Staying compliant starts with understanding the privacy rules of the platforms you rely on. This guide breaks down the key policies of major players — from Facebook and other social platforms to Zoom and ChatGPT. It provides clear information to help you align with platform-specific privacy requirements.

Stripe privacy policy: Requirements for businesses

It’s easier than ever to make a purchase online. With a few clicks, you can add items to your cart and check out — even faster if you’ve saved your credit card details — and the transaction is complete.

Online payment processors power that experience for everything from shoe shopping to SaaS subscriptions. Stripe ranks second globally in market share, holding around 20.6 percent of the market as of April 2025. 

For businesses, Stripe does more than process payments. The company also supports terminal transactions, invoicing, identity verification, card programs, and other services for businesses across industries.

If you’re a Stripe Business User — meaning you use Stripe’s services for your business — you’re sharing data with Stripe about your customers. In some cases, Stripe will also share data with you.

Stripe’s privacy policy governs what happens to the personal data you share, including how the platform uses it and shares it with third parties.

We look at what data Stripe collects, how it uses this data, and what steps you need to take to meet your legal obligations and be transparent with your customers.

What data does Stripe collect?

When your business uses Stripe, the platform collects customer data to process payments, prevent fraud, and meet regulatory requirements.

Transaction data

Stripe collects payment data from your customers during online or in-person transactions. This may include:

  • Name and contact details, such as email addresses, phone numbers, and billing/shipping addresses
  • Payment method details, such as credit/debit card numbers, bank account info, or card images
  • Purchase amounts and transaction dates
  • In some cases, information about what was purchased

Importantly, Stripe can begin collecting data before the customer clicks “Pay.” Stripe may collect information that customers type into your business’s checkout form even if the customer leaves the page without completing the purchase.

Identity and verification information

Beyond standard payments, Stripe offers identity and fraud prevention services. If you use these services to verify a customer’s identity, Stripe collects some information directly from your customer. This may include:

  • Government-issued ID
  • Selfie for biometric verification
  • Personal data visible on physical payment methods, such as a credit card image

This level of data collection is not standard for every Stripe transaction and only applies if you use identity verification services. This may constitute collection of sensitive personal data, which brings added legal obligations under laws like the GDPR.

Stripe may also cross-check this data with other sources, such as public records, identity verification services, financial institutions, and previously collected data from other Stripe Business Users.

Online activity

Stripe collects technical details about a customer’s device, browser, and online actions when that customer uses Stripe on your website or app.

These details may include:

  • Device and browser details, including IP address, language settings, and plug-ins
  • Browsing behavior, like pages visited, time spent, referring URLs, and link clicks
  • Activity signals, such as mouse movements or other engagement cues
  • Payment methods used

This data collection happens through the Stripe scripts (like Stripe.js) and mobile software development kits (SDKs) that you install on your website or integrate into your app.

While this collection is standard on your checkout page, you might also use these scripts on other website pages or app screens for purposes like advanced fraud detection.

How does Stripe use personal data?

Stripe uses personal data in the following ways to deliver its services to Business Users and, where permitted, for its own operational, security, legal, and marketing purposes.

Payment processing and accounting

Stripe uses transaction data to process online payments, calculate taxes, handle invoices and disputes, and to support Business Users with revenue tracking and accounting tasks.

Financial services

For Business Users offering financial products through Stripe, such as branded payment cards, Stripe collects and uses personal data to provide and manage those products. This includes preventing misuse or fraud.

Identity verification

Stripe uses identity-related personal data to verify users, prevent fraud, and improve security. Verification may involve:

  • Comparing selfies with ID documents using biometric tools
  • Verifying phone numbers via carrier data

Fraud detection and prevention

Stripe collects and analyzes personal data to identify potentially fraudulent or harmful activity across its services. It also seeks to secure both personal data and funds against unauthorized access, use, alteration, or misappropriation.

