What are the institutional and regulatory implications of this document?

REGULATORY EXPOSURE: This Policy engages GDPR Arts. 6, 9, 13, 14, 17, 20, 22, and 46 (EU/EEA, enforced by Irish DPC as lead supervisory authority); UK GDPR and Data Protection Act 2018 (ICO enforcement); CCPA §§1798.100-1798.199 / CPRA (California AG and CPPA enforcement); PCI DSS as applicable to payment data handling; Bank Secrecy Act/AML obligations referenced through Financial Partner sharing; and the EU-U.S. Data Privacy Framework and UK Extension for cross-border transfers. The FTC Act Se…

How does Stripe's Stripe Privacy Policy affect users?

Stripe collects extensive personal and financial data — including transaction history, device fingerprints, IP addresses, and identity verification documents — from both direct users and people who simply shop at merchants that use Stripe. This data is shared with Financial Partners, fraud-prevention networks, Stripe Affiliates, and the businesses you transact with, meaning your payment behavior is visible to a wide ecosystem of third parties. You can access, correct, delete, or export your per…

How often is Stripe's Stripe Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Stripe updates this document?

Yes. Watcher subscribers ($9.99/month) can add Stripe to their watchlist and receive same-day email alerts whenever this document or any other Stripe document changes.

Stripe Privacy Policy — Stripe

8 Total

2 High severity

6 Medium severity

0 Low severity

Summary

This is Stripe's privacy policy explaining how the company — which powers payment processing for millions of online businesses — collects and uses your personal data when you make purchases at any site using Stripe, create a Stripe account, or use products like Link. The most important thing to know is that Stripe collects your financial transaction history, device data, identity verification information, and behavioral data, and shares it with banks, payment networks, fraud-prevention services, and the businesses you buy from. You can exercise rights to access, correct, delete, or export your personal data by visiting Stripe's Privacy Center at stripe.com/legal/privacy-center or contacting privacy@stripe.com.

Technical Summary

Stripe's Privacy Policy governs the collection, use, and sharing of Personal Data across its Business Services (payment infrastructure for merchants), End User Services (direct consumer products like Link), and its Sites, with Stripe acting as either data controller or data processor depending on context. The Policy obligates Stripe to disclose data sharing with Financial Partners, Stripe Affiliates, service providers, and third parties for fraud prevention, identity verification, and compliance purposes, while granting users rights to access, delete, correct, and port their data. Notably, Stripe collects data from third-party sources including data brokers, public databases, and social media platforms, and shares transaction-level Personal Data with Financial Partners and Business Users in ways that end consumers may not anticipate given Stripe's typically invisible role in payment flows. The Policy engages GDPR (EU/UK), CCPA/CPRA (California), and various financial services regulations applicable to payment processors, with Stripe's Privacy Center referenced repeatedly for jurisdiction-specific details that are not fully disclosed within the Policy itself. Material compliance considerations include Stripe's dual role as controller and processor creating complex accountability chains, cross-border data transfers under SCCs and the EU-U.S. Data Privacy Framework, and the use of transaction data for fraud network and machine learning purposes that may implicate automated decision-making provisions under GDPR Art. 22.

Evidence Provenance

Captured April 29, 2026 06:20 UTC

Document ID CA-D-000106

Version ID CA-V-000994

Source URL https://stripe.com/privacy

Wayback Machine View archived versions →

SHA-256 4d67edcce11168502778ef5f27b9db91761257ae98bafac364f4ebec0553f77b

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed

Institutional Analysis

🔒 Institutional analysis locked

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Upgrade to Professional — $149/mo

Change Timeline

April 29, 2026 — Document updated low

Stripe updated their Privacy Policy on April 29, 2026, making several housekeeping and substantive changes. The company's legal name reference was simplified from 'Stripe Inc., now known as Stripe, LLC' to just 'Stripe, LLC,' and a vague 'Learn More' link about their Data Privacy Framework was replaced with a clearer sentence directing users to read Stripe's full Data Privacy Framework Policy. These changes improve transparency slightly by making it easier to find Stripe's data transfer compliance documentation.

· 4 modified
View diff → View full record →
4d67edcc…
April 25, 2026 — Document updated low

Stripe updated the 'last updated' date on their Privacy Policy from January 16, 2026 to February 23, 2026. This change appears in two places within the document. The date update itself signals a revision occurred, but the only detected change is the date stamp — no substantive policy language was altered.

· 2 modified
View diff → View full record →
8b928462…
April 23, 2026 — Document updated low

Stripe updated their Privacy Policy on April 23, 2026. The changes include a revision to the 'last updated' date shown in the document (from February 23, 2026 to January 16, 2026) and minor formatting adjustments to contact email addresses for their Data Protection Officer and Global Head of Privacy — specifically, a space was added before the period following each email address. These are cosmetic and administrative changes that do not affect your rights or how Stripe handles your data.

