SaaSGuard Risk Report
Stripe
stripe.com
Generated May 4, 2026
Grade D
Score: 40 / 100
Executive summary
We analyzed Stripe’s Terms of Service across 8 risk dimensions and found 28 flagged clauses across 8 categories. 1 material change detected in the recent crawl history.
Recent material changes
11/4/2024 · severity 4
Stripe removed the 30-day advance-notice commitment for adverse Service changes and added a blanket no-liability clause covering any modification or discontinuation.
For businesses with payment flows hard-wired to specific Stripe API behaviors, Stripe can now break or remove features overnight with no warning and no recourse.
Flagged clauses by category
AI training on your data (2)
Severity 4 · material
“During the Term, User may provide Feedback to Stripe and its Affiliates, which Stripe may use without restriction or obligation. Except as indicated in Section 1.4, Feedback is voluntary and User grants to Stripe, on behalf of itself and its Affiliates, a perpetual, worldwide, non-exclusive, irrevocable, royalty-free license to use that Feedback for any purpose.”
Stripe can use any feedback you give them for any purpose, forever, worldwide, and without paying you or having any obligations.
Any ideas, suggestions, or insights you share with Stripe can be freely used by them to develop new features or products without giving you credit or compensation.
Matches Authors Guild v. OpenAI (2023)
Severity 4 · material
“If User provides Content to Stripe, User agrees that it has obtained, as applicable, all necessary rights and permissions to share the Content and enable Stripe’s use of the Content. User grants to Stripe, on behalf of itself and its Affiliates, a perpetual, worldwide, non-exclusive, irrevocable, royalty-free license to use the Content to develop, improve, and provide Services and Stripe Technology and for Stripe’s internal business purposes.”
Stripe gets a permanent, worldwide, royalty-free license to use any content you provide to them to develop and improve their services and for their own internal business.
Any data or content you share with Stripe can be used indefinitely to train their AI models and improve their products, without any compensation to you.
Matches Authors Guild v. OpenAI (2023)
Auto-renewal traps (1)
Severity 3 · notable
“Stripe may make certain Services available to User on a trial basis free of charge until (i) the expiration or termination of the free trial, at which point the Fees stated on the Stripe Pricing Page will apply, or (ii) the start of any Subscription Plan that User has purchased, at which point that Subscription Plan will automatically commence.”
Stripe's free trials automatically convert to a paid subscription at the standard rates once the trial ends or you purchase a plan.
If you don't cancel your trial before it expires, you will automatically be charged for a full subscription.
Matches FTC v. Age of Learning (ABCmouse) — settled for $10M (2020)
Surprise price hikes (1)
Severity 3 · notable
“Subject to the requirements of Law, Stripe may revise the Fees and Subscription Plans at any time. Stripe will provide User with at least 30 days notice (or longer period if Law requires) of any increase in a Fee or any new Fees for any Service provided to User, or any materially adverse change in a Subscription Plan.”
Stripe can change its fees and subscription plans whenever it wants, but it will give you at least 30 days' notice for any price increases or major plan changes.
Your costs could increase with 30 days' notice, requiring you to adjust your budget or find an alternative service quickly.
Matches FTC v. MoviePass / Helios and Matheson Analytics (2021)
Data residency (6)
Severity 3 · notable
“User must disclose to User’s Customers in User’s Privacy Policy that Personal Data may be transferred, processed, and stored outside of Canada and, as a result, may be subject to disclosure as Law requires.”
You must tell your Canadian customers in your privacy policy that their personal data might be moved, processed, and stored outside of Canada, where it could be accessed under local laws.
You are responsible for informing your customers about international data transfers, and failing to do so could put you in breach of privacy regulations.
Matches Schrems II (Data Protection Commissioner v. Facebook Ireland) (2020)
Severity 3 · notable
“Stripe will provide some or all of the Services from systems located within the United States or other countries outside of the United Arab Emirates. As such, it is User’s obligation to disclose to User’s customers that payment data may be transferred, processed and stored outside of the United Arab Emirates and, as set forth in Stripe’s Privacy Policy and in accordance with the laws of Ireland, exclusive of conflict or choice of law rules, may be subject to disclosure as required by applicable Laws including Federal Law No. 4 of 2002, Federal Law 1 of 2006 Article 5 and Federal Law 4 of 2002 and to obtain from User’s customers all necessary consents under applicable Laws in relation to the foregoing.”
Stripe operates from the US or other countries outside the UAE, so you must inform your UAE customers that their payment data will be transferred and stored internationally, and get their consent.
