Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'Indefinite data retention without clear consumer notice may constitute an unfair or deceptive practice under FTC Act Section 5.', 'complaint_url': 'https://reportfraud.ftc.gov/'}, {'agency': 'CFPB', 'reason': 'Retention of financial account and transaction data by a payment processor implicates CFPB jurisdiction over financial data privacy practices.', 'complaint_url': 'https://www.consumerfinance.gov/complaint/'}

What is the severity of this clause?

ConductAtlas classifies this Data Retention clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar Data Retention clauses across approximately 29 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

Data Retention — Stripe

Share 𝕏 Share in Share

What it is

Stripe keeps your personal data for as long as it needs to for business and legal purposes, with no specific maximum retention period stated for most data types.

Consumer impact (what this means for users)

Stripe does not specify concrete retention timeframes for payment card details, transaction history, or behavioral data, meaning this information may be held indefinitely subject only to broad business and legal justifications.

How other platforms handle this

Strava Medium

Following deletion of your account, it may take up to 45 days to delete your personal information and system logs from our systems. Once deleted, we cannot reinstate your data, including your account, activities, and place on leaderboards.

Dropbox Medium

When you sign up for an account with us, we'll retain information you store on our Services for as long as your account exists or as long as we need it to provide you the Services. If you delete your account, we'll initiate deletion of this information after 30 days.

Character.AI Medium

When you connect to us or log in through a Third-Party Account like Facebook or Google, we receive information from that third party identifying your account. Information we collect in this context includes third-party account details such as username or email address. We collect and store this info...

See all platforms with this clause type →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

The absence of specific retention periods for most data types means Stripe could retain financial and behavioral data for extended periods, with limited practical ability for consumers to challenge retention beyond legal minimum requirements.

View original clause language

We retain Personal Data for as long as necessary to fulfill the purposes for which it was collected, including to comply with legal obligations, resolve disputes, and enforce our agreements. In some cases, we may retain data for longer periods where required by law or for legitimate business purposes such as fraud prevention and financial record-keeping.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: Data retention implicates GDPR Art. 5(1)(e) (storage limitation principle — data kept no longer than necessary), GDPR Art. 17 (right to erasure), GLBA recordkeeping requirements, FinCEN AML record retention (5 years under 31 CFR §1020.410), PCI DSS cardholder data retention requirements, and CCPA §1798.100 (consumers' right to know retention periods for each category of personal information).

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

Indefinite data retention without clear consumer notice may constitute an unfair or deceptive practice under FTC Act Section 5.
File a complaint →
CFPB

Retention of financial account and transaction data by a payment processor implicates CFPB jurisdiction over financial data privacy practices.
File a complaint →

Applicable regulations

CCPA/CPRA

California, USA

FCRA

United States Federal

GDPR

European Union

GLBA

United States Federal

HIPAA

United States Federal

UK GDPR

United Kingdom

Provision details

Document information

Document

Stripe Privacy Policy

Entity

Stripe

Document last updated

March 24, 2026

Tracking information

First tracked

March 15, 2026

Last verified

April 9, 2026

Record ID

CA-P-002346

Document ID

CA-D-00106

Evidence Provenance

Source URL

https://stripe.com/privacy

Wayback Machine

View archived versions →

SHA-256

87ac9fcdb4b3be9c7831662daf59f5425643d84690f687c3e918ab83a226dd37

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Stripe | Document: Stripe Privacy Policy | Record: CA-P-002346
Captured: 2026-03-15 11:47:00 UTC | SHA-256: 87ac9fcdb4b3be9c…
URL: https://conductatlas.com/platform/stripe/stripe-privacy-policy/data-retention/
Accessed: April 28, 2026

Classification

Severity

Medium

Data Retention

What it is

Consumer impact (what this means for users)

Why it matters (compliance & risk perspective)

Institutional analysis (Compliance & legal intelligence)

Applicable agencies

Applicable regulations

Provision details

Other provisions in this document