Stripe updated its privacy policy on May 19, 2026 to replace all references to its payment service 'Link' with 'Onelink.' This is a product rebranding change that affects how the policy describes End User Services, account creation, transaction data collection, and bank account integration. No changes were made to what data Stripe collects, how it processes personal data, or users' rights and obligations.
Stripe updated its privacy policy to reflect the rebranding of its Link product to Onelink. This is purely a naming change. All references to Link—including how account creation, payment transactions, and bank account integration work—now refer to Onelink instead. The policy's substantive provisions governing what data Stripe collects, how it uses personal data, and what rights users have remain unchanged.
The updated policy reflects Stripe's product rebranding from Link to Onelink. Users and partners referencing the policy to understand how Stripe collects and processes data for account creation, payment transactions, and bank account integration will now encounter Onelink as the service name. The substantive governance—what data is collected, how it is used, and what rights exist—remains unchanged.
Link product references updated to Onelink throughout the policy definition section
Link rebranded to Onelink in examples of how End User Services are provided for personal use
Link account features and data storage updated to reference Onelink service
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
This is a product rebranding change with no material impact on data governance, processing procedures, or compliance obligations. No updates to DPAs, vendor contracts, privacy impact assessments, or regulatory notices are required. The change is editorial in nature and does not alter Stripe's stated data collection practices, retention policies, or user rights. No action required.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-002173.
Provides explicit definition of Personal Data scope including technical identifiers, establishing broader potential data collection.
Appears to be a placeholder or generic statement that lacks substantive detail about law enforcement data disclosure procedures and safeguards.
Adds acknowledgment of opt-out rights and right to object, though excerpt is largely boilerplate with limited specificity.
New provision category for advertising and analytics partner sharing, though the excerpt provided is generic boilerplate without substantive detail.
Introduces complexity around data subject identity and rights differentiation based on user role, potentially affecting how rights are applied to different parties.
Removal of explicit disclosure regarding third-party data broker sourcing and combination with first-party data, reducing transparency about data collection methods.
Removal of specific disclosure about using transaction data for machine learning model training, reducing transparency about automated decision-making and model development practices.
Removal of comprehensive enumeration of GDPR-based data subject rights (access, correction, deletion, objection, restriction, portability, supervisory complaint), replaced with vague references.
Removal of explicit disclosure regarding cookie usage purposes (authentication, preference storage, usage analytics, targeted advertising), reducing transparency about tracking practices.
Removal of explicit disclosure about collection and use of sensitive biometric data (facial images, government IDs) for KYC/identity verification, reducing transparency about sensitive data handling.
Severity increased from medium to high; quotation marks changed from single to double quotes with no substantive content change.
Removed specific uses of data sharing (transaction processing, fraud detection, identity verification, compliance) and replaced with generic reference to 'provide the Services'.
Significantly reduced scope from detailed explanation of cross-border transfer mechanisms (SCCs, DPF, UK Extension) to vague statement about entity responsibility variation by jurisdiction.
Cross-platform context
See how other platforms handle similar provisions across the ConductAtlas archive.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — MonitorStripe updated its Privacy Policy on April 29, 2026 with four minor editorial changes. The policy's last-updated date was changed …
Mastercard, Stripe, and Cloudflare are building payment infrastructure for autonomous AI agents. The governance layer is not keeping pace.
The Kickstarter-Stripe controversy reveals how payment processors, cloud providers, and AI platforms quietly shape downstream policy decisi…
Stripe's terms authorize fund reserves, payout withholding, and account termination. Here is what the agreement states and what business ow…
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.