Why Stripe Requires Privacy Policy Disclosure
Stripe processes sensitive financial information on behalf of your customers. Under GDPR, CCPA, PCI DSS, and Stripe's own Terms of Service, you are required to disclose that a third-party payment processor handles customer data. Failing to do so can result in regulatory fines, Stripe account suspension, or loss of customer trust.
Even if Stripe handles all the card processing and you never see raw card numbers, you are still the data controller (or "business" under CCPA) responsible for telling customers what happens to their information. Whether you run an eCommerce store, a SaaS platform, or a mobile app, this disclosure is mandatory.
What Data Stripe Collects from Your Customers
Every Stripe transaction involves collecting multiple categories of personal data.
| Data Type | Details | Purpose |
|---|---|---|
| Card details | Card number, expiration date, CVC | Process payment transactions |
| Billing address | Street, city, state, postal code, country | Address verification (AVS), tax calculation |
| IP address | IPv4 or IPv6 address at checkout | Fraud detection, geolocation |
| Device fingerprint | Browser type, OS, screen resolution, timezone | Fraud prevention via Stripe Radar |
| Behavioral data | Mouse movements, typing patterns, session data | Radar machine learning fraud signals |
| Email for receipts | Customer email address | Send payment confirmations, invoices |
Data Collection by Stripe Product
Different Stripe products collect different types of data. Your disclosures should match the products you use.
| Stripe Product | Additional Data Collected |
|---|---|
| Payments | Card details, billing info, transaction metadata |
| Checkout | Email, phone, shipping address, saved payment methods |
| Billing | Subscription plans, renewal dates, usage data for metered billing |
| Connect | Connected account owner identity, bank details, tax IDs, business info |
| Radar | Device fingerprints, behavioral signals, IP geolocation, risk scores |
| Identity | Government ID images, selfie photos, biometric face data |
| Tax | Customer location, tax IDs, transaction amounts for tax calculation |
| Invoicing | Customer name, email, billing address, itemized purchase history |
| Link | Saved payment methods, email, phone for cross-merchant recognition |
PCI DSS Compliance and Your Privacy Policy
The Payment Card Industry Data Security Standard (PCI DSS) governs how card data must be handled. Stripe is a PCI Level 1 Service Provider, the highest certification level. When you use Stripe, you benefit from their compliance, but your privacy policy must still address how payment data flows.
Tokenization: Stripe replaces card numbers with tokens so raw card data never reaches your server. State this clearly in your policy.
PCI scope reduction: By using Stripe Elements or Checkout, you reduce your PCI compliance burden. Your policy should explain that card data is handled entirely by Stripe.
Data storage: Clarify that you do not store full card numbers. Stripe retains card data in their PCI-compliant infrastructure.
Encryption in transit: All data transmitted to Stripe uses TLS encryption. Mentioning this reassures customers about security.
Stripe Connect: Marketplace and Platform Disclosures
If you operate a marketplace or platform using Stripe Connect, your privacy obligations are more complex. Data flows between three parties: your platform, connected accounts (sellers or service providers), and Stripe itself. Your policy must address all three relationships.
Platform-to-Stripe Data Sharing
Disclose that your platform shares customer payment data with Stripe to facilitate transactions with connected accounts. Explain that Stripe acts as both a processor for your platform and a processor for connected accounts.
Connected Account Data
Stripe collects identity documents, bank account details, tax identification numbers, and business information from connected accounts during onboarding. If you facilitate this onboarding, disclose it in your policy.
Customer Data Visibility
Inform customers that connected accounts may have access to certain transaction data (order details, payment status) and that those accounts may have their own privacy policies.
Stripe Identity Verification Disclosures
Stripe Identity collects government-issued ID images, selfie photographs, and biometric face data for identity verification. This is some of the most sensitive personal data you can process, and several jurisdictions have specific biometric data laws (Illinois BIPA, Texas CUBI, Washington state biometric law).
ID document collection: Disclose that government ID images (passport, driver's license) are captured and transmitted to Stripe for verification.
Biometric data: Under laws like Illinois BIPA, you must obtain informed consent before collecting biometric identifiers. Your policy must explicitly state that facial geometry data is collected.
Retention period: Specify how long Stripe retains identity verification data. Stripe typically retains this data for the duration of the business relationship plus a regulatory retention period.
Stripe Radar: Fraud Detection Privacy Requirements
Stripe Radar uses machine learning to score transactions for fraud risk. It analyzes device fingerprints, IP addresses, behavioral patterns (how a user types, moves their mouse, and navigates your checkout), and transaction history across the entire Stripe network. Under GDPR Article 22, automated decision-making that significantly affects individuals requires specific disclosures.
Automated decision-making: Disclose that transactions may be automatically blocked or flagged based on Radar's risk assessment without human review.
Data signals used: List the types of data Radar analyzes: device fingerprints, IP geolocation, email reputation, card testing patterns, and cross-network transaction history.
Right to human review: Under GDPR, customers have the right to request human review of automated decisions. Your policy should explain how to exercise this right.
Legitimate interest basis: Fraud prevention is typically justified under the legitimate interests lawful basis. State this clearly and describe your balancing test.
