Gumroad · Gumroad Terms of Service · View original document ↗

Third-Party Payments Provider Data Sharing

Medium severity High confidence Explicitdocumentlanguage Unique · 0 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity Gumroad recorded 3 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for Gumroad Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

By using Gumroad's payment services, users consent to being bound by Stripe's and PayPal's separate privacy policies and terms of service, and authorize Gumroad, Stripe, and PayPal to share the user's information and payment instructions with third-party payment providers to the extent required to complete transactions.

This analysis describes what Gumroad's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision binds users to the terms of service and privacy policies of two separate third-party payment processors as a condition of using Gumroad's payment services, and authorizes data sharing across Gumroad, Stripe, PayPal, and additional third-party payment providers. Users are subject to the data practices of multiple entities under distinct policy frameworks.

Consumer impact (what this means for users)

Under this clause, users who transact through Gumroad authorize the sharing of their personal information and payment instructions with Stripe, PayPal, and potentially additional third-party payment providers, and are bound by the separate privacy policies and terms of service of each provider.

How other platforms handle this

Ledger Medium

At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.

Garmin Medium

If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...

Strava Medium

We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...

See all platforms with this clause type →

Monitoring

Gumroad has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
By through the Services, you (a) agree to be bound by, in the case of Stripe, Stripe's Privacy Policy (currently accessible at https://stripe.com/us/privacy) and its Stripe Connected Account Agreement (currently accessible at https://stripe.com/legal/connect-account); and in the case of PayPal, PayPal's Privacy Statement (currently accessible at https://www.paypal.com/us/webapps/mpp/ua/privacy-full) and its terms of service (currently accessible at https://www.paypal.com/us/webapps/mpp/ua/useragreement-full?locale.x=en_US); (b) agree to provide only true, accurate, current and complete information about you and to update such information as necessary to maintain its truth and accuracy; and (c) and you hereby consent and authorize Gumroad, Stripe and PayPal to share any information and payment instructions you provide with one or more Third-Party Payments Provider(s) to the minimum extent required to complete your transactions.

— Excerpt from Gumroad's Gumroad Terms of Service

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: This provision implicates CCPA for California residents, GDPR and the Payment Services Directive (PSD2) for EU users, and PCI DSS standards for payment data handling across the named processors. Data sharing with Stripe and PayPal constitutes disclosure of personal and financial data to third-party service providers, which requires adequate legal basis under GDPR and appropriate notice under CCPA. The FTC has authority over data sharing practices that may constitute unfair or deceptive acts. (2) GOVERNANCE EXPOSURE: Medium. The provision authorizes data flows to Stripe, PayPal, and unspecified additional third-party payment providers, with data practices governed by each provider's separately maintained policies. The reference to 'one or more Third-Party Payments Provider(s)' beyond Stripe and PayPal introduces data-sharing scope that is not fully defined in the Gumroad terms alone. (3) JURISDICTION FLAGS: EU and EEA users require a valid GDPR legal basis for cross-border data transfers to US-based payment processors. CCPA requires disclosure of personal information categories shared with third parties. Users in financial services-regulated jurisdictions may have additional data protection rights with respect to payment data. (4) CONTRACT AND VENDOR IMPLICATIONS: Organizations using Gumroad for business transactions should conduct data mapping exercises to account for personal and financial data flows to Stripe, PayPal, and any additional third-party payment providers referenced in this clause. Data processing agreements with Gumroad should address the downstream data sharing authorized by this provision. (5) COMPLIANCE CONSIDERATIONS: Legal and compliance teams should review the current versions of Stripe's and PayPal's terms and privacy policies, as those documents govern the processing of user data independent of Gumroad's own policies. GDPR-regulated organizations should assess whether the data transfers authorized by this clause are supported by adequate transfer mechanisms.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 3 platforms — free Get Monitor

Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has jurisdiction over data sharing practices in consumer-facing payment and e-commerce contexts, including disclosures about third-party data recipients
    File a complaint →
  • CFPB
    The CFPB has jurisdiction over payment processing practices and consumer financial data handling, including third-party data sharing by payment service providers
    File a complaint →

Provision details

Document information
Document
Gumroad Terms of Service
Entity
Gumroad
Document last updated
May 20, 2026
Tracking information
First tracked
May 20, 2026
Last verified
May 20, 2026
Record ID
CA-P-012267
Document ID
CA-D-00899
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
c356520388516842e2919afec5fa2cd0d2a51c5d6bafbdf2e9e720a587e88fe7
Analysis generated
May 20, 2026 14:18 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Gumroad
Document: Gumroad Terms of Service
Record ID: CA-P-012267
Captured: 2026-05-20 14:18:58 UTC
SHA-256: c356520388516842…
URL: https://conductatlas.com/platform/gumroad/gumroad-terms-of-service/third-party-payments-provider-data-sharing/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Get Compliance

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Gumroad's Third-Party Payments Provider Data Sharing clause do?

This provision binds users to the terms of service and privacy policies of two separate third-party payment processors as a condition of using Gumroad's payment services, and authorizes data sharing across Gumroad, Stripe, PayPal, and additional third-party payment providers. Users are subject to the data practices of multiple entities under distinct policy frameworks.

How does this clause affect you?

Under this clause, users who transact through Gumroad authorize the sharing of their personal information and payment instructions with Stripe, PayPal, and potentially additional third-party payment providers, and are bound by the separate privacy policies and terms of service of each provider.

Is ConductAtlas affiliated with Gumroad?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Gumroad.