Welcome to the Stripe Privacy Center!
Stripe respects the privacy of everyone that engages with our platform, and we are committed to being transparent about our privacy processes and policies. We are a platform that enables millions of businesses, and in order to provide our services to our users, we collect and process personal data.
The Stripe Privacy Center contains the answers to frequently asked questions about how we collect and use personal data, the rights that individuals have in relation to personal data held by Stripe, and how Stripe complies with international data protection laws.
- What is the GDPR?
- How can I exercise my data subject access rights under the GDPR?
- Does Stripe retain personal data?
- Does Stripe have a Data Protection Officer (DPO)?
- Who are Stripe’s sub-processors and how are they vetted?
- What is a Data Processing Agreement (DPA) and how can I get one with Stripe?
- How does Stripe transfer European personal data?
- We clarified that Stripe does not use, share, rent or sell payment transactional data or fraud detection signals for ad targeting. We also further clarified that we do not rent or sell this information to third parties for advertising purposes.
- We have broken down our explanation about the types of cookies we use. We make more clear what cookies are necessary for providing the Stripe services our users have chosen to integrate.
- Now, the cookie table also includes additional information about the purpose of certain cookies like those we use for fraud detection, and more information about where our cookies come from and their expiration.
We’ve also expanded our fraud documentation to further describe our Advanced Fraud Signals to help our Users understand in more detail how these cookies are integrated into the fraud detection tooling.
2. What is the GDPR?
The General Data Protection Regulation, or “GDPR”, is a European data law that is the most important change in data privacy regulation in decades. Stripe published the General Data Protection Guide to help our users understand the GDPR’s widespread consequences, the opportunity it affords to improve data processing activities, and how to become and remain GDPR-compliant.
3. How can I exercise my data subject access rights under the GDPR?
Under the General Data Protection Regulation (GDPR), residents of the EU may exercise certain rights regarding their personal data. If you would like to make a data subject access request, please contact firstname.lastname@example.org.
4. Does Stripe retain personal data?
5. Does Stripe have a Data Protection Officer (DPO)?
Yes, Stripe has appointed a DPO and they can be reached via email@example.com.
6. Who are Stripe’s sub-processors and how are they vetted?
Stripe identifies, evaluates, and engages sub-processors through our vendor management program. We enter into a contract with each sub-processor prior to sharing data with the sub-processor, and each contract contains terms that provide for monitoring and audit. In addition, all potential vendors are vetted and approved through Stripe’s security review process before we begin using their services.
We maintain a list of our current sub-processors.
7. What is a Data Processing Agreement (DPA) and how can I get one with Stripe?
A data processing agreement is a contract between a data controller and a data processor, which describes the roles and responsibilities of the parties when personal data is processed. Article 28 of the GDPR sets out a number of requirements that a data processing agreement must satisfy in order to be compliant with European data privacy law.
We have made a Data Processing Agreement (DPA) available to Stripe users. When you’re logged in to your Stripe account you can review and accept the Stripe DPA.
8. How does Stripe transfer European personal data?
At Stripe we care deeply about the protection of our users’ data and we’ve looked closely at how to ensure that we remain compliant with evolving European law regarding transfers of European personal data.
Stripe’s services in Europe are provided by a Stripe affiliate—Stripe Payments Europe Limited (“Stripe Payments Europe”)—an entity located in Ireland. In providing Stripe Services, Stripe Payments Europe transfers personal data to Stripe, Inc., in the U.S. To ensure the adequate protection of personal data, we have certified to the EU-U.S. and Swiss-U.S. Privacy Shield Framework. For more information, please read our Privacy Shield Policy. In addition to Privacy Shield, Stripe continues to employ additional compliance measures to ensure an adequate level of protection of personal data transferred outside the European Economic Area and the UK.
Our aim is to ensure that Stripe remains compliant with European data protection laws and also to assist our users in doing so. If you have additional questions, please contact us.