Welcome to the Stripe Privacy Center
Stripe respects the privacy of everyone that engages with our platform, and we are committed to being transparent about our privacy processes and policies. We are a platform that enables millions of businesses, and in order to provide our services to our Business Users and End Users, we collect and process personal data.
The Stripe Privacy Center contains the answers to frequently asked questions about how we collect and use personal data, the rights that individuals have in relation to personal data held by Stripe, and how Stripe complies with international data protection laws.
All materials have been prepared for general information purposes only. The information presented is not legal advice, is not to be acted on as such, may not be current and is subject to change without notice.
- General updates for improved readability: we have made changes to the structure and layout of the Policy to make it easier to navigate, including to help you understand how it applies to you.
- Additional information on products: we are sharing greater detail about how we use data to provide our product experiences and to improve the effectiveness of our services.
Below is a list of terms that will help “you” navigate the Privacy Center:
|Business User||Stripe provides services to entities (“Business Users”) who directly and indirectly provide us with “End Customer” Personal Data in connection with those Business Users’ own business and activities.||Stripe user or merchant|
|End Customer||When you do business with, or otherwise transact with, a Business User (typically a merchant using Stripe Checkout, e.g. when you buy a pair of shoes from a merchant that uses Stripe for payment processing) but are not directly doing business with Stripe, we refer to you as an “End Customer.”||Individual using Identity; Cardholder using Checkout|
|End User||When you directly use an End User Service (such as when you sign up for Link, or make a payment to Stripe Climate in your personal capacity), for your personal use, we refer to you as an “End User.”||User of Link; Personal contributor to Stripe Climate|
|Representative||When you are acting on behalf of an existing or potential Business User (e.g. you are a founder of a company, or administering an account for a merchant who is a Business User), we refer to you as a “Representative.”||Beneficial owner; Shareholder, officer, director|
|Visitor||When you visit a Site without being logged into a Stripe account or otherwise communicate with Stripe, we refer to you as a “Visitor.” (e.g. you send Stripe a message asking for more information because you are considering being a user of our products).||Stripe Sessions attendee; Stripe Site visitor|
How We Collect, Disclose, and Use Personal Data
Is Stripe acting as a data controller or a data processor?
The answer is both.
The “data controller” is the entity which determines the purposes and means of the data processing taking place. The “data processor” is an entity acting on behalf and under the instructions of a controller in processing personal data.
Stripe is a data controller when it determines the purposes and means of the processing taking place. These data processing activities include (1) providing the Stripe products and services, (2) monitoring, preventing and detecting fraudulent payment transactions and other fraudulent activity on the Stripe platform, (3) complying with legal or regulatory obligations applicable to the financial sector to which Stripe is subject, and (4) analyzing, developing and improving Stripe’s products and services. Please see this Privacy Center article for more information on Stripe’s controller activities.
Stripe is a data processor where it is facilitating payment transactions on behalf of and at the direction of a Business User. Our Business Users direct us to take payment from cardholders / End Customers.
Stripe is considered a processor when directed to process payments (i.e., Stripe receives instructions about whom to pay, how much to pay, when to pay).
As a platform provider, we need to ensure consistency across our platform, and that includes consistency with respect to the commitments that we give about how we operate our platform. We contract with all of our Business Users (including some of the world’s largest companies) on this basis.
Which Stripe entities are involved?
For most of our services, the data controller responsible for Personal Data collected and processed in relation to Stripe Services is either Stripe, Inc., the US parent company operating under US law, or Stripe Payments Europe, Limited (“SPEL”), an Irish company operating under Irish law.
The Stripe entity responsible for your data will depend on your location, the product or service you use with us and whether Stripe is acting as a controller and/or data processor.
If you are located outside of the Americas (e.g., European Economic Area (“EEA”), Switzerland or the United Kingdom, countries located in Asia Pacific (“APAC”)), SPEL is the primary entity responsible for the processing of your personal data. Some of the payment processing services offered by Stripe are services that may only be provided by an authorised payment services provider or electronic money institution. In this case, SPEL and the Stripe local regulated entity (defined as those who are licensed, authorized or registered by a Local Regulatory Authority) will act as joint controllers of your Personal Data.
Please see our table below for more information on who is your controller in these jurisdictions:
|Location of User||Purpose of processing||Name of Stripe entity||Location of Stripe entity|
|EEA & Switzerland||Provision of certain authorised payment services in the EEA and Switzerland||Stripe Technology Europe, Limited (the e-money licensed entity with the Central Bank of Ireland)||Ireland|
|EEA||All other activities.||SPEL||Ireland|
|United Kingdom & Switzerland||Provision of authorised payment services in the UK.||Stripe Payments UK, Ltd. (the e-money licensed entity with the UK FCA)||United Kingdom|
|United Kingdom||All other activities.||SPEL||Ireland|
|United Kingdom||Provision of the Stripe Capital product and related services to Stripe users in the UK.||Stripe Capital Europe, Limited||Ireland|
Stripe affiliates also provide local support services in certain countries where Stripe operates. These entities act as data processors on behalf of Stripe, Inc. or SPEL, depending on the jurisdiction. You will find the most up-to-date list of the Stripe affiliates on this page.
For certain products, Stripe may act as an independent controller (e.g. Stripe Capital), a data processor or both (e.g. Stripe Identity). Please see the Privacy Center article for each specific product for more information.
What are your data controller activities?
- Providing the Stripe products and services to Business Users and End Users, including determining the third parties (banks and payment method providers) to be utilized;
- Monitoring, preventing and detecting fraudulent payment transactions and other fraudulent activity on the Stripe platform;
- Complying with legal or regulatory obligations applicable to the financial sector to which Stripe is subject, including applicable anti-money laundering screening and compliance with know-your-customer obligations; and
- Analyzing, developing and improving Stripe’s products and services.
As a Stripe User and as a data controller, what does GDPR mean for me?
As a data controller, Business Users are responsible for the relationship with the data subject (i.e., your End Customer). You may instruct a third party (like Stripe) to process the data, but it is your job to set the purpose (or objectives) and legal basis for the processing.
The GDPR requires data controllers to use third parties who agree to abide by certain contractual terms. To be sure of this, the data controller must have Data Processing Agreements (“DPAs”) with each third party. Our DPA has been designed to serve this purpose for you; it is strongly aligned with payment transactions, so it should establish that you are compliant with GDPR from a payments perspective.
Who are Stripe’s sub-processors and how are they vetted?
Please see our service providers page where we have a list of our most common sub-processors, service providers and affiliates. Stripe identifies, evaluates, and engages sub-processors through our vendor management program. We enter into a contract with each sub-processor prior to sharing data with the sub-processor, and each contract contains terms that provide for monitoring and audit. In addition, all potential vendors are vetted and approved through Stripe’s security review process before we begin using their services.
From where does Stripe collect information used for fraud prevention and security purposes?
