What can I do about this clause?

{'method': 'WEB_FORM', 'recipient': 'https://stripe.com/legal/dpa', 'difficulty': 'EASY', 'action_type': 'EXPORT_DATA', 'instructions': "If you process EU or UK customer personal data through Stripe, execute Stripe's Data Processing Agreement at stripe.com/legal/dpa. This is a legal requirement under GDPR Art. 28 and must be completed before or immediately upon processing any customer personal data.", 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': "The FTC has enforcement authority over data privacy practices of non-bank payment processors and can investigate whether Stripe's data use disclosures are adequate under FTC Act Section 5.", 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Data Use and Privacy clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar Data Use and Privacy clauses across approximately 1 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

Data Use and Privacy — Stripe

Share 𝕏 Share in Share 🔒 PDF

What it is

Stripe uses your transaction data and business information for its own analytics and product development purposes, and if you're handling customer personal data through Stripe, you need to sign a separate Data Processing Agreement.

Consumer impact (what this means for users)

Merchants' transaction data, customer behavior patterns, and business metrics are used by Stripe for its own analytics and product development; merchants must also execute a separate Data Processing Agreement to maintain GDPR compliance for their own customers' personal data.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Export Your Data

If you process EU or UK customer personal data through Stripe, execute Stripe's Data Processing Agreement at stripe.com/legal/dpa. This is a legal requirement under GDPR Art. 28 and must be completed before or immediately upon processing any customer personal data.

Cross-platform context

See how other platforms handle Data Use and Privacy and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Stripe's use of aggregated transaction data for its own business purposes — including competitive intelligence and product development — means your business data contributes to Stripe's commercial advantage without direct compensation.

View original clause language

By accepting this Agreement, you grant Stripe the right to use data relating to your use of the Stripe Services, including transaction data, for the purposes described in our Privacy Policy. Stripe may use aggregated or anonymized data derived from your use of the Stripe Services for product development, analytics, and business purposes. Stripe's collection and use of personal data in connection with the Stripe Services is as set forth in Stripe's Privacy Policy. If you are processing personal data of your customers using the Stripe Services, you agree to enter into Stripe's Data Processing Agreement.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: GDPR Arts. 6, 13, 28, and 44-49 govern Stripe's processing of EU merchant and customer personal data; CCPA §§1798.100-1798.199 applies to California residents' data; UK GDPR (post-Brexit) applies for UK operations. The requirement to execute a DPA for customer personal data processing reflects GDPR Art. 28 controller-processor obligations. Cross-border data transfers to Stripe's US infrastructure require SCCs or equivalent mechanisms under GDPR Chapter V. (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

The FTC has enforcement authority over data privacy practices of non-bank payment processors and can investigate whether Stripe's data use disclosures are adequate under FTC Act Section 5.
File a complaint →

Provision details

Document information

Document

Stripe Terms of Service

Entity

Stripe

Document last updated

April 29, 2026

Tracking information

First tracked

April 27, 2026

Last verified

April 27, 2026

Record ID

CA-P-003380

Document ID

CA-D-00107

Evidence Provenance

Source URL

https://stripe.com/legal/ssa

Wayback Machine

View archived versions →

SHA-256

ba3a7b25a1b43698323b986577624b162c5c51802d1bb82f1a99dff5da4335ef

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Stripe | Document: Stripe Terms of Service | Record: CA-P-003380
Captured: 2026-04-27 12:29:11 UTC | SHA-256: ba3a7b25a1b43698…
URL: https://conductatlas.com/platform/stripe/stripe-terms-of-service/data-use-and-privacy/
Accessed: May 2, 2026

Classification

Severity

Medium

Data Use and Privacy