7 Total
2 High severity
5 Medium severity
0 Low severity
Summary

This is Stripe's Privacy Policy, describing how Stripe collects and uses personal and financial data from individuals who interact with Stripe's payment processing, identity verification, and business services. The policy authorizes Stripe to collect government-issued identification details, financial account numbers, transaction history, device identifiers, browsing activity on third-party sites where Stripe's technology is embedded, and geolocation data, and to share this information with financial partners, fraud prevention services, advertising networks, and analytics providers. The policy also discloses that Stripe may process data about individuals who have not directly created a Stripe account, such as customers of businesses that use Stripe to process payments.

Technical / Legal Breakdown

This document is Stripe's global Privacy Policy (last updated April 28, 2026), governing the collection, use, sharing, and retention of Personal Data across Stripe's financial infrastructure services, including payment processing, identity verification, fraud prevention, and business management tools. The policy states that Stripe collects identifiers, financial account details, government-issued ID information, transaction data, device and network information, browsing activity, geolocation data, and biometric data (where applicable), and the terms authorize sharing this data with business partners, financial partners, identity verification providers, advertising networks, and analytics providers. The policy asserts broad legitimate interests as a legal basis for certain processing activities, including fraud detection, network security, and marketing communications, which may require evaluation under GDPR Article 6 balancing tests and equivalent frameworks in other jurisdictions. The policy engages GDPR, CCPA/CPRA, and a range of other national and regional privacy frameworks, with Stripe noting its participation in the EU-U.S. Data Privacy Framework and reliance on Standard Contractual Clauses for international data transfers; compliance obligations vary materially by jurisdiction, particularly regarding consent requirements, data subject rights timelines, and cross-border transfer mechanisms.

7 important changes detected

7 versions captured · Last updated: May 2026

What changed: Stripe updated its privacy policy on May 19, 2026 to replace all references to its payment service 'Link' with 'Onelink.' This is a product rebranding change that affects how the policy describes End User Services, account creation, transaction data collection, and bank account integration. No changes were made to what data Stripe collects, how it processes personal data, or users' rights and obligations.
Why this matters: Stripe updated its privacy policy to reflect the rebranding of its Link product to Onelink. This is purely a naming change. All references to Link, including how account creation, payment transactions, and bank account integration work, now refer to Onelink instead. The policy's substantive provisions governing what data Stripe collects, how it uses personal data, and what rights users have remain unchanged.
What changed: Stripe updated its Privacy Policy on April 29, 2026 with four minor editorial changes. The policy's last-updated date was changed from February 23, 2026 to April 28, 2026. Stripe's legal entity name was simplified from 'Stripe Inc., now known as Stripe, LLC' to 'Stripe, LLC' in the Data Privacy Framework compliance statement. The reference to learning more about the Data Privacy Framework was expanded from a generic 'Learn More' link to explicit text stating 'You can learn and read Stripe's Data Privacy Framework Policy here'. These are formatting and organizational updates with no material changes to substantive privacy rights or data-handling practices.
Why this matters: Stripe's Privacy Policy was updated with editorial revisions that do not substantively alter consumer privacy rights or data practices. The policy continues to state Stripe's compliance with the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework. The clarified link to Stripe's Data Privacy Framework Policy provides more direct access to supplementary framework information, but this is a disclosure improvement rather than a change to how Stripe collects, uses, or shares personal data.

April 25, 2026 low

Stripe updated its privacy policy on April 25, 2026 with minor editorial changes. Three contact email addresses for exercising privacy rights had trailing spaces added after the email addresses. The …

April 23, 2026 low

Stripe updated its privacy policy on April 23, 2026, but the substantive changes detected are minimal. The update date listed in the document was revised from February 23, 2026 to …

April 18, 2026 low

Stripe updated its Privacy Policy on April 18, 2026 with 39 new sentences and 73 modified sentences. The changes include refined definitions of Stripe entities, expanded descriptions of Financial Partners …

March 16, 2026 low

Stripe updated its Privacy Policy on March 16, 2026 with multiple minor edits to defined terms and descriptions. The document's last-updated date was changed from February 23, 2026 to January …

March 15, 2026 low

Stripe updated its Privacy Policy on March 15, 2026 with 39 new sentences and 73 modified sentences. The changes clarify definitions of key terms used in the policy, expand the …


Recent Provision Changes May 19, 2026

Added (5)
Data Collection Scope Medium

Provides explicit definition of Personal Data scope including technical identifiers, establishing broader potential data collection.

Law Enforcement and Government Data Disclosure Medium

Appears to be a placeholder or generic statement that lacks substantive detail about law enforcement data disclosure procedures and safeguards.

Consumer Privacy Rights and Opt-Out Medium

Adds acknowledgment of opt-out rights and right to object, though excerpt is largely boilerplate with limited specificity.

Advertising and Analytics Partner Data Sharing Medium

New provision category for advertising and analytics partner sharing, though the excerpt provided is generic boilerplate without substantive detail.

End Customer Data Rights via Business Users High

Introduces complexity around data subject identity and rights differentiation based on user role, potentially affecting how rights are applied to different parties.

Removed (5)
Collection from Third-Party Data Sources

Removal of explicit disclosure regarding third-party data broker sourcing and combination with first-party data, reducing transparency about data collection methods.

Use of Transaction Data for Fraud Prevention and Machine Learning

Removal of specific disclosure about using transaction data for machine learning model training, reducing transparency about automated decision-making and model development practices.

Consumer Data Subject Rights

Removal of comprehensive enumeration of GDPR-based data subject rights (access, correction, deletion, objection, restriction, portability, supervisory complaint), replaced with vague references.

Cookies and Tracking Technologies

Removal of explicit disclosure regarding cookie usage purposes (authentication, preference storage, usage analytics, targeted advertising), reducing transparency about tracking practices.

Identity Verification and Know Your Customer Data

Removal of explicit disclosure about collection and use of sensitive biometric data (facial images, government IDs) for KYC/identity verification, reducing transparency about sensitive data handling.

Modified (3)
Dual Controller and Processor Role

Severity increased from medium to high; quotation marks changed from single to double quotes with no substantive content change.

Financial Partners Data Sharing

Removed specific uses of data sharing (transaction processing, fraud detection, identity verification, compliance) and replaced with generic reference to 'provide the Services'.

Cross-Border Data Transfers

Significantly reduced scope from detailed explanation of cross-border transfer mechanisms (SCCs, DPF, UK Extension) to vague statement about entity responsibility variation by jurisdiction.

High — 2 provisions
Medium — 5 provisions

Archival Provenance: Source & Archival Record
Last Captured: May 19, 2026 00:11 UTC
Capture Method: Automated scheduled archival capture
Document ID: CA-D-000106
Version ID: CA-V-002714
SHA-256: 75784d548ae312ef3404c433596e9ade4f9edc9f3d5ae3ade71e1a6f105c97c7
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified
