitting data access requests via our dedicated online portal at privacy.block.xyz. The Privacy Notice also provides information about Square’s data retention practices.



I hope this information provides some more clarity. Please let me know if there's anything else I can help with. 🙂
