As Bryan says, the details stored under “Customer Profile” API are private on a per-business basis and aren’t shared. However the Square Terminal does send receipts, with Square itself recognizing a customer card at new businesses and offering to send a receipt via whatever method(s) have been previously used for receipts, if there are any. So, if a customer previously entered their email via a Square Terminal, when the card is next used on another terminal at a new business, Square does offer to send a receipt to the email used last time.
From a privacy point of view, the Square Terminal shows only an obscured email to the customer, with just a few characters visible; so if their email was [email protected], they would only see something like “firstname.lastname@example.org” - ie: just enough for the customer to recognize the email before pressing Send Email on the terminal. The idea behind this is that it makes it super-easy for the customer to get receipts, and from memory I believe a “Forget” button is provided as well.
A customer might assume that the second business knows their details when they see their obscured email or cell number, but they’d be wrong in that assumption as far as I know, only Square knows these details and they are only used for receipts via Terminal (and possibly POS?). As far as I know Square stores these securely via the card fingerprint, rather than using the card details, and they store only the card fingerprint, name, and phone or email. The ability to easily and quickly get a receipt email is a big plus for customers as I see it, and again as far as I know, Square has been the first to introduce this feature.
If you had closely related businesses, you could potentially do something similar, though you need to be very, very careful in terms of both privacy and honouring GDPR forget requests. Best practice would probably mean explicitly asking whether you can retain details across allied businesses and you should also disclose how those details are to be used. You would do so in a central database which again could be indexed via card fingerprint, so that it was only accessible to businesses doing a transaction with the customer card. In this day and age, it’s probably best to not implement this because (a) many customers are getting more security conscious, and, (b) it’s hard to keep the details securely enough so they can’t be used to assist in privacy enumeration by organized crime, and (c) you have to implement GDPR forget to remain legal in the EU.
Happy New Year!
Important Addendum: Square says always get permission before storing cards - for example, the “Create a Card on File from a Payment ID” page:
Always ask customers for permission before saving their card information. For example, include a checkbox in your purchase flow that customers can select to specify that they want to save their card information for future purchases.
Linking cards on file without obtaining customer permission can result in your application being disabled without notice.