stripe.com
198.137.150.81  Public Scan

Submitted URL: http://m.stripe.com/
Effective URL: https://stripe.com/legal/privacy-center
Submission: On August 05 via api from AE — Scanned from US

Form analysis 0 forms found in the DOM

Text Content


STRIPE PRIVACY CENTER


WELCOME TO THE STRIPE PRIVACY CENTER

Stripe respects the privacy of everyone that engages with our platform, and we
are committed to being transparent about our privacy processes and policies. We
are a platform that enables millions of businesses, and in order to provide our
services to our Business Users and End Users, we collect and process personal
data.

The Stripe Privacy Center contains the answers to frequently asked questions
about how we collect and use personal data, the rights that individuals have in
relation to personal data held by Stripe, and how Stripe complies with
international data protection laws.

All materials have been prepared for general information purposes only. The
information presented is not legal advice, is not to be acted on as such, may
not be current and is subject to change without notice.

Below is a list of terms that will help “you” navigate the Privacy Center:

| “YOU” | MEANING | STRIPE EXAMPLES |
| --- | --- | --- |
| Business User | Stripe provides services to entities (“Business Users”) who directly and indirectly provide us with “End Customer” Personal Data in connection with those Business Users’ own business and activities. | Stripe user or merchant; Platform User; Connect Accounts |
| End Customer | When you do business with, or otherwise transact with, a Business User (typically a merchant using Stripe Checkout, e.g. when you buy a pair of shoes from a merchant that uses Stripe for payment processing) but are not directly doing business with Stripe, we refer to you as an “End Customer.” | Individual using Identity; Cardholder using Checkout |
| End User | When you directly use an End User Service (such as when you sign up for Link, or make a payment to Stripe Climate in your personal capacity), for your personal use, we refer to you as an “End User.” | User of Link; Personal contributor to Stripe Climate |
| Representative | When you are acting on behalf of an existing or potential Business User (e.g. you are a founder of a company, or administering an account for a merchant who is a Business User), we refer to you as a “Representative.” | Beneficial owner; Shareholder, officer, director; Account representative |
| Visitor | When you visit a Site without being logged into a Stripe account or otherwise communicate with Stripe, we refer to you as a “Visitor.” (e.g. you send Stripe a message asking for more information because you are considering being a user of our products). | Stripe Sessions attendee; Stripe Site visitor |


CONTENTS


HOW WE COLLECT, DISCLOSE, AND USE PERSONAL DATA

 * Is Stripe acting as a data controller or a data processor?
   
 * Which Stripe entities are involved?
   
 * What are your data controller activities?
   
 * How does Stripe use personal data to improve its products and services?
   
 * As a Stripe User and as a data controller, what does GDPR mean for me?
   
 * Who are Stripe’s sub-processors and how are they vetted?
   
 * From where does Stripe collect information used for fraud prevention and
   security purposes?
   
 * How does Stripe use Personal Data to prevent fraud?
   
 * I heard that Stripe is collecting additional information about my account
   from a third party and/or my other Stripe account(s). Why is Stripe
   collecting this information?
   
 * Does Stripe collect precise location data?
   
 * In addition to its sub-processors, what other third parties does Stripe share
   information with?
   
 * What Business User and Representative data does Stripe share with a payment
   method to facilitate Business Users’ enabling the payment method?
   
 * What data about End-Customers and their transactions is used by Radar and
   what data does Stripe share with its Radar Business Users?
   
 * As a Business User, what notice do I provide to my End Customers about
   Stripe?
   
 * Are there any jurisdictional nuances to Stripe’s use of service providers in
   verifying the identity of Stripe’s business users?
   
 * Data Obtained from Third Parties
   
 * Does Stripe Record Calls?
   


U.S. PRIVACY DISCLOSURES

 * Categories of Personal Information Collected and Disclosed Under the CCPA
   
 * What sensitive personal information under the California Consumer Privacy Act
   (CCPA) does Stripe collect and for what purposes does Stripe use that data?
   
 * Does Stripe “sell” or “share” my personal information under the CCPA?
   
 * How long will Stripe keep my data?
   
 * California Privacy Rights Metrics
   


STRIPE LEGAL BASES TABLES

 * What legal basis does Stripe rely on to process personal data as a data
   controller?
   
 * End Users
   
 * End Customers
   
 * Representatives
   
 * Visitors
   


DATA PROCESSING AGREEMENT

 * What is a Data Processing Agreement (DPA) and how can I get one with Stripe?
   


INFORMATION ABOUT STRIPE PRODUCTS

 * How do you implement Privacy by Design at Stripe?
   
 * Stripe Identity
   
 * Stripe’s Card Image Verification
   
 * Stripe Connect At a Glance
   
 * I am a user with a Custom connected account. Does Stripe also collect
   information about my Custom connected account from a third party?
   
 * What responsibilities do Connect platforms with custom accounts have to allow
   their users to update or correct information associated with their accounts?
   
 * I am a user with a Custom connected account. Will data collected from a third
   party be visible to my customers?
   
 * What are Stripe ACS, Transaction Authentication, and Behavioral Biometrics?
   
 * Promotional Emails Feature
   
 * Stripe Delegated Authentication
   
 * Link
   
 * Stripe Capital
   
 * Financial Connections
   
 * Are there instances when Stripe receives non-Stripe transaction history?
   
 * Refunds to End Customer Bank Account
   
 * Stripe Frontier
   


DATA PROTECTION OFFICER

 * Does Stripe have a Data Protection Officer (DPO)?
   
 * Quebec Act
   


INTERNATIONAL DATA TRANSFERS

 * How is Stripe dealing with its international data transfers?
   
 * Is Stripe certified under the EU-U.S Data Privacy Framework?
   
 * How does Stripe’s certification under the EU-U.S. DPF impact my organization?
   
 * How do the SCCs and UK Addendum impact my organization?
   
 * How to get a copy of the SCCs or UK Addendum?
   


YOUR RIGHTS AND CHOICES

 * How do I exercise my data protection rights?
   
 * When does Stripe continue to process data after it has received a deletion
   request or objection to the processing?
   
 * What data may be shared or made available to enable me to see Stripe ads on
   other sites?
   
 * Does Stripe honor the Global Privacy Control (GPC) opt-out preference signal?
   
 * Can I turn off tracking and advanced fraud signals?
   
 * How do I delete my account?
   
 * How do I delete my Custom Connect account?
   
 * How do I delete my Express Connect account?
   
 * How long will Stripe keep my data?
   
 * What is the Privacy Policy for Stripe Media Services?
   
 * Does Stripe localize storage of data in India?
   
 * Where can I lodge my complaint on data handling in India?
   
 * Notification IT Rules 2021
   


COOKIES & OTHER TECHNOLOGY

 * How does Stripe use cookies?
   
 * What is Stripe.js?
   
 * What are advanced fraud signals?
   
 * Why are advanced fraud signals not ad tracking?
   
 * What obligations should merchants keep in mind relating to cookie technology
   on their sites?
   
 * How does Stripe remember payment method details for Link?
   
 * What obligations should Link users keep in mind relating to cookie technology
   on their sites?
   
 * Does Stripe use CAPTCHA to protect its website from fraud and abuse?
   


CONTACT US

 * Contact our Privacy Team
   
 * Where can I learn more about Stripe’s security practices?
   


HOW WE COLLECT, DISCLOSE, AND USE PERSONAL DATA


IS STRIPE ACTING AS A DATA CONTROLLER OR A DATA PROCESSOR?

The answer is both.

The “data controller” is the entity which determines the purposes and means of
the data processing taking place. The “data processor” is an entity acting on
behalf and under the instructions of a controller in processing personal data.

Stripe is a data controller when it determines the purposes and means of the
processing taking place. These data processing activities include (1) providing
the Stripe products and services, (2) monitoring, preventing and detecting
fraudulent payment transactions and other fraudulent activity on the Stripe
platform, (3) complying with legal or regulatory obligations applicable to the
financial sector to which Stripe is subject, and (4) analyzing, developing and
improving Stripe’s products and services. Please see this Privacy Center
article for more information on Stripe’s controller activities.

Stripe is a data processor where it is facilitating payment transactions on
behalf of and at the direction of a Business User. Our Business Users direct us
to take payment from cardholders / End Customers.

Stripe is considered a processor when directed to process payments (i.e., Stripe
receives instructions about whom to pay, how much to pay, when to pay).

As a platform provider, we need to ensure consistency across our platform, and
that includes consistency with respect to the commitments that we give about how
we operate our platform. We contract with all of our Business Users (including
some of the world’s largest companies) on this basis.


WHICH STRIPE ENTITIES ARE INVOLVED?

For most of our services, the data controller responsible for Personal Data
collected and processed in relation to Stripe Services is either Stripe, Inc.,
the US parent company operating under US law, or Stripe Payments Europe, Limited
(“SPEL”), an Irish company operating under Irish law.

The Stripe entity responsible for your data will depend on your location, the
product or service you use with us and whether Stripe is acting as a controller
and/or data processor.

If you are located outside of the Americas (e.g., European Economic Area
(“EEA”), Switzerland or the United Kingdom, countries located in Asia Pacific
(“APAC”)), SPEL is the primary entity responsible for the processing of your
personal data. Some of the payment processing services offered by Stripe are
services that may be only provided for by an authorised payment services
provider or electronic money institution. In this case, SPEL and the Stripe
local regulated entity (defined as those who are licensed, authorized or
registered by a Local Regulatory Authority) will act as joint controllers of
your Personal Data.

Please see our table below for more information on who is your controller in
these jurisdictions:

| LOCATION OF USER | PURPOSE OF PROCESSING | NAME OF STRIPE ENTITY | LOCATION OF STRIPE ENTITY |
| --- | --- | --- | --- |
| EEA | Provision of certain authorised payment services in the EEA and Switzerland. Please see https://stripe.com/ie/ssa | Stripe Technology Europe, Limited (the e-money licensed entity with the Central Bank of Ireland) | Ireland |
| EEA | All other activities. | SPEL | Ireland |
| United Kingdom & Switzerland | Provision of authorised payment services in the UK. Please see https://stripe.com/gb/ssa | Stripe Payments UK, Ltd. (the e-money licensed entity with the UK FCA) | United Kingdom |
| United Kingdom & Switzerland | All other activities. | SPEL | Ireland |
| United Kingdom | Provision of Stripe Capital product and related services to Stripe users in the UK. | Stripe Capital Europe, Limited | Ireland |

Stripe affiliates also provide local support services in certain countries where
Stripe operates. These entities act as data processors on behalf of Stripe, Inc.
or SPEL, depending on the jurisdiction. You will find the most up-to-date list
of the Stripe affiliates on this page.

For certain products, Stripe may act as an independent controller (e.g. Stripe
Capital), a data processor or both (e.g. Stripe Identity). Please see the
Privacy Center article for each specific product for more information.


WHAT ARE YOUR DATA CONTROLLER ACTIVITIES?

 * Providing the Stripe products and services to Business Users and End Users,
   including determining the third parties (banks and payment method providers)
   to be utilized;
 * Monitoring, preventing and detecting fraudulent payment transactions and
   other fraudulent activity on the Stripe platform;
 * Complying with legal or regulatory obligations applicable to the financial
   sector to which Stripe is subject, including applicable anti-money laundering
   screening and compliance with know-your-customer obligations; and
 * Analyzing, developing and improving Stripe’s products and services.


HOW DOES STRIPE USE PERSONAL DATA TO IMPROVE ITS PRODUCTS AND SERVICES?

Stripe collects data, including personal data, while providing services to its
users.  Stripe uses some of the data it collects to improve its products and
services, including by training the models it employs for fraud and loss
prevention and to analyze the performance of Stripe’s products as permitted by
applicable law and agreements.  

Personal data is required to train Stripe’s fraud and loss prevention models,
including those employed by Stripe Radar and Stripe Identity.  These products
rely in part on their ability to recognize certain characteristics that help
determine whether a transaction is fraudulent or unlikely to complete.  For
example, they compare Personal Data presented in a specific transaction to
Personal Data collected in the past to identify when a fraudster is attempting
to perpetrate fraud, including to impersonate a Stripe User or their End
Customers.  

In addition to using Personal Data to train its fraud and loss prevention
models, Stripe also uses transaction data to assess the functioning of its
current products and proposed product improvements. For instance, Stripe uses
data collected by its JavaScript library Stripe.js to assess the performance of
the checkout surfaces it provides to Business Users, and payment authorization
data to evaluate ways to improve authorization rates for Business Users. Stripe
uses Personal Data, such as IP address, to identify which pages and features a
user interacted with during a checkout session, so that it can assess the effect
different features have on the outcome of a checkout session.  

Stripe uses pseudonymized or aggregated transaction data for these purposes in
certain circumstances.  When Stripe communicates the results of its product
performance analytics to Business Users or for advertising purposes, it does so
only in aggregated or de-identified form that does not permit third-parties
outside of Stripe to associate that data with any particular End Customers.

You should consult your legal counsel regarding how best to disclose Stripe’s
data usage to your customers.  But, here is a paragraph you could add to your
privacy policy if it doesn’t already include such a disclosure:

 * We use Stripe for payments, analytics, and other business services.  Stripe
   may collect personal data including via cookies and similar technologies. 
   The personal data Stripe collects may include transactional data and
   identifying information about devices that connect to its services. Stripe
   uses this information to operate and improve the services it provides to us,
   including for fraud detection, loss prevention, authentication, and analytics
   related to the performance of its services.  You can learn more about Stripe
   and read its privacy policy at https://stripe.com/privacy.


AS A STRIPE USER AND AS A DATA CONTROLLER, WHAT DOES GDPR MEAN FOR ME? 

As a data controller, Business Users are responsible for the relationship with
the data subject (i.e., your End Customer). You may instruct a third party (like
Stripe) to process the data, but it is your job to set the purpose (or
objectives) and legal basis for the processing.

The GDPR requires data controllers to use third parties who agree to abide by
certain contractual terms. To be sure of this, the data controller must have
Data Processing Agreements (“DPAs”) with each third party. Our DPA has been
designed to serve this purpose for you; it is strongly aligned with payment
transactions, so it should establish that you are compliant with GDPR from a
payments perspective.


WHO ARE STRIPE’S SUB-PROCESSORS AND HOW ARE THEY VETTED?

