Here’s a summary of key changes:
We provided additional clarifications on what data we collect, use, and share, and for what purposes.
We have updated the descriptions of how we share data with additional third party partners, such as advertising partners who help us advertise our products and services to you.
We provided more information about the privacy rights available to you in the United States and other countries.
We provide financial infrastructure for the internet. Individuals and businesses of all sizes use our technology and services to facilitate purchases, accept payments, send payouts, and manage online businesses.
In this Policy, “Stripe”, “we”, “our”, or “us” refers to the Stripe entity responsible for the collection, use, and handling of Personal Data as described in this document. Depending on your jurisdiction, the specific Stripe entity accountable for your Personal Data might vary. Learn More.
“Personal Data” refers to any information associated with an identified or identifiable individual, which can include data that you provide to us and data that we collect about you during your interaction with our Services (such as device information, IP address, etc.).
“Services” refer to the products and services provided by Stripe under the Stripe Services Agreement and the Stripe Consumer Terms of Service. This may include devices and applications provided by Stripe. Our “Business Services” are services that we provide to entities (“Business Users”) that directly and indirectly provide us with “End Customer” Personal Data in connection with their own business operations and activities. Our “End User Services” are those that Stripe provides directly to individuals for their personal use. “Sites” refer to Stripe.com, Link.com, and other Stripe websites, apps, and online services. Collectively, we refer to Sites, Business Services, and End User Services as “Services”.
“Financial Partners” are financial institutions, banks, and other partners such as payment method acquirers, payout providers, and card networks that we partner with to provide the Services.
Depending on the context, “you” might be an End Customer, End User, Representative, or Visitor:
When you use an End User Service for personal use, such as signing up for Link, we refer to you as an “End User”.
When you do business with, or otherwise engage in a transaction with a Business User, such as buying a pair of shoes from a Business User using Stripe Checkout for payment processing, but are not directly transacting with Stripe, we refer to you as an “End Customer”.
When you are acting on behalf of an existing or potential Business User—perhaps as a company founder, account administrator for a Business User, or a recipient of an employee credit card from a Business User via Stripe Issuing—we categorize you as a “Representative”.
When you interact with Stripe by visiting a Site without being logged into a Stripe account, or when your interaction with Stripe does not involve you being an End User, End Customer, or Representative, you are considered a “Visitor”. For example, you are a Visitor when you send a message to Stripe asking for more information about our Services.
In this Policy, “Transaction Data” refers to data collected and used by Stripe to facilitate transactions you request. Some Transaction Data is Personal Data and may include: your name, email address, contact number, billing and shipping address, payment method information (like credit or debit card number, bank account details, or payment card image chosen by you), merchant and location details, amount and date of purchase, and in some instances, information about what was purchased.
Depending on the activity, Stripe assumes the role of a “data controller” and/or “data processor” (or “service provider”). For more details about our role, the specific Stripe entity responsible under this Policy, and our legal bases for processing your Personal Data, please visit our Link Privacy Center.
For purposes of the General Data Protection Regulation and other applicable data protection laws, we rely on a number of legal bases to process your Personal Data. Learn More. For some jurisdictions, there may be additional legal bases, which are outlined in the Jurisdiction-Specific Provisions section below.
a. Contractual and Pre-Contractual Business Relationships. We process Personal Data to enter into business relationships with prospective Business Users and End Users and fulfill our respective contractual obligations with them. These processing activities include:
b. Legal Compliance. We process Personal Data to verify the identities of individuals and entities to comply with obligations related to fraud monitoring, prevention, and detection, laws associated with identifying and reporting illicit and illegal activities, such as those under the Anti-Money Laundering (“AML”) and Know-Your-Customer (“KYC”) regulations, and financial reporting obligations. For example, we may be required to record and verify a Business User’s identity to comply with regulations designed to prevent money laundering, fraud, and financial crimes. These legal obligations may require us to report our compliance to third parties and subject ourselves to third party verification audits.
c. Legitimate Interests. Where allowed under applicable law, we rely on our legitimate business interests to process your Personal Data. The following list provides an example of the business purposes for which we have a legitimate interest in processing your data:
d. Consent. We may rely on consent or explicit consent to collect and process Personal Data regarding our interactions with you and the provision of our Services such as Link, Financial Connections, Atlas, and Identity. When we process your Personal Data based on your consent, you have the right to withdraw your consent at any time, and such a withdrawal will not impact the legality of processing performed based on the consent prior to its withdrawal.
e. Substantial Public Interest. We may process special categories of Personal Data, as defined by the GDPR, when such processing is necessary for reasons of substantial public interest and consistent with applicable law, such as when we conduct politically-exposed person checks. We may also process Personal Data related to criminal convictions and offenses when such processing is authorized by applicable law, such as when we conduct sanctions screening to comply with AML and KYC obligations.