To prevent fraud and strengthen our security, we may collect information from Business Users, End Customers, End Users, financial parties, and in some cases third parties. For example, we collect and analyze information that helps us identify bad actors and bots, including both transactional data (such as amount, customer shipping address, date, and so on) and advanced fraud detection signals (device and activity signals).
Stripe also receives information from third parties to prevent and respond to security incidents, and for protecting against other fraudulent activity. For example, we may receive information from third parties about IP addresses that malicious actors have compromised.
I heard that Stripe is collecting additional information about my account from a third party and/or my other Stripe account. Why is Stripe collecting this information?
Does Stripe sell my personal information under the CCPA?
Stripe does not sell personal information. As such, we do not have actual knowledge that we sell personal information of minors under 16 years of age. For California residents, the California Consumer Privacy Act (“CCPA”) defines “selling” personal information to include providing it to a third party in exchange for money or valuable consideration. See Cal. Civ. Code § 1798.140(t)(1).
For Shine the Light law (Cal. Civ. Code § 1798.83) purposes, Stripe does not share personal data of California customers with third parties for their direct marketing purposes, as defined by this law.
The table below discloses the categories of personal information about California consumers that we collect and disclose for a business purpose.
|Categories of Personal Information Collected||Disclosed for a business purpose in the preceding 12 months||To Whom the Data may be Disclosed|
|Identifiers (for example, a device identifier)||Yes||We may disclose the data, pursuant to applicable law, to: service enablers (like service providers and financial partners servicing the financial product), the merchant that you do business with (a.k.a. our business user), an entity engaged in a business transfer/merger, law enforcement, courts, governments and regulatory agencies.|
|Characteristics of protected classifications under California or federal law (for example, gender and age noted in ID documents that you submit so that Stripe can verify your identity on behalf of your merchant - a.k.a. our business user)||Yes||We may disclose the data, pursuant to applicable law, to: service enablers (like service providers and financial partners servicing the financial product), the merchant that you do business with (a.k.a. our business user), an entity engaged in a business transfer/merger, law enforcement, courts, governments and regulatory agencies.|
|Commercial information (for example, the merchant that you choose to do business with - a.k.a. our business user - may receive your transaction data)||Yes||We may disclose the data, pursuant to applicable law, to: service enablers (like service providers and financial partners servicing the financial product), the merchant that you do business with (a.k.a. our business user), an entity engaged in a business transfer/merger, law enforcement, courts, governments and regulatory agencies.|
|Biometric information (for example, biometric identifiers from photo IDs used to confirm your identity)||Yes||We may disclose the data, pursuant to applicable law, to: a service provider - i.e., Amazon Web Services ("AWS"), an entity engaged in a business transfer/merger, law enforcement, courts, governments and regulatory agencies.|
|Online activity information (for example, information about devices and browsers across certain business user sites that use Stripe and IP addresses associated with those devices and browsers, and usage data)||Yes|
|Geolocation Data (for example, IP addresses)||Yes|
|Audiovisual (for example, visual, audio, or similar information, like photos you submit so that Stripe can verify your identity on behalf of your merchant – a.k.a. our business user)||Yes||We may disclose the data, pursuant to applicable law, to: service providers, the merchant that you do business with (a.k.a. our business user), an entity engaged in a business transfer/merger, law enforcement, courts, governments and regulatory agencies.|
|Professional or Employment-Related Information||Yes||We may disclose the data, pursuant to applicable law, to: Service Providers, an entity engaged in a business transfer/merger, law enforcement, courts, governments and regulatory agencies.|
|Categories of personal information described in Cal. Civ. Code 1798.80(e) (such as name, address, telephone number, credit card or debit card number)||Yes|
In addition to its sub-processors, what other third parties does Stripe share information with?
When we work with service providers in our capacity as a data processor for our Business Users’ and End Users’ personal data, the GDPR calls these third-party service providers a sub-processor. Sub-processors are service providers who have or potentially will have access to or process personal data on behalf of Stripe. These third parties are disclosed on our Stripe Service Providers List.
In addition to Stripe’s sub-processors, we may also share Business Users’ onboarding data and payment instrument information with third party business partners when this is necessary to provide our services to our Business Users. We do so, for example, for the purposes of offering payment processing services to our Business Users or facilitating payment settlements.
Third parties to whom we may disclose personal data for this purpose are banks, payment method providers and payment processors, including, but not limited to, the following entities:
- American Express Payment Services Limited and American Express Payments Europe S.L.
- Banking Circle S.A.
- Barclays Bank PLC
- Credit Mutuel Arkea and Arkea Banking Services
- Currence iDEAL B.V.
- Klarna AB
- Mastercard Europe S.A.
- Polski Standard Płatności
- PPRO Financial Ltd.
- Swisscard AECS GmbH
- Visa Europe Limited
The data shared with payment method providers will depend on the payment method(s) enabled on the Business User’s account.
In addition, Stripe shares personal data as we believe necessary to, among other things, protect Stripe’s services, rights, privacy, safety and property of Stripe, our users or others. For example, to protect our services, Stripe may receive or disclose information about IP addresses that malicious actors have compromised.
Stripe will pass on personal data to affiliates and service providers or sub-processors, if deemed strictly necessary to carry out contractual obligations or for the data to be processed. Depending on the enabled payment method(s), data may be transferred to the jurisdiction(s) of the respective payment method(s). Before we engage any third party, we perform due diligence, including a vendor security assessment. All of our service providers are subject to contract terms designed to ensure that these service providers process personal data only for the purposes of providing services to Stripe and in accordance with our commitments to Users and applicable data protection laws. Moreover, Stripe maintains and enforces a security program that addresses the management of security and the security controls employed by Stripe, which includes third party risk management. In addition, Stripe employees, agents, and contractors acknowledge their data security and privacy responsibilities under Stripe’s policies.
What data about End-Customers and their transactions is used by Radar and what data does Stripe share with its Radar Business Users?
When processing payments, it’s valuable to Stripe, Business Users and End-Customers to enable legitimate transactions while also trying to prevent fraudulent transactions, making online purchases safer for everyone involved. Radar helps detect potentially fraudulent transactions for Stripe’s Business Users (i.e., merchants) through machine learning and other techniques. To do this, Radar leverages data collected across our Services.
Business Users can use Radar to leverage a transaction “score” or transaction “level” calculated by Stripe and implement rules determined by the Business User that will allow, block, or flag transactions for additional review based on an assessment of the likelihood that the transaction is legitimate. Business Users can use Radar as one of multiple inputs in making decisions with respect to the potential for fraud in a transaction.
Radar uses data collected about the End Customer from various sources, including payments transaction data, advanced fraud detection data, IP address and physical address information. Radar uses this data to establish the likelihood that the payment method offered by the End Customer for a transaction is truly authorized for that transaction.