Please see our service providers page where we have a list of our most common
sub-processors, service providers and affiliates. Stripe identifies, evaluates,
and engages sub-processors through our vendor management program. We enter into
a contract with each sub-processor prior to sharing data with the sub-processor,
and each contract contains terms that provide for monitoring and audit. In
addition, all potential vendors are vetted and approved through Stripe’s
security review process before we begin using their services.


FROM WHERE DOES STRIPE COLLECT INFORMATION USED FOR FRAUD PREVENTION AND
SECURITY PURPOSES?

To prevent fraud and strengthen our security, we may collect information from
Business Users, End Customers, End Users, financial parties, and in some cases
third parties. For example, we collect and analyze information that helps us
identify bad actors and bots, including both transactional data (such as amount,
customer shipping address, date, and so on) and advanced fraud detection signals
(device and activity signals). Learn more.

Stripe also receives information from third parties to prevent and respond to
security incidents, and for protecting against other fraudulent activity. For
example, we may receive information from third parties about IP addresses that
malicious actors have compromised. Stripe may use Representatives' Personal Data
provided at onboarding to query third party databases regarding fraud and risk
signals associated with that data.  The third party providers operating these
databases may use Stripe’s experience with the Personal Data queried to inform
their fraud and risk signals.


HOW DOES STRIPE USE PERSONAL DATA TO PREVENT FRAUD?

The Stripe products that use Personal Data to enable Stripe’s Business Users to
detect and prevent fraud include Stripe Radar, Stripe Identity, and Stripe
Merchant Risk Tooling.  Stripe also employs internal risk models and other
product features, such as 3D Secure incorporated into Stripe’s Issuing product,
to prevent its products and services from being used for fraudulent activity. 

Stripe Radar processes personal data as described here using its machine
learning model to produce scores indicating the likelihood that a payment method
is being offered by someone other than an authorized user. These scores are
designed to identify fraudulent transactions; they do not rate the character or
creditworthiness of the individuals involved in a particular transaction. Based
on the service selected by the Business User, Stripe may provide the Radar
scores to its Business Users to help them to combat fraud and provide a
mechanism for them to set rules to better manage transactions based on Radar
scores and other indicators of fraud.

Stripe Identity uses Personal Data, as described here, to combat fraud by
enabling Business Users to verify whether the person they are transacting with
is who they say they are. Identity compares biometric identifiers in a selfie
against government issued ID. Identity can also validate Personal Data, such as
name, date of birth, and government ID number, that an End Customer types into a
web form against government and third-party databases to determine if the
identity presented matches the government issued ID number.

Stripe’s internal risk models seek to combat fraud by recognizing when a
fraudster is attempting to use Stripe’s services for fraudulent purposes. For
instance, Stripe uses Radar scores internally to determine whether a payment
method offered to Stripe products such as Link, Frontier, Crypto Onramp, and
Bill Pay should be accepted or rejected as likely fraudulent.  Stripe’s internal
risk models also use aggregated cardholder features to recognize when a large
number of transactions are likely being conducted by the same individual for
purposes of testing or cashing out stolen payment methods. Where Stripe
recognizes such activity, it will block transactions to prevent harm to itself,
its users, and others.

Stripe Merchant Risk Tooling leverages Stripe’s internal risk models to help
Stripe Connect Platforms identify indicators of potential fraud associated with
their Connected Accounts. Merchant Risk Tooling produces reasoned scores that
identify to Platforms’ internal fraud teams when there are indicators consistent
with a Connected Account attempting to use the Platform’s services (and Stripe)
for fraudulent purposes. These scores are designed to supplement the Platforms’
due diligence related to their Connected Accounts and their business
activities.  They do not score the character or creditworthiness of the
individuals involved in the Connected Accounts’ operations. The data factored
into Merchant Risk Tooling includes payments transaction data, business
representative details (such as IP address, physical address, and e-mail
address), business website content, and other information regarding the
businesses Business Users operate on Stripe.

Along with attempting to combat fraud at the merchant and Stripe-wide levels as
described above, Stripe also incorporates features in its individual products
that use Personal Data to prevent fraud. One such feature is 3D Secure
authentication, incorporated in Stripe Issuing.  This feature is required by law
in certain jurisdictions and requires cardholders to authenticate using one or
more factors before they can complete an online transaction.  Stripe and its
service providers use and store personal data including cardholder PANs, contact
information, and transaction history to authenticate cardholders using one-time
passcodes and knowledge of past transactions. These measures help combat fraud
by increasing the likelihood that the person offering a card for payment is an
authorized user.


I HEARD THAT STRIPE IS COLLECTING ADDITIONAL INFORMATION ABOUT MY ACCOUNT FROM A
THIRD PARTY AND/OR MY OTHER STRIPE ACCOUNT. WHY IS STRIPE COLLECTING THIS
INFORMATION?

Stripe may collect additional information about your account to allow Stripe and
its financial partners to detect fraud and/or fulfill financial compliance
requirements. These requirements come from our financial partners or regulatory
obligations and are intended to prevent abuse of the financial system. Examples
of missing data fields include your address, phone number, social security
number, date of birth, employer identification number, or website URL. Stripe
may be able to fill in some of this information by leveraging data we have
collected from one of your other Stripe accounts or by obtaining data from a
third party. We will show Business Users the information that we are associating
with their account on your dashboard, and Business Users may update or correct
that information via your dashboard. Please see Stripe’s Privacy Policy for
additional information.


DOES STRIPE COLLECT PRECISE LOCATION DATA?

Devices such as mobile phones or computers may collect precise location data
using GPS technology.  Stripe does not collect GPS data from devices and
browsers. 

Depending on the Services you use and the Business Users’ implementation of our
Business Services, we will collect information (including IP addresses) through
cookies and similar technology. We will collect your IP address when you visit
our Sites. Please see our Cookie Policy to learn more. Stripe may use location
information, including approximate latitude and longitude, derived from End
Customers’ IP addresses to detect potentially fraudulent transactions.

We also receive approximate location information (such as country, city or
state) from third party providers such as MaxMind to help us determine the
approximate location of visitors to our website for marketing purposes (for
example, inviting you to local Stripe events).


IN ADDITION TO ITS SUB-PROCESSORS, WHAT OTHER THIRD PARTIES DOES STRIPE SHARE
INFORMATION WITH?

When we work with service providers in our capacity as a data processor for our
Business Users’ and End Users’ personal data, the GDPR calls these third-party
service providers sub-processors. Sub-processors are service providers who have
or potentially will have access to or process personal data on behalf of Stripe.
These third parties are disclosed on our Stripe Service Providers List.

In addition to Stripe’s sub-processors, we may also share Business Users’
onboarding data and payment instrument information with third party business
partners when this is necessary to provide our services to our Business Users.
We do so, for example, for the purposes of offering payment processing services
to our Business Users or facilitating payment settlements.

Third parties to whom we may disclose personal data for this purpose are banks,
payment method providers and payment processors, including, but not limited to,
the following entities:

 * American Express Payment Services Limited and American Express Payments
   Europe S.L.
 * Banking Circle S.A.
 * Barclays Bank PLC
 * Citibank Europe plc
 * Credit Mutuel Arkea and Arkea Banking Services
 * Currence iDEAL B.V.
 * Klarna AB
 * Mastercard Europe S.A.
 * Polski Standard Płatności
 * PPRO Financial Ltd.
 * Swisscard AECS GmbH
 * Visa Europe Limited

The data shared with payment method providers will depend on the payment
method(s) enabled on the Business User’s account.

In addition, Stripe shares personal data as we believe necessary to, among other
things, protect Stripe’s services, rights, privacy, safety and property of
Stripe, our users or others. For example, to protect our services, Stripe may
receive or disclose information about IP addresses that malicious actors have
compromised.

Please note that if you provide us with your payment method information (e.g. a
card number and expiration date) to store on file, Stripe will update your card
information if your information has changed or been updated to ensure your
transactions go through smoothly, including by working with your card issuer. If
you would prefer to not have your updated payment method details shared with us,
please reach out to your card issuing bank.

TRANSFER

Stripe will pass on personal data to affiliates and service providers or
sub-processors, if deemed strictly necessary to carry out contractual
obligations or for the data to be processed. Depending on the enabled payment
method(s), data may be transferred to the jurisdiction(s) of the respective
payment method(s). Before we engage any third party, we perform due diligence,
including a vendor security assessment. All of our service providers are subject
to contract terms designed to ensure that these service providers process
personal data only for the purposes of providing services to Stripe and in
accordance with our commitments to Users and applicable data protection laws.
Moreover, Stripe maintains and enforces a security program that addresses the
management of security and the security controls employed by Stripe, which
includes third party risk management. In addition, Stripe employees, agents, and
contractors acknowledge their data security and privacy responsibilities under
Stripe’s policies.

FINANCIAL CONNECTIONS

If you are an End Customer who has been asked to link your financial account
using Stripe, please visit the support webpage here to learn more about our
privacy practices. Or you can jump to the specific topics linked here:

 * Linking my financial account and consent
 * Data collected, stored, and shared from my linked account
 * How Stripe accesses data from my linked account
 * Relationship between Stripe and its service providers
 * Data security
 * Who can access data from my linked account and for what purposes
 * Who will obtain my login credentials
 * Requesting disconnection or data deletion
 * Correcting my financial account information


WHAT BUSINESS USER AND REPRESENTATIVE DATA DOES STRIPE SHARE WITH A PAYMENT
METHOD TO FACILITATE BUSINESS USERS’ ENABLING THE PAYMENT METHOD?

Stripe makes it possible for its Business Users to enable payment methods
including card networks such as Visa and MasterCard, mobile and online payment
methods such as WeChat Pay and Alipay, and buy now pay later providers such as
Klarna and Afterpay.  Certain payment methods are enabled by default when you
onboard with Stripe. After onboarding, for eligible users, Stripe may enable
additional payment methods after notifying you. Your Stripe dashboard allows you
to enable or disable payment methods at any time. 

Stripe may share information regarding a Business User and the Business User’s
Representative with a payment method provider when a payment method is enabled
and when Stripe processes transactions involving the payment method. The payment
method provider may require Business Users’ and their Representatives' Personal
Data for a number of purposes, including complying with know your customer
(KYC), anti-money laundering, and other legal and compliance requirements,
preventing fraud, facilitating transactions, providing services to Business
Users, and servicing the payment method’s platform. For these purposes, Stripe
may provide payment method providers with Business User data, including but not
limited to business name, business type, merchant category codes, merchant ID,
transaction history, bank account information, and other transaction specific
information such as product type and tax amount that Stripe ascertains from that
data.  Stripe may also provide payment methods with Business Users’
Representatives’ personal data, including name, address, contact information,
date of birth, tax identification number, and other government issued ID
information. The information Stripe shares with payment method providers is data
that Stripe has collected from the merchant or ascertained from data provided by
the merchant.


WHAT DATA ABOUT END-CUSTOMERS AND THEIR TRANSACTIONS IS USED BY RADAR AND WHAT
DATA DOES STRIPE SHARE WITH ITS RADAR BUSINESS USERS?

When processing payments, it’s valuable to Stripe, Business Users and End
Customers to enable legitimate transactions while also trying to prevent
fraudulent transactions, making online purchases safer for everyone involved.
Radar helps detect potentially fraudulent transactions for Stripe’s Business
Users (i.e., merchants) through machine learning and other techniques. To do
this, Radar leverages data collected across our Services.

Radar’s machine learning model produces transaction “scores” indicating the
model’s assessment of the likelihood that a transaction is fraudulent.  Business
Users can leverage this score and use it to implement automated rules to
determine whether to allow, block, or flag transactions for additional review.
Business Users can use Radar as one of multiple inputs in making decisions with
respect to the potential for fraud in a transaction.

Radar uses data collected about the End Customer from various sources, including
payments transaction data, advanced fraud detection data, Bank Connections data,
IP address, and physical address information. Radar uses this data to assess
whether the payment method offered by the End Customer is likely unauthorized.

Stripe may share with the Business User and allow them to export (where allowed
by Law) certain information relevant to fraud detection, including:

 * a transaction score that assesses the likelihood of the transaction becoming
   a fraudulent charge-back,
 * risk insights for that transaction,
 * related payments made by the End-Customer to the Business User,
 * other transaction data related to that End-Customer’s transaction with that
   Business User (e.g., cardholder name, card information, and the payment
   amount and date),
 * device and browser information for the device used to make the transaction
   with that Business User, and
 * aggregated benchmarks.


AS A BUSINESS USER, WHAT NOTICE DO I PROVIDE TO MY END CUSTOMERS ABOUT STRIPE?

Under the terms of our agreements, Business Users are required to provide all
necessary notices and obtain all necessary rights and consents from their End
Customers to enable Stripe to lawfully collect, use, retain and disclose the
Personal Data as part of the Stripe Services. Business Users, as data
controllers, are responsible for the contents of their privacy notice and cookie
banner. As an example, here is a paragraph that you can consider adding to your
privacy notice (if you don’t already have such a disclosure):

We use Stripe for payments, analytics, and other business services. Stripe may
collect personal data including via cookies and similar technologies. The
personal data Stripe collects may include transactional data and identifying
information about devices that connect to its services. Stripe uses this
information to operate and improve the services it provides to us, including for
fraud detection, loss prevention, authentication, and analytics related to the
performance of its services. You can learn more about Stripe and read its
privacy policy at https://stripe.com/privacy.

Please be aware that the disclosure above is for illustrative purposes only and
is not legal advice. Please talk to your legal advisor to understand how to
comply with your obligations under applicable law.

To comply with our transparency obligations, we explain how our cookies are used
in our Cookie Policy and our Cookies Settings Dashboard sets out our list of
cookies. We remind our Business Users to review the cookies placed on their
website and to update their cookie banners accordingly.


ARE THERE ANY JURISDICTIONAL NUANCES TO STRIPE’S USE OF SERVICE PROVIDERS IN
VERIFYING THE IDENTITY OF STRIPE’S BUSINESS USERS?

GERMANY

Stripe, through its service providers, may use information from infoscore
Consumer Data GmbH to verify the identity of Stripe Business Users in Germany. 
Information about infoscore Consumer Data GmbH is available here.


