Stripe collects and shares your business data and your customers' payment data with its partners, banking providers, and card networks. You're responsible for making sure your customers agreed to have their data processed by Stripe.
This analysis describes what Stripe's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause establishes the operational framework for data handling by defining the scope of Stripe's authorized data processing activities and establishing privacy governance through referenced policies. It also allocates responsibility to the user to obtain necessary consents from their own customers for payment data processing.
Merchants bear the contractual obligation to ensure their customers have consented to Stripe's data collection and sharing practices, which means GDPR or CCPA violations in the merchant's checkout flow could result in regulatory liability flowing back to the merchant under the SSA's indemnification clause. End consumers' payment data — including card numbers, bank account details, and transaction history — is shared with a broad network of Stripe affiliates and financial partners.
How other platforms handle this
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
RedCard. We share information with our financial partners to operate the Target RedCard program.
Monitoring
Stripe has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"By entering into this Agreement, you authorize Stripe to collect, use, retain, and share information about you and your transactions in accordance with Stripe's Privacy Policy (available at stripe.com/privacy) and any applicable Data Processing Agreement. Stripe may share your data with its affiliates, financial partners, card networks, and as required by applicable law or regulation. You represent and warrant that you have obtained all necessary consents from your customers to permit Stripe to process their payment data as described in the Privacy Policy.— Excerpt from Stripe's Stripe Terms of Service
REGULATORY FRAMEWORK: This provision engages GDPR (Regulation 2016/679) Articles 6, 13, 14, 28, and 46 — specifically the controller/processor relationship between the merchant (controller) and Stripe (processor), and the requirement for a Data Processing Agreement (Art. 28). CCPA (Cal. Civ. Code §§ 1798.100-1798.199) applies to California merchants and their customers. PCI-DSS v4.0 applies to all parties handling cardholder data. FinCEN's Customer Due Diligence Rule (31 C.F.R. § 1010.230) and Bank Secrecy Act (31 U.S.C. § 5318) require Stripe to collect and retain transaction and identity data. ECPA (18 U.S.C. § 2510 et seq.) may apply to certain data interception practices.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause establishes the operational framework for data handling by defining the scope of Stripe's authorized data processing activities and establishing privacy governance through referenced policies. It also allocates responsibility to the user to obtain necessary consents from their own customers for payment data processing.
Merchants bear the contractual obligation to ensure their customers have consented to Stripe's data collection and sharing practices, which means GDPR or CCPA violations in the merchant's checkout flow could result in regulatory liability flowing back to the merchant under the SSA's indemnification clause. End consumers' payment data — including card numbers, bank account details, and transaction history — is …
ConductAtlas has identified this type of provision across 5 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Stripe.