Gusto updated its Privacy Policy effective June 1, 2026, to clarify scope and expand disclosure of data collection practices. The policy now explicitly covers retirement accounts (401k and SEP IRA/IRA accounts), restructures how it describes data processing across different roles (service provider, employer, co-employer), adds Stripe as a third-party financial data collector alongside Plaid, and introduces a commitment to maintain de-identified data without re-identification. These changes establish clearer boundaries between when the Privacy Notice applies versus when separate notices govern, and specify new service providers users should be aware of.
The updated Privacy Policy now explicitly states it covers retirement account management (401k, SEP IRA, IRA accounts) and adds Stripe alongside Plaid as a third-party service provider that collects financial institution data. The policy restructures how it describes Gusto's role in different contexts: when Gusto acts as a service provider processing payroll or other data on behalf of employers, when it acts as an employer itself, or when it operates as a co-employer under a professional employer organization (PEO) arrangement, with separate privacy notices applying in each case. The policy introduces a new commitment that de-identified data will not be re-identified except to verify compliance with applicable law. If you connect a bank account through Stripe, that data will be treated under Stripe's Privacy Policy, which you should review separately.
The updated policy formally expands Gusto's privacy disclosures to cover retirement account management and establishes Stripe as a named financial data processor, requiring users to understand that bank data flows to Stripe under Stripe's terms. The restructured guidance on when separate notices apply (service provider, employer, co-employer contexts) clarifies governance boundaries, but also implies that different privacy rules may apply depending on the user's relationship to Gusto, which customers and users should verify. For organizations contracting with Gusto, these changes may require updates to vendor documentation, employee privacy notices, and data processing agreements.
→ Review Stripe's Privacy Policy if you connect a bank account through Gusto, as your financial data will be governed by Stripe's terms.
→ If you are a PEO participant, request and review the separate privacy notices referenced as applicable to your arrangement.
→ Bank account data connected through Stripe will be processed under Stripe's Privacy Policy without independent review of those terms.
→ Retirement account data is now subject to Gusto's expanded Privacy Notice without explicit notice of the scope change.
ConductAtlas has recorded 5 material changes to this document over 45 days of monitoring (since April 2026). Additional minor or cosmetic changes were excluded.
Across all monitored documents, Gusto has made 8 significant changes.
4 of Gusto's significant changes have been classified as negative for consumers.
Explicitly includes 401(k) and SEP IRA/IRA account access and use as covered interactions, broadening the Privacy Notice's application.
Stripe is added as a named financial data collector alongside Plaid, with users' acknowledgment required that Stripe's Privacy Policy governs that data.
Restructures disclosure by Gusto role (service provider, employer, co-employer) and explicitly references separate notices (DPA, Applicant Notice) as applicable in each context.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction.
If you connect your bank through Stripe, your data goes to Stripe and is governed by Stripe's rules, not just Gusto's.
Gusto's privacy disclosures now explicitly govern how your retirement account data is handled.
Gusto expanded the scope of its Privacy Notice to explicitly cover retirement account administration and added Stripe as a named third-party financial data processor. The policy restructures disclosure of Gusto's data processing roles (service provider, employer, co-employer) and references separate notices (Employer Data Processing Addendum, Applicant Privacy Notice) as governing in specific contexts. The addition of Stripe and the explicit commitment regarding de-identification may affect data processing agreements with customers who rely on Gusto's privacy representations and data handling commitments. Organizations using Gusto should verify that existing DPAs and privacy documentation remain aligned with these expanded disclosures and clarified role definitions.
GDPR (roles and responsibilities of processors vs. controllers), CCPA (scope and application of privacy notices), state data broker regulations (third-party data sharing), potential tax or retirement account regulatory schemes (if applicable to de-identification commitments).
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-002532.