DATA OBTAINED FROM THIRD PARTIES

If you have been notified by Stripe that we obtained your data from a third
party, the following applies:

 * Your Personal Data will be processed in accordance with Stripe’s Privacy
   Policy, which describes:
   * the identity and the contact details of Stripe;
   * the contact details of Stripe’s Data Protection Officer;
   * the purposes of the processing for which the Personal Data are intended as
     well as the legal basis for the processing, which includes prospecting and
     direct marketing, as permitted under applicable law;
   * the recipients or categories of recipients of the Personal Data. In
     addition to the recipients mentioned in the Stripe Privacy Policy, Personal
     Data may be shared with Salesloft, Inc. as a processor of Stripe;
   * that Stripe intends to transfer Personal Data to a recipient in a third
     country and a reference to the appropriate or suitable safeguards and the
     means to obtain a copy of them or where they have been made available (see
     here and here for more information);
   * the period for which the Personal Data will be stored and/or the criteria
     used to determine that period;
   * the existence of the right to request from Stripe access to and
     rectification or erasure of Personal Data or restriction of processing
     concerning the data subject and to object to processing as well as the
     right to data portability or any other applicable rights under data
     protection laws (see also here);
   * the right to lodge a complaint with a supervisory authority.
 * We may have obtained the following Personal Data from third parties: name,
   business contact details (e.g., email, phone number, social media handle),
   business address, company/employer information, role and position, and
   industry.  
 * We obtain Personal Data from a number of third parties, including
   Cognism Limited, ZoomInfo Technologies Inc., API Hub, Inc. dba Clearbit,
   Crunchbase Inc., PitchBook Data, Inc., infoAnalytica, Inc., People Data Labs,
   Inc., and Dealroom.co. These third parties collect Personal Data as separate
   controllers in accordance with their own privacy policies. If you wish to
   have your data removed from their respective database(s), please contact
   those parties directly. Some of these parties may have obtained your data
   from publicly accessible sources. 
 * We do not use Personal Data we have obtained from third parties for automated
   decision-making. 
 * Where Stripe relies on legitimate interest to process your Personal Data,
   such legitimate interest may be:
   * B2B market research and analysis;
   * B2B prospecting and selling; and
   * B2B marketing and advertising.


DOES STRIPE RECORD CALLS?

In some situations, we may record voice or video calls we have with you. At the
start of the call, we disclose the fact that a call is being recorded and,
unless we are required to record the call, will ask for your consent to record
the call and/or offer you the option to decline the call being recorded. We may
use third-party systems to record calls, including Zoom and Salesloft.

The call recordings will be processed for the purposes stated at the start of
the call, typically for quality and training purposes, and in accordance with
Stripe’s Privacy Policy. We enable you to exercise your rights as a data subject
under applicable law with respect to these recordings as set out in Stripe’s
Privacy Policy. In the event that you request a copy of the recording, Stripe
may provide you with a redacted copy of the recording, or a (redacted)
transcript of the recording, where appropriate, and as permitted under
applicable law. 

We normally retain call recordings for up to 1 year, and for Zoom recordings,
180 days. User support related phone calls are normally retained for 5 years as
Stripe is under a legal obligation to keep this data for 5 years.

After this, call recordings will be deleted, unless we have a valid legal ground
to keep the call recordings for a longer period of time.


U.S. PRIVACY DISCLOSURES


CATEGORIES OF PERSONAL INFORMATION COLLECTED AND DISCLOSED UNDER THE CCPA

Below are the categories of data we have collected and how that information has
been used in the last 12 months. We also disclosed this data for a business
purpose within the preceding 12 months.

CATEGORIES OF PERSONAL INFORMATION COLLECTED

 * Identifiers (e.g., a device identifier)
   * Purposes: Identity verification, fraud prevention and security, to provide
     and advertise our services, and to comply with law.
   * Disclosed for a business purpose within the preceding 12 months: We may
     disclose the data, pursuant to applicable law, to: service enablers
     (including service providers, financial partners servicing the financial
     product), third parties like ad partners that help us advertise our
     products and services, the merchant that you do business with (a.k.a. our
     business user), an entity engaged in a business transfer/merger, law
     enforcement, courts, governments and regulatory agencies.
 * Characteristics of protected classifications under California or federal law
   (e.g., gender and age noted in ID documents that you submit so that Stripe
   can verify your identity on behalf of your merchant - a.k.a. our business
   user)
   * Purposes: Identity verification, fraud prevention and security, to provide
     our services, and to comply with law.
   * Disclosed for a business purpose within the preceding 12 months: We may
     disclose the data, pursuant to applicable law, to: service enablers
     (including service providers and financial partners servicing the
     financial product), the merchant that you do business with (a.k.a. our
     business user), an entity engaged in a business transfer/merger, law
     enforcement, courts, governments and regulatory agencies.
 * Commercial information (e.g., the merchant that you choose to do business
   with - a.k.a. our business user may receive your transaction data)
   * Purposes: Fraud prevention and security, to provide our services, to
     comply with law, enforce our terms of services, and for other purposes
     consistent with your consent and applicable law.
   * Disclosed for a business purpose within the preceding 12 months: We may
     disclose the data, pursuant to applicable law, to: service enablers
     (including service providers and financial partners servicing the
     financial product), the merchant that you do business with (a.k.a. our
     business user), an entity engaged in a business transfer/merger, law
     enforcement, courts, governments and regulatory agencies.
 * Biometric information (e.g., biometric identifiers from photo IDs used to
   confirm your identity)
   * Purposes: Identity verification, fraud prevention and security, and for
     other purposes consistent with your consent and applicable law, such as to
     improve our verification systems. Learn more.
   * Disclosed for a business purpose within the preceding 12 months: We may
     disclose the data, pursuant to applicable law, to: a service provider -
     i.e., Amazon Web Services ("AWS"), an entity engaged in a business
     transfer/merger, law enforcement, courts, governments and regulatory
     agencies.
 * Online activity information (e.g., information about devices and browsers
   across certain business user sites that use Stripe and IP addresses
   associated with those devices and browsers, and usage data)
   * Purposes: Fraud detection and security, to comply with law, and to provide
     and advertise our services.
   * Disclosed for a business purpose within the preceding 12 months: We may
     disclose the data, pursuant to applicable law, to: service enablers
     (including service providers, financial partners servicing the financial
     product), third parties like ad partners that help us advertise our
     products and services, the merchant that you do business with (a.k.a. our
     business user), an entity engaged in a business transfer/merger, law
     enforcement, courts, governments and regulatory agencies.
 * Location Data (Learn more)
   * Purposes: Fraud detection and security, in furtherance of compliance with
     legal obligations, and to provide and advertise our services.
   * Disclosed for a business purpose within the preceding 12 months: We may
     disclose the data, pursuant to applicable law, to: service enablers
     (including service providers, financial partners servicing the financial
     product), third parties like ad partners that help us advertise our
     products and services, the merchant that you do business with (a.k.a. our
     business user), an entity engaged in a business transfer/merger, law
     enforcement, courts, governments and regulatory agencies.
 * Audiovisual (e.g., visual, audio, or similar information, like photos you
   submit so that Stripe can verify your identity on behalf of your merchant –
   a.k.a. our business user)
   * Purposes: Identity verification, fraud prevention and security, to provide
     our services, and to comply with legal obligations.
   * Disclosed for a business purpose within the preceding 12 months: We may
     disclose the data, pursuant to applicable law, to: service providers, the
     merchant that you do business with (a.k.a. our business user), an entity
     engaged in a business transfer/merger, law enforcement, courts,
     governments and regulatory agencies.
 * Professional or Employment-Related Information
   * Purposes: Recruiting and employment, and to comply with legal obligations.
   * Disclosed for a business purpose within the preceding 12 months: We may
     disclose the data, pursuant to applicable law, to: service providers, an
     entity engaged in a business transfer/merger, law enforcement, courts,
     governments and regulatory agencies.
 * Categories of personal information described in Cal. Civ. Code 1798.80(e)
   (such as name, address, telephone number, credit card or debit card number)
   * Purposes: See above. Identity verification, fraud prevention and security,
     to provide and advertise our services, and to comply with legal
     obligations.
   * Disclosed for a business purpose within the preceding 12 months: We may
     disclose the data, pursuant to applicable law, to: service enablers
     (including service providers and financial partners servicing the
     financial product), the merchant that you do business with (a.k.a. our
     business user), an entity engaged in a business transfer/merger, law
     enforcement, courts, governments and regulatory agencies.


WHAT SENSITIVE PERSONAL INFORMATION UNDER THE CALIFORNIA CONSUMER PRIVACY ACT
(CCPA) DOES STRIPE COLLECT AND FOR WHAT PURPOSES DOES STRIPE USE THAT DATA?

Stripe only processes sensitive personal information for the purposes specified
in section 7027(m) of the California Consumer Privacy Act Regulations, or
without the purpose of inferring characteristics about a consumer. 

Sensitive Personal Information Categories

 * Identification documents, including driver’s license, passport, and social
   security (including any underlying sensitive information in the identity
   card, such as racial or ethnic origin)
   * Purposes include: Identity verification, fraud prevention and security, to
     provide our services, and to comply with legal obligations.
 * Biometric information
   * Purposes include: Identity verification, fraud prevention and security,
     and for other purposes consistent with your consent and applicable law,
     such as to improve our verification systems. Learn more.
 * Location Data Learn more.
   * Purposes include: Fraud detection and security, to comply with law, and to
     provide our services. Learn more.
 * Account log-in, financial account in combination with any required security
   access code, password, or credentials allowing access to an account
   * Purposes include: To provide our services (e.g., Financial Connections),
     comply with law, enforce our terms of services, and for other purposes
     consistent with your consent and applicable law.


DOES STRIPE “SELL” OR “SHARE” MY PERSONAL INFORMATION UNDER THE CCPA?

We do not transfer your personal data to third parties in exchange for payment.
However, as noted above, we may provide your personal data to third party
partners, such as advertising partners, analytics providers, and social
networks, who assist us in advertising our products and services to you. Because
these third parties may use the data Stripe provides for their own purposes
(such as to improve their ad delivery), Stripe's provision of data to these
parties may be considered a data “sale” or “sharing” as those terms are defined
under the CCPA and other applicable US privacy laws. To our knowledge, Stripe
does not sell personal information of minors under 16 years of age. 

Within the past 12 months, the following categories of Personal Information
described in section 1798.80(e) of the California Civil Code have been “sold” or
“shared” (as defined under the CCPA) to third parties (including advertising
partners) who assist us in advertising our services:

 * Identifiers (e.g., a device identifier)
 * Online activity information (e.g., information about devices and browsers
   across certain business user sites that use Stripe and IP addresses
   associated with those devices and browsers, and usage data)
 * Geolocation Data (e.g., IP addresses)

You can opt out of targeted advertising and any related data “sales” or
“sharing” here.


HOW LONG WILL STRIPE KEEP MY DATA?

Stripe keeps Personal Data as necessary to achieve the purposes listed here. To
determine the appropriate retention periods for different categories of Personal
Data, we consider various criteria such as the jurisdiction you are located in,
the nature of our relationship with you, the types of products or services being
offered or provided to you, the nature and sensitivity of your Personal Data,
retention requirements under applicable laws and regulations, and other
legitimate interests we may pursue through retaining your Personal Data,
including detecting and preventing fraud and financial crimes, enforcing and
defending our legal rights, complying with valid legal process requests from
courts or competent authorities, improving the quality of our services, and
promoting our products and services as appropriate and as permitted by
applicable law and agreements. 

For most jurisdictions, Stripe will generally keep Personal Data we obtain from
our Business Users for a period of five or more years from the end of the
business relationship with you, or the date of the last transaction, whichever
is later.  

The table below outlines different categories of personal data collected, along
with the retention period or the criteria used to determine that period.

CATEGORIES OF PERSONAL DATA COLLECTED

RETENTION PERIOD OR THE CRITERIA USED TO DETERMINE THAT PERIOD

Non-sensitive Identifiers (e.g., name, postal address, email address, account
name)



Categories of personal information described in Cal. Civ. Code § 1798.80(e)
(such as name, address, telephone number, credit card or debit card number)



Characteristics of protected classifications under California or federal law
(e.g., gender and age noted in ID documents that you submit so that Stripe can
verify your identity on behalf of your merchant - a.k.a. our business user)



Commercial information (e.g., transaction data that the merchant you choose to
do business with - a.k.a. our business user - may receive)



Online activity information (e.g., certain information about devices and
browsers across certain business user sites that use Stripe, and usage data)



Audiovisual (e.g., visual, audio, or similar information, like photos you submit
so that Stripe can verify your identity on behalf of your merchant – a.k.a. our
business user)

For the duration necessary for Stripe to: (1) comply with law; (2) provide the
Stripe services; and (3) pursue our legitimate interests, including detecting
and preventing fraud and financial crimes, enforcing and defending our legal
rights, complying with valid legal process requests from courts or competent
authorities, improving the quality of our services, and promoting our products
and services as appropriate and as permitted by applicable law and agreements.

Biometric information (e.g., biometric identifiers from photo IDs and selfies
used to confirm your identity)

No longer than 1 year, or upon revocation of your consent, whichever is
earlier.  

Geolocation Data (e.g., IP addresses)

For the duration necessary for Stripe to: (1) comply with law; (2) provide the
Stripe services; and (3) pursue our legitimate interests, including detecting
and preventing fraud and financial crimes, enforcing and defending our legal
rights, and complying with valid legal process requests from courts or competent
authorities.

Professional or Employment-Related Information



Education information that is not publicly available as defined in the Family
Educational Rights and Privacy Act (20 U.S.C. § 1232g)

For the duration necessary for Stripe to: (1) comply with law; (2) make certain
employment and performance-related decisions; (3) address future hiring needs;
(4) ensure health and safety in the workplace; (5) conduct certain
administrative tasks, including to administer benefits; and (6) pursue our
legitimate interests, including enforcing and defending our legal rights and
complying with valid legal process requests from courts or competent
authorities.

Sensitive personal information, as defined by California law (Learn More)

For information regarding your government IDs (including the sensitive data
therein) and your location data, Stripe will retain that data for the duration
necessary to: (1) comply with law; (2) provide the Stripe services; and (3)
pursue our legitimate interests, including detecting and preventing fraud and
financial crimes, enforcing and defending our legal rights, complying with valid
legal process requests from courts or competent authorities. For biometric data,
see above.

