Stripe HR Data Privacy Framework Policy

Effective date: October 31, 2023 

Stripe, Inc. (“Stripe”, “we”, “our” or “us”) complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce (collectively, the “DPF”).

This Stripe Data Privacy Framework Policy (“DPF Policy”) and where applicable, the European Applicant Personal Information Notice or the European Employee Personal Information Notice, describes the privacy practices that we implement for Personal Data received from the EEA, UK and Switzerland in reliance on the DPF. Stripe has certified to the Department of Commerce that it adheres to the DPR Principles with respect to the processing of such data. This DPF Policy uses terms that are defined in the relevant notice(s). If there is any conflict between the terms in this DPF Policy and the DPF Principles as concerns the Personal Data received under the DPF, the DPF Principles will prevail. 

To learn more about the DPF program, please visit https://www.dataprivacyframework.gov/, and to view our certification, please see here

What this disclosure covers

Please see the relevant parts of the applicable notice and/or other policies for information about:

  • The types of Personal Data processed;
  • The purposes of data processing;
  • Third parties who may receive Personal Data;
  • An individual’s right to access Personal Data; and
  • Any choices and means to limit the use and disclosure of Personal Data.

Compelled disclosure

Stripe may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Enforcement

Stripe’s compliance with the DPF is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. Stripe remains responsible for any Personal Data that is shared with third parties in a manner inconsistent with the DPF unless we prove we are not responsible for the event giving rise to any alleged damage.

Questions and complaints

If you have any questions or concerns about our DPF certification, please reach out to:

Alternatively, please write to us at the following address:

Stripe, Inc.

354 Oyster Point Boulevard

South San Francisco, California, 94080

Attention: Stripe Legal

In the event Stripe is unable to resolve your concern, you can also refer a complaint to your local data protection authority (free of charge) and we will work with them to resolve your concerns. 

We will cooperate and comply with the advice of the panel established by the EU Data Protection Authorities, the UK Information Commissioner’s Office and the Swiss Federal Data Protection and Information Commissioner with regard to such unresolved complaints concerning our handling of Personal Data received in reliance on the DPF.

In certain circumstances, the DPF provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Data Privacy Framework Principles.

Changes to this policy

This DPF Policy may be changed from time to time, consistent with the requirements of the DPF and in accordance with the process described in the relevant notice. You can determine when this DPF Policy was last revised by referring to the “Last updated” date or “Effective date” at the top of this page.

*Stripe will not rely on the Swiss-U.S. Data Privacy Framework until it enters into force, but we adhere to its required commitments in anticipation of it doing so.