When you pay for a Medium subscription or other purchase, Medium collects your card number and billing details and passes this through a third-party payment processor.
This analysis describes what Medium's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Your financial data is involved in this transaction, and understanding that it flows through a third-party processor helps you assess the security and privacy risks associated with paying on the platform.
Removal of dedicated payment data processing clause may indicate integration of payment details into broader data collection scope, reducing transparency about payment-specific handling.
View full change record →Your credit or debit card number and billing address are collected at the time of payment and processed by a third-party payment company, meaning your financial data is subject to both Medium's and the payment processor's privacy and security practices.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.
Monitoring
Medium has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you make a payment on Medium, we collect your payment information, including your credit or debit card number, billing address, and other information necessary to process your payment. We use third-party payment processors to handle payment transactions on our behalf.— Excerpt from Medium's Medium Privacy Policy
REGULATORY LANDSCAPE: Payment data collection and processing implicates PCI DSS compliance standards for card data security, as well as applicable state consumer protection laws regarding financial data. The FTC has authority over deceptive or unfair practices related to payment data handling. Where European users make payments, GDPR applies to the processing of payment data as personal data. GOVERNANCE EXPOSURE: Low to Medium. Use of a third-party payment processor is standard industry practice and typically reduces PCI DSS scope for the primary merchant. However, the policy does not name the payment processor, which limits users' ability to assess the security posture of the entity handling their card data. JURISDICTION FLAGS: EU/EEA users making payments are protected by GDPR's requirements for lawful processing of financial data. California residents have CCPA rights that extend to financial information. States with specific financial data protection statutes (e.g., New York SHIELD Act) may create additional obligations. CONTRACT AND VENDOR IMPLICATIONS: Medium's contract with its payment processor should include appropriate data security requirements and liability provisions. Enterprise procurement teams engaging with Medium on a paid basis should confirm that payment data flows do not create additional contractual obligations or audit requirements under their own vendor management frameworks. COMPLIANCE CONSIDERATIONS: Compliance teams should confirm Medium's PCI DSS compliance level and whether the payment processor relationship is governed by a current service agreement with appropriate security standards. Users with concerns about payment data security should review the named payment processor's own privacy policy and security certifications.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Your financial data is involved in this transaction, and understanding that it flows through a third-party processor helps you assess the security and privacy risks associated with paying on the platform.
Your credit or debit card number and billing address are collected at the time of payment and processed by a third-party payment company, meaning your financial data is subject to both Medium's and the payment processor's privacy and security practices.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Medium.