How to Describe Stripe in Your Privacy Policy
Your privacy policy should include a dedicated section for payment processing. Here is what to cover, whether you run a Shopify store or a WooCommerce site:
Name the Processor
State: "We use Stripe, Inc. as our payment processor." Include Stripe's address (354 Oyster Point Blvd, South San Francisco, CA 94080) for GDPR compliance.
List the Data Shared
Enumerate the categories: payment card information, billing address, email, IP address, and device data. Do not use vague language like "payment information."
Explain the Legal Basis
For GDPR, state the lawful basis: contractual necessity for payment processing, legitimate interests for fraud prevention, and legal obligations for tax and financial regulations.
Link to Stripe's Policy
Include a direct link to https://stripe.com/privacy so customers can review Stripe's own data practices. This is required by Stripe's terms and recommended by GDPR transparency principles.
Mention International Transfers
Stripe processes data in the United States. If you have EU customers, disclose this transfer and note that Stripe participates in the EU-US Data Privacy Framework.
Common Mistakes to Avoid
Not naming Stripe at all
Saying "we use a third-party payment processor" is insufficient under GDPR. You must name Stripe explicitly.
Claiming you store card data
If you use Stripe Elements or Checkout, card data never touches your servers. Claiming otherwise is inaccurate and may alarm customers.
Ignoring Stripe.js data collection
Stripe.js collects device fingerprints and behavioral data for Radar. Failing to disclose this violates cookie and tracking transparency requirements.
Missing Stripe Connect disclosures
Marketplace operators must explain the three-way data flow (platform, connected account, Stripe). A single-party disclosure is incomplete.
Omitting automated decision-making
If Stripe Radar blocks transactions automatically, GDPR requires you to disclose automated decision-making and the right to human review.
Step-by-Step: Adding Stripe to Your Privacy Policy
Identify Which Stripe Products You Use
Audit your integration: Payments, Checkout, Billing, Connect, Radar, Identity, Tax, Invoicing, or Link. Each product has unique data collection.
Document the Data Stripe Collects
For each product, list the personal data: card details, billing addresses, IP addresses, device fingerprints, behavioral analytics, and email addresses.
Name Stripe as a Third-Party Processor
Add a clear statement naming Stripe, Inc. as your payment processor. Include a link to stripe.com/privacy.
Describe the Legal Basis for Processing
State the lawful basis: contractual necessity for orders, legal obligations for tax, and legitimate interests for fraud prevention.
Address PCI DSS Compliance
Explain that Stripe is a PCI Level 1 certified provider and that card data is tokenized so it never reaches your servers.
Add Product-Specific Disclosures
Include sections for Connect (multi-party data sharing), Identity (biometric data), and Radar (automated fraud detection) if applicable.
Frequently Asked Questions
Do I need to mention Stripe by name in my privacy policy?
Yes. Both GDPR and Stripe's own terms require you to name third-party processors. Your privacy policy should explicitly state that Stripe, Inc. processes payment data and link to Stripe's privacy policy.
What data does Stripe collect from my customers?
Stripe collects card numbers, expiration dates, CVC codes, billing addresses, IP addresses, device fingerprints, behavioral data through Stripe Radar for fraud detection, and email addresses for receipts. The exact data depends on which Stripe products you use.
Does Stripe store credit card numbers on my server?
No. When properly integrated, Stripe tokenizes card data so sensitive card numbers never touch your server. Stripe handles PCI compliance as a Level 1 Service Provider. Your privacy policy should clarify this distinction.
Do I need a privacy policy if I only use Stripe Checkout?
Yes. Even with Stripe's hosted Checkout page, you are still the merchant collecting payment for goods or services. You must disclose that customer data is shared with Stripe for payment processing and link to Stripe's privacy policy.
How does Stripe Radar affect my privacy policy?
Stripe Radar uses machine learning to analyze transaction patterns, device fingerprints, and behavioral signals for fraud detection. Under GDPR, automated decision-making that significantly affects individuals requires disclosure. Your policy should explain that fraud screening occurs and describe the data used.
What additional disclosures does Stripe Connect require?
Stripe Connect platforms must disclose multi-party data sharing: data flows between you (the platform), connected accounts (sellers/service providers), and Stripe. You must also explain that connected accounts may have their own privacy policies governing their use of customer data.
Is Stripe compliant with GDPR and CCPA?
Stripe is certified under the EU-US Data Privacy Framework and offers Data Processing Agreements for GDPR compliance. For CCPA, Stripe acts as a service provider. However, you as the merchant must still include proper disclosures in your own privacy policy.
Generate Your Stripe-Ready Privacy Policy
Create a customized privacy policy that properly discloses Stripe payment processing, Radar fraud detection, and all required PCI DSS language.
Structured around widely accepted GDPR, CCPA, and PCI DSS requirements. Not legal advice. Learn more about what happens without a privacy policy.
Related Resources
Privacy Policy for eCommerce
Online store compliance guide
Privacy Policy for SaaS
SaaS platform privacy requirements
Privacy Policy for Shopify
Shopify-specific privacy disclosures
Privacy Policy for WooCommerce
WooCommerce privacy policy guide
Privacy Policy for Apps
Mobile app privacy requirements
GDPR Privacy Policy Template
EU compliance guide and template
What Happens Without a Policy
Risks of missing privacy disclosures
Policy Generator
Create your compliant privacy policy