Stripe Privacy Policy — Stripe

9 Total

1 High severity

7 Medium severity

1 Low severity

Summary

Stripe's Privacy Policy explains how Stripe collects and uses your financial, identity, device, and behavioral data when you pay for things online using Stripe-powered checkouts or use Stripe's own products like Link. The most important thing to know is that Stripe shares your payment data, device fingerprints, and fraud risk scores with banks, card networks, and other Financial Partners — even when you never directly signed up with Stripe. If you are a California resident or EU/UK user, you have the right to access, delete, or opt out of certain uses of your data by visiting Stripe's Privacy Center at stripe.com/privacy-center.

Technical Summary

Stripe's Privacy Policy governs the collection, processing, and sharing of Personal Data across its Business Services (payment processing, payouts, financial infrastructure), End User Services (e.g., Link), and associated websites, with Stripe acting as either data controller or data processor depending on the activity and jurisdiction. The policy creates significant obligations including robust cross-border data transfer mechanisms (EU Standard Contractual Clauses, UK Data Transfer Addendum, Data Privacy Framework), layered consent and opt-out rights for different user categories, and extensive data sharing with Financial Partners, affiliates, and third-party service providers for fraud prevention and compliance purposes. Notably, Stripe collects and processes device fingerprinting data, behavioral signals, and inferred fraud risk scores that are shared broadly across its partner ecosystem — a practice that extends beyond what many consumers would reasonably anticipate from a payment processor. The policy engages GDPR (Articles 6, 13, 14, 17, 20, 21), UK GDPR, CCPA/CPRA (Cal. Civ. Code §§1798.100–1798.199), the EU-US Data Privacy Framework, and financial sector regulations including PCI DSS and BSA/AML requirements enforced by FinCEN and prudential regulators; material compliance considerations include dual-role controller/processor obligations, the adequacy of consent mechanisms for behavioral profiling, and obligations triggered when Stripe's fraud scoring data is used to deny services.

Institutional Analysis

REGULATORY EXPOSURE: This policy engages GDPR Arts. 6, 9, 13, 14, 17, 20, 21 (enforced by EU supervisory authorities, lead authority: Irish Data Protection Commission given Stripe's EU HQ in Dublin); UK GDPR and Data Protection Act 2018 (ICO); CCPA/CPRA Cal. Civ. Code §§1798.100–1798.199 (enforced …

🔒

Compliance intelligence locked

Regulatory exposure, material risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Evidence Provenance

Captured March 16, 2026 06:04 UTC

Document ID CA-D-000106

Version ID CA-V-000111

Source URL https://stripe.com/privacy

Wayback Machine View archived versions →

SHA-256 a1b7279eacf26876aa47a3b0beefd5312b9689dbd47bec60c09d3e75e46eb2ce

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed

Change Timeline

March 16, 2026 — Document updated medium

Stripe updated their Privacy Policy on March 16, 2026, rolling back the 'last updated' date from February 23, 2026 to January 16, 2025, suggesting this may be a reversion to an earlier version of the policy. The changes include narrower definitions of 'Financial Partners' (removing references to payment intermediaries, aggregators, and processors), removal of 'processing' from how Stripe describes its data handling responsibilities, and a narrower definition of 'Visitor' that no longer includes people who visit Stripe offices. These modifications reduce the specificity and breadth of disclosed data practices, which may leave consumers with less clarity about who handles their data and how.

4 added · 43 removed · 71 modified
View changes → View record →
a1b7279e…
March 15, 2026 — Initial capture

First snapshot archived

515ec37b…

Analyzed Changes

1 change analyzed since monitoring began.

Updated March 16, 2026

medium

What changed Stripe updated their Stripe Privacy Policy on March 16, 2026. Change detected: 4 sentence(s) added, 43 sentence(s) removed, 71 sentence(s) modified. Document contained 478 sentences after update.

Consumer impact Stripe has narrowed the definition of 'Financial Partners' to exclude payment intermediaries, aggregators, and processors, meaning fewer third parties are explicitly named in the policy as handling your data. The removal of 'processing' from Stripe's description of its own data responsibilities, and the rollback of the policy date, reduces transparency about how your personal data is managed. You can review Stripe's updated Privacy Policy at stripe.com and submit a data inquiry if you want to know which specific third parties handle your information.

Why it matters The narrowed Financial Partners definition means Stripe no longer explicitly discloses that payment intermediaries, aggregators, and processors handle consumer data — reducing transparency that both consumers and businesses rely on to understand who touches their payment information. Businesses using Stripe may need to independently update their own privacy disclosures to fill this gap.

High Severity — 1 provision

Fraud Risk Scoring and Behavioral Profiling
Stripe creates fraud risk scores based on your device information and payment behavior, and these scores may be used to approve or decline your payments across multiple merchants.

Added March 15, 2026

Medium Severity — 7 provisions

Passive Data Collection from Non-Account Holders
Stripe collects device information, IP addresses, and behavioral data about people who complete payments on any website powered by Stripe — even if those people never created a Stripe account.

Added March 15, 2026
Data Sharing with Financial Partners
Stripe shares your personal and payment data with a broad network of banks, card networks, payment processors, and other financial institutions involved in processing your transactions.

Added March 15, 2026
Dual Controller/Processor Role Designation
Stripe sometimes controls how your data is used (as a 'controller'), and sometimes processes it only on behalf of the merchant you bought from (as a 'processor') — and the rules that protect your data differ depending on which role applies.

Added March 15, 2026
Cross-Border Data Transfers (SCCs and Data Privacy Framework)
Stripe transfers your personal data from Europe to the US and other countries using legal mechanisms like Standard Contractual Clauses and the EU-US Data Privacy Framework to comply with EU and UK data protection laws.

Added March 15, 2026
Consumer Rights and Opt-Out Mechanisms
Stripe provides rights to access, correct, delete, restrict, or port your personal data, and allows you to object to certain processing — accessible through Stripe's Privacy Center or by emailing privacy@stripe.com.

Added March 15, 2026
Data Retention for Compliance and Legal Obligations
Stripe keeps your personal data for as long as it needs to — which can be many years — to meet legal requirements like anti-money laundering rules, even after you stop using Stripe services.

Added March 15, 2026
Third-Party and Affiliate Data Sharing for Business Improvement
Stripe shares your personal data with its affiliated companies and with outside vendors who help run its services — including analytics companies, marketing firms, and fraud prevention services.

Added March 15, 2026

Low Severity — 1 provision

Marketing Communications and Opt-Out
Stripe may send you marketing emails about its products and services, but you can unsubscribe at any time using the link in the email or by contacting privacy@stripe.com.

Added March 15, 2026