Where we rely on consent to collect your other sensitive personal information
(e.g., financial account login credentials), Stripe will no longer retain this
data upon your revocation of consent.


CALIFORNIA PRIVACY RIGHTS METRICS

The following includes aggregate metrics of data subject rights requests
received in the 2023 calendar year. This data reflects requests received from
individuals in California and may also include requests from individuals who do
not reside in California.

 * Number of “requests to know” received and complied with in whole or in part: 7
 * Number of “requests to delete” received and complied with in whole or in
   part: 7719
 * Number of “requests to correct” received: 0
 * Average number of days taken to respond to a request to know or delete: 1

Due to the nature of Stripe’s products and services, when we receive a general
“request to delete,” our process is to direct the requestor to a page to action
their request depending upon the relationship they have with Stripe. We also
offer data subjects the opportunity to contact us, should they have any
questions or concerns.

Stripe may retain personal data where permitted by law, including to comply with
our legal obligations. For example, as a provider of payment services, Stripe is
required to comply with many regulations, including anti-terrorism and
anti-money laundering laws. These laws require Stripe to retain certain
information associated with Stripe users for a prescribed period of time after
account closure. Learn more about our retention obligations in our Privacy
Policy.


STRIPE LEGAL BASES TABLES


WHAT LEGAL BASIS DOES STRIPE RELY ON TO PROCESS PERSONAL DATA AS A DATA
CONTROLLER?

We rely upon a number of legal grounds to enable our use of your Personal Data.
In short, we use Personal Data to facilitate the business relationships we have
with our Business Users and End Users, to comply with our financial regulatory
and other legal obligations, and to pursue our legitimate business interests. We
also use Personal Data to complete transactions and to provide payment-related
services to our Business Users.

Our table below provides a detailed overview of why and how we use your Personal
Data.

For the purposes of the General Data Protection Regulation, we rely upon a
number of legal bases to enable our processing of your Personal Data.


END USERS

When you directly use an End User Service (such as when you sign up for Link, or
make a payment to Stripe Climate in your personal capacity), for your personal
use, we refer to you as an “End User.”

PROCESSING PURPOSE

CATEGORIES OF PERSONAL DATA

LEGAL BASES

Provide our Services. To provide services to you, including delivery, support,
personalization and messages related to the service.

Your name, contact information, payment information including Bank Account
Information and Bank Payments, and/or payment card number, CVC code and
expiration date.

Our contractual necessity to perform our contractual relationship with you,
under applicable data protection laws.

For the provision of our services including Link, Atlas and Identity. When we
process data based on your consent, you have the right to withdraw your consent
at any time without affecting the lawfulness of processing based on such consent
before the consent is withdrawn.

If you choose to use Link you agree to let Stripe store your payment method and
related information so that you can more readily make purchases with Business
Users who use Stripe to provide payment processing services (e.g. Stripe
Checkout).

Based on consent in processing this personal information.

Card Products and Financial Products including Issuing and Treasury Direct
Services.

We use your Personal Data to offer you card products and financial products and
services under the Stripe brand and/or under the brand of a Business User.

Your name, email address, phone number, postal address, transaction information,
password, PIN or similar credentials, card PANs, age, DOB, credit card number,
driver’s license number, tax ID, cookie data, tags and beacons, IP address.

Our legitimate interests in promoting our products and in determining
eligibility for and offering new Stripe products and services.

Provide cryptocurrency-related services, including enabling End Users with Link
accounts to purchase cryptocurrency from licensed third-party cryptocurrency
exchange providers using a variety of payment methods and save certain personal
information to facilitate subsequent cryptocurrency-related transactions.

Your name, email address, date of birth, billing address, IP address,
information related to your cryptocurrency wallet (including wallet identifier,
access times, and IP address used to create and access the wallet), and
information related to your cryptocurrency purchases, including your transaction
history. 

Based on consent in processing this personal information.

Offer our Services and Alert you of Changes to our Services.

For example, through Stripe Capital we offer capital loans to certain users who
can satisfy particular criteria and to help determine if you qualify for a loan
or not. Such information will be processed prior to the offer of a loan in order
to determine eligibility.

The name of the representative of business, physical address of business, and
the borrower's Stripe ID. The rest of the data processed concerns business
information and not personal data.

Our legitimate interests in promoting our products and in determining
eligibility for and offering new Stripe products and services.

Fraud Detection Services.

We use your Personal Data collected across our Services (e.g. Stripe Radar) to
detect and prevent fraud against us, our Business Users and financial partners,
including to detect unauthorized log-ins using your online activity.

Transaction information. This includes: name, email address, billing and/or
shipping address, payment method information (such as credit or debit card
number, bank account information or payment card image), merchant and location,
purchase amount, date of purchase, and in some cases, some information about
what you have purchased, phone number and tax-related ID.

This includes web browsing information, usage data, referring URLs, location,
cookies data, device data and identifiers.

IP address and physical address.

Our legitimate interests in monitoring and detecting fraud to ensure we detect
activity that can have a harmful effect on our End Users.

Marketing and Advertising. We may use your Personal Data to assess your
eligibility for and offer you other Services. We use End User Personal Data for
interest-based advertising and marketing purposes. We do not share End Customer
Personal Data with third parties for their marketing purposes unless you give us
or the third party permission to do so.

Contact information including: name, email address, work phone number, and job
title.

Connection data such as IP address, and web behavior (page visited, length on
page, etc.)

Based on consent in processing this personal information.

Our legitimate interest in undertaking marketing activities to offer you
products or services that may be of interest to you.

Compliance and Harm Prevention. We process and share Personal Data as we believe
necessary: (i) to comply with applicable law, (ii) for compliance with rules
imposed by payment method in connection with use of that payment method (e.g.
network rules for Visa); (iii) to enforce our contractual rights; (iv) to secure
or protect the Services, rights, privacy, safety and property of Stripe, you or
others, including against other malicious or fraudulent activity and security
incidents; and (v) to respond to valid legal process requests from courts, law
enforcement agencies, regulatory agencies, and other public and government
authorities, which may include authorities outside your country of residence.

Any Personal Data we process, including information necessary for identity
verification such as government-issued IDs or selfie images.

Where these processing activities or disclosures are necessary to comply with
our legal obligations, for the protection of a person's vital interests, for
reasons of public interest, for reasons of substantial public interest, or for
the purposes of Stripe’s or a third party’s legitimate interest in keeping
Stripe secure, preventing a breach of the law, harm or crime, enforcing or
defending legal rights, claims, or obligations, facilitating the collection of
taxes and prevention of tax fraud or preventing loss or damage.


END CUSTOMERS

When you do business with, or otherwise transact with, a Business User
(typically a merchant using Stripe Checkout, e.g. when you buy a pair of shoes
from a merchant that uses Stripe for payment processing) but are not directly
doing business with Stripe, we refer to you as an “End Customer.”

PROCESSING PURPOSE

CATEGORIES OF PERSONAL DATA

LEGAL BASES

Provide our Services to Business Users, including to process online payment
transactions or in-person checkout, to calculate applicable sales tax, to
invoice and bill, and to calculate their revenue.

If you are an End Customer, when you make payments to, send shopping cart
reminders, get refunds from, begin a purchase or otherwise transact with a
Business User through Stripe’s Services or a Stripe-provided device, Stripe will
receive your transaction information. Depending on how the Business User has
integrated our Business Services, we may receive this information directly from
you, the Business User or another service provider to you or the Business User.

Transaction Information (including from Checkout, Payment Processing and
Treasury/Issuing Use). Your name, email, billing and/or shipping address,
payment method information (such as credit or debit card number, bank account
information or payment card image), merchant and location, purchase amount, date
of purchase, and in some cases, some information about what you have purchased,
phone number and tax-related ID. The payment method information that we collect
will depend upon the payment method that you choose to use from the list of
available payment methods offered by the Business User as part of the “checkout”
process for your purchase. We may also receive your transaction history with the
Business User.

Transaction-Related Information / Purchase Interests. Information typed into a
checkout field that is not ultimately submitted to the Business User.

Our legitimate interests in providing the Stripe products and services. Stripe
processes this personal data given its legitimate interest in improving the
Services and where it is necessary for the adequate performance of the contract
with the Business Users.

Provide our Services to Business Users, to order payment methods on a
per-customer basis on behalf of the Business User, to implement fraud thresholds
chosen by the Business User, and to verify your payment method.

Verification Information. Your age (when purchasing age restricted goods) or
information about you being the person who is authorized to use a payment
method.

The information collected will be the information that you choose to share for
these purposes, which may include your government ID, your photo, your live
image, and Personal Data apparent from the physical payment method (e.g. credit
card image).

Our legal obligations in respect of our financial and regulatory obligations.

Reduce fraud and enhance security. We will use Personal Data about your
identity, including information that you provide, to perform verification
Services for Stripe or for the Business Users that you are doing business with
and to reduce fraud and enhance security.

In some cases you may provide a “selfie” along with an image of your identity
document, and we will use technology to compare and calculate whether they match
and can be “verified.” We will use information from our service providers and
our Services to help verify your identity and for fraud prevention.

Based on consent in processing this personal information.

Our legitimate interests in detecting, monitoring and preventing fraud and
unauthorized payment transactions.

Radar and Card Verification Services. We use Personal Data of End Customers to
detect and prevent fraud for Business Users, including to detect fraudulent
payment cards using payment card images and unauthorized log-ins using online
activity. In providing such services, we may provide Business Users that have
requested such services with limited Personal Data about End Customers so that
the Business Users can assess the fraud risk associated with an attempted
transaction by its End Customer. We may also use payment card images to improve
our Business Services.

Transaction information. This includes: name, email address, billing and/or
shipping address, payment method information (such as credit or debit card
number, bank account information or payment card image), merchant and location,
purchase amount, date of purchase, and in some cases, some information about
what you have purchased, phone number and tax-related ID.

This includes web browsing information, usage data, referring URLs, location,
cookies data, device data and identifiers.

IP address and physical address.

Our legitimate interests in detecting, monitoring and preventing fraud and
unauthorized payment transactions.

Compliance and Harm Prevention. We share Personal Data as we believe necessary:
(i) to comply with applicable law; (ii) to comply with rules imposed by a payment
method in connection with use of that payment method; (iii) to enforce our
contractual rights; (iv) to secure or protect the Services, rights, privacy,
safety and property of Stripe, you or others, including against other malicious
or fraudulent activity and security incidents; and (v) to respond to valid legal
process requests from courts, law enforcement agencies, regulatory agencies, and
other public and government authorities, which may include authorities outside
your country of residence.

Any Personal Data we process.

Our legal obligations where disclosures are necessary to comply with our legal
obligations.

Our legitimate interest in keeping Stripe secure, preventing a breach of the
law, harm or crime, enforcing or defending legal rights, claims, or obligations,
facilitating the collection of taxes and prevention of fraud or preventing loss
or damage.


REPRESENTATIVES

When you are acting on behalf of an existing or potential Business User (e.g.
you are a founder of a company, or administering an account for a merchant who
is a Business User), we refer to you as a “Representative.”

PROCESSING PURPOSE

CATEGORIES OF PERSONAL DATA

LEGAL BASES

Reduce fraud and enhance security. We will use Personal Data about your
identity, including information that you provide, to perform verification
Services for Stripe.

Onboarding and verification information that you choose to share for these
purposes, which may include your government ID, photo, live image, and Personal
Data apparent from the physical payment method (e.g. credit card image).

Our legal obligations in respect of our financial and regulatory obligations. We
process Personal Data to verify the identity of the Representatives of our
Business Users in order to comply with fraud monitoring, prevention and
detection obligations, laws associated with the identification and reporting of
illegal and illicit activity, such as AML (Anti-Money Laundering) and KYC
(Know-Your-Customer) obligations, and financial reporting obligations.

Advertising. We may use and share Representative Personal Data with others so
that we may advertise and market our products and services to you, including
through interest-based advertising subject to any consent requirements under
applicable law.

Contact information including: name, email address, work phone number, and job
title.

Connection data such as IP address, and web behavior (page visited, length on
page, etc.)

Based on consent in processing this personal information.

Communications. We may send you email marketing communications about Stripe
products and services, invite you to participate in our events or surveys, or
otherwise communicate with you for marketing purposes, provided that we do so in
accordance with applicable law, including any consent or opt-out requirements.

Contact information such as your name, email address, phone number.

Based on consent in processing this personal information.

Our legitimate interests in responding to inquiries, sending Service notices,
ensuring compliance with applicable laws, preventing fraud, improving our
services and providing customer support.

Tax and Atlas (Incorporation) Services. We may use your Personal Data to file
taxes on behalf of your associated Business User. If your Business User uses
Atlas, we may use your Personal Data to submit forms to the IRS on your behalf
and to file documents with other governmental authorities.

Your contact details, such as name, postal address, telephone number, and email
address; and financial and personal information about you, such as your
ownership interest in the Business User, your date of birth and government
identifiers associated with you and your organization (such as your social
security number, tax number, or Employer Identification Number). You may also
choose to provide bank account information.

Our compliance with legal obligations in respect of our financial and regulatory
obligations. We process Personal Data to verify the identity of the
Representatives of our Business Users in order to comply with fraud monitoring,
prevention and detection obligations, laws associated with the identification
and reporting of illegal and illicit activity, such as AML (Anti-Money
Laundering) and KYC (Know-Your-Customer) obligations, and financial reporting
obligations.

Our contractual necessity to perform our contractual relationship with you,
under applicable data protection laws.


VISITORS

When you visit a Site without being logged into a Stripe account or otherwise
communicate with Stripe, we refer to you as a “Visitor” (e.g. you send Stripe a
message asking for more information because you are considering being a user of
our products).

PROCESSING PURPOSE

CATEGORIES OF PERSONAL DATA

LEGAL BASES

Communications. We use any contact information that you provide to us to respond
to any inquiries or requests for information you made; and if you have asked
about us or our Services, to send you marketing emails by either asking for your
consent or providing you an opt out in any messages we send.

Contact information such as your name, email address, phone number.

Information you have provided to us, such as the products you are interested in.

Based on consent in processing this personal information.

Our legitimate interests in responding to inquiries, sending Service notices and
providing customer support.