Stripe may share with the Business User certain information relevant to fraud detection, including:
- a transaction score or level that assesses the likelihood of the transaction becoming a fraudulent charge-back,
- risk insights for that transaction,
- related payments made by the End-Customer to the Business User,
- other transaction data related to that End-Customer’s transaction with that Business User (e.g., cardholder name, card information, and the payment amount and date),
- device and browser information for the device used to make the transaction with that Business User, and
- aggregated benchmarks.
As a Business User, what notice do I provide to my End Customers about Stripe?
Under the terms of our agreements, Business Users are required to provide all necessary notices and obtain all necessary rights and consents from their End Customers to enable Stripe to lawfully collect, use, retain and disclose the Personal Data as part of the Stripe Services. Business Users, as data controllers, are responsible for the contents of their privacy notice and cookie banner. As an example, here is a paragraph that you can consider adding to your privacy notice (if you don’t already have such a disclosure):
Please be aware that the disclosure above is for illustrative purposes only and is not legal advice. Please talk to your legal advisor to understand how to comply with your obligations under applicable law.
Stripe Legal Bases Tables
What legal basis does Stripe rely on to process personal data as a data controller?
We rely upon a number of legal grounds to enable our use of your Personal Data. In short, we use Personal Data to facilitate the business relationships we have with our Business Users and End Users, to comply with our financial regulatory and other legal obligations, and to pursue our legitimate business interests. We also use Personal Data to complete transactions and to provide payment-related services to our Business Users.
Our table below provides a detailed overview of why and how we use your Personal Data.
For the purposes of the General Data Protection Regulation, we rely upon a number of legal bases to enable our processing of your Personal Data.
When you directly use an End User Service (such as when you sign up for Link, or make a payment to Stripe Climate in your personal capacity), for your personal use, we refer to you as an “End User.”
|Processing purpose||Categories of Personal Data||Legal bases|
|Provide our Services. To provide services to you, including delivery, support, personalization and messages related to the service.||Your name, contact information, payment information including Bank Account Information and Bank Payments, and/or payment card number, CVC code and expiration date.||Our contractual necessity to perform our contractual relationship with you, under applicable data protection laws.|
|For the provision of our services including Link, Atlas and Identity. When we process data based on your consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on such consent before the consent is withdrawn.||If you choose to use Link you agree to let Stripe store your payment method and related information so that you can more readily make purchases with Business Users who use Stripe to provide payment processing services (e.g. Stripe Checkout).||Based on consent in processing this personal information.|
|Card Products and Financial Products including Issuing and Treasury Direct Services. We use your Personal Data to offer you card products and financial products and services under the Stripe brand and/or under the brand of a Business User.||Your name, email address, phone number, postal address, transaction information, password, PIN or similar credentials, card PANs, age, DOB, credit card number, drivers license number, tax ID, cookie data, tags and beacons, IP address.||Our legitimate interests in promoting our products and in determining eligibility for and offering new Stripe products and services.|
|Offer our Services and Alert you of Changes to our Services. For example, through Stripe Capital we offer capital loans to certain users who can satisfy particular criteria and to help determine if you qualify for a loan or not. Such information will be processed prior to the offer of a loan in order to determine eligibility.||The name of the representative of business, physical address of business, and the borrower's Stripe ID. The rest of the data processed concerns business information and not personal data.||Our legitimate interests in promoting our products and in determining eligibility for and offering new Stripe products and services.|
|Fraud Detection Services. We use your Personal Data collected across our Services (e.g. Stripe Radar) to detect and prevent fraud against us, our Business Users and financial partners, including to detect unauthorized log-ins using your online activity.||Transaction information. This includes: name, email address, billing and/or shipping address, payment method information (such as credit or debit card number, bank account information or payment card image), merchant and location, purchase amount, date of purchase, and in some cases, some information about what you have purchased, phone number and tax-related ID.||Our legitimate interests in monitoring and detecting fraud to ensure we detect activity that can have a harmful effect on our End Users.|
|Marketing and Advertising. We may use your Personal Data to assess your eligibility for and offer you other Services. We use End User Personal Data for interest-based advertising and marketing purposes. We do not share End Customer Personal Data with third parties for their marketing purposes unless you give us or the third party permission to do so.||Contact information including: name, email address, work phone number, and job title.||Based on consent in processing this personal information.|
|Compliance and Harm Prevention. We share Personal Data as we believe necessary: (i) to comply with applicable law, (ii) for compliance with rules imposed by payment method in connection with use of that payment method (e.g. network rules for Visa); (iii) to enforce our contractual rights; (iv) to secure or protect the Services, rights, privacy, safety and property of Stripe, you or others, including against other malicious or fraudulent activity and security incidents; and (v) to respond to valid legal process requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.||Any Personal Data we process.||Our legal obligation where these disclosures are necessary to comply with our legal obligations, for the protection of a person's vital interests, for reasons of public interest, for reasons of substantial public interest, or for the purposes of Stripe’s or a third party’s legitimate interest in keeping Stripe secure, preventing a breach of the law, harm or crime, enforcing or defending legal rights, claims, or obligations, facilitating the collection of taxes and prevention of tax fraud or preventing loss or damage.|
When you do business with, or otherwise transact with, a Business User (typically a merchant using Stripe Checkout, e.g. when you buy a pair of shoes from a merchant that uses Stripe for payment processing) but are not directly doing business with Stripe, we refer to you as an “End Customer.”
