What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: The policy explicitly engages GDPR (designating Stripe Payments Europe Limited as the EU/EEA controller), the UK GDPR, CCPA and CPRA (with specific California resident rights disclosures), and the EU-US Data Privacy Framework and UK/Swiss equivalents for cross-border transfers. The policy also references applicable financial services regulations governing data retention. Enforcement authorities include the Irish Data Protection Commission (as Stripe's EU lead superviso…

How does Stripe's Stripe Privacy Policy affect users?

The policy establishes that Stripe processes personal data including financial identifiers and transaction records from end-customers who use Stripe-powered checkouts regardless of account status with Stripe. The policy defines Stripe's role as either a data controller or service provider depending on the transaction context, which determines whether data rights requests are directed to Stripe or to the merchant. End-users in California, the EU, and UK are authorized to request data access, cor…

How often is Stripe's Stripe Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Stripe updates this document?

Yes. Watcher subscribers ($9.99/month) can add Stripe to their watchlist and receive same-day email alerts whenever this document or any other Stripe document changes.

CA-D-000106

Stripe Privacy Policy

Stripe

Last change detected May 19, 2026 Privacy policy

SHA-256: 75784d548ae312ef340… 7 versions captured 7 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Stripe ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

2 High severity

6 Medium severity

0 Low severity

Summary

Stripe's Privacy Policy establishes the procedures and legal bases for collection, use, and processing of personal data from payment end-users, merchant account holders, and website visitors. The policy specifies that Stripe collects name, contact details, payment card information, bank account details, transaction history, device identifiers, IP addresses, browsing behavior on Stripe-hosted pages, and derived financial profile information. For California residents and EU/UK users, the policy establishes mechanisms for exercising data access, correction, and deletion rights through Stripe's Privacy Center.

Technical / Legal Breakdown

This document is Stripe's global Privacy Policy (last updated April 28, 2026), governing the collection, use, and sharing of Personal Data across Stripe's Business Services, End User Services, websites, and applications, with Stripe acting as either a data controller or data processor depending on the activity. The policy states that Stripe collects identifiers, financial information, transaction data, device and network data, location information, behavioral and usage data, and inferred characteristics, and authorizes sharing with Business Users, Financial Partners, service providers, advertising and analytics partners, and government or law enforcement authorities. The policy distinguishes between multiple data subject roles (End Customers, End Users, Representatives, and Visitors) and asserts that data collected about End Customers is primarily processed as a service provider on behalf of Business Users, which may limit direct consumer rights against Stripe in those contexts. The policy references GDPR, CCPA and the California Privacy Rights Act, the EU-US Data Privacy Framework, the UK-Switzerland frameworks, and applicable financial services regulations; it designates Stripe, Inc. (US) and Stripe Payments Europe Limited (EU/EEA/UK) as the primary responsible entities depending on jurisdiction. Material compliance considerations include the breadth of inferred data and behavioral profiling disclosed, cross-border data transfer mechanisms, the scope of Financial Partners and sub-processors with whom data is shared, and the policy's assertion that Stripe may share data with law enforcement without notice to users in some circumstances.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

7 important changes detected

7 versions captured · Last updated: May 2026

May 19, 2026

low

What changed Stripe updated its privacy policy on May 19, 2026 to replace all references to its payment service 'Link' with 'Onelink.' This is a product rebranding change that affects how the policy describes End User Services, account creation, transaction data collection, and bank account integration. No changes were made to what data Stripe collects, how it processes personal data, or users' rights and obligations.

Why this matters Stripe updated its privacy policy to reflect the rebranding of its Link product to Onelink. This is purely a naming change. All references to Link—including how account creation, payment transactions, and bank account integration work—now refer to Onelink instead. The policy's substantive provisions governing what data Stripe collects, how it uses personal data, and what rights users have remain unchanged.

