Does Stripe require disclosure in my privacy policy?

Yes. Stripe is an independent data controller for payment processing and must be named in your privacy policy. Under GDPR and CCPA, you must disclose that payment data is shared with Stripe as a third party. Stripe processes payments under PCI-DSS compliance standards, and this relationship must be transparent to users before they submit payment information.

What specific data does Stripe collect from my customers?

Stripe collects billing name and address, email address, payment card details, transaction amounts and history, IP address, and device fingerprint data for fraud prevention. Importantly, payment card details are processed by Stripe's servers, not stored on your website. All card data remains under Stripe's control and PCI-DSS compliance.

Does Stripe require a cookie consent banner?

Yes. Stripe sets two essential cookies: __stripe_mid (1-year expiration) and __stripe_sid (30-minute expiration), both used for fraud prevention and session management. While these are strictly necessary cookies, most jurisdictions (GDPR, ePrivacy Directive) still require you to disclose them in a cookie banner or privacy policy, even if opt-in consent isn't required.

Where is my payment data transferred, and who controls it?

Payment data is transferred to Stripe Inc., headquartered in the United States. Stripe is certified under the EU-US Data Privacy Framework, enabling compliant data transfers from EU users. Stripe acts as an independent data controller for payment processing, meaning they have their own legal obligations under GDPR. You should review Stripe's privacy policy at https://stripe.com/privacy for their full data handling practices.

Payments

Privacy policy clauses for Stripe

Stripe is a payment processing platform that securely handles credit card transactions, subscriptions, and fraud detection. Websites use Stripe to accept payments without storing sensitive card data on their own servers, reducing security and compliance risks.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Stripe collects

Your privacy policy must disclose each of the following data types when you use Stripe.

Payment card details (processed by Stripe, NOT stored on your server)

Billing name and address

Email address

IP address

Device fingerprint (fraud prevention)

Transaction amounts and history

When does Stripe trigger privacy obligations?

Installation triggers immediate data flows

The moment Stripe is integrated into your checkout or payment form, three categories of personal data begin flowing to Stripe Inc (a US-based independent data controller):

Common compliance pitfalls

Cookie	Duration	Category	Purpose
__stripe_mid	1 year	strictly necessary	Fraud prevention
__stripe_sid	30 minutes	strictly necessary	Session identifier

Pitfall 1: Missing or vague processor disclosure in privacy policy

The mistake: Saying "we work with third parties to process payments" without naming Stripe or describing what data is shared.

Why it happens with Stripe: Stripe's infrastructure is hidden from users (they never see Stripe's domain in most flows), so founders assume they can stay vague. GDPR Articles 13/14 explicitly require naming the processor and data categories; CCPA Section 1798.100(d) requires disclosure of third parties who receive data. Regulators and auditors specifically check payment policy language because it's high-risk.

Consequence: Regulatory fines (GDPR: up to €20 million or 4% of revenue; CCPA: up to $7,500 per violation), customer complaints, and failure of privacy audits.

Pitfall 2: No Data Processing Agreement (DPA) in place

The mistake: Integrating Stripe without executing Stripe's DPA, assuming the privacy policy alone suffices.

Why it happens with Stripe: Stripe's DPA is easy to overlook because Stripe doesn't require an explicit "signature" in the traditional sense—it's accepted via Stripe's dashboard or email. Small teams confuse having Stripe's privacy link with having a DPA.

Consequence: GDPR non-compliance (Article 28 requires a written contract). Data Protection Authorities (e.g., CNIL, ICO, DPA in Austria) will flag this immediately in an audit. Fines and processing suspension.

Pitfall 3: Over-consenting for fraud-prevention cookies

The mistake: Requiring users to consent to `__stripe_mid` and `__stripe_sid` via a cookie banner, when they should be treated as strictly necessary and exempt from consent under ePrivacy Directive Article 5(3) and UK-PECR.

Why it happens with Stripe: Cookie-consent platforms default all cookies to "marketing" or "analytics," and teams don't audit Stripe's cookie list. Or teams apply blanket consent policies without mapping which Stripe cookies are necessary vs. optional.

Consequence: False consent claims (regulators check this), poor UX (unnecessary consent walls), and potential fines for misclassifying necessary cookies as optional.

Privacy policy clauses for Stripe

What data Stripe collects

When does Stripe trigger privacy obligations?

Installation triggers immediate data flows

Regulations triggered by payment processing

First concrete step

Where data goes

Cookies set by Stripe

Common compliance pitfalls

Pitfall 1: Missing or vague processor disclosure in privacy policy

Pitfall 2: No Data Processing Agreement (DPA) in place

Pitfall 3: Over-consenting for fraud-prevention cookies

Legal note

Sample privacy policy clause

What regulators look for

Priority audit areas

Frequently asked questions

Does Stripe require disclosure in my privacy policy?

What specific data does Stripe collect from my customers?

Does Stripe require a cookie consent banner?

Where is my payment data transferred, and who controls it?

Don't ship without Bandit.