Effective date: October 31, 2023
Stripe, Inc. (“Stripe”, “we”, “our” or “us”) complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce (collectively, the “DPF”).*
This Stripe Data Privacy Framework Policy (“DPF Policy”) and where applicable, the European Applicant Personal Information Notice or the European Employee Personal Information Notice, describes the privacy practices that we implement for Personal Data received from the EEA, UK and Switzerland in reliance on the DPF. Stripe has certified to the Department of Commerce that it adheres to the DPR Principles with respect to the processing of such data. This DPF Policy uses terms that are defined in the relevant notice(s). If there is any conflict between the terms in this DPF Policy and the DPF Principles as concerns the Personal Data received under the DPF, the DPF Principles will prevail.
To learn more about the DPF program, please visit https://www.dataprivacyframework.gov/, and to view our certification, please see here.
What this disclosure covers
Please see the relevant parts of the applicable notice and/or other policies for information about:
- The types of Personal Data processed;
- The purposes of data processing;
- Third parties who may receive Personal Data;
- An individual’s right to access Personal Data; and
- Any choices and means to limit the use and disclosure of Personal Data.
Compelled disclosure
Stripe may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Enforcement
Stripe’s compliance with the DPF is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. Stripe remains responsible for any Personal Data that is shared with third parties in a manner inconsistent with the DPF unless we prove we are not responsible for the event giving rise to any alleged damage.
Questions and complaints
If you have any questions or concerns about our DPF certification, please reach out to:
- applicant-privacy@stripe.com (for applicants)
- hr-privacy-confidential@stripe.com (for employees)
Alternatively, please write to us at the following address:
Stripe, Inc.
354 Oyster Point Boulevard
South San Francisco, California, 94080
Attention: Stripe Legal
In the event Stripe is unable to resolve your concern, you can also refer a complaint to your local data protection authority (free of charge) and we will work with them to resolve your concerns.
- UK Information Commissioner's Office
- Swiss Federal Data Protection and Information Commissioner
- EU Data Protection Authorities
We will cooperate and comply with the advice of the panel established by the EU Data Protection Authorities, the UK Information Commissioner’s Office and the Swiss Federal Data Protection and Information Commissioner with regard to such unresolved complaints concerning our handling of Personal Data received in reliance on the DPF.
In certain circumstances, the DPF provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I to the Data Privacy Framework Principles.
Changes to this policy
This DPF Policy may be changed from time to time, consistent with the requirements of the DPF and in accordance with the process described in the relevant notice. You can determine when this DPF Policy was last revised by referring to the “Last updated” date or “Effective date” at the top of this page.
*Stripe will not rely on the Swiss-U.S. Data Privacy Framework until it enters into force, but we adhere to its required commitments in anticipation of it doing so.