|Processing purpose||Categories of Personal Data||Legal bases|
|Provide our Services to Business Users, including to process online payment transactions or in-person checkout, to calculate applicable sales tax, to invoice and bill, and to calculate their revenue.||Transaction Information (including from Checkout, Payment Processing and Treasury/Issuing Use). Your name, email, billing and/or shipping address, payment method information (such as credit or debit card number, bank account information or payment card image), merchant and location, purchase amount, date of purchase, and in some cases, some information about what you have purchased, phone number and tax-related ID. The payment method information that we collect will depend upon the payment method that you choose to use from the list of available payment methods offered by the Business User as part of the “checkout” process for your purchase. We may also receive your transaction history with the Business User.||Our legitimate interests in providing the Stripe products and services. Stripe processes this personal data given its legitimate interest in improving the Services and where it is necessary for the adequate performance of the contract with the Business Users.|
|Provide our Services to Business Users, to order payment methods on a per-customer basis on behalf of the Business User, to implement fraud thresholds chosen by the Business User, and to verify your payment method.||Verification Information. Your age (when purchasing age restricted goods) or information about you being the person who is authorized to use a payment method.||Our legal obligations in respect of our financial and regulatory obligations.|
|Reduce fraud and enhance security. We will use Personal Data about your identity, including information that you provide, to perform verification Services for Stripe or for the Business Users that you are doing business with and to reduce fraud and enhance security.||In some cases you may provide a “selfie” along with an image of your identity document, and we will use technology to compare and calculate whether they match and can be “verified.” We will use information from our service providers and our Services to help verify your identity and for fraud prevention.||Based on consent in processing this personal information.|
|Radar and Card Verification Services. We use Personal Data of End Customers to detect and prevent fraud for Business Users, including to detect fraudulent payment cards using payment card images and unauthorized log-ins using online activity. In providing such services, we may provide Business Users that have requested such services with limited Personal Data about End Customers so that the Business Users can assess the fraud risk associated with an attempted transaction by its End Customer. We may also use payment card images to improve our Business Services.||Transaction information. This includes: name, email address, billing and/or shipping address, payment method information (such as credit or debit card number, bank account information or payment card image), merchant and location, purchase amount, date of purchase, and in some cases, some information about what you have purchased, phone number and tax-related ID.||Our legitimate interests in detecting, monitoring and preventing fraud and unauthorized payment transactions.|
|Compliance and Harm Prevention. We share Personal Data as we believe necessary: (i) to comply with applicable law, (ii) to comply with rules imposed by payment method in connection with use of that payment method; (iii) to enforce our contractual rights; (iv) to secure or protect the Services, rights, privacy, safety and property of Stripe, you or others, including against other malicious or fraudulent activity and security incidents; and (v) to respond to valid legal process requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.||Any Personal Data we process.||Our legal obligations where disclosures are necessary to comply with our legal obligations.|
When you are acting on behalf of an existing or potential Business User (e.g. you are a founder of a company, or administering an account for a merchant who is a Business User), we refer to you as a “Representative.”
|Processing purpose||Categories of Personal Data||Legal bases|
|Reduce fraud and enhance security. We will use Personal Data about your identity, including information that you provide, to perform verification Services for Stripe.||Onboarding and verification information that you choose to share for these purposes, which may include your government ID, photo, live image, and Personal Data apparent from the physical payment method (e.g. credit card image).||Our legal obligations in respect of our financial and regulatory obligations. We process Personal Data to verify the identity of the Representatives of our Business Users in order to comply with fraud monitoring, prevention and detection obligations, laws associated with the identification and reporting of illegal and illicit activity, such as AML (Anti-Money Laundering) and KYC (Know-Your-Customer) obligations, and financial reporting obligations.|
|Advertising. We may use and share Representative Personal Data with others so that we may advertise and market our products and services to you, including through interest-based advertising subject to any consent requirements under applicable law.||Contact information including: name, email address, work phone number, and job title.||Based on consent in processing this personal information.|
|Communications. We may send you email marketing communications about Stripe products and services, invite you to participate in our events or surveys, or otherwise communicate with you for marketing purposes, provided that we do so in accordance with applicable law, including any consent or opt-out requirements.||Contact information such as your name, email address, phone number.||Based on consent in processing this personal information.|
|Tax and Atlas (Incorporation) Services. We may use your Personal Data to file taxes on behalf of your associated Business User. If your Business User uses Atlas, we may use your Personal Data to submit forms to the IRS on your behalf and to file documents with other governmental authorities.||Your contact details, such as name, postal address, telephone number, and email address; and financial and personal information about you, such as your ownership interest in the Business User, your date of birth and government identifiers associated with you and your organization (such as your social security number, tax number, or Employer Identification Number). You may also choose to provide bank account information.||Our compliance with legal obligations in respect of our financial and regulatory obligations. We process Personal Data to verify the identity of the Representatives of our Business Users in order to comply with fraud monitoring, prevention and detection obligations, laws associated with the identification and reporting of illegal and illicit activity, such as AML (Anti-Money Laundering) and KYC (Know-Your-Customer) obligations, and financial reporting obligations.|
When you visit a Site without being logged into a Stripe account or otherwise communicate with Stripe, we refer to you as a “Visitor” (e.g., you send Stripe a message asking for more information because you are considering being a user of our products).
|Processing purpose||Categories of Personal Data||Legal bases|
|Communications. We use any contact information that you provide to us to respond to any inquiries or requests for information you made; and if you have asked about us or our Services, to send you marketing emails by either asking for your consent or providing you an opt out in any messages we send.||Contact information such as your name, email address, phone number.||Based on consent in processing this personal information.
|Advertising. When you visit our Sites, we (and our service providers) may use Personal Data collected from you and your device to target advertisements for Stripe Services to you on our Sites and other sites you visit (“interest-based advertising”).||Information collected from cookies such as your device, browser ID, and pages on our website which you have visited.||Based on consent in processing this personal information.
|Fraud Detection. We use your Personal Data collected across our Services to detect and prevent fraud against Stripe, our Business Users and financial partners.||Advanced Fraud Signals information collected via cookies. This includes web browsing information, usage data, referring URLs, location, cookies data, device data and identifiers.||Our legitimate interests in detecting, monitoring and preventing fraud and unauthorized payment transactions.|
Data Processing Agreement
What is a Data Processing Agreement (DPA) and how can I get one with Stripe?
A Data Processing Agreement (“DPA”) is a contract between a data controller and a data processor that describes the roles and responsibilities of the parties when personal data is processed. Article 28 of the GDPR sets out a number of requirements that a DPA must satisfy in order to be compliant with European data privacy law. We have made a DPA available to Business Users. Please contact us or your account manager for more detail.
Information about Stripe Products
How do you implement Privacy by Design at Stripe?
Privacy by design aims at building privacy and data protection up front and into the design specifications and architecture of information and communication systems and technologies to facilitate compliance with privacy and data protection principles. We rely on our internal privacy team and a review process for any new product launch. We are dedicated at every level of product development, from engineering to product management, to making privacy a key consideration. This helps ensure that people can trust the Stripe products that they enjoy every day.
If you have been asked to verify your identity or have verified your identity using Stripe Identity, please visit the support web pages here and here to learn more about our privacy practices for Stripe Identity. Alternatively, you can jump to the specific topics linked here:
- Understanding Stripe Identity
- Biometric verification
- Consent to use my identity information
- Security of my identity data
- What data is collected
- Identity data retention
- Stripe’s role in controlling and processing identity data
- How I delete my identity data
Business User That Requested Verification
If you are a Business User that is using or intends to use Stripe Identity, please visit the support web page here for additional guidance on what you can tell your users and here for additional guidance on privacy considerations for your business.
Stripe’s Card Image Verification
If you have been asked by your merchant (i.e., a Stripe Business User) to scan your credit card before completing your requested transaction, please visit the support webpage here to learn more about Stripe’s Card Image Verification.
Stripe Connect At a Glance
Stripe Connect is a payment software your third party platform provider (Platform) may use to enable you to receive Stripe services (including payment processing) and/or receive payouts.
Data Controller/ Data Processor
Stripe acts as both a data controller and data processor for the Platform. The Stripe entity that acts as data controller/ data processor for data processed in Europe is Stripe Payments Europe Limited (“SPEL”).
