By using Gumroad's payment services, users consent to being bound by Stripe's and PayPal's separate privacy policies and terms of service, and authorize Gumroad, Stripe, and PayPal to share the user's information and payment instructions with third-party payment providers to the extent required to complete transactions.
This analysis describes what Gumroad's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This provision binds users to the terms of service and privacy policies of two separate third-party payment processors as a condition of using Gumroad's payment services, and authorizes data sharing across Gumroad, Stripe, PayPal, and additional third-party payment providers. Users are subject to the data practices of multiple entities under distinct policy frameworks.
Under this clause, users who transact through Gumroad authorize the sharing of their personal information and payment instructions with Stripe, PayPal, and potentially additional third-party payment providers, and are bound by the separate privacy policies and terms of service of each provider.
"By through the Services, you (a) agree to be bound by, in the case of Stripe, Stripe's Privacy Policy (currently accessible at https://stripe.com/us/privacy) and its Stripe Connected Account Agreement (currently accessible at https://stripe.com/legal/connect-account); and in the case of PayPal, PayPal's Privacy Statement (currently accessible at https://www.paypal.com/us/webapps/mpp/ua/privacy-full) and its terms of service (currently accessible at https://www.paypal.com/us/webapps/mpp/ua/useragreement-full?locale.x=en_US); (b) agree to provide only true, accurate, current and complete information about you and to update such information as necessary to maintain its truth and accuracy; and (c) and you hereby consent and authorize Gumroad, Stripe and PayPal to share any information and payment instructions you provide with one or more Third-Party Payments Provider(s) to the minimum extent required to complete your transactions."
Excerpt from Gumroad's Terms of Service
(1) REGULATORY LANDSCAPE: This provision implicates CCPA for California residents, GDPR and the Payment Services Directive (PSD2) for EU users, and PCI DSS standards for payment data handling across the named processors. Data sharing with Stripe and PayPal constitutes disclosure of personal and financial data to third-party service providers, which requires adequate legal basis under GDPR and appropriate notice under CCPA. The FTC has authority over data sharing practices that may constitute unfair or deceptive acts.
(2) GOVERNANCE EXPOSURE: Medium. The provision authorizes data flows to Stripe, PayPal, and unspecified additional third-party payment providers, with data practices governed by each provider's separately maintained policies. The reference to 'one or more Third-Party Payments Provider(s)' beyond Stripe and PayPal introduces data-sharing scope that is not fully defined in the Gumroad terms alone.
(3) JURISDICTION FLAGS: EU and EEA users require a valid GDPR legal basis for cross-border data transfers to US-based payment processors. CCPA requires disclosure of personal information categories shared with third parties. Users in financial services-regulated jurisdictions may have additional data protection rights with respect to payment data.
(4) CONTRACT AND VENDOR IMPLICATIONS: Organizations using Gumroad for business transactions should conduct data mapping exercises to account for personal and financial data flows to Stripe, PayPal, and any additional third-party payment providers referenced in this clause. Data processing agreements with Gumroad should address the downstream data sharing authorized by this provision.
(5) COMPLIANCE CONSIDERATIONS: Legal and compliance teams should review the current versions of Stripe's and PayPal's terms and privacy policies, as those documents govern the processing of user data independent of Gumroad's own policies. GDPR-regulated organizations should assess whether the data transfers authorized by this clause are supported by adequate transfer mechanisms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Gumroad.