Stripe Privacy Center

Last updated: July 30, 2020

Welcome to the Stripe Privacy Center

Stripe respects the privacy of everyone that engages with our platform, and we are committed to being transparent about our privacy processes and policies. We are a platform that enables millions of businesses, and in order to provide our services to our users, we collect and process personal data.

The Stripe Privacy Center contains the answers to frequently asked questions about how we collect and use personal data, the rights that individuals have in relation to personal data held by Stripe, and how Stripe complies with international data protection laws.

All materials have been prepared for general information purposes only. The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice.

What does the Schrems II decision mean? The Court of Justice of the European Union issued a ruling in a case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd and Maximilian Schrems (“Schrems II”) examining transfers of data from the European Economic Area (“EEA”) and Switzerland. Here’s some additional information on our approach.

Stripe continues to have appropriate safeguards and compliance measures to ensure an adequate level of protection of personal data transferred outside the EEA and Switzerland.

We no longer rely on the Privacy Shield as a transfer mechanism for the EU as a result of the Schrems II decision, but continue to take part in the program with respect to our certification with the U.S. Department of Commerce and for the Swiss-U.S. Privacy Shield. For this reason, we continue to make a reference to the Privacy Shield in some of our policies.

Our users can be assured that we are committed to compliant personal data flows through our services and that we’ll continue our work to provide adequate protections based on the issues raised in the Schrems II ruling. We will continue to evaluate the decision and anticipate regulatory guidance to be forthcoming shortly.

If you have additional questions, reach out to our Privacy team at privacy@stripe.com.
Is Stripe acting as a controller or a processor? The answer is both.

Stripe is a data controller when it determines the purposes and means of the processing taking place, including processing related to (1) anti-fraud activity, (2) all back-end verification and compliance activity (e.g., KYC requirements, relationships with financial partners and regulators, AML and sanction screening) and (3) improving Stripe products and services. This is because Stripe determines on its own how to handle such activity and is not instructed by the User or end-customer.

Stripe is a data processor where it is facilitating payment transactions on behalf of and at the direction of a Stripe User. In this case, the Stripe User is a data controller since Stripe is acting on the Stripe User’s instructions regarding the processing, i.e. whom to pay, how much to pay, when to pay.
What legal basis does Stripe rely on to process personal data as a Data Controller? We rely upon a number of legal grounds to ensure that our use of your Personal Data is compliant with applicable law. In short, we use Personal Data to facilitate the business relationships we have with our Users, to comply with our financial regulatory and other legal obligations, and to pursue our legitimate business interests. We also use Personal Data to complete payment transactions and to provide payment-related services to our Users.

Here’s a more detailed overview of why and how we use your Personal Data.

Contractual and pre-contractual business relationships. We use Personal Data for the purpose of entering into business relationships with prospective Stripe Users, and to perform the contractual obligations under the contracts that we have with Stripe Users. Activities that we conduct in this context include:

  • Creation and management of Stripe accounts and Stripe account credentials, including the evaluation of applications to commence or expand the use of our Services;
  • Creation and management of Stripe Checkout accounts;
  • Accounting, auditing, and billing activities; and
  • Processing of payments with Stripe Checkout, communications regarding such payments, and related customer service.


Legal and regulatory compliance. We use Personal Data to verify the identity of our Users in order to comply with fraud monitoring, prevention and detection obligations, laws associated with the identification and reporting of illegal and illicit activity, such as AML (Anti-Money Laundering) and KYC (Know-Your-Customer) obligations, and financial reporting obligations.

Legitimate business interests. We rely on our legitimate business interests to process Personal Data about you. For example, we:

  • Monitor, prevent and detect fraud and unauthorized payment transactions;
  • Mitigate financial loss, claims, liabilities or other harm to Users and Stripe;
  • Respond to inquiries, send service notices and provide customer support;
  • Promote, analyze, modify and improve our products, systems, and tools, and develop new products and services;
  • Manage, operate and improve the performance of our Sites and Services by understanding their effectiveness and optimizing our digital assets;
  • Analyze and advertise our products and services;
  • Conduct aggregate analysis and develop business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of, our business;
  • Share Personal Data with third party service providers that provide services on our behalf and business partners which help us operate and improve our business;
  • Ensure network and information security throughout Stripe and our Services; and
  • Transmit Personal Data within our affiliates for internal administrative purposes.


Payment transactions and related services (Stripe as a data processor). As a processor of payment transactions, we use Personal Data of our User’s Customers to process online payment transactions and authenticate Customers on behalf of our Users.

Marketing and events-related communication. We may send you email marketing communications about Stripe products and services, invite you to participate in our events or surveys, or otherwise communicate with you for marketing purposes, provided that we do so in accordance with the consent requirements that are imposed by applicable law.

Advertising. When you visit our Sites, we (and our service providers) may use Personal Data collected from you and your device to target advertisements for Stripe Services to you on our Sites and other sites you visit (“interest-based advertising”), where allowed by applicable law. We do not use, share, rent or sell the Personal Data of our Users’ Customers for interest-based advertising. We do not sell or rent the Personal Data of our Users, their Customers or our Site visitors.