The personal data transmitted to Stripe usually involves first name, last name, address, identification number, e-mail address, IP address, telephone number, and other data necessary for payment processing.
The transmission of the data is aimed at payment processing, ledger management, and fraud prevention. The Business User / Platform will transfer personal data to Stripe. The personal data exchanged between Stripe and the Business User / Platform may be transmitted to verification agencies, and Business User data may be shared with Platforms. This transmission is intended for the Platform to manage its ledger and for Stripe to conduct identity and risk checks.
Stripe will pass on personal data to affiliates and service providers or sub-processors, if deemed necessary to carry out contractual obligations or for the data to be processed.
I am a user with a Custom connected account. Does Stripe also collect information about my Custom connected account from a third party?
What responsibilities do Connect platforms with custom accounts have to allow their users to update or correct information associated with their accounts?
You, the Platform, are responsible for all interactions with your Custom accounts and for collecting all of the information needed to verify the Custom account-holders. Since Custom account holders cannot log into Stripe, it is up to you to build the user dashboard and communication channels. You are responsible for actioning any request by a user to update or correct their Stripe Custom account information.
I am a user with a Custom connected account. Will data collected from a third party be visible to my customers?
Card networks and issuers use statement descriptors to identify payments on a cardholder’s bank statement. Statement descriptors usually include information about the payment, such as the name and phone number of the seller. However, the exact information displayed is ultimately up to a cardholder’s bank. If Stripe updates your account’s business address, phone number, or email address, these fields may be displayed on the statement descriptor within the cardholder’s bank statement. However, the exact information displayed is ultimately up to the card network or the cardholder’s bank. If any information is incorrect, please reach out to the platform through which you receive charges to ensure you have provided them with the most accurate information about you and your business.
What are Stripe ACS, Transaction Authentication, and Behavioral Biometrics?
What is Stripe ACS?
Stripe ACS is Stripe’s transaction authentication solution for card issuers (e.g., banks). Stripe ACS helps card issuers to authenticate transactions of cardholders when they are making payments online using their cards.
What is behavioral biometrics?
Behavioral biometrics is an innovative technology that can be used for the purpose of preventing fraud and identifying legitimate transactions. Behavioral biometrics leverages a combination of personal data and device characteristics to distinguish between legitimate customers and fraudsters or bots.
How is behavioral biometrics data collected and used in Stripe ACS?
This processing is designed to verify a cardholder’s identity based on their behavioral biometric data which is modeled based on data collected during each authentication attempt.
This type of transaction authentication will typically observe interactions within a system or device to verify a cardholder’s identity for the purposes of authenticating online payments. The following elements may be processed during the authentication process:
- Length of text field inputs
- Location of mouse pointer
- Modifier key details (e.g., CTRL, SHIFT)
- Timing and location of mouse clicks
- Timing and location of touch events
- Timing between keystrokes
- Window scroll position
Purpose of processing and Stripe’s role
Stripe may process biometric data relating to cardholders in order to assist card issuers to authenticate payment transactions. This is done as part of Stripe’s payment transaction authentication services provided to card issuers (including for the purposes of meeting Strong Customer Authentication requirements).
As part of providing these authentication services to card issuers, Stripe engages with a third party provider, Mastercard, which also acts as a data controller. See Mastercard’s Privacy Notice for details on Mastercard’s processing activities in this context.
Customers’ rights and choices
Upon initiating a transaction, cardholders will have the option of providing their consent to processing their behavioral biometrics data as part of the transaction authentication flow. This will be presented to the cardholder during the checkout flow on the merchant’s website or app when authentication is requested from the card issuer. Cardholders will have the option to withdraw their consent during each subsequent transaction flow.
To withdraw consent outside of a transaction flow, you can email email@example.com with the subject matter line “Stripe ACS - withdraw consent”. In your email to withdraw consent, please provide: (a) the first 6 digits of your card number as this enables Stripe to identify your issuing bank (please do not provide any digits other than the first 6 digits); and (b) the phone number (including the country code) registered with your bank account that is used for one-time passcodes.
We will action this withdrawal request as soon as possible after it is verified, but please note that this can take up to 10 working days as we may need to verify the request with your card issuer. You may also contact the card issuer in order for the issuer to implement this withdrawal of consent by engaging with Stripe.
Promotional Emails Feature
For End Customers and prospective End Customers of our Business Users
What is the Promotional Emails feature?
Promotional Emails is a feature that gives Business Users who use “Stripe Checkout” services a new tool to enable sending email promotional content to their customers and prospective customers. When you visit a Business User’s checkout page (that is powered by Stripe Checkout services), the Promotional Email feature will enable Stripe to collect information about your preferences to receive promotional emails from that merchant.
Promotional email preferences are collected whether or not you complete the purchase or are just a prospective End Customer. “Prospective End Customer” means you visited a Business User’s site and expressed an intent to make a purchase by starting a purchase on the Business User’s checkout page, but did not complete that purchase during that session. To be a “prospective End Customer” for the promotional email feature, you also need to have started to input your contact information into the checkout form, and not have deleted that information prior to the end of the session.
If you, as a prospective End Customer, indicate permission to receive news and personalized offers by virtue of the opt-in/opt-out checkbox on your Business User’s checkout form, the following personal data is provided to your Business User so that your Business User can contact you to remind you of the items you left in the checkout or to provide you news and personalized offers:
- Email (if provided by you).
- Items in your cart with that merchant (if any).
What is Stripe’s role (Data Processor/Controller) in the processing of my Personal Data?
For the Promotional Emails feature, Stripe acts as a data processor or service provider, meaning that Stripe is acting at the direction of the Business User that has implemented this Stripe provided feature. The Stripe entity that acts as a data processor for personal data is:
- Stripe Inc. in the United States.
- Stripe Payments Europe Limited outside of the United States, including Europe.
What Personal Data Is Stripe Collecting?
What Personal Data is Shared by Stripe with the Business Users I use?
With the Promotional Emails feature:
- If you are a prospective End Customer (you start a purchase with your Business User on their checkout form but do not complete that purchase), the personal data that we share with your Business User depends on the following:
  - If you have not inputted any personal data into your Business User’s checkout form, then we will not share any personal data with that Business User.
  - If you have inputted personal data into your Business User’s checkout form:
    - If the checkbox for receiving news and personalized offers is not enabled when you leave your Business User’s checkout session, we will not share any of that personal data.
    - If the checkbox for receiving news and personalized offers is enabled when you leave your Business User’s checkout session, we will share the following information with that Business User:
      - Email (if provided by you).
      - Items in your cart with that merchant (if any).
Does Stripe share my personal data with other Business Users?
How do I stop promotional emails from a merchant?
