stackpeek

audit report

Stripe

https://stripe.com · payments

aligned
scanned 2026-04-16 23:33:16 utc permalink · /audit/stripe

Stripe's privacy policy accurately discloses its major data practices: it collects PII and device data, shares with payment partners and fraud-detection services, uses cookies and analytics (Google Analytics observed), and serves interest-based advertising. The policy explicitly states it does not sell data but does share with advertising partners—consistent with the observed tech stack (Intercom, Contentful, AWS). Data retention is tied to service provision plus legal/fraud-prevention needs. User rights (access, deletion, marketing opt-out) are clearly documented with jurisdiction-specific variations. The observed tech stack aligns with policy claims, though Stripe's own infrastructure dominance (stripecdn.com, stripeassets.com) means most third-party loading is within its own ecosystem.

findings


  1. note

    Intercom chat support disclosed but minimally detailed

    Stripe loads Intercom (intercom.io) for chat support, visible in inline patterns and network traffic. The privacy policy mentions sharing with 'service providers' broadly but does not explicitly name Intercom or detail what customer interaction data flows to it through chat.

    - intercom.io present in third_parties list
    - Intercom listed in inline_patterns
    - Policy mentions service providers for fraud/analytics but no specific call-out of chat/support vendors
  2. note

    Contentful and Increment loading not explicitly mentioned

    Stripe loads Contentful CDN (ctfassets.net) and an API call to contentful.com, plus one hit to increment.com. These appear to be content management and publishing infrastructure, but the privacy policy does not specifically name Contentful or Increment as third-party processors, only referencing service providers generically.

    - ctfassets.net (4 hits) and contentful.com (1 hit) in third_parties
    - increment.com (1 hit) in third_parties
    - Policy lists named partners (Google Analytics, Visa, Facebook, LinkedIn) but not content/publishing vendors
  3. info

    No privacy-sensitive third parties detected

    No analytics, advertising, tracking, or session replay vendors were observed on this page.

  4. info

    Stripe's own multi-domain infrastructure suggests compartmentalized services

    Stripe loads assets from stripe.dev, stripe.global, and stripe.partners alongside stripe.com. These distinct domains likely serve different business lines or geographic regions but are all Stripe-controlled. The policy does not break down how data flows across these domains or whether they have separate privacy controls.

    - stripe.dev, stripe.global, stripe.partners each have 1 hit
    - Policy treats all Stripe entities as monolithic for data sharing purposes

third parties observed


vendor          domain            category      hits  disclosure
AWS             amazonaws.com     hosting          1  not named
Contentful      contentful.com    api              1  not named
Contentful CDN  ctfassets.net     cdn              4  not named
Increment       increment.com     other            1  not named
Intercom        intercom.io       chat_support     1  not named
Stripe          stripecdn.com     cdn             94  not named
Stripe          stripeassets.com  cdn             50  not named
Stripe          stripe.com        payments         3  not named
Stripe          stripe.dev        hosting          1  not named
Stripe          stripe.global     hosting          1  not named
Stripe          stripe.partners   hosting          1  not named

policy claims


source · https://stripe.com/privacy

collects pii: yes
shares 3p: yes
sells data: no
cookies: yes
analytics: yes
advertising: yes

named third parties (9)

Google Analytics, Visa, WeChat Pay, Facebook, LinkedIn, credit bureaus, Financial Partners, payment processors, card networks

retention

Stripe retains personal data as long as it continues to provide services, and may continue retention after service ends to comply with legal obligations, enable fraud monitoring, and meet tax/accounting requirements, in accordance with applicable law retention periods and record retention obligations.

user rights

Users can access, rectify, delete, restrict, and export their personal data; withdraw consent; object to processing based on legitimate interests; opt out of marketing communications; and appeal decisions. Rights vary by jurisdiction (GDPR, CCPA, LGPD, PDPA, etc.).

response headers


hsts: yes
csp: yes
server: nginx

run this yourself


Every audit on this site is reproducible. Install stackpeek and run the same check against https://stripe.com from your own machine — the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://stripe.com


provenance


This audit was generated by running stackpeek against https://stripe.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.