Depending on your location and subject to applicable law, you may have choices regarding our collection, use, and disclosure of your Personal Data:
If you wish to stop receiving marketing-related emails from us, you can opt-out by clicking the unsubscribe link included in such emails or as described here. We'll try to process your request(s) as quickly as reasonably practicable. However, it's important to note that even if you opt out of receiving marketing-related emails from us, we retain the right to communicate with you about the Services you receive (like support and important legal notices) and our Business Users might still send you messages or instruct us to send you messages on their behalf.
Depending on your location and subject to applicable law, you may have the following rights regarding the Personal Data we control about you:
The right to request confirmation of whether Stripe is processing Personal Data associated with you, and if so, request access to that Personal Data (Learn More);
The right to request that Stripe rectify or update your Personal Data if it's inaccurate, incomplete, or outdated;
The right to request that Stripe erase your Personal Data in certain circumstances as provided by law (Learn More);
The right to request that Stripe restrict the use of your Personal Data in certain circumstances, such as while Stripe is considering another request you've submitted (for instance, a request that Stripe update your Personal Data);
The right to request that we export the Personal Data we hold about you to another company, provided it's technically feasible;
The right to withdraw your consent if your Personal Data is being processed based on your previous consent;
The right to object to the processing of your Personal Data if we are processing your data based on our legitimate interests; unless there are compelling legitimate grounds or the processing is necessary for legal reasons, we will cease processing your Personal Data upon receiving your objection (Learn More);
The right not to be discriminated against for exercising these rights; and
The right to appeal any decision by Stripe relating to these rights by contacting Stripe’s Data Protection Officer (“DPO”) at firstname.lastname@example.org.
You may have additional rights, depending on applicable law, over your Personal Data. For example, see the Jurisdiction-specific provisions section under United States below.
To exercise your data protection rights, visit our Link Privacy Center or contact us as outlined below.
We make reasonable efforts to provide a level of security appropriate to the risk associated with the processing of your Personal Data. We maintain organizational, technical, and administrative measures designed to protect the Personal Data covered by this Policy from unauthorized access, destruction, loss, alteration, or misuse. Learn More. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure.
We encourage you to assist us in protecting your Personal Data. If you hold a Stripe account, you can do so by using a strong password, safeguarding your password against unauthorized use, and avoiding using identical login credentials you use for other services or accounts for your Stripe account. If you suspect that your interaction with us is no longer secure (for instance, you believe that your Stripe account's security has been compromised), please contact us immediately.
We retain your Personal Data for as long as we continue to provide the Services to you or our Business Users, or for a period in which we reasonably foresee continuing to provide the Services. Even after we stop providing Services directly to you or to a Business User that you're doing business with, and even after you close your Stripe account or complete a transaction with a Business User, we may continue to retain your Personal Data to:
Comply with our legal and regulatory obligations;
Enable fraud monitoring, detection, and prevention activities; and
Comply with our tax, accounting, and financial reporting obligations, including when such retention is required by our contractual agreements with our Financial Partners (and where data retention is mandated by the payment methods you've used).
In cases where we keep your Personal Data, we do so in accordance with any limitation periods and record retention obligations imposed by applicable law. Learn More.
As a global business, it's sometimes necessary for us to transfer your Personal Data to countries other than your own, including the United States. These countries might have data protection regulations that are different from those in your country. When transferring data across borders, we take measures to comply with applicable data protection laws related to such transfer. In certain situations, we may be required to disclose Personal Data in response to lawful requests from officials, such as law enforcement or security authorities. Learn More.
If you are located in the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland, please refer to our Link Privacy Center for additional details. When a data transfer mechanism is mandated by applicable law, we employ one or more of the following:
Transfers to certain countries or recipients that are recognized as having an adequate level of protection for Personal Data under applicable law.
EU Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum issued by the Information Commissioner’s Office. You can obtain a copy of the relevant Standard Contractual Clauses. Learn More.
Other lawful methods available to us under applicable law.
Stripe, Inc. complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce and as applicable. Learn More.
We may change this Policy from time to time to reflect new services, changes in our privacy practices or relevant laws. The “Last updated” legend at the top of this Policy indicates when this Policy was last revised. Any changes are effective the later of when we post the revised Policy on the Services or otherwise provide notice of the update as required by law.
We may provide you with disclosures and alerts regarding the Policy or Personal Data collected by posting them on our website and, if you are an End User or Representative, by contacting you through your Stripe Dashboard, email address and/or the physical address listed in your Stripe account.
