EU Consultant Personal Information Notice

1. Introduction

Stripe takes data privacy seriously. We ensure the highest level of protection and diligence around collecting, using and retaining the Personal Data of all independent contractors and consultants (“Consultants”). We also want you to be informed about how it’s collected, used and retained. This Notice is intended to provide you – EU-based Consultants – with that information.

2. What Personal Data is collected?

As part of doing business, Stripe (which includes Stripe, Inc. and its subsidiaries) collects and uses the categories of Personal Data described in Appendix 1 (“Personal Data”). This allows Stripe to do all the things that are important in a consulting relationship, e.g. ensuring that you’re paid! The controller of your Personal Data is your Stripe contracting entity.

3. How and why is my Personal Data used?

Stripe collects and uses Personal Data for reasons related to your consulting engagement, and always in accordance with data protection laws. Specifically, Stripe collects and uses Personal Data:

  1. to perform the terms of the consulting contract between you and Stripe;
  2. to comply with legal obligations;
  3. to serve Stripe’s legitimate interests (or the interests of a third party) if your interests and fundamental rights don’t override those interests, e.g. to manage, secure, defend, and develop Stripe’s business and people, and to make necessary strategic and corporate responsibility decisions. Of course, we will inform you about other legitimate interests, as applicable.

This chart gives more detail:

USE: To administer the terms of the contract between you and Stripe.
REASON:
  • To perform the consulting agreement between you and Stripe, and
  • To comply with a legal obligation.

USE: To make decisions about your consulting engagement or the end of your consulting engagement.
REASON:
  • To perform the consulting agreement between you and Stripe, and
  • To comply with a legal obligation.

USE: To administer, assessments and development requirements.
REASON:
  • To perform the consulting agreement between you and Stripe, and
  • As necessary to serve Stripe’s legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests.

USE: To administer guidelines, policies and procedures, e.g. IT security, diversity, and equal opportunity policies.
REASON:
  • To perform the consulting agreement between you and Stripe,
  • To comply with a legal obligation, and
  • As necessary to serve Stripe’s legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests.

USE: To comply with applicable laws and regulations.
REASON:
  • To comply with a legal obligation, and
  • As necessary to serve Stripe’s legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests.

USE: To handle and defend against actual or potential legal disputes/claims.
REASON:
  • To comply with a legal obligation, and
  • As necessary to serve Stripe’s legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests.

USE: To ensure your health and safety.
REASON:
  • To perform the consulting agreement between you and Stripe,
  • To comply with a legal obligation, and
  • As necessary to serve Stripe’s legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests.

USE: To manage IT systems and operational processes within Stripe (e.g., logs and monitoring of email or Internet use).
REASON:
  • As necessary to serve Stripe’s legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests.

USE: Where applicable to the consulting agreement, to issue equity.
REASON:
  • To perform the consulting agreement between you and Stripe,
  • To comply with a legal obligation, and
  • As necessary to serve Stripe’s legitimate interests (or those of a third party), and your interests and fundamental rights do not override those interests.

If you do not provide Stripe with your Personal Data, we may not be able to process your fees, manage your engagement with Stripe, and comply with our legal obligations or manage Stripe’s business.

4. Does Stripe retain my Personal Data?

Yes, but only as long as necessary to satisfy the purpose for which it was collected and used, unless a longer period is needed because of legal obligations or to defend a legal claim. Because statutory retention periods vary depending on the type of data, please contact consultant-privacy@stripe.com to find out more.

5. What security is in place to protect my Personal Data?

Stripe takes reasonable technical, physical, and organizational measures to ensure that your Personal Data is properly secured against unauthorised or unlawful use, alteration, unauthorised access or disclosure, accidental or wrongful destruction, and loss.

Stripe also takes reasonable steps to limit access to your Personal Data to those persons who need to fulfill the purposes listed in the chart above. And, we contractually ensure that any third parties are processing your Personal Data in a secure way that provides for confidentiality and integrity of your Personal Data.

6. How is my Personal Data disclosed and transferred?

Stripe shares your Personal Data only on a need-to-know basis, only for the reasons listed above, and only with individuals in certain roles who need access to this information (both in the country where you work and in other countries where we have operations, including countries outside the European Economic Area (“EEA”)).

Stripe also shares your Personal Data with service providers who process data on Stripe’s behalf; these service providers include: payroll, IT support, equity plan service provider, and successors in title. Most of these service providers are located within the EEA. Stripe may also need to share Personal Data with government authorities (e.g. regulatory authorities, enforcement authorities, and other governmental agencies, including taxing authorities).

Stripe takes measures to ensure that your Personal Data is shared and treated securely, in accordance with this Notice and applicable legislation. And we didn’t stop within the EEA – any transfer of your Personal Data outside of the EEA will be covered by contractual agreements with the recipients of the data, including Standard Contractual Clauses, as approved by the European Commission, or equivalent means.

You can request a copy of any documentation showing the data transfer safeguards that have been taken by making a request to consultant-privacy@stripe.com.