You are responsible for ensuring your UAE customers consent to their payment data being processed outside their country, which is a critical compliance step.
Matches Schrems II (Data Protection Commissioner v. Facebook Ireland) (2020)
Severity 3 · notable
“Stripe will provide some or all of the Service from systems located within the United States or other countries outside of Indonesia. It is User’s obligation to disclose to User’s Customers that Data may be transferred, processed and stored outside of Indonesia and, as set forth in Stripe’s Privacy Policy, may be subject to disclosure as required by applicable Laws, and to obtain from User’s Customers all necessary consents under applicable Laws in relation to the foregoing.”
Stripe operates from the US or other countries outside Indonesia, so you must inform your Indonesian customers that their data will be transferred and stored internationally, and get their consent.
You are responsible for ensuring your Indonesian customers consent to their data being processed outside their country, which is a critical compliance step.
Matches Schrems II (Data Protection Commissioner v. Facebook Ireland) (2020)
Severity 3 · notable
“Stripe will provide some or all of the Service from systems located within the United States or other countries outside of Malaysia. It is User’s obligation to disclose to User’s Customers that Data may be transferred, processed and stored outside of Malaysia and, as set forth in Stripe’s Privacy Policy, may be subject to disclosure as required by applicable Laws, and to obtain from User’s Customers all necessary consents under applicable Laws in relation to the foregoing.”
Stripe operates from the US or other countries outside Malaysia, so you must inform your Malaysian customers that their data will be transferred and stored internationally, and get their consent.
You are responsible for ensuring your Malaysian customers consent to their data being processed outside their country, which is a critical compliance step.
Matches Schrems II (Data Protection Commissioner v. Facebook Ireland) (2020)
Severity 3 · notable
“User is responsible for (a) disclosing to User’s Customers that Stripe will provide some or all of the Services using infrastructure located within the United States or other countries outside of Mexico, and that Personal Data may be transferred, processed and stored outside of Mexico; and (b) obtaining from User’s Customers all necessary consents under Law related to the transfer, processing or storage of Personal Data outside of Mexico.”
You are responsible for telling your Mexican customers that Stripe uses infrastructure outside Mexico, meaning their personal data will be transferred and stored internationally, and for getting their consent.
You must ensure your Mexican customers consent to international data transfers, which is a key compliance requirement for your business.
Matches Schrems II (Data Protection Commissioner v. Facebook Ireland) (2020)
Severity 3 · notable
“Stripe will provide some or all of the Service from systems located within the United States or other countries outside of Thailand. It is User’s obligation to disclose to User’s Customers that Data may be transferred, processed and stored outside of Thailand and, as set forth in Stripe’s Privacy Policy, may be subject to disclosure as required by applicable Laws, and to obtain from User’s Customers all necessary consents under applicable Laws in relation to the foregoing.”
Stripe operates from the US or other countries outside Thailand, so you must inform your Thai customers that their data will be transferred and stored internationally, and get their consent.
You are responsible for ensuring your Thai customers consent to their data being processed outside their country, which is a critical compliance step.
Matches Schrems II (Data Protection Commissioner v. Facebook Ireland) (2020)
Termination friction (4)
Severity 4 · material
“User agrees to waive the provisions of Article 1266 paragraphs (2) and (3) of the Indonesian Civil Code and therefore this Agreement may be terminated (either partly or wholly, either temporary or permanently) without the need for a court decision.”
You agree to waive specific Indonesian legal protections, allowing Stripe to terminate your agreement, partially or fully, without needing a court order.
Stripe can unilaterally end your service in Indonesia without judicial oversight, removing a key legal safeguard for your business.
Matches PayPal Account Hold / Freeze Class Action — settled for $4M (2021)
Severity 3 · notable
“Unless otherwise agreed in writing, Stripe may terminate this Agreement or close User’s Stripe Account at any time. Stripe will notify User in accordance with Law.”
Stripe can terminate your agreement or close your account at any time, providing you with notice as legally required.
Stripe can stop providing services and shut down your account without needing a specific reason, potentially disrupting your business operations.
Matches PayPal Account Hold / Freeze Class Action — settled for $4M (2021)
Severity 2 · minor
“Stripe is not obligated to retain data that it receives from or through User after the Term, except as (a) required by Law; (b) reasonably required for Stripe to perform any post-termination obligations; (c) this Agreement otherwise states; or (d) the parties otherwise agree in writing.”