Stripe Connect At a Glance
Description Stripe Connect is a payment software your third party platform provider (“Platform”) may use to enable you to receive Stripe services (including payment processing) and/or receive payouts.
Controller/Processor Stripe acts as both a data controller and data processor for the Platform. The Stripe entity that acts as data controller/data processor for data processed in Europe is Stripe Payments Europe Limited.
Personal Data The personal data transmitted to Stripe usually involves first name, last name, address, identification number, e-mail address, IP address, telephone number, and other data necessary for payment processing.
Purpose The transmission of the data is aimed at payment processing, ledger management, and fraud prevention. The Stripe User or Platform will transfer personal data to Stripe. The personal data exchanged between Stripe and the User/Platform may be transmitted to verification agencies and User data may be shared with Platforms. This transmission is intended for the Platform to manage its ledger and for Stripe to conduct identity and credit checks.
Transfer Stripe will pass on personal data to affiliates and service providers or subprocessors, if deemed necessary to carry out contractual obligations or for the data to be processed.
Privacy Policy For full details please see the applicable Privacy Policy of Stripe.
What are your data controller activities?
  • Providing the Stripe products and services to Stripe users;
  • Monitoring, preventing and detecting fraudulent payment transactions;
  • Complying with legal or regulatory obligations applicable to the financial sector to which Stripe is subject, including applicable anti-money laundering screening and compliance with know-your-customer obligations; and
  • Analyzing, developing and improving Stripe’s products and services.
As a Stripe User and as a Controller, what does GDPR mean for me? Take a look at our GDPR Guide.

In addition, as data controller, you are responsible for the relationship with the data subject (i.e., your end customer). You may instruct a third party (like Stripe) to process the data but it is your job to set the purpose (or objectives) and legal basis for the processing.

All third parties have to abide by the terms agreed by the data controller and the data subject. To be sure of this, the data controller must have Data Processing Agreements (i.e., DPAs) with each one. Our DPA has been designed to serve this purpose for you; it is strongly aligned with payment transactions, so it should establish that you are compliant with GDPR from a payments perspective.
Where can I get more information about your privacy and cookie practices? This information can be found in our Privacy Policy and our Cookie Policy. Security and privacy are the highest priority for Stripe. We take our responsibilities to you seriously and value transparency in our interactions. We put together this summary of the key clarifications we made to our Privacy Policy and Cookie Policy, effective as of April 28, 2020.

In the Privacy Policy:

  • We clarified that Stripe does not use, share, rent or sell payment transactional data or fraud detection signals for ad targeting. We also further clarified that we do not rent or sell this information to third parties for advertising purposes.
  • We clarified that in the event of a sale, merger, reorganization or similar transaction, the entity that buys all or part of our business will continue to be bound by the Privacy Policy, including our commitments around the use of data for ads.


In the Cookie Policy:

  • We have broken down our explanation about the types of cookies we use. We make more clear what cookies are necessary for providing the Stripe services our users have chosen to integrate.
  • Now, the cookie table also includes additional information about the purpose of certain cookies like those we use for fraud detection, and more information about where our cookies come from and their expiration.


We’ve also expanded our fraud documentation to further describe our Advanced Fraud Signals to help our Users understand in more detail how these cookies are integrated into the fraud detection tooling.
How do I delete my account? You can close your Stripe account from the Settings page on the Dashboard. You can read more about that on our support page: Close a Stripe account.

Please be aware that we will delete some, but not all, of the information that we hold, for the reasons explained below.

As a provider of payment services, Stripe is required to comply with many regulations, including anti-terrorism and anti-money laundering laws. These regulations and laws may require Stripe to retain transactional records associated with Stripe Users for a prescribed period of time after the close of the customer relationship. You can read more about our underwriting obligations in our Privacy Policy.
How do I delete my Custom Connect account? If you are a Custom Connect account User, your account is managed by a Platform User of Stripe. They are the party responsible for managing payments for you and responding to your query, therefore we recommend reaching out to them for assistance.
How do I delete my Express Connect account? If you are an Express Connect account User, your account is managed by a Platform User of Stripe. They are the party responsible for managing payments for you and responding to your query, therefore we recommend reaching out to them for assistance.
Does Stripe have a Data Protection Officer (“DPO”)? Yes, Stripe has appointed a DPO and they can be reached via dpo@stripe.com.
Who are Stripe’s Sub-processors and how are they vetted? Please see our Sub-processor list where we have a list of our most common Sub-processors. Stripe identifies, evaluates, and engages Sub-processors through our vendor management program. We enter into a contract with each Sub-processor prior to sharing data with the Sub-processor, and each contract contains terms that provide for monitoring and audit. In addition, all potential vendors are vetted and approved through Stripe’s security review process before we begin using their services.
What is a Data Processing Agreement (DPA) and how can I get one with Stripe? A data processing agreement is a contract between a data controller and a data processor, which describes the roles and responsibilities of the parties when personal data is processed. Article 28 of the GDPR sets out a number of requirements that a data processing agreement must satisfy in order to be compliant with European data privacy law. We have made a Data Processing Agreement (DPA) available to Stripe Users. When you are logged in to your Stripe account you can review and accept the Stripe DPA.
How does Stripe use cookies? We use cookies to (1) ensure that our services function properly, (2) prevent and detect fraud and violations of our terms of service, (3) understand how visitors use and engage with our website and (4) analyse and improve our services. Depending on your relationship with Stripe and the domain you are visiting, different cookies apply: for instance. some cookies are set on the public Stripe domain, some on the Stripe Dashboard when you are logged in as a Stripe User, and some on the payment page available to customers who make payments and use the services Stripe provides.

Cookies play an important role in helping Stripe provide personal, effective and safe services. Please be mindful that we change the cookies periodically as we improve or add to our services. For more information, please see our Cookie Policy.
How do you implement Privacy by Design at Stripe? Privacy by design aims at building privacy and data protection up front, into the design specifications and architecture of information and communication systems and technologies, in order to facilitate compliance with privacy and data protection principles. We rely on our internal privacy team and a review process for any new product launch. We are dedicated at every level of product development to making privacy a key consideration – from engineering to product management. This helps ensure that people can trust the Stripe products that they enjoy every day.

On this page