This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction.
This is Stripe's Privacy Policy, describing how Stripe collects and uses personal and financial data from individuals who interact with Stripe's payment processing, identity verification, and business services. The policy authorizes Stripe to collect government-issued identification details, financial account numbers, transaction history, device identifiers, browsing activity on third-party sites where Stripe's technology is embedded, and geolocation data, and to share this information with financial partners, fraud prevention services, advertising networks, and analytics providers. The policy also discloses that Stripe may process data about individuals who have not directly created a Stripe account, such as customers of businesses that use Stripe to process payments.
This document is Stripe's global Privacy Policy (last updated April 28, 2026), governing the collection, use, sharing, and retention of Personal Data across Stripe's financial infrastructure services, including payment processing, identity verification, fraud prevention, and business management tools. The policy states that Stripe collects identifiers, financial account details, government-issued ID information, transaction data, device and network information, browsing activity, geolocation data, and biometric data (where applicable), and the terms authorize sharing this data with business partners, financial partners, identity verification providers, advertising networks, and analytics providers. The policy asserts broad legitimate interests as a legal basis for certain processing activities, including fraud detection, network security, and marketing communications, which may require evaluation under GDPR Article 6 balancing tests and equivalent frameworks in other jurisdictions. The policy engages GDPR, CCPA/CPRA, and a range of other national and regional privacy frameworks, with Stripe noting its participation in the EU-U.S. Data Privacy Framework and reliance on Standard Contractual Clauses for international data transfers; compliance obligations vary materially by jurisdiction, particularly regarding consent requirements, data subject rights timelines, and cross-border transfer mechanisms.
7 important changes detected
7 versions captured · Last updated: May 2026
Stripe updated its privacy policy on April 25, 2026 with minor editorial changes. Three contact email addresses for exercising privacy rights had trailing spaces added after the email addresses. The …
Stripe updated its privacy policy on April 23, 2026, but the substantive changes detected are minimal. The update date listed in the document was revised from February 23, 2026 to …
Stripe updated its Privacy Policy on April 18, 2026 with 39 new sentences and 73 modified sentences. The changes include refined definitions of Stripe entities, expanded descriptions of Financial Partners …
Stripe updated its Privacy Policy on March 16, 2026 with multiple minor edits to defined terms and descriptions. The document's last-updated date was changed from February 23, 2026 to January …
Stripe updated its Privacy Policy on March 15, 2026 with 39 new sentences and 73 modified sentences. The changes clarify definitions of key terms used in the policy, expand the …
Provides explicit definition of Personal Data scope including technical identifiers, establishing broader potential data collection.
Appears to be a placeholder or generic statement that lacks substantive detail about law enforcement data disclosure procedures and safeguards.
Adds acknowledgment of opt-out rights and right to object, though excerpt is largely boilerplate with limited specificity.
New provision category for advertising and analytics partner sharing, though the excerpt provided is generic boilerplate without substantive detail.
Introduces complexity around data subject identity and rights differentiation based on user role, potentially affecting how rights are applied to different parties.
Removal of explicit disclosure regarding third-party data broker sourcing and combination with first-party data, reducing transparency about data collection methods.
Removal of specific disclosure about using transaction data for machine learning model training, reducing transparency about automated decision-making and model development practices.
Removal of comprehensive enumeration of GDPR-based data subject rights (access, correction, deletion, objection, restriction, portability, supervisory complaint), replaced with vague references.
Removal of explicit disclosure regarding cookie usage purposes (authentication, preference storage, usage analytics, targeted advertising), reducing transparency about tracking practices.
Removal of explicit disclosure about collection and use of sensitive biometric data (facial images, government IDs) for KYC/identity verification, reducing transparency about sensitive data handling.
Severity increased from medium to high; quotation marks changed from single to double quotes with no substantive content change.
Removed specific uses of data sharing (transaction processing, fraud detection, identity verification, compliance) and replaced with generic reference to 'provide the Services'.
Significantly reduced scope from detailed explanation of cross-border transfer mechanisms (SCCs, DPF, UK Extension) to vague statement about entity responsibility variation by jurisdiction.