Stripe Data Privacy Framework Policy

Stripe Data Privacy Framework Policy

Effective date: September 29, 2023 

Stripe, Inc. (“Stripe”, “we”, “our” or “us”) complies with the U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce (collectively, the “DPF”).* 

This Stripe Data Privacy Framework Policy (“DPF Policy”) and the Stripe Privacy Policy (“Privacy Policy”) describes the privacy practices that we implement for Personal Data received from the EEA, UK and Switzerland in reliance on the DPF. Stripe has certified to the Department of Commerce that it adheres to the DPR Principles with respect to such data. This DPF Policy uses terms that are defined in the Privacy Policy. If there is any conflict between the terms in this DPF Policy and the DPF Principles as concerns the Personal Data received under the DPF, the DPF Principles will prevail. 

To learn more about the DPF program, please visit https://www.dataprivacyframework.gov/, and to view our certification, please see here

What this disclosure covers

Please see the relevant parts of the Privacy Policy and/or other policies for information about:

  • The types of Personal Data processed
  • The purposes of data processing;
  • Third parties who may receive Personal Data;
  • An individual’s right to access Personal Data; and
  • Any choices and means to limit the use and disclosure of Personal Data.

Compelled disclosure

Stripe may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Enforcement

Stripe’s compliance with the DPF is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. In accordance with the DPF, Stripe is also liable for onward transfers to third parties that process personal information in a way that does not follow the DPF unless Stripe was not responsible for the event giving rise to any alleged damage.

Questions and complaints

If you have any questions or concerns about our DPF certification, please contact us at privacy@stripe.com or please write to us at the following address:

Stripe, Inc.

354 Oyster Point Boulevard

South San Francisco, California, 94080

Attention: Stripe Legal

In the event we are unable to resolve your concerns, you can contact our third party dispute resolution provider JAMS (free of charge). 

In some cases, the DPF gives you the right to pursue binding arbitration. You can do this to resolve complaints not resolved by Stripe or our third party dispute resolution provider, as described in Annex I to the DPF Framework

Changes to this policy

This DPF Policy may be changed from time to time, consistent with the requirements of the DPF and in accordance with the process described in the Stripe Privacy Policy. You can determine when this DPF Policy was last revised by referring to the “Effective date” or “Last updated” date at the top of this page.

*Stripe will not rely on the UK Extension to the EU-U.S. Data DPF or the Swiss-U.S. Data Privacy Framework until each enters into force, but we adhere to their required commitments in anticipation of their doing so.