Efforts include:

  • Reviewing attempted transactions
  • Using data obtained from you, your customers, public sources, and credit bureaus
  • Receiving identifying information like IP addresses from third parties to assess risk

Stripe uses personal data to fulfil its contractual and legal obligations regarding anti-money laundering, Know Your Customer (KYC) laws, anti-terrorism activities, export control, and trade restriction requirements. It may monitor transactions and “other online signals” to detect and identify potential money laundering or other illegal activity.

Analyzing, improving, and developing services

Stripe uses personal data across its platform to improve and develop services and user experience. This use includes:

  • Tracking usage and diagnosing issues through analytics and cookies
  • Generating aggregate and statistical information to evaluate how people use their services
  • Training AI models to prevent fraud and power its services
  • Analyzing transaction data to reduce disputes and improve approval rates

Communications

Stripe uses contact information to:

  • Send service-related communications, such as authentication codes via SMS
  • Provide updates about services and invite users to events, surveys, or user research
  • Follow up after service inquiries or event participation
  • Record calls, where legally permitted, for quality assurance, research, or compliance

Social media and promotions

If users participate in promotions or offers, Stripe may use the personal data they provide — as well as any publicly available information — to manage those promotions or offers and for marketing purposes.

Who does Stripe share personal data with?

Stripe shares personal data with a range of recipients to deliver services and fulfill legal, operational, and business requirements.

Third parties that Stripe shares data with include:

  • Business Users and their authorized partners: You, the Business User, and any third-party services you explicitly authorize to access customer data
  • Financial partners: Financial institutions that receive data to support services offered through Stripe, such as financing or payment products
  • App Marketplace developers: Third-party developers who receive business data through Stripe when you install a Marketplace app and authorize sharing
  • Stripe affiliates: Other entities within the Stripe group that receive data for purposes outlined in Stripe’s privacy policy
  • Service providers: External vendors Stripe relies on for cloud infrastructure, analytics, security, identity verification, customer support, and auditing
  • Referral partners (with consent): Third-party service providers that Stripe refers users to with prior consent
  • Corporate transaction participants: Third parties involved in mergers, acquisitions, or other business restructuring transactions
  • Legal and regulatory authorities: Courts, law enforcement, and government agencies that request data under applicable laws

Does Stripe sell personal data?

Under many US privacy laws, the terms “sell” or “share” have a broad legal definition. They don’t just mean exchanging data for money. They can also apply to providing data to partners, like advertising networks, in exchange for valuable services. Both terms often apply even when no money changes hands.

Stripe’s privacy policy states that it does not transfer personal data to third parties in exchange for payment. It also confirms that it does not sell or share sensitive personal information — such as government IDs or biometrics — for behavioral advertising.

However, the Stripe privacy policy also acknowledges that the company provides certain types of personal data to third party partners — including advertising partners, analytics providers, and social networks — to assist in advertising Stripe’s own products and services.

Since data is being exchanged for a service, this may be considered either “selling” or “sharing” data as those terms are defined under the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) and other applicable US privacy laws. 

In its Privacy Center, Stripe clarifies that it has “sold” or “shared” the following categories of personal information (as defined under the CCPA/CPRA) to third parties, including advertising partners, in the past 12 months:

  • Device and activity data including device identifiers, browser and usage information across Stripe-enabled business websites
  • Geolocation data such as general location inferred from IP addresses

International data transfers

If your business uses Stripe, your customers’ personal data may be transferred to other countries, including the US. This can happen if your customers use an international payment method or financial partner service, or when Stripe or its service providers process data in other jurisdictions.

To carry out these data transfers in compliance with privacy laws, Stripe relies on mechanisms such as: 

Stripe may also rely on other alternative data transfer mechanisms approved by relevant privacy authorities to transfer personal data to a third country.

This means you are relying on Stripe’s legal frameworks to lawfully transfer data. Your own privacy policy should inform your customers that their data may be processed in other countries, including the US.

