Acuity Scheduling and data protection – what to put in the privacy policy
Concise guide on Acuity Scheduling: data processed, purposes, legal bases (GDPR) and what website operators need to include in their privacy policy when using Acuity Scheduling.
When a website operator uses Acuity Scheduling, it typically processes web server log data, device data, browser information, coarse location data and user content from the booking form for the purpose of online appointment scheduling – on the basis of a third-party content consent at embed time, contract initiation (Art. 6(1)(b) GDPR) and supplementary legitimate interests. This page explains which data Acuity Scheduling processes, which tool category the service belongs to and which mandatory information about Acuity Scheduling typically belongs in the privacy policy.
A. Acuity Scheduling – purpose and functionality
Acuity Scheduling is a software-as-a-service product for online appointment booking. Website visitors choose available time slots via a booking form, enter their contact details and – depending on the website operator's configuration – book an appointment directly, optionally with prepayment or deposit. The provider is Squarespace (Acuity was acquired by Squarespace in 2019 and has since been marketed as a Squarespace product).
Acuity Scheduling offers several integration variants:
- JavaScript embed via the snippet https://embed.acuityscheduling.com/js/embed.js, which embeds a booking iframe served from app.acuityscheduling.com on the website. This variant is the focus of this page.
- Direct link / pop-up button: The website operator links to an Acuity-hosted booking page or opens it in a pop-up.
- Acuity API and webhooks for connecting to third-party systems (e.g. CRM, calendars) – this server-side use is not covered here.
Typical secondary functions of Acuity Scheduling include reminder e-mails and SMS, calendar synchronisation (Google Calendar, Outlook, iCloud), payment processing via Stripe/Square/PayPal, and automated follow-up communication. The present article focuses on the embed/booking-form integration, because this is where data of website visitors is transmitted directly to Acuity/Squarespace and the mandatory information in the website operator's privacy policy must be tailored accordingly.
B. Mandatory information on Acuity Scheduling in the privacy policy
In addition to general information about the website operator, the rights of data subjects and the supervisory authority, the GDPR requires the following specific information with regard to deployed tools in the privacy policy:
- the purposes of the processing (Art. 13(1)(c) GDPR),
- the legal bases of the processing (Art. 13(1)(c) GDPR),
- where the processing is based on a balancing of interests, additionally the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
- the recipients or categories of recipients (Art. 13(1)(e) GDPR),
- whether data is transferred to an unsafe third country and on what basis (Art. 13(1)(f) GDPR),
- the storage period or the criteria for determining it (Art. 13(2)(a) GDPR),
- where data is not collected directly from the data subject, additionally the categories of personal data (Art. 14(1)(d) GDPR).
These mandatory items are broken down for Acuity Scheduling in sections C to H below.
In practice, many privacy policies include a separate text block for every tool – including Acuity Scheduling. This "text-block-per-tool" approach has become common but is rarely appropriate: it bloats the privacy policy, leads to repetitive content, makes maintenance difficult when tools change and conflicts with the transparency requirement of Art. 12(1) GDPR (concise, transparent, intelligible and easily accessible). A more suitable approach is a topic-oriented structure, describing the processing across topics (server operation, third-party content, appointment booking, sales, tracking …) and naming specific service providers like Acuity Scheduling only in an Annex of recipients.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Acuity Scheduling – provider
According to the publicly available information from the provider, the contracting partner for website operators based in Germany or the EEA is Squarespace Ireland Limited, Ship Street Great, Dublin 8, D08 N12C, Ireland. The parent company and recipient of the data in the USA is Squarespace, Inc., 225 Varick Street, 12th Floor, New York, NY 10014, USA.
Acuity Scheduling was acquired by Squarespace in 2019; the product privacy policy at acuityscheduling.com/privacy.php is redirected to the unified Squarespace privacy policy. According to publicly available information, Squarespace, Inc. participates in the EU-US Data Privacy Framework (DPF). The current status should be verified by the website operator before deployment at https://www.dataprivacyframework.gov/s/participant-search. For data transfers not covered by the DPF, the Squarespace DPA provides for the EU Standard Contractual Clauses (SCC, Implementing Decision 2021/914).
Sources:
- Squarespace Privacy Policy: Unified Squarespace privacy notice including Acuity Scheduling.
- Squarespace Data Processing Addendum: DPA with SCC module, Squarespace Ireland Limited as European contracting partner.
- Data Privacy Framework – participant search: Verify the DPF status of Squarespace, Inc. yourself.
D. Acuity Scheduling – data processing flow
embed.acuityscheduling.com/js/embed.js and the iframe from app.acuityscheduling.com. Connection data (IP address, user agent, referrer) is transmitted to Squarespace servers. When the booking form is filled in and submitted, additional data is transmitted: name, e-mail address, optionally phone number, requested appointment and any custom fields configured by the website operator.
E. Data collected by Acuity Scheduling
When the Acuity Scheduling embed is used on a website, the following data is typically processed: IP address, date/time, requested URL, referrer, user agent, device and browser type, coarse location (via IP), cookies in the iframe context as well as all content entered by the visitor in the booking form (in particular name, e-mail address, optionally phone number, reason for the appointment, requested time slot and additional questions) and conversion events (e.g. successful booking).
This data can be classified into the following standardised categories:
- Web server log data: Data received by the Acuity/Squarespace web server with each request from the user's device, in particular IP address, date, time, embed URL, referrer, browser, operating system and device information as well as technical metadata.
- Device data: Information about the user's device, e.g. device type, operating system, screen resolution and touch support.
- Browser information: Browser name, browser version and possibly language settings.
- Coarse location data: User location at city or municipality level derived from the IP address.
- User content: Content entered by the visitor in the Acuity booking form, in particular name, e-mail address, phone number, reason and free-text fields, uploaded files as well as answers to additional questions defined by the website operator.
- Conversion events: User interactions defined as relevant by the website operator, in particular completed bookings, possibly deposit or prepayment transactions and access to confirmation pages.
- Cookies: Acuity Scheduling sets cookies in the iframe context, e.g. for session management and abuse protection.
F. Acuity Scheduling – purposes of use
The website operator typically uses the data collected via Acuity Scheduling to provide the booking form, to initiate and process the appointment (including pre- and post-booking communication), to remind the booker, to ensure security against abuse (e.g. spam bookings) and, where applicable, to fulfil commercial and tax retention obligations for paid appointments.
The purposes can be classified into the following standardised categories:
- Provision of functionality: Provision of the booking form and the iframe on the website, display of available slots, display of confirmations as well as error detection and correction.
- Contract performance: Initiation, performance and processing of the appointment between the website operator and the booker, possibly including payment processing for paid services and creation of a user account for recurring bookings.
- Security and abuse prevention: Detection of spam and bot bookings, protection against attacks on the booking form and authentication of recurring users.
- Communication: Sending booking confirmations, appointment reminders, cancellation and rescheduling notifications and answering enquiries about the appointment.
- Compliance with retention obligations: Compliance with statutory retention periods for paid appointments (e.g. § 257 HGB, § 147 AO).
- Compliance and legal enforcement: Asserting, exercising and defending legal claims arising from the appointment relationship (e.g. cancellation fees).
G. Legal bases for Acuity Scheduling
Within the tool taxonomy, Acuity Scheduling falls primarily into the category third-party content / appointment booking: the embed triggers third-party server requests and at the same time provides a function for contract initiation.
The following legal bases typically come into consideration:
- Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG (third-party content consent) for loading and executing the Acuity embed, including any non-essential cookies. As the script triggers third-party requests on page load and may set cookies, an explicit consent via the consent banner is regularly required. Alternatively, the embed can be loaded only after the user clicks a placeholder ("Book appointment"), which shifts the consent question to the click.
- Art. 6(1)(b) GDPR (contract initiation/performance) for processing the booking data (name, e-mail, requested time slot, custom fields) where the appointment itself is the subject of, or a pre-contractual measure for, a contract between the website operator and the booker.
- Art. 6(1)(f) GDPR (legitimate interest) for supplementary processing, in particular the interests of efficiency (efficient appointment management), security and abuse prevention (spam/bot defence) and legal enforcement (proof of bookings).
- Art. 6(1)(c) GDPR in conjunction with commercial and tax retention obligations, where the appointment leads to a paid transaction.
The applicable legal basis depends on the specific integration (direct embed vs. click-to-load), the type of appointment (free vs. paid) and the configuration in the Acuity back-end and is to be assessed by the website operator on a case-by-case basis.
This presentation is based on publicly available information from Squarespace/Acuity Scheduling and other publicly accessible sources. It does not replace a case-by-case review of the specific deployment by a particular website operator.
H. Acuity Scheduling – special points and notes
- DPA: Squarespace provides a Data Processing Addendum at https://www.squarespace.com/dpa. According to that document, the contracting partner for European customers is Squarespace Ireland Limited; the DPA also engages Squarespace, Inc. as a sub-processor and refers to the SCC (Module 2/3).
- Third-country transfer / DPF: According to the provider, data transfers to Squarespace, Inc. in the USA take place on the basis of the EU-US Data Privacy Framework, supplemented by the SCC. Website operators should verify the current DPF status at https://www.dataprivacyframework.gov/s/participant-search and document a Transfer Impact Assessment (TIA) where appropriate.
- Sub-processors: Squarespace lists hosting, IT security and communications providers as recipients. With optional features such as payment processing (Stripe, Square, PayPal), calendar sync (Google, Microsoft, Apple) and SMS sending, additional independent controllers or processors come into play, which the website operator must enable themselves.
- Embed variant / consent control: Website operators should consider whether to embed the Acuity widget directly or only via a "click-to-load" placeholder activated after a user action. The latter keeps the embed from loading before the user has consented.
- Cookies and opt-out: Acuity sets cookies in the iframe context. Control is regularly handled via the website operator's consent banner; a dedicated opt-out link on the Acuity side is not standardised in the documentation.
- Configuration in the Acuity back-end: Data minimisation can be achieved by configuring only essential mandatory fields in the booking form, by activating optional SMS reminders only with additional consent, and by limiting retention periods for customer and appointment histories appropriately.
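As an added example (not code from Acuity, Squarespace or this page's author), the click-to-load variant named under "Embed variant / consent control" and in section G can be implemented as below, so that neither the iframe nor embed.js is requested until the visitor clicks. The function names, the `booking` element id, the `data-booking-url` attribute and the operator-supplied booking URL are assumptions.

```javascript
// Added example: click-to-load gate for the Acuity embed (names are hypothetical).
const EMBED_SCRIPT = "https://embed.acuityscheduling.com/js/embed.js"; // URL from the page
const IFRAME_HOST = "app.acuityscheduling.com";                        // host from the page

// Accept only an https URL on the expected iframe host, so a mistyped or
// tampered configuration value cannot point the frame at another origin.
function validateBookingUrl(bookingUrl) {
  const u = new URL(bookingUrl); // throws on malformed input
  if (u.protocol !== "https:" || u.hostname !== IFRAME_HOST) {
    throw new Error("unexpected booking URL: " + bookingUrl);
  }
  return u.href;
}

// Renders only a local button. The iframe and the embed script are created
// inside the click handler, so no third-party request happens on page load.
function mountClickToLoad(doc, container, bookingUrl, label) {
  const src = validateBookingUrl(bookingUrl);
  const state = { loaded: false };
  const button = doc.createElement("button");
  button.type = "button";
  button.textContent = label || "Book appointment";
  button.addEventListener("click", () => {
    if (state.loaded) return; // ignore repeated clicks
    state.loaded = true;
    const iframe = doc.createElement("iframe");
    iframe.src = src;
    iframe.title = "Appointment booking";
    // Optional hardening (assumption): send only the origin as referrer.
    iframe.referrerPolicy = "strict-origin";
    const script = doc.createElement("script");
    script.src = EMBED_SCRIPT;
    script.async = true;
    container.removeChild(button);
    container.appendChild(iframe);
    container.appendChild(script);
  });
  container.appendChild(button);
  return state;
}

// Browser wiring for hypothetical markup:
// <div id="booking" data-booking-url="https://app.acuityscheduling.com/..."></div>
if (typeof document !== "undefined") {
  const el = document.getElementById("booking");
  if (el) mountClickToLoad(document, el, el.dataset.bookingUrl);
}
```

The button text doubles as the consent prompt, so the surrounding placeholder copy should state that clicking loads content from Acuity/Squarespace.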
I. Acuity Scheduling – FAQ
J. Acuity Scheduling – conclusion
Acuity Scheduling is a widely used appointment booking tool that, when embedded, processes web server log data, device data, browser information, coarse location data and user content entered by the visitor, supplemented by conversion events around the booking. According to the provider, the contracting partner for European website operators is Squarespace Ireland Limited, with data transferred to Squarespace, Inc. in the USA on the basis of the DPF and SCC. Legal bases that regularly come into consideration are a third-party content consent at embed time, plus contract initiation and legitimate interests.
For the privacy policy this means: it is usually not appropriate to include a separate text block for Acuity Scheduling. Such text blocks repeat themselves in substance, bloat the privacy policy, are hard to maintain and conflict with the transparency requirement of Art. 12(1) GDPR. A more appropriate approach is a structured, topic-oriented one that explains processing across topics (server operation, third-party content, appointment booking, sales, tracking …) and lists specific service providers like Acuity Scheduling only in the Annex of recipients. This is exactly the methodology of the matterius generator.
This article serves as general information about Acuity Scheduling and does not replace legal advice in individual cases. As of: 2026-05-07.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com