7. What are my rights?

Subject to some legal conditions, you have the following rights related to the processing of your Personal Data:

  • Right to access, correct and delete your Personal Data. Stripe will ensure that all Personal Data is correct, but we can only do so if you give us correct information. So, it’s your responsibility to notify Stripe of any changes in personal circumstances (for example, change of address, bank account, etc.) as soon as possible. You may request access to your Personal Data and request correction of any inaccurate Personal Data. You may also request deletion of any irrelevant Personal Data.
  • Right to withdraw consent. If your Personal Data is processed on the basis of your consent, you may withdraw consent at any time by sending an email to consultant-privacy@stripe.com. This will not affect the lawfulness of processing that was based on consent before its withdrawal.
  • Data portability. To the extent Stripe uses your Personal Data for the performance of the consulting agreement and that Personal Data is processed by automatic means, you have the right to receive it in a structured, commonly used and machine-readable format. You can also request for it to be transmitted to another data controller, if technically feasible and required.
  • Right to restrict Personal Data use. You may restrict Stripe’s use of your Personal Data if you contest the accuracy or legitimate legal basis of the use and you don’t want Stripe to erase the Personal Data. You may also request restriction of Personal Data use if Stripe no longer needs the Personal Data for the relevant purposes, but you require it for the establishment, exercise or defense of legal claims; or if you have objected to Stripe’s Personal Data use justified on legitimate interests pending verification as to whether Stripe has compelling interests to continue use.
  • Right to object. To the extent that Stripe is relying on its legitimate interests to use your Personal Data, you may object to the use, and Stripe will stop processing unless Stripe demonstrates either compelling legitimate grounds for the use that override your interests, rights and freedoms or where Stripe needs to process the Personal Data for the establishment, exercise or defense of legal claims.
  • Digital Legacy. If you are engaged in France, you have the right to issue directives relating to the disposition of your Personal Data after your death.
  • Lodge a complaint. You may lodge a complaint with a supervisory authority in your country of residence if you believe the collection and use of your Personal Data infringes this Notice or applicable law.

8. Who should I contact with questions?

For further information regarding your rights, or if you have questions about the use of your Personal Data, please contact consultant-privacy@stripe.com.

For Consultants based in Germany, you can also reach out to our data protection officer by emailing dpo@stripe.com.

9. Where is this Notice published?

This Notice is published at stripe.com/eu-consultant-privacy-notice

Appendix 1: Personal Data that Stripe collects and uses

Section A - general categories of Personal Data

To the extent permitted under applicable law, Stripe will collect the following types of information, including Personal Data from or about you:

  • Personal details: personal (contact) details such as your name, address, email address, telephone number or other contact information, degree/title, date of birth, gender, nationality, national ID (such as passport, social security or national insurance number, all subject to applicable law), marital- or civil partnership status, domestic partners, dependents, citizenship;
  • Emergency contact details: name and contact details of emergency contacts (please note that you are required to inform your emergency contacts about the collection and processing of their Personal Data for emergency contact purposes);
  • Financial details: such as financial information or other identifiers such as your bank account details;
  • Basic service details: such as work contact details (corporate email address and telephone number), details regarding your consultancy duties, primary location, service hours, your terms and conditions of engagement, immigration status, and work permit details;
  • System and application access data: information required to access the Company systems and applications such as email account and system passwords;
  • Professional qualifications: professional certifications, special skills including (driver) licenses, language skills, memberships of committees or other bodies, education history;
  • Management records: details of any shares of common stock or directorships;
  • Recruitment or selection information: any personal data contained in your CV, resumes and application form, references, record of interview or interview notes, and selection and verification records, previous (job) experience and references;
  • Fees and remuneration: such as details of your fees or payment, long term incentives, Company credit card data, tax information;
  • Training and development information: such as data relating to training and development needs or trainings received;
  • Disciplinary information: such as any personal data contained in records of allegations, investigation and proceeding records and outcomes;
  • Termination information: such as dates and reason for leaving, termination agreements and payments;
  • Stock plan information: information necessary for stock plan administration;
  • Survey information: such as survey data related to your engagement insofar as those details contain Personal Data;
  • Inventions and IP-related information: such as information shared with Stripe in the course of executing the Confidential Information and Invention Assignment Agreement (CIIAA), where applicable; and
  • Any other information which you choose to disclose to Stripe during the course of your contractual relationship with Stripe.

Section B - special categories of Personal Data

To the extent permitted under applicable law, the following information, including types of special categories of Personal Data, will be collected and used by Stripe:

  • Physical or mental health information: such as information about your physical or mental health or condition.
  • Other special categories of Personal Data: such as racial or ethnic origin; religious or similar beliefs; membership of a trade union; the commission or alleged commission by you of any offence; and any proceedings for any offence committed or alleged to have been committed by you, the disposal of those proceedings or the sentence of any court in those proceedings.

Special categories of Personal Data will only be collected and used as necessary to carry out an obligation under labor, social security, and social protection laws, when the use is authorized by European Union or Member State law providing for appropriate safeguards for your rights and freedoms.