Stripe

Payment processor for e-commerce and mobile applications.

5.3/10

How we calculate ratings →

Handling

Does the policy allow personally-targeted or behavioral marketing? Yes

0/10

Score

Yes

Yes, but you may opt-out

35%

Yes, but you must opt-in

70%

100%

Citation

We may use your Personal Data to assess your eligibility for, and offer you, other End User Services or promote existing End User Services. Where allowed by law (including with your opt-in consent where required), we use and share End User Personal Data with others so that we may market our End User Services to you, including through interest-based advertising.

If you have begun a purchase, we share Personal Data with that Business User in connection with our provision of Services and that Business User may use your Personal Data to market and advertise their products or services, subject to the terms of their privacy policy. Please review your merchant’s privacy policy to learn more, including your rights to stop their use of your Personal Data for marketing purposes.

Where allowed by applicable law, we use and share Representative Personal Data with others so that we may advertise and market our Services to you. Subject to applicable law (including any consent requirements), we may advertise to you through interest-based advertising and emails and seek to measure the effectiveness of our ads.

As allowed by law, we use and share Visitor Personal Data with others so that we may advertise and market our Services to you. Subject to applicable law (including any consent requirements), we may advertise our Services to you through interest-based advertising and emails, and seek to measure the effectiveness of our ads.

Does the service allow you to permanently delete your personal data? Yes, by contacting someone

3/5

Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as "permanently deleted" and satisfies the parameters for this question.

Score

Yes, by contacting someone

60%

Yes, using an automated mechanism

100%

N/A

The service doesn't collect any personal information.

100%

Citation

If you have a Stripe user account, you can close your account in the settings of your Stripe dashboard. [...] Once you complete the account closure steps, we will delete your data in accordance with applicable law.

If you signed up for Link on the Link website or when you’ve made a purchase from a business that uses Link, you can delete your account by going to the settings page on the Link website, or by following this guide.

If you are a customer who’s had your identity verified by a Stripe Identity user(s), we need to verify and authenticate your request in order to delete your information. In order to authenticate your request, please send an email to privacy@stripe.com to begin the process. Please include the name and date of birth that you submitted (either by way of ID document or keyed-in data), along with the names and websites of your merchant(s) who verified you via Stripe Identity.

When does the policy allow law enforcement access to personal data? When reasonably requested

3/5

Score

Always

This includes cases in which law enforcement either runs the service or has a known backdoor into (or relationship with) the service.

Not specified

When reasonably requested

60%

Only when required by a court order or subpoena

80%

N/A (no personal data to share)

The service would have no personal data to share with law enforcement.

100%

Never (special legal jurisdiction)

The service operates in a jurisdiction in which sharing data with law enforcement is never required.

100%

Citation

We share Personal Data as we believe necessary: [...] (v) to respond to valid legal process requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.

In certain situations, we may be required to disclose Personal Data in response to lawful requests from officials (such as law enforcement or security authorities).

Does the service allow third-party access to private personal data? Yes, all parties specified (including non-critical service providers such as advertisers)

3/10

This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).

Note that whether the policy allows sharing aggregated user data does not affect this question.

If the personal data is encrypted when it passes through the third-party, it does not count as third-party access (as the data is inaccessible to that party).

If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).

Score

Yes

The policy allows sharing personal data with third parties (not just critical service providers), and does not explicitly list the third parties.

Yes, all parties specified (including non-critical service providers such as advertisers)

30%

Yes, not all parties specified (but only to critical service providers)

70%

Yes, all parties specified (only to critical service providers)

80%

100%

Notes

A list of their sub-processors and service providers can be found here.

Some providers listed, such as Marketo and Google, are used for marketing and analytical tracking purposes, respectively.

Transparency

Does the policy require users to be notified in case of a data breach? Not necessarily

0/7

Is the policy's history made available? Only the date it was last modified

3/5

Will affected users be notified when the policy is meaningfully changed? Yes

5/5

Does the policy outline the service's general security practices? Somewhat

1/3

Score

Somewhat

The policy provides only a very vague overview of its security practices.

30%

Yes

60%

Yes, including audits

"Reviews," "monitoring," etc. also count as audits.

80%

Yes, including independent audits

Independent "reviews," "monitoring," etc. also count as independent audits.

100%

N/A

The service doesn't collect any personal information.

100%

Citation

We make reasonable efforts to provide a level of security appropriate to the risk associated with the processing of your Personal Data. We maintain organizational, technical and administrative measures designed to protect Personal Data covered by this Policy against unauthorized access, destruction, loss, alteration or misuse. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure.

Notes

Stripe is a certified PCI Service Provider, though that shouldn't justify their lack of a proper overview of their security practices.

Collection

Is it clear why the service collects the personal data that it does? Yes

10/10

Does the policy list the personal data it collects? Yes, generally

7/10

Score

The policy does not claim to not collect personal data, but it also doesn't provide any meaningful insight into the types of personal data it collects.

Only summarily

The policy uses overly vague language to provide a summary of the types of collected personal data.

30%

Yes, generally

All general categories of collected personal data are listed, though not all types of personal data are explicitly mentioned (for example, the list might use a phrase like 'such as' when listing types of personal data).

70%

Yes, exhaustively

All types of collected personal data are listed specifically

100%

N/A (no personal data is collected)

100%

Notes

While their list seems exhaustive in size, it is filled with vague wording like "such as" and "for example", making it difficult to verify so.

Does the service allow the user to control whether personal data is collected or used for non-critical purposes? On an opt-out basis, for all non-critical data/uses

6/10

Does the service collect personal data from third parties? Yes, but for critical data only

7/10

Last Updated

August 8, 2023

Sources

Source #1 ↗

Contributors

Deivedux