If you are an End Customer who interacted with Stripe through a merchant's checkout, your privacy rights may need to be exercised through that merchant rather than directly through Stripe, because Stripe processes your data as a service provider for the merchant.
This analysis describes what Stripe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Operationally, this contextual framing means different privacy rights, data-handling obligations, and procedural protections attach based on the user's transactional role. Stripe structures its privacy commitments to align with the functional relationship each user category has with the platform.
Interpretive note: The precise allocation of controller versus processor responsibility for specific End Customer data flows depends on the contractual arrangements between Stripe and each Business User, which vary and are not fully described in this policy.
End Customers whose data Stripe processes on behalf of a Business User merchant may need to direct access, deletion, or correction requests to the merchant rather than to Stripe, as the policy establishes distinct roles for each data subject category.
Stripe has changed this document before.
"Depending on the context, "you" might be an End Customer, End User, Representative, or Visitor." (Excerpt from Stripe's Privacy Policy)
(1) REGULATORY LANDSCAPE: The End Customer rights routing framework engages GDPR Article 28 (processor obligations to assist controllers with data subject rights) and CCPA service provider provisions. Under GDPR, processors are required to assist controllers in responding to data subject rights requests. The Irish DPC and UK ICO supervise these obligations in their respective jurisdictions.
(2) GOVERNANCE EXPOSURE: High. Business Users who receive data subject rights requests from End Customers must have documented procedures to relay those requests to Stripe and receive responses within applicable regulatory timeframes. Failure to establish these procedures creates liability for the Business User as data controller.
(3) JURISDICTION FLAGS: EU/EEA and UK jurisdictions impose strict response timeframes (one month under GDPR, extendable to three months in complex cases) that apply to the Business User as controller and must be met even when Stripe is the processor holding the data. California's 45-day CCPA response timeframe applies similarly.
(4) CONTRACT AND VENDOR IMPLICATIONS: Business Users' contracts with Stripe (including the DPA) should expressly address the procedure and timeline for relaying End Customer rights requests. The DPA should confirm that Stripe will provide sufficient information to enable the Business User to respond to data subjects within regulatory deadlines. Procurement teams should verify these provisions are current.
(5) COMPLIANCE CONSIDERATIONS: Business Users should implement intake and escalation procedures for data subject rights requests from End Customers, including clear identification of whether Stripe or the Business User holds the requested data, and SLA agreements with Stripe for rights request relay and response.
ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Stripe.