Any offers or promotional emails that you receive as a result of a Business User’s use of the Promotional Emails feature are sent by Business Users (or others identified in the message), and not by Stripe. If you do not find value in receiving these emails, please contact the Business User you are receiving the messages from. Stripe requires that Business Users that choose to implement the Promotional Email feature also provide the option to unsubscribe or opt-out of receiving further promotional messages. It would be a breach of Stripe’s terms of service for a Business User to not promptly comply with opt-out requests.
How Does the Data Collection and Transfer Work?
How do I stop the sale of my personal data in connection with this feature?
Stripe requires that Business Users that choose to implement the Promotional Email feature also provide the option to unsubscribe or opt-out of receiving further promotional messages. It would be a breach of Stripe’s terms of service for a Business User to not promptly comply with opt-out requests.
For Business Users
How to Use this Service as a Business User
If you are a business that is using or intends to use Stripe’s Promotional Emails feature, please visit the support webpage for tips and guidance on information to share with your End Customers and prospective End Customers regarding privacy considerations in connection with the Promotional Emails feature for your business.
Stripe Delegated Authentication
You may be given the option to enable on-device biometric verification and provide your consent for Stripe to store your payment method details for future transactions that use the same card. Please visit our support site to learn more about our privacy practices for Stripe Delegated Authentication. Alternatively, you can jump to a specific topic here:
- Why does the cardholder see Stripe when asked to authenticate a payment?
- What is Stripe Delegated Authentication?
- How is personal data used in Stripe Delegated Authentication?
- How can cardholders provide and withdraw their consent for the storage of their payment method details?
We offer you the opportunity to store your payment methods with us so that you can conveniently use them across certain merchants who are our Business Users – we call this “Link” (formerly known as “Remember Me”). When you choose to use Link, you agree to let us store your payment method (e.g., name, card number, CVC, and expiration date) so that you can more readily make purchases through Link with Business Users of our payment processing Business Services. We will also collect other Transaction Data, including billing address, shipping address, email and phone number. Your payment method data is secured using PCI-DSS standards.
Should you not have used Link and receive an SMS in error due to an inaccurate number being inserted at the authentication flow stage, you can opt out here and your personal data will be deleted.
Stripe Capital provides Business Users with fast, flexible financing so businesses can manage cash flows and invest in growth. Depending on your business’s corporate structure, eligible Business Users may apply for one of two Stripe Capital products: a loan or a merchant cash advance (“MCA”).
What information does Stripe process for Stripe Capital?
We use existing data linked to your Stripe Account to evaluate your business’s eligibility for Stripe Capital. The following information may be considered prior to the offer of a loan or an MCA in order to determine eligibility:
- Payment processing volume
- Payment processing growth
- Chargeback rate
- Customer base
- Duration of relationship with Stripe
Where Stripe is satisfied that a Business User meets particular criteria, we will send the Business User an email and dashboard notification notifying them of their business’s eligibility for potential financing and invite them to apply for a loan or an MCA.
Once you have received a financing offer and submitted an application to receive your financing, we will use the information listed above to verify your business’s eligibility and, where your application is approved, to disburse the loan or the MCA to you.
The legal basis for using your information
We will use your data where its use is in accordance with our legitimate business interests. Automated analysis of our Business Users’ information helps us to manage our business for our legitimate interests. It allows us to:
- Verify the identity of our Business Users in order to comply with fraud monitoring, prevention and detection obligations, applicable laws associated with the identification and reporting of illegal and illicit activity, such as AML (Anti-Money Laundering) and KYC (Know-Your-Customer) obligations, and financial reporting obligations.
- Assess the level of financial risk to us and to Business Users involved in offering Business Users a loan or MCA.
- Enhance our learning models to allow us to better tailor our loans or MCAs to, and decrease the risk to, you and other Business Users.
We will also process your data where it is necessary for a loan agreement that you have entered into or because you have submitted an application to receive funding so that you can enter into a loan agreement with us.
We may send you email marketing communications about Stripe Capital offers, provided we do so in accordance with applicable law, including any consent requirements.
Who does Stripe share information with?
Stripe does not share any Personal Data collected for Stripe Capital related to Business Users in the UK. In the future, Stripe may share your loan agreement data with third parties who purchase the right to receive repayments on your loan or MCA.
What is Stripe’s role?
Stripe, Inc., or a wholly-owned subsidiary of Stripe, is the controller of your data.
For Business Users located in the UK, the joint controllers of your data are Stripe Payments Europe, Limited. (“SPEL”) and Stripe Capital Europe Limited, Ltd. (“SCEL”). The loan or MCA provided under the loan agreement is solely provided by SCEL.
How do I exercise my rights?
Depending on your location and subject to applicable law, you may have the right to object to Stripe using automated decision making processing. If you wish to exercise any rights under applicable privacy laws for data related to Stripe Capital, please contact us.
Linked Financial Accounts
If you are an End Customer who has been asked to link your financial account using Stripe, please visit the support webpage here to learn more about our privacy practices. Or you can jump to the specific topics linked here:
- Linking my financial account and consent
- Data collected, stored, and shared from my linked account
- How Stripe accesses data from my linked account
- Relationship between Stripe and its service providers
- Data security
- Who can access data from my linked account and for what purposes
- Who will obtain my login credentials
- Requesting disconnection or data deletion
- Correcting my financial account information
Are there instances when Stripe receives non-Stripe transaction history?
Yes. For example, Stripe enables the Business User to import non-Stripe data through the Stripe Dashboard to consolidate their revenue data in one place. Learn more. Separately, Stripe may also obtain your account transactions from your financial account with your consent. Learn more.
Refunds to End Customer Bank Account
If you have been asked to provide your bank account and other information to process a refund on behalf of your merchant (i.e., our Business User), please visit the webpage here to learn more about our privacy practices for end customer bank account refunds.
Business User that uses Stripe to Process Refunds
If you are a Business User that is using or intends to use Stripe to process refunds, please visit the webpage here for additional guidance on privacy considerations for your business.
What is Stripe Frontier?
Frontier is an advance market commitment (AMC) that aims to accelerate the development of carbon removal technologies by guaranteeing future demand for them. It facilitates purchases from high-potential carbon removal companies on behalf of buyers. Learn more at https://frontierclimate.com/.
What information does Stripe Frontier collect?
What is the legal basis for processing Stripe Frontier information?
We rely on consent to process your data. Where you proactively reach out to Stripe and provide your data, Stripe will process your data based on Stripe’s legitimate business interests (e.g. help answer your queries, and provide customer support). With your permission or where allowed by law, we use your personal data to market our services to you, invite you to participate in our events or surveys, or otherwise communicate with you for our marketing purposes, provided that we do so in accordance with applicable law, including any consent or opt-out requirements.
Is my data relating to Stripe Frontier transferred?
What are my rights and choices with respect to the information collected for Stripe Frontier?
You may have choices regarding our collection, use and disclosure of your Personal Data. If you no longer want to receive marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails or as described here. We will try to comply with your request(s) as soon as reasonably practicable. Depending on your location and subject to applicable law, you may have the following rights described here with regard to the Personal Data we control about you.