Advertising. When you visit our Sites, we (and our service providers) may use
Personal Data collected from you and your device to target advertisements for
Stripe Services to you on our Sites and other sites you visit (“interest-based
advertising”).

Information collected from cookies such as your device, browser ID, and pages on
our website which you have visited.

Based on consent in processing this personal information.

Our legitimate interest in undertaking marketing activities to offer you
products or services that may be of interest to you.

Fraud Detection. We use your Personal Data collected across our Services to
detect and prevent fraud against Stripe, our Business Users and financial
partners.

Advanced Fraud Signals information collected via cookies. This includes web
browsing information, usage data, referring URLs, location, cookies data, device
data and identifiers.

Our legitimate interests in detecting, monitoring and preventing fraud and
unauthorized payment transactions.


DATA PROCESSING AGREEMENT


WHAT IS A DATA PROCESSING AGREEMENT (DPA) AND HOW CAN I GET ONE WITH STRIPE?

A Data Processing Agreement (“DPA”) is a contract between a data controller and
a data processor that describes the roles and responsibilities of the parties
when personal data is processed. If you are a Business User, please visit our
FAQs page here to learn more about our DPA. Please contact us or your account
manager if you have any questions.


INFORMATION ABOUT STRIPE PRODUCTS


HOW DO YOU IMPLEMENT PRIVACY BY DESIGN AT STRIPE?

Privacy by design aims at building privacy and data protection up front and into
the design specifications and architecture of information and communication
systems and technologies to facilitate compliance with privacy and data
protection principles. We rely on our internal privacy team and a review process
for any new product launch. We are dedicated at every level of product
development—from engineering to product management—to making privacy a key
consideration. This helps ensure that people can trust the Stripe products that
they enjoy every day.


STRIPE IDENTITY

END CUSTOMERS

If you have been asked to verify your identity or have verified your identity
using Stripe Identity, please visit the support web pages here and here to learn
more about our privacy practices for Stripe Identity. Alternatively, you can
jump to the specific topics linked here:

 * Stripe’s role in controlling and processing identity data in the US
 * Understanding Stripe Identity
 * Biometric verification
 * Consent to use my identity information
 * Security of my identity data
 * What data is collected
 * Identity data retention
 * How I delete my identity data

BUSINESS USER THAT REQUESTED VERIFICATION

If you are a Business User that is using or intends to use Stripe Identity,
please visit the support web page here for additional guidance on what you can
tell your users and here and here for additional guidance on privacy
considerations for your business.


STRIPE’S CARD IMAGE VERIFICATION

If you have been asked by your merchant (i.e., a Stripe Business User) to scan
your credit card before completing your requested transaction, please visit the
support webpage here to learn more about Stripe’s Card Image Verification.


STRIPE CONNECT AT A GLANCE

DESCRIPTION

Stripe Connect is a payment software your third party platform provider
(Platform) may use to enable you to receive Stripe services (including payment
processing) and/or receive payouts.

DATA CONTROLLER/ DATA PROCESSOR

Stripe acts as both a data controller and data processor for the Platform. The
Stripe entity that acts as data controller/ data processor for data processed in
Europe is Stripe Payments Europe Limited (“SPEL”).

PERSONAL DATA

The personal data transmitted to Stripe usually involves first name, last name,
address, identification number, e-mail address, IP address, telephone number,
and other data necessary for payment processing.

PURPOSE

The transmission of the data is aimed at payment processing, ledger management,
and fraud prevention. The Business User / Platform will transfer personal data
to Stripe. The personal data exchanged between Stripe and the Business User /
Platform may be transmitted to verification agencies, and Business User data may
be shared with Platforms. This transmission is intended for the Platform to
manage its ledger and for Stripe to conduct identity and risk checks.

TRANSFER

Stripe will pass on personal data to affiliates and service providers or
sub-processors, if deemed necessary to carry out contractual obligations or for
the data to be processed.

PRIVACY POLICY

For full details please see the applicable Privacy Policy of Stripe.


I AM A USER WITH A CUSTOM CONNECTED ACCOUNT. DOES STRIPE ALSO COLLECT
INFORMATION ABOUT MY CUSTOM CONNECTED ACCOUNT FROM A THIRD PARTY?

If you are a user with a Custom connected account, Stripe may collect additional
information about your account to enable fraud detection and fulfill financial
compliance requirements. These requirements for additional information come from
our regulators or financial partners and are intended to prevent abuse of the
financial system. Examples of missing data fields include your address, phone
number, social security number, date of birth, employer identification number,
or website URL. Stripe may leverage data we already have from one of your Stripe
accounts or Stripe may fill in some of this information by receiving data from a
third party. You may view the information that we are associating with your
account and update or correct that information by contacting the platform or
business that created your Stripe payment account. Please see Stripe’s Privacy
Policy for additional information.


WHAT RESPONSIBILITIES DO CONNECT PLATFORMS WITH CUSTOM ACCOUNTS HAVE TO ALLOW
THEIR USERS TO UPDATE OR CORRECT INFORMATION ASSOCIATED WITH THEIR ACCOUNTS?

You, the Platform, are responsible for all interactions with your Custom
accounts and for collecting all of the information needed to verify the Custom
account-holders. Since Custom account holders cannot log into Stripe, it is up
to you to build the user dashboard and communication channels. You are
responsible for actioning any request by a user to update or correct their
Stripe Custom account information.


I AM A USER WITH A CUSTOM CONNECTED ACCOUNT. WILL DATA COLLECTED FROM A THIRD
PARTY BE VISIBLE TO MY CUSTOMERS?

Card networks and issuers use statement descriptors to identify payments on a
cardholder’s bank statement. Statement descriptors usually include information
about the payment, such as the name and phone number of the seller. However, the
exact information displayed is ultimately up to a cardholder’s bank. If Stripe
updates your account’s business address, phone number, or email address, these
fields may be displayed on the statement descriptor within the cardholder’s bank
statement. However, the exact information displayed is ultimately up to the card
network or the cardholder’s bank. If any information is incorrect, please reach
out to the platform through which you receive charges to ensure you have
provided them with the most accurate information about you and your business.


WHAT ARE STRIPE ACS, TRANSACTION AUTHENTICATION, AND BEHAVIORAL BIOMETRICS?

WHAT IS STRIPE ACS?

Stripe ACS is Stripe’s transaction authentication solution for card issuers
(e.g., banks). Stripe ACS helps card issuers to authenticate transactions of
cardholders when they are making payments online using their cards.

WHAT IS BEHAVIORAL BIOMETRICS?

Behavioral biometrics is an innovative technology that can be used for the
purpose of preventing fraud and identifying legitimate transactions. Behavioral
biometrics leverages a combination of personal data and device characteristics
to distinguish between legitimate customers and fraudsters or bots.

HOW IS BEHAVIORAL BIOMETRICS DATA COLLECTED AND USED IN STRIPE ACS?

This processing is designed to verify a cardholder’s identity based on their
behavioral biometric data which is modeled based on data collected during each
authentication attempt.

This type of transaction authentication will typically observe interactions
within a system or device to verify a cardholder’s identity for the purposes of
authenticating online payments. The following elements may be processed during
the authentication process:

 * Length of text field inputs
 * Location of mouse pointer
 * Modifier key details (e.g., CTRL, SHIFT)
 * Timing and location of mouse clicks
 * Timing and location of touch events
 * Timing between keystrokes
 * Window scroll position

For the purpose of fraud risk mitigation, this processing involves use of a
device identifier cookie (Ndcd, Device ID, DID) that aims to accurately analyze
biometrics data observed on a specific device. This cookie facilitates device
detection in order to enhance fraud detection and prevention as well as to
identify suspicious devices or devices that are behaving abnormally. This is a
first party, strictly necessary cookie that is active on the touch.tech and
touchtechpayments.com domains, and has a duration of 12 months. For more
information on how we use cookies, please see Stripe’s Cookie Policy.

PURPOSE OF PROCESSING AND STRIPE’S ROLE

Stripe may process biometric data relating to cardholders in order to assist
card issuers to authenticate payment transactions. This is done as part of
Stripe’s payment transaction authentication services provided to card issuers
(including for the purposes of meeting Strong Customer
Authentication requirements).

In providing these services to card issuers, Stripe acts as a data controller in
relation to cardholder data. Please see Stripe’s Privacy Policy to learn more
about our use of personal data.

As part of providing these authentication services to card issuers, Stripe
engages with a third party provider, Mastercard, which also acts as a data
controller. See Mastercard’s Privacy Notice for details on Mastercard’s
processing activities in this context.

CUSTOMERS’ RIGHTS AND CHOICES

Upon initiating a transaction, cardholders will have the option of providing
their consent to processing their behavioral biometrics data as part of the
transaction authentication flow. This will be presented to the cardholder during
the checkout flow on the merchant’s website or app when authentication is
requested from the card issuer. Cardholders will have the option to withdraw
their consent during each subsequent transaction flow.

To withdraw consent outside of a transaction flow, you can
email privacy-acs@stripe.com with the subject matter line “Stripe ACS - withdraw
consent”. In your email to withdraw consent, please provide: (a) the first 6
digits of your card number as this enables Stripe to identify your issuing bank
(please do not provide any digits other than the first 6 digits); and (b) the
phone number (including the country code) registered with your bank account that
is used for one-time passcodes.

We will action this withdrawal request as soon as possible after it is verified,
but please note that this can take up to 10 working days as we may need to
verify the request with your card issuer. You may also contact the card issuer
in order for the issuer to implement this withdrawal of consent by engaging with
Stripe.

To submit a request to exercise any of the other rights described in our Privacy
Policy, you may contact Stripe at privacy-acs@stripe.com.


PROMOTIONAL EMAILS FEATURE

FOR END CUSTOMERS AND PROSPECTIVE END CUSTOMERS OF OUR BUSINESS USERS

WHAT IS THE PROMOTIONAL EMAILS FEATURE?

Promotional Emails is a feature that gives Business Users who use “Stripe
Checkout” services a new tool to enable sending email promotional content to
their customers and prospective customers. When you visit a Business User’s
checkout page (that is powered by Stripe Checkout services), the Promotional
Email feature will enable Stripe to collect information about your preferences
to receive promotional emails from that merchant.

Promotional email preferences are collected whether or not you complete the
purchase or are just a prospective End Customer. “Prospective End Customer”
means you visited a Business User’s site and expressed an intent to make a
purchase by starting a purchase on the Business User’s checkout page, but did
not complete that purchase during that session. To be a “prospective End
Customer” for the promotional email feature, you also need to have started to
input your contact information into the checkout form, and then not have deleted
that information prior to the end of the session.

If you, prospective End Customer, indicate permission to receive news and
personalized offers by virtue of the opt-in/opt-out checkbox on your Business
User’s checkout form, the following personal data is provided to your Business
User so that your Business User can contact you to remind you of the items you
left in the checkout or to provide you news and personalized offers:

 * Email (if provided by you).
 * Items in your cart with that merchant (if any).

“Personalized offers” means promotional or marketing materials tailored to you,
such as coupons or advertisements based on the items in your cart or (in some
cases) your prior purchases from that Business User. Even if you opt-out of
personalized offers by a Business User, if you do business with that Business
User, they may still need to contact you in order to enable a purchase (e.g.,
for delivery or billing purposes) or in connection with customer support. Please
see your Business User’s privacy policy for more information.

WHAT IS STRIPE’S ROLE (DATA PROCESSOR/CONTROLLER) IN THE PROCESSING OF MY
PERSONAL DATA?

For the Promotional Emails feature, Stripe acts as a data processor or service
provider, meaning that Stripe is acting at the direction of the Business User
that has implemented this Stripe provided feature. The Stripe entity that acts
as a data processor for personal data is:

 * Stripe Inc. in the United States.
 * Stripe Payments Europe Limited outside of the United States, including Europe.

WHAT PERSONAL DATA IS STRIPE COLLECTING?

Stripe’s Privacy Policy describes in more detail the personal data that Stripe
collects in connection with payment transactions.

WHAT PERSONAL DATA IS SHARED BY STRIPE WITH THE BUSINESS USERS I USE?

Whenever you complete a transaction on a Business User’s website that uses
Stripe services, as a service provider to that Business User, Stripe will share
your contact information with that Business User. Business Users use the
information that Stripe provides in accordance with their own privacy policy,
including in connection with your purchase.

WITH THE PROMOTIONAL EMAILS FEATURE:

 * If you complete a purchase with a Business User, in addition to the
   transaction-related information identified in our Privacy Policy (e.g., your
   contact and billing information and the details of your transaction), Stripe
   will also share with your Business User your personalized offers and news
   preferences as determined by the opt-in/opt-out checkbox from your checkout
   form.
 * If you are a prospective End Customer (you start a purchase with your
   Business User on their checkout form but do not complete that purchase), the
   personal data that we share with your Business User depends on the following:
   * If you have not inputted any personal data into your Business User’s
     checkout form, then we will not share any personal data with that Business
     User.
   * If you have inputted personal data into your Business User’s checkout form:
     * If the checkbox for receiving news and personalized offers is not enabled
       when you leave your Business User’s checkout session, we will not share
       any of that personal data.
     * If the checkbox for receiving news and personalized offers is enabled
       when you leave your Business User’s checkout session, we will share the
       following information with that Business User:
       * Email (if provided by you).
       * Items in your cart with that merchant (if any).

End Customers and prospective End customers should always review the privacy
policy or notice of the Business Users they visit and do business with for
information about the Business User’s data collection practices and purposes
outside of this Stripe feature.

DOES STRIPE SHARE MY PERSONAL DATA WITH OTHER BUSINESS USERS?

No. Stripe does not share personal data collected in connection with purchases
(or attempted purchases) from one Business User’s checkout with another Business
User. Please see our Privacy Policy to learn more about our practices.

HOW DO I STOP PROMOTIONAL EMAILS FROM A MERCHANT?

Any offers or promotional emails that you receive as a result of a Business
User’s use of the Promotional Emails feature are sent by Business Users (or
others identified in the message), and not by Stripe. If you do not find value
in receiving these emails, please contact the Business User you are receiving
the messages from. Stripe requires that Business Users that choose to implement
the Promotional Email feature also provide the option to unsubscribe or opt-out
of receiving further promotional messages. It would be a breach of Stripe’s
terms of service for a Business User to not promptly comply with opt-out
requests.

