Learn about the best practices for collecting and handling customer information.
If you collect, or plan to collect, personal information from users, it's critical that you handle that data responsibly.
Personal identifiable information (PII) includes obvious items such as an email address, phone number, device identifier, physical location, and spending habits. However, even less obvious information such as ZIP codes and typical commute times can be combined to help identify people without their consent.
Collect the minimum amount of personal information necessary to provide the desired functionality. For example, if you only use email to communicate with site visitors, there's no reason to also collect phone numbers.
Let customers consent to sharing their data rather than collecting their data by default. For example, include a checkbox asking for permission to collect contact information and leave it unchecked by default.
Avoid persistent caching or storage of PII, including in logs. Don't keep the information for longer than needed. The easiest way to avoid unintentionally exposing sensitive information is to delete it when you no longer need it.
Avoid sharing any PII or location information with third parties. When customers give you permission to collect and save their information, there's an expectation that the information is kept safe and not shared with others. Sharing their information with a third party without asking for explicit permission violates those expectations. You might be complicit if a third party handles the information irresponsibly.
Secure your website traffic with HTTPS and TLS. If you're unfamiliar with HTTPS and TLS, see TLS and HTTPS for more information.
If your application uses contact information from a Customer object, be sure to use that information judiciously. The following tips describe how to handle customer data responsibly:
- Respect customer email preferences. An
email_unsubscribed
field set totrue
indicates that the customer has opted out of marketing emails. Don't use their contact information to send marketing communications. - Don't store PII such as names, email addresses, and physical addresses without explicit consent.
- Don't store sensitive or payment information in the
note
field. - Always use secure HTTPS for your own services to protect user information in transit.
There are several other introductory topics provided for a new developer to quickly learn the basics of developing applications with Square. For more information, see Basics of Building Applications with Square.