Depending on what you are doing with Stripe, Stripe may be responsible for your data as the primary decision-maker (controller) or as a company processing data on behalf of the business you bought from (processor). This distinction affects whether you can ask Stripe directly to access or delete your data.
This analysis describes what Stripe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
When Stripe acts as a processor on behalf of a Business User, your privacy rights requests may need to go to the merchant, not Stripe. This can make exercising rights more complex for consumers who interact with Stripe only through third-party checkouts.
Interpretive note: The practical allocation of controller versus processor responsibilities for specific data flows depends on the contractual arrangements between Stripe and individual Business Users, which are not fully disclosed in this policy.
Severity increased from medium to high; quotation marks changed from single to double quotes with no substantive content change.
View full change record →Consumers who have paid through a Stripe-powered merchant checkout may find that their access, deletion, or correction requests must be directed to the merchant rather than to Stripe, because Stripe processes that data as a service provider on the merchant's behalf rather than as a data controller in its own right.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
Stripe has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Depending on the activity, Stripe assumes the role of a "data controller" and/or "data processor" (or "service provider"). For more details about our privacy practices, including our role, the specific Stripe entity responsible under this Policy, and our legal bases for processing your Personal Data, please visit our Privacy Center.— Excerpt from Stripe's Stripe Privacy Policy
(1) REGULATORY LANDSCAPE: The controller/processor distinction directly engages GDPR Articles 4, 24, and 28, which impose different obligations and liability frameworks on controllers versus processors. The CCPA similarly distinguishes between businesses and service providers. The Irish DPC and UK ICO are relevant supervisory authorities for EU and UK processing respectively. Where Stripe acts as processor, Business Users bear primary responsibility as controllers for lawful basis, data subject rights, and breach notification obligations. (2) GOVERNANCE EXPOSURE: High. The dual-role framework creates significant compliance complexity for B2B customers integrating Stripe. If a Business User's privacy notice does not accurately describe Stripe's processing role, or if the DPA between the Business User and Stripe does not align with applicable regulatory requirements, the Business User may face regulatory exposure independent of Stripe's own compliance posture. (3) JURISDICTION FLAGS: EU/EEA and UK jurisdictions create the highest exposure given GDPR's explicit controller/processor regime. California's CCPA service provider framework also applies. In jurisdictions without a formal controller/processor distinction, the allocation of responsibility may be less clear and may require additional contractual specificity. (4) CONTRACT AND VENDOR IMPLICATIONS: Business Users must execute Stripe's Data Processing Agreement (available at stripe.com/legal/dpa) to satisfy GDPR Article 28 processor agreement requirements. Procurement teams should verify the DPA is current and covers all relevant processing activities. The DPA's scope, audit rights, and sub-processor notification provisions should be reviewed against internal data governance standards. (5) COMPLIANCE CONSIDERATIONS: Legal teams should map all Stripe integration points to determine whether Stripe acts as controller or processor in each context, update privacy notices accordingly, and ensure data subject rights procedures correctly route requests. Where Stripe is the processor, internal procedures must be established to relay data subject requests to Stripe within regulatory timeframes.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
When Stripe acts as a processor on behalf of a Business User, your privacy rights requests may need to go to the merchant, not Stripe. This can make exercising rights more complex for consumers who interact with Stripe only through third-party checkouts.
Consumers who have paid through a Stripe-powered merchant checkout may find that their access, deletion, or correction requests must be directed to the merchant rather than to Stripe, because Stripe processes that data as a service provider on the merchant's behalf rather than as a data controller in its own right.
ConductAtlas has identified this type of provision across 4 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Stripe.