Jurisdiction-specific provisions in the Stripe privacy policy

Since Stripe operates globally, it must handle personal data in compliance with data privacy laws in different regions based on the location of the individuals whose data it processes. The Stripe privacy policy includes jurisdiction-specific provisions that reflect several data protection regulations, including:

For end users in the US, Stripe applies both federal and state-level privacy laws. The Stripe privacy policy states that US-based individuals have the right to opt out of the sale or sharing of their personal information and to limit how their sensitive personal information is used or shared.

If you send Stripe your customers’ personal data, you’re required to give customers a way to exercise those opt-out rights.


Does Stripe require you to have a privacy policy?

Stripe’s privacy policy states that you are directly responsible for making disclosures to your customers about your own data collection and use.

This means you must be transparent with your customers about how you use their personal data, which includes disclosing that you share it with Stripe. Typically, this is done through a privacy policy.

Stripe’s data processing agreement (DPA) also requires transparency. Stripe’s DPA covers both your obligations and Stripe’s regarding personal data processing. It explicitly obligates you to provide “all necessary information (including by means of offering a transparent and easily accessible public privacy notice).” In other words, a privacy policy.

How to align your business with privacy laws and Stripe’s privacy requirements

As a business using Stripe, your data handling practices must meet the requirements of relevant global privacy regulations. Stripe includes many of these legal obligations as a formal part of your contract through its own specific terms.

Your DPA with Stripe requires you to have a valid legal basis for processing personal data. Where required by law, you must obtain all necessary consents from customers for both your own and Stripe’s data processing activities.


Under laws like the GDPR, you typically need to obtain explicit user consent before you collect individuals’ personal information. 

While many US states use an opt-out consent model, generally prior consent is required if the data to be processed is categorized as sensitive or belongs to children. This is especially relevant if you use Stripe’s identity verification services, as these can require processing sensitive personal data like biometric information.

You must provide a clear way for customers to opt out of the sale or sharing of their personal information even if it’s not considered sensitive. You must also provide a way to limit how their sensitive data is used where required by state law.

Follow purpose limitation principles

If you receive data from Stripe, you can only use it for the specific purposes that you have disclosed to users in your privacy policy, and only if you have obtained the proper consent where required by law.

Follow data minimization principles

Practice data minimization by collecting only the personal data that is strictly necessary for your stated purpose. Doing so will help you comply with laws like the GDPR and avoid the risk of collecting or sharing data that is prohibited or unnecessary.

This principle is especially important for transaction data. Certain types of financial information are considered sensitive personal information under many US state privacy laws and are therefore subject to stricter rules.

Be transparent with your users

Your privacy policy must clearly explain how your business uses Stripe’s business services and what that use means for your customers’ personal data. Below is a non-exhaustive checklist of what to include in your privacy policy.

  • Describe how your business collects, uses, and shares personal data with Stripe and for what purposes. Note that Stripe may use the data according to its own privacy policy.
  • Inform users that data shared with Stripe may be further shared by Stripe, including with its service providers or affiliates.
  • Include links to Stripe’s privacy policy.
  • If you use Stripe’s identity verification services, be explicit that customers may be required to share sensitive personal information with Stripe.
  • Explain users’ rights under relevant laws and how they can exercise them, such as the right to object (under the GDPR) and the right to opt out (under the CCPA/CPRA).
  • If you use tools that access or store data on user devices — such as Stripe.js or the SDKs — include:
    • A disclosure that your website or app uses third-party tracking technologies, including Stripe
    • A description of the types of data collected and how they are used
    • Opt-out mechanisms where required by law
    • Clear, accessible links that enable users to exercise those choices
  • Share your contact details for users to reach out with any questions or concerns they may have about your data policies or their rights. Include information about your Data Protection Officer (DPO) if you have one, or any other qualified corporate privacy contact.

Your privacy policy must be written in clear, non-legal language that anyone can understand. It should also be easily accessible on your website or app. Most businesses share their privacy policies in the footer of their website, in their app’s menu, or both if applicable.

You are also responsible for keeping the policy up to date with changes to data protection laws, Stripe’s terms, or your own data handling practices.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.