Australia. If you are an Australian resident and dissatisfied with our handling of any complaint you raise under this Policy, you may consider contacting the Office of the Australian Information Commissioner.
Brazil. You may exercise your rights by contacting our DPO at email@example.com. Brazilian residents, for whom the Lei Geral de Proteção de Dados Pessoais (“LGPD”) applies, have rights set forth in Article 18 of the LGPD.
Canada. As used in this Policy, “applicable law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA), the Personal Information Protection Act, SBC 2003 c 63, in British Columbia, the Personal Information Protection Act, SA 2003 c P-6.5, in Alberta, and the Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39-1 (Quebec Private Sector Act), in Quebec. Learn more. “Personal Data” includes “personal information” as defined under those laws.
EEA and UK. You may exercise your rights by contacting our DPO at firstname.lastname@example.org. If you are a resident of the EEA or if Stripe Payments Europe Limited is identified as your data controller, and you believe our processing of your information contradicts the General Data Protection Regulation (GDPR), you may direct your questions or complaints to the Irish Data Protection Commission. If you are a resident of the UK, direct your questions or concerns to the UK Information Commissioner’s Office. Where Personal Data is used for regulated financial activities in Europe, Stripe Payments Europe Limited and Stripe's local regulated entities are considered joint controllers. Learn More. You also have additional rights under the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Learn More.
India. In this Policy, “applicable law” includes the Digital Personal Data Protection Act (DPDPA) once the DPDPA is enacted. Further, the term “data controller” includes “data fiduciaries,” and the term “data subject” includes “data principal,” both as defined in the DPDPA.
In some cases, and as permitted under the DPDPA, we may rely on “legitimate use” as a legal basis. For example, we do so when you voluntarily provide your Personal Data to us. “Consent Managers” as defined under the DPDPA may submit a request to revoke or provide consent using the methods described in the Contact Us section below, or as set out in the following paragraph, or via other means made available by Stripe in the future. We may ask for proof of authorization and identity before processing such a request.
In certain cases, you may be asked to consent to the collection and processing of your Aadhaar number by Stripe India Private Limited and/or its third party verification partner(s). The purpose of this collection is to facilitate the identification verification process as required under applicable laws. Your provision of Aadhaar details is purely voluntary, and you may provide other identification documents as may be accepted by us from time to time. You will not be denied service merely for not submitting Aadhaar details.
If you have any questions or complaints regarding the processing of your Personal Data in India, or if you want to receive this Policy or communicate with us about privacy in one of India’s official languages, please contact our Nodal and Grievance Officer. Learn More. Alternatively, you may contact our DPO at email@example.com. If we are unable to address your complaint or grievance, you have the right to escalate the matter to the Data Protection Board of India.
Indonesia. In this Policy, “applicable law” includes Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information and Transactions, Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions, and Minister of Communication and Informatics Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems, and from September 2024, Law No. 27 of 2022 concerning Personal Data Protection (PDP Law). If you have any questions or complaints about this Policy, please contact our DPO at firstname.lastname@example.org.
Japan. In this Policy, “applicable law” includes the Act on the Protection of Personal Information (APPI). When we transfer Personal Data of data subjects in Japan to jurisdictions not recognized as ‘adequate’ by the Personal Information Protection Commission, we enter into written agreements with any third parties located outside of Japan. These written agreements provide rights and obligations equivalent to those provided under the Japanese Act on the Protection of Personal Information. For more information on how we ensure that third parties protect your data and where your data is located, please see above or contact us as described below. For a description of foreign systems and frameworks that may affect the implementation of equivalent measures by the third party, see here.
In some cases, and as permitted under the APPI, we may rely on “public interest” as a legal basis, such as fraud detection and loss prevention.
Malaysia. If you have any questions or complaints about this Policy, please contact our DPO at email@example.com.
Singapore. In this Policy, “applicable law” includes the Personal Data Protection Act 2012 (PDPA) (No. 26 of 2012) as amended from time to time. In some cases, and as permitted under the PDPA, we may rely on “deemed consent” as a legal basis. For example, we do so when you voluntarily provide your personal data to us.
If you have any questions or complaints about this Policy, please contact our DPO at firstname.lastname@example.org.
Switzerland. In this Policy, “applicable law” includes the Swiss Federal Act on Data Protection (FADP), as revised. To exercise your rights under the FADP, please contact our DPO at email@example.com. You may also have additional rights under the Swiss-U.S. Data Privacy Framework when it comes into force. Learn More.