HOW DOES THE DATA COLLECTION AND TRANSFER WORK?

The Promotional Email feature does not use cookies or track you across Business
Users. Information collected from the Business User’s checkout page is
transferred only to the Business User via API calls or webhooks. Webhooks are a
way for Stripe to send the information to the Business User automatically upon
their request. Your information provided at checkout is encrypted in transit
using HTTPS and TLS. See Security at Stripe for more information.

HOW DO I STOP THE SALE OF MY PERSONAL DATA IN CONNECTION WITH THIS FEATURE?

Stripe does not sell your personal data. See our Privacy Policy for more
information. The Promotional Emails feature is not the sale of personal data.
Rather, Stripe acts as a processor (or service provider) to Business Users for
the Promotional Email feature. Please contact your Business User to learn about
their personal data practices and how you can exercise rights to stop the sale
or processing of personal data provided under applicable law and/or their
privacy policy.

Stripe requires that Business Users that choose to implement the Promotional
Email feature also provide the option to unsubscribe or opt-out of receiving
further promotional messages. It would be a breach of Stripe’s terms of service
for a Business User to not promptly comply with opt-out requests.


FOR BUSINESS USERS

HOW TO USE THIS SERVICE AS A BUSINESS USER

If you are a business that is using or intends to use Stripe’s Promotional
Emails feature, please visit the support webpage for tips and guidance on
information to share with your End Customers and prospective End Customers
regarding privacy considerations in connection with the Promotional Emails
feature for your business.


STRIPE DELEGATED AUTHENTICATION

CARDHOLDERS

You may be given the option to enable on-device biometric verification and
provide your consent for Stripe to store your payment method details for future
transactions that use the same card. Please visit our support site to learn more
about our privacy practices for Stripe Delegated Authentication. Alternatively,
you can jump to a specific topic here:

 * Why does the cardholder see Stripe when asked to authenticate a payment?
 * What is Stripe Delegated Authentication?
 * How is personal data used in Stripe Delegated Authentication?
 * How can cardholders provide and withdraw their consent for the storage of
   their payment method details?




LINK

We offer you the opportunity to store your payment methods with us so that you
can conveniently use them across certain merchants who are our Business Users – we
call this “Link” (formerly known as “Remember Me”). When you choose to use Link,
you agree to let us store your payment method so that you can more readily make
purchases through Link with Business Users of our payment processing Business
Services (e.g., name, card number, cvc, and expiration date). We will also
collect other Transaction Data, including billing address, shipping address,
email and phone number. Your payment method data is secured using PCI-DSS
standards.

Should you not have used Link and receive an SMS in error due to an inaccurate
number being inserted at the authentication flow stage, you can opt out here and
your personal data will be deleted.


STRIPE CAPITAL

Stripe Capital provides Business Users with access to fast, flexible funding so
businesses can manage cash flows and invest in growth. Depending on your
business’s corporate structure, eligible Business Users may apply for one of two
Stripe Capital products: a loan or a merchant cash advance (“MCA”). Loans are
provided by Celtic Bank in partnership with Stripe Capital.

WHAT INFORMATION DOES STRIPE PROCESS FOR STRIPE CAPITAL?

We use existing data linked to your Stripe Account to evaluate your business’s
eligibility for Stripe Capital. You may also be asked to link additional data
sources, such as business bank accounts or business credit information, for
Stripe to evaluate in order to receive funding through Stripe Capital. The
following information may be considered prior to the offer of a loan or a MCA in
order to determine eligibility, including:

 * Payment processing volume
 * Payment processing growth
 * Chargeback rate
 * Customer base
 * Duration of relationship with Stripe
 * Bank account balances
 * Transaction history
 * Business credit history

Where Stripe is satisfied that a Business User meets particular criteria
established by Stripe and bank partners (as applicable), we will send the
Business User an email and dashboard notification notifying them of their
business’s eligibility for potential funding and invite them to apply for a loan
or a MCA.

Once you have received an offer and submitted an application to receive your
financing, we will use the above-listed information to verify your business’s
eligibility and, where your application is approved, to disburse the loan or the
MCA to your linked bank account.

THE LEGAL BASIS FOR USING YOUR INFORMATION

We will use your data where its use is in accordance with our legitimate
business interests. Analysis of our Business Users’ information helps us to
manage our business for our legitimate interests. It allows us to:

 * Verify the identity of our Business Users in order to comply with fraud
   monitoring, prevention and detection obligations, applicable laws associated
   with the identification and reporting of illegal and illicit activity, such
   as AML (Anti-Money Laundering) and KYC (Know-Your-Customer) obligations, and
   financial reporting obligations.
 * Assess the level of financial risk to us, financial partners and to Business
   Users involved in offering Business Users a loan or MCA.
 * Enhance our learning models to allow us to better tailor our loans or MCAs
   to, and decrease the risk to, you and other Business Users.

We will also process your data where it is necessary for a loan or MCA agreement
that you have entered into or because you have submitted an application to
receive funding so that you can enter into a loan or MCA agreement with us.

We may send you email marketing communications about Stripe Capital offers,
provided we do so in accordance with applicable law, including any consent
requirements.

WHO DOES STRIPE SHARE INFORMATION WITH?

Stripe does not share any Personal Data collected for Stripe Capital related to
Business Users in the UK. In the future, Stripe may share your agreement data
with third parties who purchase the right to receive repayments on your loan or
MCA.

WHAT IS STRIPE’S ROLE?

Stripe, Inc., or a wholly-owned subsidiary of Stripe, is the controller of your
data.

For Business Users located in the UK, the joint controllers of your data are
Stripe Payments Europe, Limited. (“SPEL”) and Stripe Capital Europe Limited,
Ltd. (“SCEL”). The loan or MCA provided under the loan agreement is solely
provided by SCEL.

HOW DO I OPT-OUT OF RECEIVING CAPITAL OFFERS?

Business Users have the option to unsubscribe or opt-out of receiving Capital
offers via the link included in Stripe Capital emails. Business Users may also
opt-out of dashboard notifications via the settings page of the Stripe
Dashboard. If you have any questions, please contact us.


FINANCIAL CONNECTIONS

If you are an End Customer who has been asked to link your financial account
using Stripe, please visit the support webpage here to learn more about our
privacy practices. Or you can jump to the specific topics linked here:

 * Linking my financial account and consent
 * Data collected, stored, and shared from my linked account
 * How Stripe accesses data from my linked account
 * Relationship between Stripe and its service providers
 * Data security
 * Who can access data from my linked account and for what purposes
 * Who will obtain my login credentials
 * Requesting disconnection or data deletion
 * Correcting my financial account information


ARE THERE INSTANCES WHEN STRIPE RECEIVES NON-STRIPE TRANSACTION HISTORY?

Yes. For example, Stripe enables the Business User to import non-Stripe data
through the Stripe Dashboard to consolidate their revenue data in one
place. Learn more. Separately, Stripe may also obtain your account transactions
from your financial account with your consent. Learn more.


REFUNDS TO END CUSTOMER BANK ACCOUNT

END CUSTOMERS

If you have been asked to provide your bank account and other information to
process a refund on behalf of your merchant (i.e., our Business User), please
visit the webpage here to learn more about our privacy practices for end
customer bank account refunds.

BUSINESS USER THAT USES STRIPE TO PROCESS REFUNDS

If you are a Business User that is using or intends to use Stripe to process
refunds, please visit the webpage here for additional guidance on privacy
considerations for your business.


STRIPE FRONTIER

WHAT IS STRIPE FRONTIER?

Frontier is an advance market commitment (AMC) that aims to accelerate the
development of carbon removal technologies by guaranteeing future demand for
them. It facilitates purchases from high-potential carbon removal companies on
behalf of buyers. Learn more at https://frontierclimate.com/.

WHAT INFORMATION DOES STRIPE FRONTIER COLLECT?

We will collect any information you choose to provide to us, for example,
through support tickets, emails or social media. When you respond to Stripe
emails or surveys, we collect your email address, name and any other information
you choose to include in the body of your email or responses. If you contact us
by phone, we will collect the phone number you use to call Stripe, as well as
other information you may provide during the call. We will also collect your
engagement data such as your registration for, attendance of, or viewing of
Stripe events and other interaction with Stripe personnel. See our privacy
policy for more information.

WHAT IS THE LEGAL BASIS FOR PROCESSING STRIPE FRONTIER INFORMATION?

We rely on consent to process your data. Where you proactively reach out to
Stripe and provide your data, Stripe will process your data based on
Stripe’s legitimate business interests (e.g. help answer your queries, and
provide customer support). With your permission or where allowed by law, we use
your personal data to market our services to you, invite you to participate in
our events or surveys, or otherwise communicate with you for our marketing
purposes, provided that we do so in accordance with applicable law, including
any consent or opt-out requirements.

IS MY DATA RELATING TO STRIPE FRONTIER TRANSFERRED?

We are a global business. Personal Data may be stored and processed in any
country where we do business. We may transfer your Personal Data to countries
other than your own country, including to the United States. These countries may
have data protection rules that are different from your country. When
transferring data across borders, we take measures to comply with applicable
data protection laws related to such transfer. In certain situations, we may be
required to disclose Personal Data in response to lawful requests from Officials
(such as law enforcement or security authorities). See our privacy policy for
more information.

WHAT ARE MY RIGHTS AND CHOICES WITH RESPECT TO THE INFORMATION COLLECTED FOR
STRIPE FRONTIER?

You may have choices regarding our collection, use and disclosure of your
Personal Data. If you no longer want to receive marketing-related emails from
us, you may opt-out via the unsubscribe link included in such emails or as
described here. We will try to comply with your request(s) as soon as reasonably
practicable. Depending on your location and subject to applicable law, you may
have the following rights described here with regard to the Personal Data we
control about you.

HOW DO I EXERCISE MY RIGHTS AS TO STRIPE FRONTIER?

EEA and UK. To exercise your rights, you may contact our DPO. If you are a
resident of the EEA or we have identified Stripe Payments Europe Limited as your
data controller, and believe we process your information within the scope of the
General Data Protection Regulation (GDPR), you may direct your questions or
complaints to the Irish Data Protection Commission. If you are a resident of the
UK, you may direct your questions or concerns to the UK Information
Commissioner’s Office.

California. If you are a consumer located in California, please review the
California Consumer Privacy Act (“CCPA”) section of our Privacy Policy.

See our privacy policy for additional jurisdiction-specific provisions.

ANY QUESTIONS ABOUT STRIPE FRONTIER AND THE PROCESSING OF YOUR DATA?

If you have any questions or complaints, please contact us.


DATA PROTECTION OFFICER


DOES STRIPE HAVE A DATA PROTECTION OFFICER (DPO)?

Yes, Stripe has appointed a Data Protection Officer (“DPO”), who can be reached
via email.


QUEBEC ACT RESPECTING THE PROTECTION OF PERSONAL INFORMATION


WHO IS STRIPE’S PERSON IN CHARGE OF PERSONAL INFORMATION UNDER THE QUEBEC ACT
RESPECTING THE PROTECTION OF PERSONAL INFORMATION IN THE PRIVATE SECTOR, AND HOW
DO I CONTACT THEM?

Stripe’s Chief Privacy Officer is the person in charge of personal information.
You may contact them via email.

We are committed to protecting personal information and have established
policies and procedures that govern our treatment of personal information. These
policies and procedures include, among other things, the following:

 * policies and procedures to protect personal information in our custody and
   control from unauthorized access, use or disclosure.
 * processes to respond to data subject requests and complaints in a timely and
   effective manner.
 * a framework for the retention and destruction of personal information to
   ensure compliance with legal obligations, and to securely destroy personal
   information once no longer required.
 * a privacy framework that defines the roles and responsibilities for our
   employees with respect to the treatment of personal information.
 * providing our employees with regular privacy training and awareness.


INTERNATIONAL DATA TRANSFERS

The detail below is provided for informational purposes. It is not intended to
provide legal advice. Stripe urges Business Users to consult with counsel to
familiarize themselves with the requirements that govern their specific
situations.


HOW IS STRIPE DEALING WITH ITS INTERNATIONAL DATA TRANSFERS?

As we are a global business, Personal Data may be transferred to, and processed
in, any country where we do business, where our service providers do business
or, if you use an international payment method or financial partner service, the
countries in which that payment method or financial partner operates.

We may transfer your Personal Data to countries other than your own country,
including to the United States. Stripe relies on a number of data transfer
mechanisms to legalize the transfer of Personal Data around the globe.  

Stripe continues to have appropriate safeguards and compliance measures to
ensure an adequate level of protection of Personal Data transferred outside the
UK, EEA and Switzerland. Stripe’s measures may include:

 * Transferring Personal Data from the originating country to a country or
   recipient that has been deemed to have an adequate level of data protection
   by relevant privacy authorities, including the European Commission.
 * The EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), which allows personal
   data to flow freely between the EEA and certified organizations in the U.S.
   The European Commission has adopted an adequacy decision confirming that
   personal data can be transferred from the European Economic Area (“EEA”) to
   certified U.S. organizations. The UK Government similarly confirmed that
   organizations can rely on the UK Extension to the EU-U.S. DPF to transfer
   data from the UK to certified U.S. organizations. Stripe’s parent entity,
   Stripe, Inc., is certified under the EU-U.S. DPF, the Swiss-U.S. Data Privacy
   Framework (“Swiss-U.S. DPF”) and the UK Extension to the EU-U.S. DPF (“UK
   Extension”). Stripe relies on the DPF to transfer personal data from the EEA
   and the UK to the US. The Swiss-U.S. DPF will not be relied upon by Stripe
   until Switzerland recognises its adequacy consistent with Swiss law, but we
   adhere to its required commitments in anticipation of their doing so. To
   learn more about the DPF program, please visit
   https://www.dataprivacyframework.gov/, and to view our certification, please
   see here.
 * The Standard Contractual Clauses (“SCCs”) approved by the European
   Commission. SCCs are a transfer mechanism (in the form of a legal contract)
   used by Stripe to provide a legal mechanism to transfer EU personal data
   outside of the EEA/UK. These are required under EU data protection law (known
   as the GDPR) and are incorporated into our agreements.
 * The UK International Data Transfer Addendum (“UK Addendum”) issued by the
   UK’s Information Commissioner’s Office to provide a legal mechanism to
   transfer Personal Data from the UK. This mechanism is required under UK data
   protection law (known as UK GDPR) and is incorporated into our agreements.
 * Other alternative data transfer mechanisms approved by relevant privacy
   authorities to enable the transfer of Personal Data to a third country.