How do I exercise my rights as to Stripe Frontier?
EEA and UK. To exercise your rights, you may contact our DPO. If you are a resident of the EEA or we have identified Stripe Payments Europe Limited as your data controller, and believe we process your information within the scope of the General Data Protection Regulation (GDPR), you may direct your questions or complaints to the Irish Data Protection Commission. If you are a resident of the UK, you may direct your questions or concerns to the UK Information Commissioner’s Office.
Any questions about Stripe Frontier and the processing of your data?
If you have any questions or complaints, please contact us.
Data Protection Officer
Does Stripe have a Data Protection Officer (DPO)?
Yes, Stripe has appointed a Data Protection Officer (“DPO”), who can be reached via email.
International Data Transfers
The detail below is provided for informational purposes. It is not intended to provide legal advice. Stripe urges Business Users to consult with counsel to familiarize themselves with the requirements that govern their specific situations.
How is Stripe dealing with international data transfers?
On 4 June 2021, the European Commission adopted a new set of Standard Contractual Clauses (“SCCs”) for cross-border data transfers. SCCs are a transfer mechanism (in the form of a legal contract) used by Stripe to provide a legal mechanism to transfer EU personal data outside of the EEA/UK. These are required under EU data protection law (known as the GDPR) and are incorporated into our agreements.
These modernised SCCs cover data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR) and replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46.
Stripe continues to have appropriate safeguards and compliance measures to ensure an adequate level of protection of personal data transferred outside the UK, EEA and Switzerland. Stripe’s measures include the updated EU Commission’s SCCs to accommodate international data transfers.
Stripe respects the privacy of everyone that engages with our products and services, and we are committed to being transparent about our privacy processes and policies.
We also want to highlight some of our supplementary measures to protect our Business Users’ data from unauthorized access.
Stripe employs security controls and maintains and enforces a security program that addresses the management of security. We also perform risk assessments and implement and maintain controls for risk identification, analysis, monitoring, reporting, and corrective action. Stripe maintains and enforces an asset management program that appropriately classifies and controls hardware and software assets throughout their life cycle. In addition, Stripe employees, agents, and contractors acknowledge their data security and privacy responsibilities under Stripe’s policies.
Stripe applies technical and organizational measures that include the following:
- Physical access control to prevent unauthorized persons from gaining access to the data processing systems available at premises and facilities (including databases, application servers, and related hardware), where Personal Data are processed.
- Virtual access control to prevent data processing systems from being used by unauthorized persons.
- Data access control to ensure that persons entitled to use a data processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization.
- Disclosure control to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Data are disclosed.
- Entry control to audit whether data have been entered, changed or removed (deleted), and by whom, from data processing systems.
- Availability control to ensure that Personal Data are protected against accidental destruction or loss (physical/logical).
- Separation control to ensure that Personal Data collected for different purposes can be processed separately.
By default, Stripe encrypts data at rest and data in transit. We further protect your data with tools like audit logs, access management policies and certifications as described on our Payments page in the section “Security and compliance at the core”. Security controls implemented at Stripe include TLS 1.2 configuration of endpoints for data in transit, TLS and/or SSL encryption for HTTPS and regular testing of infrastructure components. Two-step authentication is available for an extra layer of security at Dashboard login.
We no longer rely on the Privacy Shield as a transfer mechanism for data transfers given EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield are no longer valid as a result of the Schrems II decision issued by the European Court of Justice on July 16, 2020. We do continue to commit to the principles of the Privacy Shield Framework as it can still provide privacy protections to Business Users.
We get requests for access to data from law enforcement, and we review each request with the goal of responding with the minimum amount of required information in response to legitimate, legally mandated requests. We are committed to ensuring that our Business Users’ data can continue to flow freely between the EU and the U.S., and we will continue to partner with regulators, industry groups and similarly situated companies to make sure our Business Users’ needs are met.
If you have any questions, please contact us.
How do the European Commission’s new Standard Contractual Clauses impact my organization?
Standard Contractual Clauses (“SCCs”) are legal contracts entered into between parties that are transferring EEA personal data outside of the EEA. At present Stripe relies on the existing SCCs for transfers of EEA data in our services. We have updated our agreements to implement the modernised SCCs (where applicable).
How to get a copy of the SCCs?
We can provide more information about the appropriate or suitable safeguards that we have in place, such as a copy of the SCCs on request.
If you are a Business User, we offer the modernised SCCs published in 2021 (“2021 SCCs”) for cross-border transfers outside of the EEA and Switzerland. The older versions of the SCCs will continue to apply to transfers of personal data from the UK. We will continue to monitor regulatory requirements and guidance from the UK Information Commissioner’s Office. If you have signed an older version of the SCCs, these will remain valid until 27 December, 2022. If you would like to sign the 2021 SCCs, you can reach out to us at any time.
Please contact us or your account manager for more information.
Your Rights and Choices
How do I exercise my data protection rights?
Depending on your location and subject to applicable law, you may have the following rights:
- Right to access
- Right of rectification
- Right to data portability
- Right to restrict processing
- Right to object to processing
- Right to withdraw consent (where it is relied upon)
- Right to erasure/deletion
- Right to opt-out of receiving electronic communications from us
- Right to non-discrimination for exercising your CCPA rights
- Right to opt-out from a sale (as defined by the CCPA)
Please read this section to find out more about specific rights. To submit a request to exercise any of the rights described above, please reach out to us by email, via our form, or at the physical addresses listed in Contact Us.
You have the right to complain to your local data protection authority if you are unhappy with our privacy practices.
How do I access my data?
If you are a Business User or Representative, you may log in to the Stripe Dashboard to view personal information shared with Stripe.
If you are the End Customer of a Business User that uses Stripe services, the Business User would be the correct party to respond to a data subject access request related to your transactional information.
Depending on your location and subject to applicable law, you may have the right to request confirmation of whether Stripe processes Personal Data relating to you, and if so, to request a copy of that Personal Data. If you are an End User or otherwise have a direct relationship with us, you may submit your access request by email, or through our form. Please note that we may need to verify your identity and your relationship with us before we can proceed with your request.
How do I unsubscribe from marketing emails?
If you are a Business User or Visitor, you may unsubscribe from Stripe marketing emails here. If you have any questions about how to opt-out of Stripe marketing communications, please contact us here.
Can I turn off tracking and advanced fraud signals?
Your web browser may allow you to manage your cookie preferences, including deleting or disabling Stripe cookies. If you choose to disable cookies, keep in mind that some features of our Site or Services may not operate as intended. Disabling cookies will not disable the collection of advanced fraud signals, which we use to prevent fraud on Stripe. The collection of this data is controlled by the Business User that integrated with Stripe. If a Business User seeks to disable this data collection, they can find instructions to do so through Stripe’s documentation. You can take a look at the help section of your web browser or follow the links below to understand your options for disabling cookies.
