Privacy policy for Stripe

How to disclose Stripe Payments, Stripe Radar, and Stripe Identity without violating PCI scope.

What Stripe sees that you do not

Stripe Elements and Payment Intents are designed so the card number never touches your servers — that is what keeps you out of PCI DSS scope. But Stripe still sees the customer's name, email, billing address, IP, browser fingerprint (for Radar fraud scoring), and full transaction history. Your policy must disclose that the data is shared with Stripe directly, even though you never store it yourself.

Stripe Radar

Radar's machine-learning fraud detection processes transaction signals across the entire Stripe network. If you enable Radar (most accounts do, by default), your policy must mention it. The generator outputs: "We use Stripe Radar, a fraud-prevention service operated by Stripe, to evaluate the risk of each transaction. Radar processes IP, device fingerprint, billing country, and aggregate signals from the broader Stripe network."

Frequently asked questions

Am I in PCI scope if I use Stripe?

If you use Stripe Elements or Checkout and never receive raw card numbers, you are SAQ A — the lightest PCI form. Disclosing Stripe in your privacy policy does not change PCI scope.

Should I publish Stripe's data processing addendum?

You agree to it when signing up. You do not have to publish it — referencing it in your privacy policy is enough.