Stripe respects the privacy of everyone that engages with our products and
services, and we are committed to being transparent about our privacy processes
and policies. To learn more about our commitment to privacy and data security,
please see our Privacy Policy, the rest of the Stripe Privacy Center, and the
Stripe Security Center. 

We also want to highlight some of our supplementary measures to protect our
Business Users’ data from unauthorized access.

Stripe employs security controls and maintains and enforces a security program
that addresses the management of security. We also perform risk assessments and
implement and maintain controls for risk identification, analysis, monitoring,
reporting, and corrective action. Stripe maintains and enforces an asset
management program that appropriately classifies and controls hardware and
software assets throughout their life cycle. In addition, Stripe employees,
agents, and contractors acknowledge their data security and privacy
responsibilities under Stripe’s policies.

Stripe applies technical and organizational measures that include the following:

 * Virtual access control to prevent data processing systems from being used by
   unauthorized persons.
 * Data access control to ensure that persons entitled to use a data processing
   system gain access only to such Personal Data in accordance with their access
   rights, and that Personal Data cannot be read, copied, modified or deleted
   without authorization.
 * Disclosure control to ensure that Personal Data cannot be read, copied,
   modified or deleted without authorization during electronic transmission,
   transport or storage on storage media (manual or electronic), and that it can
   be verified to which companies or other legal entities Personal Data are
   disclosed.
 * Entry control to audit whether data have been entered, changed or removed
   (deleted), and by whom, from data processing systems.
 * Stripe relies on third party service providers to host its production
   infrastructure. Those third parties apply physical access control to prevent
   unauthorized persons from gaining access to the data processing systems
   available at premises and facilities (including databases, application
   servers, and related hardware), where Personal Data are processed.
 * Availability control to ensure that Personal Data are protected against
   accidental destruction or loss (physical/logical).
 * Separation control to ensure that Personal Data collected for different
   purposes can be processed separately.

By default, Stripe encrypts data at rest and data in transit. We further protect
your data with tools like audit logs, access management policies and
certifications as described on our Payments page in the section “Security and
compliance at the core”. Security controls implemented at Stripe include TLS 1.2
configuration of endpoints for data in transit, TLS and/or SSL encryption for
HTTPS and regular testing of infrastructure components. Two-step authentication
is available for an extra layer of security at Dashboard login.

We get requests for access to data from law enforcement, and we review each
request with the goal of responding with the minimum amount of required
information in response to legitimate, legally mandated requests. 

If you have any questions, please contact us.


IS STRIPE CERTIFIED UNDER THE EU-U.S. DATA PRIVACY FRAMEWORK?

Stripe has certified its participation in the EU-U.S. Data Privacy Framework
(“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data
Privacy Framework. Stripe relies on the DPF to enable international transfers.
In case the DPF is invalidated or Stripe is otherwise prevented from relying on
the DPF, we incorporate multiple transfer mechanisms to ensure that data
transfers can continue. If more than one data transfer mechanism applies, the
DPF takes precedence. Stripe will not rely on the Swiss-U.S. Data Privacy
Framework until each enters into force. You can learn more about our
certification and read the Stripe Data Privacy Framework Policy at
https://stripe.com/legal/data-privacy-framework.


HOW DOES STRIPE’S CERTIFICATION UNDER THE EU-U.S. DPF IMPACT MY ORGANIZATION?

The EU-U.S. DPF is a legal framework that allows organizations to transfer EEA
Personal Data  to certified organizations in the U.S. Stripe’s Data Transfers
Addendum sets out the data transfer mechanisms that Stripe may rely on to carry
out international transfers of personal data, including the EU-U.S. DPF. You can
learn more about our certification and read the Stripe Data Privacy Framework
Policy at https://stripe.com/legal/data-privacy-framework. If you are a Business
User and would like to transfer data to us under the DPF, please contact us or
your account manager if you have any questions.


HOW DO THE SCCS AND UK ADDENDUM IMPACT MY ORGANIZATION?

SCCs are legal contracts entered into between parties that are transferring EEA
Personal Data outside of the EEA. Stripe may rely on the SCCs for transfers of
EEA data in our services. We have updated our Data Transfer Addendum and
agreements to incorporate the SCCs (where applicable).


HOW TO GET A COPY OF THE SCCS OR UK ADDENDUM?

You can review our Data Transfers Addendum which includes the latest data
transfer mechanisms, including the SCCs, the UK addendum and the Swiss addendum
here.


YOUR RIGHTS AND CHOICES


HOW DO I EXERCISE MY DATA PROTECTION RIGHTS?

Depending on your location and subject to applicable law, you may have the
following rights:

 * Right to access
 * Right of rectification
 * Right to data portability
 * Right to restrict processing
 * Right to object to processing
 * Right to withdraw consent (where it is relied upon)
 * Right to erasure/deletion
 * Right to opt-out of receiving electronic communications from us
 * Right to non-discrimination for exercising your rights
 * Right to opt-out from a sale of personal information
 * Right to opt-out of “sharing” under California privacy law (learn more)
 * Right to limit the use or sharing of sensitive personal information (learn
   more)
 * Right to appeal Stripe’s response to your data subject request

Please read this section to find out more about specific rights. To submit a
request to exercise any of the rights described above, please reach out to us
by email, or via our form or by physical addresses listed in Contact Us.

You have the right to complain to your local data protection authority if you
are unhappy with our privacy practices.

HOW DO I ACCESS MY DATA?

If you are a Business User or Representative, you may log in to the Stripe
Dashboard to view personal information shared with Stripe.

If you are the End Customer of a Business User that uses Stripe services, the
Business User would be the correct party to respond to a data subject access
request related to your transactional information.

Depending on your location and subject to applicable law, you may have the right
to request confirmation of whether Stripe processes Personal Data relating to
you, and if so, to request a copy of that Personal Data. If you are an End User
or otherwise have a direct relationship with us, you may submit your access
request by email, or through our form. Please note that we may need to verify
your identity and your relationship with us before we can proceed with your
request.

In addition, Stripe's Data Access Tool provides self-service access to some of
the data from integrated Stripe products.

HOW DO I UNSUBSCRIBE FROM MARKETING EMAILS?

If you are a Business User or Visitor, you may unsubscribe from Stripe marketing
emails here. If you have any questions about how to opt-out of Stripe marketing
communications, please contact us here.

If you are a Link user, you may opt-out from marketing-related emails by using
the unsubscribe link in any marketing email you receive, or by managing your
subscription preferences in the Link website. To manage your preferences, log
into your Link account, then navigate to your account settings. Turn “Marketing
emails - Receive updates and deals from Link and its partners” on or off. Your
email address will be opted out of email marketing communications as soon as
possible.


WHEN DOES STRIPE CONTINUE TO PROCESS DATA AFTER IT HAS RECEIVED A DELETION
REQUEST OR OBJECTION TO THE PROCESSING?

In certain circumstances, Stripe may be required by law to retain and process
your Personal Data  even after a deletion request or objection to the
processing.  For instance, Stripe is required to retain certain Personal Data it
receives from its Business Users to satisfy legal obligations under Know Your
Customer (KYC) and Anti-Money Laundering (AML) laws.  

Stripe may also rely on compelling legitimate grounds to continue processing
your Personal Data. Stripe may act on such grounds, for instance, when it takes
steps to prevent fraud and financial crimes.  When Personal Data is necessary to
enable or maintain the integrity of Stripe’s fraud detection and financial
models, Stripe may not be able to honor requests to delete or stop processing
that data.  If Stripe honored such requests, fraudsters might take advantage of
its willingness to do so to seek deletion of data related to their past
fraudulent activities.  Without such data, Stripe would be less able to
recognize similar activities in the future.


WHAT DATA MAY BE SHARED OR MADE AVAILABLE TO ENABLE ME TO SEE STRIPE ADS ON
OTHER SITES?

To enable visitors of Stripe.com to see Stripe ads on other sites, we use
advertising APIs and server-side pixels. The data that Stripe shares or makes
available to enable this advertising include identifiers, internet or other
similar network activity, IP addresses, and device characteristics. Any
potentially personally identifying details are hashed through cryptographic
SHA-256 hashing. Click the below links to learn more about the data that may be
shared or made available to enable this feature.  You can disable the toggle in
the “advertising” section of our cookie settings page at any time. 

Third party service: Meta

 * Data that we may share or make available: Sign-up information and
   interactions with Stripe and our products, website activity, IP address,
   device and browser characteristics, timestamps of visits, cryptographically
   hashed (SHA-256) email, first name, last name.
 * Service description: The Meta Conversions API is a Meta business tool that
   creates a direct connection between your marketing data and the Meta
   technologies that optimize ad performance. This helps you to use your own
   marketing data to optimize ad targeting, decrease cost per action and see a
   more complete picture of campaign outcomes while respecting people’s privacy.
 * Learn more:
   https://www.facebook.com/business/tools/facebook-conversions-api
   https://developers.facebook.com/docs/marketing-api/conversions-api/

Third party service: LinkedIn

 * Data that we may share or make available: Sign-up information and
   interactions with Stripe and our products, website activity, IP address,
   device and browser characteristics, timestamps of visits, cryptographically
   hashed (SHA-256) email, first name, last name.
 * Service description: With the LinkedIn Conversions API, you can connect both
   your online and offline data to LinkedIn so you can see how your campaigns
   influenced actions taken on your website, sales completed over the phone, or
   leads collected in-person at an event.
 * Learn more:
   https://www.linkedin.com/help/lms/answer/a1655394

Third party service: Reddit

 * Data that we may share or make available: Sign-up information and
   interactions with Stripe and our products, website activity, IP address,
   device and browser characteristics, timestamps of visits, cryptographically
   hashed (SHA-256) email, first name, last name.
 * Service description: The Reddit Conversions API is a server-to-server
   solution that shares your conversion data directly to Reddit’s platform
   without needing website code. By building a sustainable server-side
   connection, this integration is more resilient to signal loss and will help
   deliver stronger campaign performance via improved measurement, targeting,
   and optimization.
 * Learn more:
   https://business.reddithelp.com/helpcenter/s/article/Conversions-API

Third party service: X

 * Data that we may share or make available: Sign-up information and
   interactions with Stripe and our products, website activity, IP address,
   device and browser characteristics, timestamps of visits, cryptographically
   hashed (SHA-256) email, first name, last name.
 * Service description: The X Conversions API is a server-to-server solution
   that shares your conversion data directly to X’s platform. By building a
   sustainable server-side connection, this integration is more resilient to
   signal loss and will help deliver stronger campaign performance via improved
   measurement, targeting, and optimization.
 * Learn more:
   https://developer.twitter.com/en/docs/twitter-ads-api/measurement/web-conversions/conversion-api

Third party service: Line

 * Data that we may share or make available: Sign-up information and
   interactions with Stripe and our products, website activity, IP address,
   device and browser characteristics, timestamps of visits, cryptographically
   hashed (SHA-256) email, first name, last name.
 * Service description: Line Conversions API is a server-to-server solution that
   shares your conversion data directly to Line’s platform. By building a
   sustainable server-side connection, this integration is more resilient to
   signal loss and will help deliver stronger campaign performance via improved
   measurement, targeting, and optimization.
 * Learn more:
   https://conversion-api-docs.linebiz.com/en/

Third party service: Google

 * Data that we may share or make available: Sign-up information and
   interactions with Stripe and our products, website activity, IP address,
   device and browser characteristics, timestamps of visits, cryptographically
   hashed (SHA-256) email.
 * Service description: The Google Tag is a tracking tag for Google’s
   advertising products (Search, Display, YouTube, GA4) enabling advertisers to
   serve a more personalised ad experience across Google’s advertising products.
   Combined with Google’s API solutions, advertisers can share conversion data
   to enhance on-site activity with offline customer interactions to improve
   measurement, targeting, and optimization.
 * Learn more:
   https://developers.google.com/tag-platform/tag-manager/server-side/overview
   https://support.google.com/google-ads/answer/11347292?sjid=13132835489466327554-NC

Third party service: Demandbase

 * Data that we may share or make available: IP address, timestamps of visit,
   referrer, page URL, cookie ID, Sign-up information, device and browser
   characteristics
 * Service description: The Demandbase tag reads the IP address and cookie of
   each visitor and passes that information to our identification API, which
   determines which company the visitor works for. In this way, we're able to
   measure visitors' interest in your company.
 * Learn more:
   https://support.demandbase.com/hc/en-us/articles/115005051743-Understanding-the-Demandbase-Tag


DOES STRIPE HONOR THE GLOBAL PRIVACY CONTROL (GPC) OPT-OUT PREFERENCE SIGNAL?

Yes.  Global Privacy Control (GPC) is a signal that is sent by a web browser on
your behalf that communicates your choice to opt-out of sharing for targeted
advertisements.  If you have enabled GPC on your browser, you will automatically
be opted out of any “sharing” when you interact with our site.  You can learn
more about how to use opt-out preference signals by visiting the Global Privacy
Control website.


CAN I TURN OFF TRACKING AND ADVANCED FRAUD SIGNALS?

Your web browser may allow you to manage your cookie preferences, including
deleting or disabling Stripe cookies. If you choose to disable cookies, keep in
mind that some features of our Site or Services may not operate as intended.
Disabling cookies will not disable the collection of advanced fraud signals,
which we use to prevent fraud on Stripe. The collection of this data is
controlled by the Business User that integrated with Stripe. If a Business User
seeks to disable this data collection, they can find instructions to do so
through Stripe’s documentation. You can take a look at the help section of your
web browser or follow the links below to understand your options for disabling
cookies.

 * Google Chrome
 * Microsoft Internet Explorer
 * Microsoft Edge
 * Safari
 * Firefox
 * Opera

You can learn more about how businesses can disable collection of advanced fraud
signals in our documentation for disabling advanced fraud detection.


HOW DO I DELETE MY ACCOUNT?

You can close your Stripe account from the Settings page on the Dashboard. You
can read more about that on our support page: Close a Stripe account.

