Stripe is a leading global payment processing platform used by millions of businesses to accept online and in-person payments. For European businesses, Stripe processes payment data within the EU, is PCI DSS certified, and provides comprehensive GDPR compliance documentation including DPAs and SCCs. The primary legal basis for payment processing is contract performance. Stripe's fraud detection (Stripe Radar) uses device fingerprinting and behavioural signals, which constitutes additional personal data processing that is justified by legitimate interest and legal obligation.
Stripe is a global technology company that builds economic infrastructure for the internet. Its core product is a payment processing platform that enables businesses to accept credit cards, debit cards, bank transfers, buy-now-pay-later options, and dozens of other payment methods online and in person. Stripe also provides products for billing and subscriptions (Stripe Billing), fraud prevention (Stripe Radar), identity verification (Stripe Identity), tax automation (Stripe Tax), and marketplace payments (Stripe Connect).
Stripe processes cardholder data (card number, expiry, CVV), billing addresses, email addresses, IP addresses, device fingerprints (for Stripe Radar fraud detection), transaction history, and for Stripe Identity: government ID images and selfies. The legal basis varies by data category: contract performance for payment processing, legal obligation for AML/KYC requirements, and legitimate interest for fraud prevention.
Stripe.js sets the __stripe_mid (machine ID, 1 year) and __stripe_sid (session ID, 30 minutes) cookies for fraud prevention via Stripe Radar. These are placed on the payment page domain, not as third-party cookies. Their purpose is fraud detection and security, which supports a legitimate interest legal basis. Most cookie consent frameworks exempt strictly necessary fraud prevention cookies from consent requirements, but this should be verified with your DPO.
Stripe processes European payment transactions within the EU. Stripe is certified PCI DSS Level 1, the highest level of payment card security certification. Stripe's EU entity (Stripe Payments Europe, Limited) is an authorised payment institution regulated by the Central Bank of Ireland. This EU regulatory status means Stripe is subject to both GDPR and financial services regulation for European transactions.
Sign the Stripe Data Processing Agreement from the Stripe Dashboard. Add Stripe to your privacy policy describing payment data processing, fraud detection, and the legal bases used. Include the Stripe.js fraud prevention cookies in your cookie policy (classified as strictly necessary security cookies). For Stripe Identity deployments, conduct a DPIA for identity document processing. Implement Stripe Customer deletion for erasure requests while respecting financial record retention requirements.
Websites using Stripe must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard Stripe payment processing. It may become relevant for large-scale e-commerce platforms processing payment data at high volume, or for marketplaces where Stripe Connect involves multiple parties sharing financial data.
Sample consent text
Payments on this website are processed by Stripe. When you make a payment, Stripe collects your payment card information and billing details to process your transaction. Stripe also uses device information for fraud prevention. See our privacy policy and Stripe's privacy policy for full details.
Third-party domains contacted
stripe.com
js.stripe.com
api.stripe.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __stripe_mid | persistent | 1 year | Stripe machine identifier for fraud prevention via Stripe Radar — strictly necessary security cookie |
| __stripe_sid | session | 30 minutes | Stripe session identifier for fraud detection during active payment sessions |
Yes. Stripe provides a GDPR DPA, processes EU payment data within the EU via its Irish-regulated entity, and is PCI DSS Level 1 certified. Sign the Stripe DPA from the Stripe Dashboard before processing EU personal data.
Contract performance (Art. 6(1)(b)) for processing the payment transaction. Legal obligation (Art. 6(1)(c)) for fraud prevention, AML, and financial regulatory record-keeping. Legitimate interest (Art. 6(1)(f)) for Stripe Radar fraud scoring. No consent is required for standard payment processing.
The __stripe_mid and __stripe_sid cookies are strictly necessary for fraud prevention (Stripe Radar). Most GDPR implementations classify these as strictly necessary security cookies exempt from consent requirements. Verify this classification with your DPO and document the justification.
Stripe processes European payment transactions via its EU-regulated Irish entity within the EU. Some ancillary services (analytics, ML model training) may involve US processing with SCCs. The core payment processing for EU merchants stays within the EU.
Describe: that payments are processed by Stripe, the categories of data (payment card details, billing address, device information for fraud detection), the legal bases (contract performance, legal obligation, legitimate interest for fraud prevention), and link to Stripe's privacy policy.
Generally not for standard payment processing. A DPIA becomes relevant for: Stripe Identity (processing government ID images), large-scale marketplace deployments (Stripe Connect), or platforms processing payments for sensitive goods or services.
Delete the Stripe Customer object via the Stripe API (DELETE /v1/customers/{id}). Note that Stripe must retain certain transaction records for legal and financial compliance purposes (typically 7-10 years). Communicate to data subjects that financial transaction records have a mandatory retention period.
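Worked example of the erasure step above, added here and not Stripe's own code or SDK: it issues the DELETE /v1/customers/{id} call and returns a record for the data subject request log noting that transaction records are retained rather than erased. The `send` callable and the `RETENTION_YEARS` value are assumptions so the logic can be exercised offline.

```python
import json
import re
import urllib.error
import urllib.request
from datetime import date

STRIPE_API = "https://api.stripe.com/v1"
RETENTION_YEARS = 7          # assumption: lower end of the 7-10 year range above
CUSTOMER_ID = re.compile(r"^cus_[A-Za-z0-9]+$")


def http_delete(url, secret_key):
    """Real transport: DELETE with Bearer auth, returns (status, body)."""
    req = urllib.request.Request(url, method="DELETE")
    req.add_header("Authorization", f"Bearer {secret_key}")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


def erase_customer(customer_id, secret_key, send=http_delete, today=None):
    """Delete the Customer object and return a record for the DSAR log.

    `send` is an assumption: a (url, key) -> (status, body) callable so the
    logic can run offline; by default it performs the real request.
    """
    if not CUSTOMER_ID.match(customer_id):
        raise ValueError(f"not a Stripe customer id: {customer_id!r}")
    status, body = send(f"{STRIPE_API}/customers/{customer_id}", secret_key)
    if status == 200 and body.get("deleted") is True:
        outcome = "deleted"
    elif status == 404 and body.get("error", {}).get("code") == "resource_missing":
        outcome = "already_deleted"      # repeated requests stay idempotent
    else:
        raise RuntimeError(f"Stripe returned {status}: {body}")
    today = date.fromisoformat(today) if today else date.today()
    try:
        until = today.replace(year=today.year + RETENTION_YEARS)
    except ValueError:                   # 29 Feb in a non-leap target year
        until = today.replace(year=today.year + RETENTION_YEARS, day=28)
    return {
        "customer": customer_id,
        "outcome": outcome,
        # Deleting the Customer does not remove charges/PaymentIntents; they
        # stay under the financial record-keeping obligation (Art. 6(1)(c)).
        "retained": "transaction records",
        "retention_until": until.isoformat(),
    }
```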
Stripe being GDPR-compliant as a processor does not automatically make your platform compliant. You remain the data controller and must: sign the DPA, include Stripe in your privacy policy, have a lawful basis for payment data processing, and handle customer data subject requests appropriately.