· 4 modified
View diff → View full record →
2668106e…
April 18, 2026 — Document updated medium

Stripe updated its Privacy Policy on April 18, 2026, making a range of clarifications and expansions to how it defines key terms and describes its data practices. Notable changes include expanding the list of financial partners (now including payment intermediaries, aggregators, and processors), broadening the definition of 'Visitor' to include people who visit Stripe's physical offices, and clarifying that 'Transaction Data' covers data used in relation to — not just to facilitate — transactions. These changes give Stripe broader latitude in how it describes its data-sharing relationships and slightly widens the scope of who is considered a 'Visitor' under the policy.

39 added · 73 modified
View diff → View full record →
2b975ac2…
March 16, 2026 — Document updated medium

Stripe updated their Privacy Policy on March 16, 2026, rolling back the document to a January 16, 2025 version and making numerous wording changes that narrow definitions and reduce detail. For example, the definition of 'Financial Partners' was simplified to remove references to payment intermediaries, aggregators, and processors, and the 'Visitor' category no longer explicitly covers people who visit Stripe offices. These changes reduce the specificity of how Stripe describes its data practices and partnerships.

4 added · 43 removed · 71 modified
View diff → View full record →
a1b7279e…
March 15, 2026 — Initial capture

Initial snapshot — monitoring begins

515ec37b…

View full version history (0 captures) →

Analyzed Changes

5 changes analyzed since monitoring began.

Updated April 29, 2026

low

What changed Stripe updated their Stripe Privacy Policy on April 29, 2026. Change detected: 4 sentence(s) modified. Document contained 517 sentences after update.

Consumer impact Stripe simplified its legal name reference and replaced a vague 'Learn More' link with a direct statement pointing users to its Data Privacy Framework Policy, making it easier for consumers — especially those in the EU and UK — to find information about how their data is handled when transferred internationally. The date stamp was also updated from February 23 to April 28, 2026, signaling a fresh policy revision. You can read Stripe's Data Privacy Framework Policy directly via the updated link now referenced in the Privacy Policy.

Why it matters The legal entity name finalization from 'Stripe Inc.' to 'Stripe, LLC' means businesses with contracts or data agreements referencing the old name may have a counterparty mismatch that could matter in regulatory or legal proceedings. The clearer DPF Policy reference also makes it easier for EU and UK users to verify how their international data transfers are protected.

Updated April 25, 2026

low

What changed Stripe updated their Stripe Privacy Policy on April 25, 2026. Change detected: 2 sentence(s) modified. Document contained 517 sentences after update.

Consumer impact Stripe updated the 'last updated' date on their Privacy Policy from January 16, 2026 to February 23, 2026, appearing in two locations in the document. No substantive changes to how your personal data is collected, used, or shared were detected in this update. There is no action required from consumers at this time.

Why it matters A date-only update to a privacy policy can sometimes signal an unreported substantive change, making it worth logging for compliance tracking. In this case, no substantive changes were detected, so the practical impact on users is minimal.

Updated April 23, 2026

low

What changed Stripe updated their Stripe Privacy Policy on April 23, 2026. Change detected: 4 sentence(s) modified. Document contained 517 sentences after update.

Consumer impact Stripe made minor formatting and administrative changes to their Privacy Policy, including adjusting the displayed 'last updated' date and adding a space before the period after contact email addresses for their privacy team. These changes do not affect how Stripe collects, uses, or shares your personal data, nor do they alter any of your privacy rights. No action is required on your part.

Why it matters This change is purely administrative and does not affect how Stripe processes personal data or the rights available to users. The revision to the 'last updated' date (moving it earlier) may cause minor confusion about document versioning but has no legal or practical consequence.

Updated April 18, 2026

medium

What changed Stripe updated their Stripe Privacy Policy on April 18, 2026. Change detected: 39 sentence(s) added, 73 sentence(s) modified. Document contained 517 sentences after update.

Consumer impact Stripe has expanded the list of third-party financial partners it may share your data with, now explicitly including payment intermediaries, aggregators, and processors — meaning your personal data may flow to a broader set of companies than before. The definition of 'Visitor' has also been widened to include people who visit Stripe's physical premises, subjecting office visitors to the same data collection notice. The scope of 'Transaction Data' has been subtly broadened from data used 'to facilitate' transactions to data used 'in relation to' transactions, which could capture a wider range of data points. You can review Stripe's updated Privacy Policy at stripe.com/privacy to understand the full list of partner categories now covered.

Why it matters The expansion of Financial Partners to include indirect payment intermediaries and aggregators means consumer personal data can now flow to a broader and less transparent network of third-party companies. The broadened Transaction Data definition may also allow Stripe to process more data under this classification without a direct transaction facilitation purpose.