Thailand. In this Policy, “applicable law” includes the Personal Data Protection Act 2019 (PDPA). If we rely on certain legal bases (such as “legal obligation” or “contractual necessity”) and you do not provide us with your Personal Data, we may not be able to lawfully provide you services. If you have any questions or complaints about this Policy, please contact our DPO at firstname.lastname@example.org.
Your Rights and Choices. As a US consumer and subject to certain limitations under US privacy laws, you may have choices regarding our use and disclosure of your Personal Data (learn more about data subject rights metrics). In addition to the above rights, other rights include:
To submit a request to exercise any of the rights described above, please contact us using the methods described in the Contact Us section below. Please note that rights under some U.S. state laws do not apply to Personal Data we collect, process, and disclose when you act as a consumer to obtain financial products or services from Stripe for individual or household purposes. The federal Gramm-Leach-Bliley Act may govern how Stripe shares and protects that data instead. See our US Consumer Privacy Notice below for more information.
We will verify your request by asking you to send it from the email address associated with your account or requiring you to provide information necessary to verify your identity, including name, address, transaction history, photo identification, and other information associated with your account.
You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under the CCPA. Your agent may submit a request on your behalf by contacting us using the methods described in the Contact Us section below. We may still require you to directly verify your identity and confirm that you gave the authorized agent permission to submit the request.
Global Privacy Control signals. Stripe honors the Global Privacy Control (GPC) opt-out preference signals. Learn More.
The following Consumer Privacy Notice applies to you if you are an individual who resides in the United States and obtains financial services from Stripe primarily for your own personal, family, or household purposes.
Last updated: January 16, 2024
|FACTS||WHAT DOES STRIPE DO WITH YOUR PERSONAL INFORMATION?|
|Why?||Financial companies choose how they share your personal information. Federal law gives consumers the right to limit some but not all sharing. Federal law also requires us to tell you how we collect, share, and protect your personal information. Please read this notice carefully to understand what we do.|
The types of personal information we collect and share depend on the product or service you have with us. This information can include:
When you are no longer our customer, we continue to share your information as described in this notice.
|How?||All financial companies need to share customers' personal information to run their everyday business. In the section below, we list the reasons financial companies can share their customers' personal information; the reasons Stripe chooses to share; and whether you can limit this sharing.|
| Reasons we can share your personal information | Does Stripe Share? | Can you limit this sharing? |
|---|---|---|
| For our everyday business purposes - such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus | Yes | No |
| For our marketing purposes - to offer our products and Services to you | Yes | No |
| For joint marketing with other financial companies | Yes | No |
| For our affiliates' everyday business purposes - information about your transactions and experiences | Yes | No |
| For our affiliates' everyday business purposes - information about your creditworthiness | No | We don’t share |
| For our affiliates to market to you | No | We don’t share |
| For nonaffiliates to market to you if you are a Link user | Yes | Yes |
| For nonaffiliates to market to you if you are a Financial Connections user | No | We don’t share |
|To limit our sharing|
Log in to your Link account at app.link.com/account and toggle off data sharing from the Account menu.
However, you can contact us at any time to limit our sharing.
|Questions?||Contact us at email@example.com or visit us at https://support.link.com|
|Who we are|
|Who is providing this notice?||Stripe, Inc., Stripe Payments Company, and their affiliates that provide consumers services in the U.S.|
|What we do|
|How does Stripe protect my personal information?||To protect your personal information from unauthorized access, destruction, loss, alteration, or misuse we use security measures to comply with federal law. These measures include computer safeguards and secured files and buildings. We impose access controls along with ongoing monitoring to prevent data misuse, and we require our service providers to take similar steps to protect your information.|
|How does Stripe collect my personal information?|
We collect your personal information, for example, when you
We also collect your personal information from others, such as affiliates or other companies.
|Why can’t I limit all sharing?|
Federal law gives you the right to limit only
State laws and individual companies may give you additional rights to limit sharing. See the Other Important Information section below for more information on your rights under state law.
|What happens when I limit sharing for an account I hold jointly with someone else?||Your choices will apply to everyone on your account.|
Companies related by common ownership or control. They can be financial and nonfinancial companies.
Companies not related by common ownership or control. They can be financial and nonfinancial companies.
A formal agreement between non-affiliated financial companies that together market financial products or services to you.
|Other important information|
California: If your account with us is associated with a California billing address, we will not disclose Personal Data we collect about you except to the extent permitted under California law. For instance, we may disclose your Personal Data as necessary to process transactions or provide products and services you request, at your instruction, as required for institution risk control, and to safeguard against fraud, identity theft, and unauthorized transactions.
For additional information about our privacy practices, please visit the Link Privacy Center.