Stripe

Stripe

Basic information
Founded	2010
Legal Structure	Private
Industry	E-commerce, Financial services
Also known as
Official website	https://stripe.com/

Stripe Inc. is an Irish-American multinational financial services and software as a service (SaaS) company dual-headquartered in South San Francisco, California, United States, and Dublin, Ireland. The company primarily offers payment-processing software and application programming interfaces for e-commerce websites and mobile applications. Stripe is the largest private fintech company with a valuation of about $91 billion.

Stripe's business model focuses primarily on developers and enterprises rather than end consumers, resulting in products and policies that often disregard consumer needs.

Stripe charges standard processing fees of 2.9% + $0.30 for card-not-present transactions, its complex fee structure includes numerous add-ons that increase costs.^[1]

These include:^[1]

• Invoicing services: 0.4-0.5% on top of regular fees
• Billing services: 0.70% of volume
• International payments: 1.5% additional
• Same-day funding fees: 1.5% per transfer

These costs are ultimately passed to consumers through higher prices, while Stripe's developer-focused approach means consumer-facing features like dispute resolution and transparency take lower priority. The company's enterprise orientation is evident in its customer base: while serving over 5.3 million businesses globally, Stripe primarily caters to sophisticated entities rather than individual consumers or small merchants.^[2][3]

Stripe's dispute process heavily favors merchants over consumers. The company charges a $15 non-refundable fee for each charge-back, regardless of outcome. ^[1]

This practice discourages legitimate disputes by imposing costs on merchants that may then be passed back to consumers through various means. While Stripe offers fraud prevention tools like Radar, these primarily protect merchants rather than consumers.

The company's technical complexity creates barriers for consumers seeking resolution. Unlike traditional payment processors with dedicated consumer support, Stripe's developer-first approach means consumers must typically navigate dispute processes through merchant implementations that often lack transparency or customer service options.

Stripe has achieved significant market dominance in particular segments, especially among technology companies and startups. The company powers 92% of Y Combinator startups launched since 2019 and 75% of Forbes Cloud 100 companies.^[3] This dominance gives Stripe significant influence over how emerging businesses implement payment systems and handle consumer transactions.

Stripe's ecosystem lock-in strategies include complex API implementations that make migration to alternative providers difficult and costly. Once businesses build their payment infrastructure around Stripe's APIs, they face substantial switching costs that reduce competitive pressure on Stripe to improve consumer-facing features and protections.

In March 2026, an inquiry was requested from Stripe's privacy team aiming for clarification on how personal data is processed by third-party vendors and payment partners. The inquiry focused on several data privacy concerns and consumer privacy concerns: (1) whether third-party vendors could independently use personal data, (2) how deletion of data occurs following account closure, and (3) the data retention practices, including the retention policy among the broader payment ecosystem (third-parties).

Stripe's privacy team responded, stating that its suppliers, sub-processors, and vendors “process data only on Stripe’s documented instructions and only to provide services to Stripe.” This clarification has several important implications important for consumers.

First, the aforementioned vendors are processors, not controllers under this policy. Therefore, Stripe remains legally responsible for how consumers' data is used. Under GDPR privacy frameworks and United States privacy laws, a controller must supervise its processors, so Stripe is accountable for ensuring vendors follow terms and protect user data.

Second, vendors cannot decide how to use the data themselves. A processor cannot independently choose to use personal data for activities like advertising, product development or marketing analytics. Processors can only execute data activities specific to what their contract with Stripe instructs them to do.

Third, vendors cannot retain user data indefinitely. Stripes states: “When a Stripe account is closed, Stripe begins the process of restricting and ultimately deleting or de-identifying personal data associated with the account, subject to legal and regulatory retention requirements.” Generally, processors must delete the data when the service relationship end. The vendor’s retention policy reflects that of Stripe’s own policy on data retention. It's important to mention that "de-identifi[cation]" means user data components that are personally identifiable are scrubbed or masked, but the underlying transaction records may still exist.

Fourth, a restriction of auxiliary use of consumer data is in place. Without this restriction, vendors could possibly reuse payment data for their own purposes, such as for training their AI tools or analyzing user data. By stating that vendors only process data “to provide services to Stripe,” they claim those auxiliary uses are not allowed.

The fourth implication also helped to reveal a tangible boundary in the payment ecosystem during this inquiry. Stripe explains that while vendors are restricted processors, other parties in the payment ecosystem, like Visa and Mastercard, can act as independent controllers.

“Card networks, issuing and acquiring banks, and other payment partners can act as independent data controllers. When they do, they determine their own purposes and means for processing personal data.”

This is crucial because these types of controllers are not bound by Stripe's policy since they operate under their own framework. There are two things to take away from this:

1. Inside Stripe's vendor network, Stripe claims tight contractual control over its vendors...
2. ...but introducing the scope of the global payments network reveals Strip is just another participant. Therefore, not every company involved in a transaction is under Stripe's control.

This principle reaches data retention practices. According to Stripe, not all entities involved in a payment transaction fall under these contractual restrictions. During the inquiry, Stripe explained that several participants in the payments ecosystem operate independently of Stripe’s supplier agreements:

“their use and retention of personal data is governed by their own legal and regulatory frameworks and privacy notices, not by Stripe’s supplier data-processing agreements.”

While Stripe exercises contractual control over vendors operating as processors, other financial entities (e.g., Visa and Mastercard) may retain transaction data under their own instructions. In addition, Stripe notes, as a regulated payment services provider, they must comply with financial recordkeeping laws. Stripe indicates that anti-money-laundering (AML) and counter-terrorism financing regulations require payment providers to:

“obtain, verify, and record information that identifies businesses and persons to whom they provide services and to retain associated records for at least five years after the close of the customer relationship.”

The correspondence from this inquiry illustrates a concerning, layered structure of payment data governance. Multiple independent organizations may process or retain consumer transaction data under separate legal authorities. This reveals that Stripe is not the only entity legally obligated to keep user data. Even if Stripe deletes or de-identifies user data, other financial institutions involved in payment network may still legally retain their own records of the same transaction.

Areas of further investigation:

• There is still more work to be done in the realm of third-party transparency. Stripe did not disclose a complete list of suppliers, sub-processors, or independent controllers handling consumer data. We cannot know exactly who has access to our personal information.
• For data retention practices, while Stripe claims that account closure triggers data deletion/de-identification, they did not clarify how long independent controllers retain consumer data OR whether they PII components of the data are absolutely de-identified.
• There is little control over independent controllers. We have little recourse if independent controllers mishandle data. Stripe’s agreements only govern its direct suppliers, not external entities.

• Unknown safeguards during archival and backup process: Stripe states that archived personal data is separate from active systems and retained in compliance with AML and sector-specific rules, but we do not know how long the data remains accessible or how much consumer privacy is taken into account during the archiving technique.