Depending on what you are doing with Stripe, Stripe may be responsible for your data as the primary decision-maker (controller) or as a company processing data on behalf of the business you bought from (processor). This distinction affects whether you can ask Stripe directly to access or delete your data.
This analysis describes what Stripe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
When Stripe acts as a processor on behalf of a Business User, your privacy rights requests may need to go to the merchant, not Stripe. This can make exercising rights more complex for consumers who interact with Stripe only through third-party checkouts.
Interpretive note: The practical allocation of controller versus processor responsibilities for specific data flows depends on the contractual arrangements between Stripe and individual Business Users, which are not fully disclosed in this policy.
Consumers who have paid through a Stripe-powered merchant checkout may find that their access, deletion, or correction requests must be directed to the merchant rather than to Stripe, because Stripe processes that data as a service provider on the merchant's behalf rather than as a data controller in its own right.
How other platforms handle this
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
At Workday, we believe privacy is a fundamental right, regardless of where you live. When you connect with Workday, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use, and share that information.
When you visit a website built on Squarespace, Squarespace acts as a service provider or data processor, meaning that we process your information on behalf of the website owner. In this case, the website owner is responsible for the information they collect through their website and you should conta...
Monitoring
Stripe has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Depending on the activity, Stripe assumes the role of a "data controller" and/or "data processor" (or "service provider"). For more details about our privacy practices, including our role, the specific Stripe entity responsible under this Policy, and our legal bases for processing your Personal Data, please visit our Privacy Center.— Excerpt from Stripe's Stripe Privacy Policy
(1) REGULATORY LANDSCAPE: The controller/processor distinction directly engages GDPR Articles 4, 24, and 28, which impose different obligations and liability frameworks on controllers versus processors. The CCPA similarly distinguishes between businesses and service providers. The Irish DPC and UK ICO are relevant supervisory authorities for EU and UK processing respectively. Where Stripe acts as processor, Business Users bear primary responsibility as controllers for lawful basis, data subject rights, and breach notification obligations. (2) GOVERNANCE EXPOSURE: High. The dual-role framework creates significant compliance complexity for B2B customers integrating Stripe. If a Business User's privacy notice does not accurately describe Stripe's processing role, or if the DPA between the Business User and Stripe does not align with applicable regulatory requirements, the Business User may face regulatory exposure independent of Stripe's own compliance posture. (3) JURISDICTION FLAGS: EU/EEA and UK jurisdictions create the highest exposure given GDPR's explicit controller/processor regime. California's CCPA service provider framework also applies. In jurisdictions without a formal controller/processor distinction, the allocation of responsibility may be less clear and may require additional contractual specificity. (4) CONTRACT AND VENDOR IMPLICATIONS: Business Users must execute Stripe's Data Processing Agreement (available at stripe.com/legal/dpa) to satisfy GDPR Article 28 processor agreement requirements. Procurement teams should verify the DPA is current and covers all relevant processing activities. The DPA's scope, audit rights, and sub-processor notification provisions should be reviewed against internal data governance standards. (5) COMPLIANCE CONSIDERATIONS: Legal teams should map all Stripe integration points to determine whether Stripe acts as controller or processor in each context, update privacy notices accordingly, and ensure data subject rights procedures correctly route requests. Where Stripe is the processor, internal procedures must be established to relay data subject requests to Stripe within regulatory timeframes.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
When Stripe acts as a processor on behalf of a Business User, your privacy rights requests may need to go to the merchant, not Stripe. This can make exercising rights more complex for consumers who interact with Stripe only through third-party checkouts.
Consumers who have paid through a Stripe-powered merchant checkout may find that their access, deletion, or correction requests must be directed to the merchant rather than to Stripe, because Stripe processes that data as a service provider on the merchant's behalf rather than as a data controller in its own right.
ConductAtlas has identified this type of provision across 3 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Stripe.