Stripe and Data Protection – What Belongs in the Privacy Policy

Concise guide to Stripe: data processed, purposes, legal bases (GDPR), and what website operators integrating Stripe need to include in their privacy policy.

If a website operator integrates Stripe, every page that embeds a payment function transmits device and browser data, IP addresses and payment information of users to Stripe, which processes them in order to accept payments, detect fraud and provide the checkout experience. This page shows website operators in Germany which data Stripe processes according to the publicly available statements of the provider, which purposes and legal bases are typically relevant, and how these processing activities can be reflected in a privacy policy in a structured manner. The focus is on the client-side integration of Stripe via Stripe.js, Stripe Elements and Stripe Checkout on the operator's own website.

A. Purpose and Function of Stripe

Stripe is a payment service provider that offers website operators a technical and contractual infrastructure for accepting online payments. Accepted means of payment include, in particular, credit and debit cards, SEPA direct debits, wallet methods such as Apple Pay and Google Pay and various regionally widespread payment methods. As part of the checkout process, Stripe handles the capture of payment data, authorisation with the card issuer, settlement with acquirers and the subsequent payout to the website operator.

Beyond the actual payment, Stripe offers further functions such as subscription management (Stripe Billing), invoicing (Stripe Invoicing), risk and fraud prevention (Stripe Radar), identity verification (Stripe Identity) and hosted payment pages and links (Stripe Checkout). This page concentrates on the client-side integration on the operator's website, that is on the script integration via Stripe.js, the payment field components Stripe Elements and the hosted payment page Stripe Checkout. Functions used exclusively on the server side or in the Stripe dashboard (e.g. accounting exports or subscription reports) are not covered here.

As soon as the operator embeds the checkout function on a page, the user's browser loads the Stripe script from Stripe's servers. Stripe states in its publicly available notices that it also collects security and fraud-relevant signals during this process, in particular device and browser characteristics as well as behavioural indicators while payment data is being entered.

B. Mandatory Disclosures in the Privacy Policy when Using Stripe

In addition to the general information about the website operator, the rights of data subjects and the supervisory authority, the GDPR requires the following specific disclosures regarding the use of tools such as Stripe: the purposes of the processing (Art. 13(1)(c) GDPR), the legal bases (Art. 13(1)(c) GDPR), the specific legitimate interests pursued where processing is based on a balancing of interests (Art. 13(1)(d) GDPR), the recipients or categories of recipients (Art. 13(1)(e) GDPR), information on transfers to third countries (Art. 13(1)(f) GDPR), the storage period or the criteria used to determine it (Art. 13(2)(a) GDPR) and – where data are not collected directly from the data subject – the categories of data processed (Art. 14(1)(d) GDPR).

The following sections break down these obligations specifically for the use of Stripe. As a matter of legal classification, a distinction must regularly be drawn between processing activities that Stripe carries out for the website operator on instruction, and processing activities that, according to the publicly available statements of the provider, Stripe carries out for its own purposes – in particular for fraud prevention and to comply with financial-supervisory obligations.

In practice, it does not appear necessary to describe every individual tool – including Stripe – with its own boilerplate clause in the privacy policy. While this "template-per-tool" approach has become widespread, it leads to long, lawyer-drafted texts that are repetitive and barely readable for users. A more appropriate approach is topic-oriented: the privacy policy describes processing activities by topic (server operation, sales and payment, tracking, newsletter …) and lists specific service providers such as Stripe as recipients in an annex. This is precisely the methodology of the matterius generator.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Stripe

According to the publicly available statements of the provider, the contracting party for website operators in the European Economic Area is, as a rule, Stripe Payments Europe, Limited, with its registered office at 1 Grand Canal Street Lower, Grand Canal Dock, Dublin D02 H210, Ireland. In addition, Stripe Technology Europe, Limited, with the same address, acts in respect of certain processing activities and is, according to Stripe, the GDPR main establishment in Europe. Which of these companies acts as contracting party in an individual case follows from the relevant contractual documents and is to be reviewed by the website operator.

The parent company is Stripe, Inc., based in the United States. According to the publicly available statements of the provider and the entry on the DPF list (https://www.dataprivacyframework.gov/participant/6436), Stripe, Inc. is certified under the EU-US Data Privacy Framework. Transfers to the United States may additionally be based on EU Standard Contractual Clauses where these are agreed.

The provider's privacy notice is available at https://stripe.com/privacy. Stripe's DPF policy is published at https://stripe.com/legal/data-privacy-framework. A Data Processing Agreement is provided at https://stripe.com/legal/dpa.

D. Data Processing in Stripe – Step-by-Step

Collection: As soon as a user accesses a page on which Stripe.js, Stripe Elements or Stripe Checkout are integrated, the Stripe script is loaded from Stripe servers. According to the publicly available statements of the provider, Stripe already receives web server log data at this stage (in particular IP address, timestamp, requested URL and user-agent). During the actual payment process, Stripe additionally collects the payment data entered in the payment field as well as device and behavioural signals for fraud prevention.
Storage: Data is stored on the Stripe platform. Stripe states that payment and transaction data are kept for several years to comply with statutory retention and financial-supervisory obligations. The specific retention period and storage locations follow from the contract documents and Stripe's privacy notices.
Use: Stripe uses the data to process the payment (authorisation, communication with acquirers and schemes), to prevent fraud and abuse (in particular via Stripe Radar), to comply with statutory obligations (anti-money-laundering rules, sanctions screening) and for its own business purposes such as improving the Stripe platform. The website operator uses the data to fulfil the contract with the user (order, delivery, invoicing) and for accounting purposes.
Sharing: Stripe transfers data to subprocessors (e.g. cloud hosters and acquiring banks) and to Stripe group companies, including Stripe, Inc. in the United States. Payment data are also transferred to the relevant card and payment networks (e.g. Visa, Mastercard, SEPA) and to the account-holding banks.
Deletion: Deletion takes place once the basis for storage no longer applies and subject to statutory retention periods. Through the Stripe dashboard and the API, website operators can manage individual data records; complete deletion of payment records before the end of statutory retention periods is regularly not possible.
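The collection step above means that a page sends Stripe web server log data the moment Stripe.js is embedded, whether or not the visitor ever starts a payment. A practical way to confine that data flow to the checkout step is to load the script on demand. The following JavaScript is an added example written for this article, not code from Stripe or from the matterius generator. It assumes the Stripe.js URL https://js.stripe.com/v3/ and the global Stripe(publishableKey) constructor that the script defines; the publishable key is a placeholder, and the small stand-in for window and document is constructed here only so the loader can be exercised outside a browser.

```javascript
// Added example for this article (not Stripe's code): load Stripe.js only
// when the visitor actually enters the checkout step, so that pages without
// a payment function never contact js.stripe.com and therefore send Stripe
// no web server log data (IP address, requested URL, user agent) for those
// page views.
//
// Assumptions: the Stripe.js URL https://js.stripe.com/v3/ and the global
// Stripe(publishableKey) constructor it defines; the publishable key used
// below is a placeholder.

const STRIPE_JS_URL = "https://js.stripe.com/v3/";

// Returns a Promise for a Stripe instance. The script tag is inserted at
// most once per page; concurrent and repeated calls share the same Promise.
// `win` and `doc` default to the browser globals and can be injected.
function loadStripeOnDemand(publishableKey, win = globalThis.window, doc = globalThis.document) {
  if (win.__stripeLoader) return win.__stripeLoader;

  win.__stripeLoader = new Promise((resolve, reject) => {
    if (typeof win.Stripe === "function") {
      resolve(win.Stripe(publishableKey)); // script already present
      return;
    }
    const script = doc.createElement("script");
    script.src = STRIPE_JS_URL;
    script.async = true;
    script.onload = () => {
      if (typeof win.Stripe !== "function") {
        reject(new Error("Stripe.js loaded but window.Stripe is not defined"));
        return;
      }
      resolve(win.Stripe(publishableKey));
    };
    script.onerror = () => reject(new Error("Stripe.js could not be loaded"));
    doc.head.appendChild(script);
  });
  return win.__stripeLoader;
}

// Number of Stripe.js script tags in <head>: 0 before checkout, 1 afterwards.
function countStripeScripts(doc) {
  return Array.from(doc.head.children)
    .filter(el => el.tagName === "SCRIPT" && el.src === STRIPE_JS_URL).length;
}

// Constructed stand-in for window/document so the loader can be exercised
// outside a browser. appendChild simulates the network fetch: it defines the
// global Stripe constructor and then fires onload, as the real script would.
function makeFakeBrowser() {
  const win = {};
  const doc = {
    createElement: tag => ({ tagName: tag.toUpperCase(), src: "", async: false, onload: null, onerror: null }),
    head: {
      children: [],
      appendChild(el) {
        this.children.push(el);
        Promise.resolve().then(() => {
          win.Stripe = key => ({ publishableKey: key }); // stands in for the real constructor
          if (el.onload) el.onload();
        });
      },
    },
  };
  return { win, doc };
}

// Stand-alone demonstration with the fake browser (no network access).
const demo = makeFakeBrowser();
console.log("Stripe.js tags before checkout:", countStripeScripts(demo.doc));
loadStripeOnDemand("pk_test_placeholder", demo.win, demo.doc).then(stripe => {
  console.log("Stripe.js tags after checkout:", countStripeScripts(demo.doc),
              "key:", stripe.publishableKey);
});
```

On a real page, loadStripeOnDemand is called without the last two arguments from the click handler or route that opens the checkout. The trade-off belongs in the operator's own assessment: Stripe's integration documentation recommends loading Stripe.js on every page so that Radar can collect fraud signals before checkout, so deferring the load reduces the data sent to Stripe for ordinary page views at the cost of those signals.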

E. Data Collected when Using Stripe

According to the publicly available statements of the provider, the following data are processed in particular when Stripe is used: the IP address and timestamp of the request, technical data on the browser, operating system and device, the payment information entered in the payment field (card number, expiry date, CVC; for SEPA: IBAN), name and billing/delivery address, where applicable email address and telephone number, order data (amounts, currencies, product references) as well as behavioural and device signals which Stripe evaluates for fraud prevention (e.g. typing patterns, mouse movements, device fingerprints).

These data can be classified into the following standardised data categories:

  • Web server log data: IP address of the internet connection, date, time and time zone of the request, URL of the requested content, referrer, status code of the server response and amount of data transferred.
  • Device data: device type, operating system, screen resolution and screen size, touch support.
  • Browser information: browser name, browser version, where applicable installed extensions.
  • Coarse location data: coarse location of the user determined on the basis of the IP address, e.g. for risk assessment as part of fraud prevention.
  • Interaction data: typing, mouse and scrolling movements as well as input behaviour in the payment field, to the extent that Stripe evaluates these in order to detect anomalous behaviour.
  • Technical telemetry data: technical error messages, loading times and similar metrics on the functioning of Stripe components.

For the actual processing of the payment, typical order and contract data are added (name, address, email, order items, amounts, payment method, transaction identifiers), which the website operator processes in any event in the context of the sale.

F. Purposes when Using Stripe

The website operator uses Stripe primarily to handle payments in connection with its online business. The data processed by Stripe enable the operator to receive the purchase price owed, to assign the payment to the corresponding order, to comply with statutory record-keeping and retention obligations and to prevent payment defaults and fraud.

These purposes can be classified into the following standardised purpose categories:

  • Provision of functionality: making the payment function available on the website, technical delivery of Stripe components, error detection and error correction during the payment process.
  • Contract performance: handling the contract concluded between the website operator and the user, including payment processing, invoicing and reversal of payments (refunds, chargebacks).
  • Security and abuse prevention: detecting and preventing fraud, identity abuse and card abuse as well as spam and bot defence in the payment process; in particular evaluation of device and behavioural signals for risk classification.
  • Compliance with retention obligations: retention of payment and accounting data to comply with tax and commercial law obligations (e.g. § 147 AO, § 257 HGB).
  • Compliance: compliance with statutory obligations, in particular under anti-money-laundering and financial-supervisory law.
  • Enforcement of legal claims: assertion, exercise or defence of legal claims, in particular in the case of disputed payments and chargebacks.

G. Tool Category and Legal Bases when Using Stripe

In a first step, the tool must be assigned to a tool category: in the integration described here (Stripe.js, Stripe Elements, Stripe Checkout), Stripe falls primarily into the category sales/payment, supplemented – to the extent that Stripe uses the corresponding functions – by elements of the category security/abuse prevention (Stripe Radar). According to the publicly available statements of the provider, an assignment to the category tracking is not appropriate, as Stripe.js is intended for the payment function and fraud prevention rather than for reach measurement or advertising targeting.

In a second step, the following legal bases regularly come into consideration for the processing carried out in connection with Stripe:

  • Art. 6(1)(b) GDPR (contract performance) for processing order and payment data, to the extent that this is necessary for the performance of the contract between the website operator and the user.
  • Art. 6(1)(c) GDPR (legal obligation) for the retention of payment and accounting data under commercial and tax law obligations and for compliance with anti-money-laundering rules.
  • Art. 6(1)(f) GDPR (legitimate interests) for fraud and abuse prevention (Stripe Radar) and for the secure provision of the payment function. Typical legitimate interests considered relevant include abuse prevention, security, enforcement of legal rights and efficiency.

To the extent that Stripe processes data as an independent controller for its own purposes (in particular group-wide fraud prevention and compliance with its own regulatory obligations), the legal bases for these processing activities follow from Stripe's own privacy notices. The specific legal basis is to be reviewed by the website operator in the individual case.

The legal classification of Stripe is fact-specific and to be reviewed by the website operator in the individual case. In particular, whether Stripe acts as processor, joint controller or independent controller in respect of specific processing activities follows from the relevant contractual documents.

H. Specific Notes on Stripe

  • Role of the provider: In its publicly available notices, Stripe states that, depending on the processing activity, it acts either as a processor (service provider) or as an independent controller. For processing activities aimed at fulfilling its own regulatory obligations (e.g. anti-money-laundering) and for network-wide fraud prevention, Stripe regularly acts as an independent controller according to these statements.
  • DPA: Stripe provides a Data Processing Agreement at https://stripe.com/legal/dpa. Website operators that transmit personal data of their users to Stripe should incorporate this agreement.
  • Third-country transfer: According to the provider, intra-group transfers to Stripe, Inc. in the United States are possible. Stripe, Inc. is certified under the EU-US Data Privacy Framework (https://www.dataprivacyframework.gov/participant/6436); EU Standard Contractual Clauses may be agreed as an additional safeguard.
  • Subprocessors: Stripe uses subprocessors for hosting, communications, fraud prevention and compliance. A current list is regularly linked in the Stripe Privacy Center (https://stripe.com/legal/privacy-center).
  • Settings for the website operator: Risk and Radar rules can be configured in the Stripe dashboard. Website operators should consider which Stripe component is integrated (Stripe Elements, Stripe Checkout, Payment Links) and whether additional functions such as Stripe Identity are activated, as different processing activities may result.
  • Cookies and § 25 TDDDG: Where cookies or comparable storage access are set during the payment process that are not strictly necessary within the meaning of § 25(2) no. 2 TDDDG, consent is required. To the extent that cookies are strictly technically necessary to carry out the payment process, reliance on the necessity exemption may be considered; the assessment is to be made in the individual case.

J. Conclusion on Data Protection at Stripe

Stripe enables website operators to accept online payments and processes order, payment and security data for that purpose. According to the publicly available statements of the provider, the contracting party for website operators in the EEA is, as a rule, Stripe Payments Europe, Limited in Dublin; the US parent company Stripe, Inc. is certified under the EU-US Data Privacy Framework. Which processing activities Stripe carries out as a processor and which as an independent controller follows from the relevant contractual documents and is to be reviewed by the website operator.

For the privacy policy of the website, it is usually of little benefit to include a separate, formulaic clause for Stripe. Such a "template-per-tool" approach makes the privacy policy long, unwieldy and hard to maintain and is in tension with the transparency requirement of Art. 12(1) GDPR, which requires concise, transparent, intelligible and easily accessible information. A more appropriate approach is a structured, topic-oriented one in which processing activities are described by topic block (server operation, sales and payment, tracking, newsletter …) and specific service providers such as Stripe are listed exclusively in an annex of recipients. The matterius generator implements this methodology in a structured way.

This article provides general information on Stripe and is based on publicly available information from the provider and other publicly accessible sources. It does not replace legal advice in the individual case. Status: 6 May 2026.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com