Stripe collects and shares your business data and your customers' payment data with its partners, banking providers, and card networks. You're responsible for making sure your customers agreed to have their data processed by Stripe.
Merchants are responsible for obtaining downstream customer consent for Stripe's data processing, meaning any GDPR or CCPA compliance failures in the merchant's consent mechanisms could expose both the merchant and Stripe to regulatory liability.
Merchants bear the contractual obligation to ensure their customers have consented to Stripe's data collection and sharing practices, which means GDPR or CCPA violations in the merchant's checkout flow could result in regulatory liability flowing back to the merchant under the SSA's indemnification clause. End consumers' payment data — including card numbers, bank account details, and transaction history — is shared with a broad network of Stripe affiliates and financial partners.
How other platforms handle this
Dropbox uses certain trusted third parties (for example, providers of customer support and IT services) for the business purposes of helping us provide, improve, protect, and promote our Services. These third parties will access your information to perform tasks on our behalf, and we'll remain respo...
When you use Amazon Services, third-party service providers and sellers may receive information about your interactions to the extent necessary for them to fulfill their services. Third-party sellers who sell on Amazon's platform receive customer information necessary to fulfill orders, including na...
If your Calm subscription has been provided to you by someone else, like your employer or a family member who invited you to use one of their dependent subscriptions, we may inform them that you have signed up for the subscription they offered you;
This clause could change without notice.
Get alerted when Stripe updates this policy — with plain-language summaries and severity ratings.
REGULATORY FRAMEWORK: This provision engages GDPR (Regulation 2016/679) Articles 6, 13, 14, 28, and 46 — specifically the controller/processor relationship between the merchant (controller) and Stripe (processor), and the requirement for a Data Processing Agreement (Art. 28). CCPA (Cal. Civ. Code §§ 1798.100-1798.199) applies to California merchants and their customers. PCI-DSS v4.0 applies to all parties handling cardholder data. FinCEN's Customer Due Diligence Rule (31 C.F.R. § 1010.230) and Bank Secrecy Act (31 U.S.C. § 5318) require Stripe to collect and retain transaction and identity data. ECPA (18 U.S.C. § 2510 et seq.) may apply to certain data interception practices.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Watcher: regulatory citations. Professional: full compliance memo.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Don't miss changes to this clause.
Stripe has updated this policy before. Get alerted on the next change.
Watch StripeMerchants are responsible for obtaining downstream customer consent for Stripe's data processing, meaning any GDPR or CCPA compliance failures in the merchant's consent mechanisms could expose both the merchant and Stripe to regulatory liability.
Merchants bear the contractual obligation to ensure their customers have consented to Stripe's data collection and sharing practices, which means GDPR or CCPA violations in the merchant's checkout flow could result in regulatory liability flowing back to the merchant under the SSA's indemnification clause. End consumers' payment data — including card numbers, bank account details, and transaction history — is …
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Stripe.