If you paid through a website or app that uses Stripe (rather than using Stripe directly), Stripe acts as a service provider to that merchant and you must contact the merchant — not Stripe — to exercise most of your privacy rights.
This analysis describes what Stripe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This allocation of data controller responsibilities clarifies the contractual relationship and legal obligations regarding personal data. It establishes that the Business User assumes primary responsibility for data subject rights and privacy compliance obligations, while Stripe operates under processor or service provider constraints.
If you are an End Customer — meaning you paid through a merchant that uses Stripe — you cannot directly request data deletion or access from Stripe and must route your request through the merchant, which may be difficult if you have no ongoing relationship with that merchant.
How other platforms handle this
We may share your personal information with our clients (which include financial institutions and merchants), service providers, affiliates, and other third parties as described in this Privacy Notice. We may share personal information with our clients such as financial institutions and merchants so...
We may audit your app and your use of Platform to confirm compliance with these Terms and our other policies, and you agree to cooperate with any audit we conduct, including by providing access to relevant records and personnel.
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
Monitoring
Stripe has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Depending on the context, 'you' might be an End Customer, End User, Representative, or Visitor. End Customers interact with Stripe's services through Business Users (e.g., when purchasing from a merchant). For End Customers, the Business User is the primary data controller and Stripe acts as a data processor or service provider. End Customers should direct privacy inquiries to the relevant Business User.— Excerpt from Stripe's Stripe Privacy Policy
REGULATORY FRAMEWORK: The processor/controller distinction implicates GDPR Arts. 4(7), 4(8), 26, and 28; CCPA §1798.140 definitions of 'service provider' and 'business'; and UK GDPR equivalent provisions. GDPR Art. 17 (right to erasure) and Art. 15 (right of access) are technically exercisable against the controller (merchant), not the processor (Stripe), though GDPR Art. 28(3)(e) requires processors to assist controllers in fulfilling data subject requests.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This allocation of data controller responsibilities clarifies the contractual relationship and legal obligations regarding personal data. It establishes that the Business User assumes primary responsibility for data subject rights and privacy compliance obligations, while Stripe operates under processor or service provider constraints.
If you are an End Customer — meaning you paid through a merchant that uses Stripe — you cannot directly request data deletion or access from Stripe and must route your request through the merchant, which may be difficult if you have no ongoing relationship with that merchant.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Stripe.