Stripe · Stripe Privacy Policy

End Customer Rights Routed Through Merchants

Medium severity

What it is

If you paid through a website or app that uses Stripe (rather than using Stripe directly), Stripe acts as a service provider to that merchant and you must contact the merchant — not Stripe — to exercise most of your privacy rights.

Consumer impact (what this means for users)

If you are an End Customer — meaning you paid through a merchant that uses Stripe — you cannot directly request data deletion or access from Stripe and must route your request through the merchant, which may be difficult if you have no ongoing relationship with that merchant.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    If you are a direct Stripe user (End User), visit stripe.com/privacy-center to submit a deletion request. If you are an End Customer who paid through a merchant, contact that merchant's customer support to initiate the request.


Why it matters (compliance & risk perspective)

Millions of consumers interact with Stripe only through third-party merchant checkouts and may not realize that to delete or access their payment data held by Stripe, they must go through the merchant who collected it, creating a practical barrier to exercising data rights.

Original clause language
Depending on the context, 'you' might be an End Customer, End User, Representative, or Visitor. End Customers interact with Stripe's services through Business Users (e.g., when purchasing from a merchant). For End Customers, the Business User is the primary data controller and Stripe acts as a data processor or service provider. End Customers should direct privacy inquiries to the relevant Business User.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: The processor/controller distinction implicates GDPR Arts. 4(7), 4(8), 26, and 28; CCPA §1798.140 definitions of 'service provider' and 'business'; and UK GDPR equivalent provisions. GDPR Art. 17 (right to erasure) and Art. 15 (right of access) are technically exercisable against the controller (merchant), not the processor (Stripe), though GDPR Art. 28(3)(e) requires processors to assist controllers in fulfilling data subject requests.

Applicable agencies

  • FTC
    Routing consumer data rights through merchants rather than directly to Stripe may constitute an unfair practice under FTC Act Section 5 if it creates practical barriers to exercising legally guaranteed rights.

Applicable regulations

  • BIPA (Illinois, USA)
  • CCPA/CPRA (California, USA)
  • COPPA (United States Federal)
  • CAN-SPAM (United States Federal)
  • DMA (European Union)
  • FCRA (United States Federal)
  • GDPR (European Union)
  • GLBA (United States Federal)
  • HIPAA (United States Federal)
  • UK GDPR (United Kingdom)

Provision details

Document information
Document: Stripe Privacy Policy
Entity: Stripe
Document last updated: March 24, 2026

Tracking information
First tracked: March 15, 2026
Last verified: April 9, 2026
Record ID: CA-P-002341
Document ID: CA-D-00106

Evidence Provenance
SHA-256: 87ac9fcdb4b3be9c7831662daf59f5425643d84690f687c3e918ab83a226dd37
Verified: ✓ Snapshot stored   ✓ Change verified

How to Cite
ConductAtlas Policy Archive
Entity: Stripe | Document: Stripe Privacy Policy | Record: CA-P-002341
Captured: 2026-03-15 11:47:00 UTC | SHA-256: 87ac9fcdb4b3be9c…
URL: https://conductatlas.com/platform/stripe/stripe-privacy-policy/end-customer-rights-routed-through-merchants/
Accessed: April 28, 2026
Classification
Severity: Medium
Categories