You can learn more about how businesses can disable collection of advanced fraud signals in our documentation for disabling advanced fraud detection.
How do I delete my account?
You can close your Stripe account from the Settings page on the Dashboard. You can read more about that on our support page: Close a Stripe account.
Please be aware that we will delete some, but not all, of the information that we hold, for the reasons explained below.
How do I delete my Custom Connect account?
If you have a Custom Connect account, your account is managed by a Platform / Business User. They are the party responsible for managing payments for you and responding to your query; therefore we recommend reaching out to them for assistance.
How do I delete my Express Connect account?
If you have an Express Connect account, your account is managed by a Platform / Business User. They are the party responsible for managing payments for you and responding to your query; therefore we recommend reaching out to them for assistance.
How long will Stripe keep my data for?
Stripe keeps Personal Data for as long as Stripe reasonably needs to for the purposes listed here.
When determining the relevant retention periods, we will consider various criteria such as your location, the nature of our relationship with you, the types of products or services being offered or provided to you, the nature and sensitivity of your Personal Data, the mandatory retention periods provided by law or statute of limitations and any overriding legitimate grounds for continuing to retain the Personal Data (such as defending our rights in court, enforcing our agreements, detecting fraud or complying with valid legal process requests from courts or competent authorities).
For most jurisdictions, Stripe will generally keep Personal Data related to Business Users for a period of five or more years from the end of the business relationship with you, or the date of the last transaction, whichever is later.
California Privacy Rights Metrics
The following includes aggregate metrics of data subject rights requests received between January 1, 2021 and December 31, 2021. This data reflects requests received from individuals in California and may also include requests from individuals who do not reside in California.
- Number of “requests to know” received, complied with in whole or in part, or denied: 14
- Number of “requests to delete” received, complied with in whole or in part, or denied: 13,612
- Average number of days taken to respond to a request to know or delete: 1 day
There are instances where Stripe may deny a “request to know,” such as when the data subject fails to reply with information that would allow Stripe to accurately authenticate their identity to locate their data.
Due to the nature of Stripe’s products and services, when we receive a “request to delete,” our process is to direct the requestor to a page to action their request depending upon the relationship they have with Stripe. We also offer data subjects the opportunity to contact us, should they have any questions or concerns.
Request to Opt Out of Sale
Stripe does not “sell” personal information as defined by the California Consumer Privacy Act (CCPA). Learn more.
Cookies & Other Technology
What is Stripe.js?
For example, fraudsters and bots are less likely to spend time on different pages, which we’re able to detect and use as a signal in stopping fraud.
When you visit a site that uses Stripe, this fraud prevention could appear in a privacy report or tracker list in your web browser.
While you might see Stripe in a tracker list, we’re not building an individual tracking profile on you. Stripe doesn’t—and won’t—share or sell this data to advertisers. This data is securely exchanged between the following Stripe-controlled hosts:
What are advanced fraud signals?
Stripe’s advanced fraud detection looks at signals about device characteristics and user activity indicators that help distinguish between legitimate and fraudulent transactions. These signals are highly indicative of fraud and power Stripe’s fraud prevention systems, such as Radar. The signals are securely transmitted to Stripe’s backend by periodically making requests to the m.stripe.com endpoint.
You can learn more in our documentation for advanced fraud detection.
Why are advanced fraud signals not ad tracking?
Stripe only uses these advanced fraud detection signals to enable secure payments and prevent fraud. We don’t use this data to build individual profiles or share or sell it to third-party advertisers.
How does Stripe remember payment method details for Link?
Link (formerly known as “Remember Me”) lets end users save and reuse their payment information for faster checkout at thousands of online businesses that use Stripe. When an end user makes a purchase via a Business User (i.e., merchant) that enables Link, the end user can ask Stripe to remember their payment method details, such as credit and debit card details. If an individual chooses to be remembered, Stripe will remember the end user’s email address, phone number, shipping address, and payment method details for future Link transactions.
The payment method details for future transactions may be remembered across multiple Stripe Business Users. Generally, once the cookie is set, the end user may make “1-click” purchases using Link when they check out, which means that Stripe will automatically populate the end user’s saved information into their checkout on their behalf, and use the information to complete the transaction faster.
If the end user enters their phone number or email address during a future Link transaction, Stripe will authenticate the end user by sending the end user a One Time Passcode (OTP), e.g. via an SMS message or email. If the end user correctly enters the OTP, Stripe or the Business User will set a cookie in the end user’s browser, indicating that the end user has been authenticated. If the end user does not enter the OTP, or elects to “log out” of their Link session, then the cookie won’t remember the end user.
A cookie is only stored in a specific browser on a specific device. If an end user wishes to make 1-click purchases in a different browser or on a different device, they must go through the OTP authentication process for the new browser or device combination.
After 90 days, it will be necessary for the end user to re-complete the OTP process. The end user may also proactively remove the cookie by clearing cookies in their browser or by selecting the “log out” option when this option is presented in checkout.
If an end user no longer wishes for Stripe to remember their payment method details when they check out in the future, the end user may use the self-service deletion tool. Alternatively, the end user may also contact Stripe support to make this request.
The description above explains how an end user may control how their information is stored and used to check out. However, this does not affect the other contexts in which Stripe may store and use end user information. In particular, Stripe may store and use such information as described elsewhere in this Privacy Center, including for purposes such as advanced fraud detection.
What obligations should Link users keep in mind relating to cookie technology on their sites?
Based on your integration choice (e.g., for Link in Elements), you may have legal responsibilities associated with cookies and similar technology that Stripe uses for fraud detection and/or authentication purposes.
You should always check with your legal counsel to understand how you should comply with applicable legal obligations when setting cookies and similar technology. This section has information to keep in mind.
Stripe cookies or similar technology are set on your domain (e.g. on your checkout flow) or via browser storage from the Stripe.js library. The current Stripe cookies from the Stripe.js library include fraud prevention cookies like m, and also end-user authentication cookies like
You should regularly review the Stripe cookies that are placed on your website to ensure that your own privacy disclosures tell your end users about this type of data collection, and also update your cookie banner accordingly after reviewing the cookies placed on your website. Here is a paragraph you could add to your privacy disclosures if it does not already include such a disclosure:
Does Stripe use reCAPTCHA to protect its website from fraud and abuse?
Contact our Privacy team
If you’d like to send us physical mail, please send to:
354 Oyster Point Boulevard
South San Francisco, California, 94080, USA
Attention: Stripe Legal
Stripe Payments Europe Limited
1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland
Attention: Stripe Legal
Where can I learn more about Stripe’s security practices?
Visit our security page to learn more about Stripe’s security practices. You should contact us by email immediately if you become aware of any unauthorized use or any other breach of security regarding the Stripe services.