Updated March 16, 2026

medium

What changed Stripe updated their Stripe Privacy Policy on March 16, 2026. Change detected: 4 sentence(s) added, 43 sentence(s) removed, 71 sentence(s) modified. Document contained 478 sentences after update.

Consumer impact Stripe's updated policy uses narrower definitions of who counts as a partner and what data practices apply, which means less transparency about who may receive your financial and personal data. The removal of language covering office visitors and certain payment intermediaries reduces the scope of people and entities explicitly described as covered or responsible. You can review Stripe's full updated Privacy Policy at stripe.com to compare what protections and disclosures now apply to your data.

Why it matters Stripe no longer explicitly names payment intermediaries and aggregators as entities that may receive your financial data, reducing the transparency consumers and regulators expect under modern privacy law. This matters most for users in jurisdictions with strong disclosure requirements like the EU and California.

Recent Clause-Level Changes Apr 29, 2026

Added (4)

Collection from Third-Party Data Sources High

This new provision discloses a significant expansion in data sources and combination practices that was not previously explicitly mentioned, raising transparency concerns about third-party data acquisition.

Use of Transaction Data for Fraud Prevention and Machine Learning Medium

This new provision explicitly details the use of personal data for machine learning model training and refinement, which is a more specific and potentially broader use case than the previous generic fraud prevention language.

Stripe's Dual Role as Controller and Processor Medium

This new provision explicitly articulates Stripe's dual role and legal relationship complexity, which is important for data subjects to understand their rights and which entity they should contact.

Identity Verification and Know Your Customer Data High

This new provision introduces explicit disclosure of biometric data collection (facial images) as part of KYC processes, representing a significant expansion in sensitive personal data categories requiring enhanced transparency.

Removed (4)

Personal Data Collection Scope

The removal of this comprehensive enumeration of collected data categories makes the current policy less transparent about the specific types of personal data Stripe collects during normal operations.

End Customer Rights Routed Through Merchants

The removal of explicit guidance routing end customer privacy rights through merchants may create confusion about who is responsible for handling data subject requests in multi-party transaction scenarios.

Fraud Prevention and Legitimate Interests Basis

The removal of this high-severity provision explicitly stating the legal basis (legitimate interests) for fraud detection and automated processing eliminates important transparency about the lawful grounds for sensitive processing activities.

Data Retention

The removal of this data retention provision eliminates transparency about how long Stripe retains personal data and under what circumstances extended retention periods apply.

Modified (4)

Data Sharing with Financial Partners

Expanded rationale for sharing to explicitly include fraud detection, prevention, and identity verification as separate purposes beyond generic legal compliance.

Cross-Border Data Transfers

Removed broad language about 'other legally recognized transfer mechanisms' and added specific reference to the UK Extension to the EU-U.S. Data Privacy Framework, making the policy more precise about available legal bases.

Consumer Data Subject Rights

Removed explicit mention of 'right to withdraw consent', added 'right to lodge a complaint with a supervisory authority', and removed reference to Privacy Center contact details.

Cookies and Tracking Technologies

Shifted focus from detailed enumeration of technical data points to functional purposes of tracking, added 'deliver relevant advertising' as explicit use case, and delegated detailed information to separate Cookies Policy.

View full change record →

High Severity — 2 provisions

Collection from Third-Party Data Sources

Stripe purchases or receives your personal data from data brokers, public databases, and social media companies, then combines it with data it already has about you.

Added April 27, 2026
Identity Verification and Know Your Customer Data

Stripe collects government IDs, facial images, and potentially biometric data to verify your identity when you sign up for certain services, to comply with financial regulations and prevent fraud.

Added April 27, 2026

Medium Severity — 6 provisions

Data Sharing with Financial Partners

Stripe shares your personal and financial data with banks, card networks, and payment processors to complete transactions and meet legal requirements, including fraud checks.

Added April 27, 2026
Use of Transaction Data for Fraud Prevention and Machine Learning

Stripe uses your transaction history, device data, and other personal information to train its fraud detection algorithms and other AI/machine learning systems.

Added April 27, 2026
Cross-Border Data Transfers

Stripe moves your personal data internationally, including to the United States, relying on EU-approved legal tools like Standard Contractual Clauses and the EU-US Data Privacy Framework.

Added April 27, 2026
Consumer Data Subject Rights

Depending on where you live, you have rights to see, fix, delete, or export your personal data that Stripe holds, and to complain to a regulator if you think Stripe has mishandled your data.

Added April 27, 2026
Cookies and Tracking Technologies

Stripe uses cookies and trackers on its websites to identify you, remember your preferences, analyze your behavior, and serve targeted advertising.

Added April 27, 2026
Stripe's Dual Role as Controller and Processor

Stripe acts as either the entity in charge of your data (controller) or as a processor acting on behalf of businesses, depending on the service — and the Policy directs you to a separate document to find out which applies to you.

Added April 27, 2026