Please be aware that we will delete some, but not all, of the information that
we hold, for the reasons explained below.

As a provider of payment services, Stripe is required to comply with many
regulations, including anti-terrorism and anti-money laundering laws. These
regulations and laws may require Stripe to retain transactional records
associated with Business Users for a prescribed period of time after the close
of the business relationship. You can read more about our underwriting
obligations in our Privacy Policy.


HOW DO I DELETE MY CUSTOM CONNECT ACCOUNT?

If you have a Custom Connect account, your account is managed by a Platform /
Business User. They are the party responsible for managing payments for you and
responding to your query; therefore we recommend reaching out to them for
assistance.


HOW DO I DELETE MY EXPRESS CONNECT ACCOUNT?

If you have an Express Connect account, your account is managed by a Platform /
Business User. They are the party responsible for managing payments for you and
responding to your query; therefore we recommend reaching out to them for
assistance.


WHAT IS THE PRIVACY POLICY FOR STRIPE MEDIA SERVICES?

The Privacy Policy for Stripe Media Services (Media Privacy Policy) describes
how Stripe collects and processes personal data in order to provide the Stripe
Media Services, including Stripe Press, Increment, and Works in Progress. We
encourage you to read our Media Privacy Policy to learn more.


DOES STRIPE LOCALIZE STORAGE OF DATA IN INDIA?

Personal Data may be processed either locally in India or in any other country
where we have operations or where we engage service providers, to the extent
permitted under applicable laws of India. The entire payment system data will be
stored only in India in accordance with the RBI data localization guidelines.


WHERE CAN I LODGE MY COMPLAINT ON DATA HANDLING IN INDIA?

If you have any questions or complaints regarding the treatment of your Personal
Data in India, please contact our Nodal Officer and Grievance Officer:

Name - Yogender Singh

Email Address - complaints-in@stripe.com

Address - Prestige Tech Pacific Park, 10th Floor, Building 2, Kadubeesanahalli
Village, Varthur Hobli, Bangalore East Taluk, Bangalore-560103 Karnataka, India

For more information about complaint handling, please visit here.

Separately, for law enforcement requests, please contact LERequests@stripe.com. 


NOTIFICATION IT RULES 2021

We are required to inform you that in case of non-compliance with rules and
regulations, our Privacy Policy or user agreement, we have the right to
terminate your access or usage rights immediately or remove non-compliant
information or both, as the case may be.


COOKIES & OTHER TECHNOLOGY


HOW DOES STRIPE USE COOKIES?

We use cookies to (1) ensure that our services function properly, (2) prevent
and detect fraud and violations of our terms of service, (3) understand how
visitors use and engage with our website and (4) analyze and improve our
services. Depending on your relationship with Stripe and the domain you are
visiting, different cookies apply. For instance, some cookies are set on a public
Stripe or Link domain, some on the Stripe Dashboard or a Link settings page, and
some on the payment page available to end users who make payments using Stripe
services, including Link.

Cookies play an important role in helping Stripe provide personal, effective and
safe services. Please be mindful that we change the cookies periodically as we
improve or add to our services. For more information, please see our Cookie
Policy.


WHAT IS STRIPE.JS?

Stripe.js is a JavaScript library that businesses use to integrate Stripe and
accept online payments (corresponding iOS and Android SDKs enable the same use
cases). Stripe uses Stripe.js to facilitate fraud prevention technologies and
the use of its Link payment services on the websites of Business Users.

For fraud detection, Stripe.js uses cookies, including `__stripe_mid`,
`__stripe_sid`, and `m`, to collect signals differentiating legitimate behavior
from fraudulent behavior. For example, fraudsters and bots often spend less time
on Business Users’ pages than legitimate End Customers. We are able to detect
this behavior and use it in evaluating the risk that a transaction is
fraudulent.

When you visit a site that uses Stripe, you might see this fraud prevention
activity in a privacy report or tracker list on your web browser. Stripe
doesn’t—and won’t—share or sell the fraud data it collects using Stripe.js to
advertisers. Stripe works to keep this fraud detection data secure and ensure it
does not leave Stripe infrastructure. It is exchanged between the following
Stripe-controlled hosts: js.stripe.com, m.stripe.network, and m.stripe.com, and
access to this data is tightly restricted to a small number of Stripe employees
whose security permissions are regularly reviewed. You can read more about how
Stripe uses data for fraud prevention in our Privacy Policy.

Stripe also uses the Stripe.js library to implement cookies and similar
technology such as `pay_sid`, `link.auth_session_client_secret`, and
`elements_session` to enable Link to remember users’ information for faster
checkout across Stripe merchant sites and to collect analytics related to Link’s
implementation on checkout pages.

You should regularly review the Stripe cookies that are placed on your website
and other data collected by Stripe.js. You should consult your counsel regarding
how best to disclose this data collection to your customers, including by
updating your cookie banner. But, here is a paragraph you could add to your
privacy disclosures if they do not already include such information:

We use Stripe for payments, analytics, and other business services. Stripe may
collect personal data including via cookies and similar technologies. The
personal data Stripe collects may include transactional data and identifying
information about devices that connect to its services. Stripe uses this
information to operate and improve the services it provides to us, including for
fraud detection, loss prevention, authentication, and analytics related to the
performance of its services. You can learn more about Stripe and read its
privacy policy at https://stripe.com/privacy.


WHAT ARE ADVANCED FRAUD SIGNALS?

Stripe’s advanced fraud detection looks at signals about device characteristics
and user activity indicators that help distinguish between legitimate and
fraudulent transactions. These signals are highly indicative of fraud and power
Stripe’s fraud prevention systems, such as Radar. The signals are securely
transmitted to Stripe’s backend by periodically making requests to the
m.stripe.com endpoint.

You can learn more in our documentation for advanced fraud detection.


WHY ARE ADVANCED FRAUD SIGNALS NOT AD TRACKING?

Stripe only uses these advanced fraud detection signals to enable secure
payments and prevent fraud. We don’t use this data to build individual profiles
or share or sell it to third-party advertisers.

You can read more about how we use this data in our Privacy Policy.


WHAT OBLIGATIONS SHOULD MERCHANTS KEEP IN MIND RELATING TO COOKIE TECHNOLOGY ON
THEIR SITES?

This article aims to provide information about the use of cookies and similar
technologies (“cookies”) on the websites where you as a merchant may use Stripe
services and how the cookies support the functions and features of Stripe's
services for merchants. For example, your use of certain Stripe services may
load stripe.js. Stripe.js is a JavaScript library provided by Stripe, and in one
of its functions it uses cookies for various purposes including fraud
prevention, authentication, and analytics (for the avoidance of doubt, the
elements_session analytics cookie is only set in some US states). Please refer
to https://stripe.com/cookie-settings for more information. The specific cookies
used by stripe.js depend on your configuration with the related Stripe products.

For example, one of the key features of stripe.js is the fraud prevention system
provided by Stripe's Radar product. Radar uses cookies to help businesses reduce
chargebacks and losses from fraudulent transactions.

Please note that the use of cookies may have legal implications depending on the
geographical location of your business and customers. As a result, you may need
to take appropriate action to ensure compliance with local regulatory
requirements related to cookies. 

You should regularly review the Stripe cookies that are placed on your website
to ensure that your own privacy disclosures tell your end users about this type
of data collection, and also update your cookie disclosure and/or consent banner
accordingly after reviewing the cookies placed on your website. 

Here is a paragraph you could add to your privacy disclosures if it does not
already include such a disclosure:

We use Stripe for payments, analytics, and other business services. Stripe may
collect personal data including via cookies and similar technologies. The
personal data Stripe collects may include transactional data and identifying
information about devices that connect to its services. Stripe uses this
information to operate and improve the services it provides to us, including for
fraud detection, loss prevention, authentication, and analytics related to the
performance of its services. You can learn more about Stripe and read its
privacy policy at https://stripe.com/privacy.

Below is an overview of the specific cookies associated with each product and
their respective functions for Embeddable Checkout, Elements, Radar, and Link.

| Cookie Name | Category | Description | Cookie in use when using |
|---|---|---|---|
| `m` | Fraud Prevention | Set for fraud prevention purposes and helps us assess the risk associated with an attempted transaction. Learn more about advanced fraud detection. | Radar |
| `__stripe_mid` | Fraud Prevention | Set for fraud prevention purposes and helps us assess the risk associated with an attempted transaction. Learn more about advanced fraud detection. | Radar |
| `__stripe_sid` | Fraud Prevention | Set for fraud prevention purposes and helps us assess the risk associated with an attempted transaction. Learn more about advanced fraud detection. | Radar |
| `pay_sid` | Authentication | Provide a logged-in experience when a consumer uses link.com to make purchases on a merchant site. | Link, Embeddable Checkout, Checkout & Elements |
| `__Host-LinkSession` | Authentication | Stores consumer credentials to provide a one-click payment experience at checkout. | Link & Elements |
| `link.auth_session_client_secret` | Authentication | Provide a logged-in experience when a consumer uses Stripe-hosted payment UIs to make purchases and Crypto Onramp to purchase crypto. | Link |
| `elements_session` | Analytics | The `elements_session` US-only cookie allows us to measure the result of changes we make to the Stripe Elements product and ensure that the performance of the product continues to improve over time. | Embeddable Checkout, Elements & Link |


HOW DOES STRIPE REMEMBER PAYMENT METHOD DETAILS FOR LINK?

Link (formerly known as “Remember Me”) lets end users save and reuse their
payment information for faster checkout at thousands of online businesses that
use Stripe. When an end user makes a purchase via a Business User (i.e.,
merchant) that enables Link, the end user can ask Stripe to remember their
payment method details, such as credit and debit card details. If an individual
chooses to be remembered, Stripe will remember the end user’s email address,
phone number, shipping address, and payment method details for future Link
transactions.

The payment method details for future transactions may be remembered across
multiple Stripe Business Users. Generally, once the cookie is set, the end user
may make “1-click” purchases using Link when they check out, which means that
Stripe will automatically populate the end user’s saved information into their
checkout on their behalf, and use the information to complete the transaction
faster.

If the end user enters their phone number or email address during a future Link
transaction, Stripe will authenticate the end user by sending the end user a One
Time Passcode (OTP), e.g. via an SMS message or email. If the end user correctly
enters the OTP, Stripe or the Business User will set a cookie in the end user’s
browser, indicating that the end user has been authenticated. If the end user
does not enter the OTP, or elects to “log out” of their Link session, then the
cookie won’t remember the end user.

A cookie is only stored in a specific browser on a specific device. If an end
user wishes to make 1-click purchases in a different browser or on a different
device, they must go through the OTP authentication process for the new browser
or device combination.

After 90 days, it will be necessary for the end user to re-complete the OTP
process. The end user may also proactively remove the cookie by clearing cookies
in their browser or by selecting the “log out” option when this option is
presented in checkout.

If an end user no longer wishes for Stripe to remember their payment method
details when they check out in the future, the end user may use the self-service
deletion tool. Alternatively, the end user may also contact Stripe support to
make this request.

The description above explains how an end user may control how their
information is stored and used to check out. However, this does not affect the
other contexts in which Stripe may store and use end user information. In
particular, Stripe may store and use such information as described elsewhere on
this Privacy Center, including for purposes such as advanced fraud detection.


WHAT OBLIGATIONS SHOULD LINK USERS KEEP IN MIND RELATING TO COOKIE TECHNOLOGY ON
THEIR SITES?

Based on your integration choice (e.g., for Link in Elements), you may have
legal responsibilities associated with cookies and similar technology that
Stripe uses for fraud detection and/or authentication purposes.

You should always check with your legal counsel to understand how you should
comply with applicable legal obligations with setting cookies and similar
technology. This section has information to keep in mind.

Stripe cookies or similar technology are set on your domain (e.g. on your
checkout flow) from the Stripe.js library. The current Stripe cookies from the
Stripe.js library include fraud prevention cookies
like `__stripe_mid`, `__stripe_sid`, and `m`, and also end-user authentication
cookies like `pay_sid` and `__Host-LinkSession`.

You should regularly review the Stripe cookies that are placed on your website
to ensure that your own privacy disclosures tell your end users about this type
of data collection, and also update your cookie banner accordingly after
reviewing the cookies placed on your website. Here is a paragraph you could add
to your privacy disclosures if it does not already include such a disclosure:

We use Stripe for payments, analytics, and other business services. Stripe may
collect personal data including via cookies and similar technologies. The
personal data Stripe collects may include transactional data and identifying
information about devices that connect to its services. Stripe uses this
information to operate and improve the services it provides to us, including for
fraud detection, loss prevention, authentication, and analytics related to the
performance of its services. You can learn more about Stripe and read its
privacy policy at https://stripe.com/privacy.


DOES STRIPE USE CAPTCHA TO PROTECT ITS WEBSITE FROM FRAUD AND ABUSE? 

Yes, some of the Stripe sites may implement Google reCAPTCHA Enterprise to help
prevent fraud and abuse. Information collected by Google is used to provide and
improve reCAPTCHA Enterprise and for general security purposes. Use of reCAPTCHA
Enterprise is subject to Google’s Privacy Policy and Terms of Use.

We may also use hCAPTCHA Enterprise to help protect Stripe’s sites and services
from fraud and abuse, including by bots impersonating human beings.  When you
access Stripe’s sites and services protected by hCAPTCHA, we may share data,
including browser features and certain hashed identifiers with our hCAPTCHA
provider Intuition Machines, Inc.  To the extent that this data is Personal
Data, Intuition Machines processes it on Stripe’s behalf as a Data Processor.


CONTACT US


CONTACT OUR PRIVACY TEAM

If you have any outstanding privacy questions after reviewing the privacy
policy, please don’t hesitate to reach out to us by email, or through our form.

If you’d like to send us physical mail, please send to:

Stripe, Inc.

354 Oyster Point Boulevard

South San Francisco, California, 94080, USA

Attention: Stripe Legal

Stripe Payments Europe Limited

1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland

Attention: Stripe Legal


WHERE CAN I LEARN MORE ABOUT STRIPE’S SECURITY PRACTICES?

Visit our security page to learn more about Stripe’s security practices. You
should contact us immediately if you become aware of any unauthorized use or any
other breach of security regarding the Stripe services.

 * © 2024 Stripe, Inc.