View full change record →

April 29, 2026

low

What changed Stripe updated its Privacy Policy on April 29, 2026 with four minor editorial changes. The policy's last-updated date was changed from February 23, 2026 to April 28, 2026. Stripe's legal entity name was simplified from 'Stripe Inc., now known as Stripe, LLC' to 'Stripe, LLC' in the Data Privacy Framework compliance statement. The reference to learning more about the Data Privacy Framework was expanded from a generic 'Learn More' link to explicit text stating 'You can learn and read Stripe's Data Privacy Framework Policy here'. These are formatting and organizational updates with no material changes to substantive privacy rights or data-handling practices.

Why this matters Stripe's Privacy Policy was updated with editorial revisions that do not substantively alter consumer privacy rights or data practices. The policy continues to state Stripe's compliance with the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework. The clarified link to Stripe's Data Privacy Framework Policy provides more direct access to supplementary framework information, but this is a disclosure improvement rather than a change to how Stripe collects, uses, or shares personal data.

View full change record →

April 25, 2026 low

Stripe updated its privacy policy on April 25, 2026 with minor editorial changes. Three contact email addresses for exercising privacy rights had trailing spaces added after the email addresses. The …

View change record →

April 23, 2026 low

Stripe updated its privacy policy on April 23, 2026, but the substantive changes detected are minimal. The update date listed in the document was revised from February 23, 2026 to …

View change record →

April 18, 2026 low

Stripe updated its Privacy Policy on April 18, 2026 with 39 new sentences and 73 modified sentences. The changes include refined definitions of Stripe entities, expanded descriptions of Financial Partners …

View change record →

March 16, 2026 low

Stripe updated its Privacy Policy on March 16, 2026 with multiple minor edits to defined terms and descriptions. The document's last-updated date was changed from February 23, 2026 to January …

View change record →

March 15, 2026 low

Stripe updated its Privacy Policy on March 15, 2026 with 39 new sentences and 73 modified sentences. The changes clarify definitions of key terms used in the policy, expand the …

View change record →

Recent Provision Changes Apr 25, 2026

8 provisions unchanged.

View full change record →

High — 2 provisions

Dual Controller and Processor Role Compare →

Depending on what you are doing with Stripe, Stripe may be responsible for your data as the primary decision-maker (controller) or as a company processing data on behalf of the business you bought from (processor). This distinction affects whether you can ask Stripe directly to access or delete your data.

Added May 10, 2026 Standard Seen across 189 platforms
End Customer Data Rights via Business Users

If you are an End Customer who interacted with Stripe through a merchant's checkout, your privacy rights may need to be exercised through that merchant rather than directly through Stripe, because Stripe processes your data as a service provider for the merchant.

Added May 12, 2026 Rare

Medium — 6 provisions

Data Collection Scope Compare →

Stripe collects a broad range of personal information including identifiers, financial data, device information, and behavioral data from anyone who interacts with its services, including people who have never signed up for a Stripe account.

Added May 12, 2026 Standard Seen across 251 platforms
Financial Partners Data Sharing Compare →

Stripe shares your personal and financial data with a broad network of banks, payment processors, card networks, and other financial intermediaries involved in processing your transactions.

Added May 12, 2026 Standard Seen across 246 platforms
Law Enforcement and Government Data Disclosure Compare →

Stripe's policy discloses that it may share personal data with government authorities and law enforcement, which is a standard practice among payment processors but carries specific implications for financial data.

Added May 12, 2026 Standard Seen across 246 platforms
Consumer Privacy Rights and Opt-Out Compare →

The policy states that data subjects have rights including the right to object to certain uses of their personal data, with specific rights varying by jurisdiction including EU GDPR rights and California CCPA rights.

Added May 12, 2026 Standard Seen across 262 platforms
Cross-Border Data Transfers Compare →

Stripe transfers personal data internationally between its entities and to third parties in different countries, relying on legal mechanisms such as Standard Contractual Clauses and the EU-US Data Privacy Framework to authorize those transfers.

Added April 9, 2026 Standard Seen across 246 platforms
Advertising and Analytics Partner Data Sharing Compare →

The policy discloses that Stripe shares data with advertising and analytics partners, which may include behavioral and device data collected from users interacting with Stripe-powered pages.

Added May 12, 2026 Standard Seen across 246 platforms