Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has enforcement authority over deceptive practices related to data controller/processor role representations under FTC Act Section 5.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Stripe's Dual Role as Controller and Processor clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Stripe's Dual Role as Controller and Processor — Stripe

Share 𝕏 Share in Share

What it is

Stripe acts as either the entity in charge of your data (controller) or as a processor acting on behalf of businesses, depending on the service — and the Policy directs you to a separate document to find out which applies to you.

Consumer impact (what this means for users)

Because Stripe acts as both a controller and processor in different contexts, consumers may find it unclear who is responsible for handling their data rights requests, and may be redirected between Stripe and the merchant when trying to exercise rights like deletion or access.

Cross-platform context

See how other platforms handle Stripe's Dual Role as Controller and Processor and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Stripe's shifting role between controller and processor affects who is responsible for your data rights and who you can hold accountable — but this Policy doesn't tell you which role applies to your situation without consulting a separate Privacy Center document.

View original clause language

Depending on the activity, Stripe assumes the role of a 'data controller' and/or 'data processor' (or 'service provider'). For more details about our privacy practices, including our role, the specific Stripe entity responsible under this Policy, and our legal bases for processing your Personal Data, please visit our Privacy Center.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: GDPR Arts. 4(7) (controller definition), 4(8) (processor definition), 28 (processor obligations), and 26 (joint controller arrangements) are directly implicated. The determination of controller vs. processor status affects which party bears primary GDPR accountability, which DPA applies, and who must respond to data subject requests. CCPA §1798.140(ag) defines 'service provider' vs. 'third party' with similar accountability implications. UK GDPR mirrors these definitions.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

The FTC has enforcement authority over deceptive practices related to data controller/processor role representations under FTC Act Section 5.
File a complaint →

Provision details

Document information

Document

Stripe Privacy Policy

Entity

Stripe

Document last updated

March 24, 2026

Tracking information

First tracked

April 27, 2026

Last verified

April 27, 2026

Record ID

CA-P-003374

Document ID

CA-D-00106

Evidence Provenance

Source URL

https://stripe.com/privacy

Wayback Machine

View archived versions →

SHA-256

44d69cd19e1ca6f2b31785fb53f7c219f512832c75cd8b17d2cae72b6a1516d6

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Stripe | Document: Stripe Privacy Policy | Record: CA-P-003374
Captured: 2026-04-27 12:23:52 UTC | SHA-256: 44d69cd19e1ca6f2…
URL: https://conductatlas.com/platform/stripe/stripe-privacy-policy/stripes-dual-role-as-controller-and-processor/
Accessed: April 29, 2026

Classification

Severity

Medium

Stripe's Dual Role as Controller and Processor