After your contract ends, Stripe isn't required to keep your data, unless the law says they must or you've made other arrangements.
You need to make sure you've downloaded all your data before terminating your service, or it could be permanently deleted.
Severity 2 · minor
“Unless User and Stripe otherwise agree in writing or if Law requires, payment obligations are non-cancelable and Fees paid are non-refundable.”
Unless you and Stripe agree otherwise in writing, your payment obligations are non-cancelable, and any fees you've paid are non-refundable.
If you decide to stop using Stripe's services mid-term, you generally won't get a refund for any prepaid fees.
Liability caps (9)
Severity 4 · material
“User is solely responsible for any losses, damages or costs that User or others may suffer arising out of or relating to hacking, tampering, or unauthorized access of the Services, User’s Stripe Account, or Protected Data, or User’s failure to use or implement anti-fraud or data security measures, except to the extent that those losses, damages, or costs are caused by Stripe’s gross negligence, fraud, or willful misconduct.”
You are solely responsible for any losses from hacking, tampering, or unauthorized access to your Stripe account or data, or if you fail to use their security tools. Stripe is only liable if they were grossly negligent, fraudulent, or intentionally malicious.
If your account is compromised, even if it's not directly your fault, Stripe puts the burden of responsibility and financial loss almost entirely on you.
Matches Capital One Data Breach Class Action — settled for $190M (2022)
Severity 3 · notable
“Except for Excluded Claims, a party’s total aggregate liability for damages and Losses for all claims arising out of or relating to the Agreement (including Data Incident Losses) is limited to the total Fees User paid to Stripe (excluding all pass-through fees levied by Financial Providers) during the 12 month period before the first event giving rise to liability. User’s payment obligations, including Fees, Assessed Fines and Taxes are not limited by this Section 8.4.”
Stripe's total liability for any damages, including data incidents, is capped at the total fees you paid them in the 12 months before the problem occurred.
If Stripe causes significant damage, the most you can recover is limited to what you paid them in the preceding year, which might be far less than your actual losses.
Matches Capital One Data Breach Class Action — settled for $190M (2022)
Severity 3 · notable
“In any dispute, litigation, arbitration, or other legal proceeding arising out of or relating to this Agreement, the arbitrator or court will award to the prevailing party, if any, its reasonable attorneys’ fees and costs incurred in connection with such proceeding. Notwithstanding the foregoing, if User is liable for any amounts owed under this Agreement, User is also liable for all costs incurred by the other party (including but not limited to Stripe, if applicable) during collection of those amounts. Such collection costs include reasonable attorneys' fees and expenses, costs of any arbitration or court proceeding, collection agency fees, applicable interest, and any other related costs.”
If there's a legal dispute, the winning side gets their legal fees covered; however, if you owe Stripe money, you're responsible for all their collection costs, including attorney fees and interest.
If you fall behind on payments, Stripe can pursue you for the debt and make you pay all their legal and collection expenses, significantly increasing your financial burden.
Severity 3 · notable
“Except for Excluded Claims, to the maximum extent permitted by Law, neither party will have any liability in relation to this Agreement for any indirect, consequential, special, reliance, incidental, or punitive damages, lost revenue, profits, savings or goodwill, business interruption, personal injury, property damage, or loss of data, whether in contract, negligence, strict liability, tort, or other legal or equitable theory, even if these losses, damages, or costs are foreseeable, and whether or not any party has been advised of their possibility.”
Neither you nor Stripe is responsible for indirect damages like lost profits, business interruption, or data loss, even if those losses were predictable.
If a Stripe outage causes you to lose significant revenue, you cannot recover those specific losses from Stripe.
Matches Capital One Data Breach Class Action — settled for $190M (2022)
Severity 3 · notable
“Subsections 8.3 and 8.4 of Section 8 (Limitation of Liability) are replaced by the following: 8.3 Excluded Damages. Except for Excluded Claims, to the maximum extent permitted by Law, neither party will be liable to the other party or to the other party’s Affiliates in connection with this Agreement or the Services, whether during or after the Term, for any lost profits, personal injury, property damage, loss of data, business interruption, or any damages that do not arise directly and immediately from any act or omission of such party (such as indirect, incidental, consequential, exemplary, moral, loss of a chance, or punitive damages), even if such losses, damages, or costs were foreseeable or even if User or Stripe have been advised of their possibility. 8.4 Limitation of Liability. Except for Excluded Claims, to the maximum extent permitted by Law, neither party will be liable to the other party or to the other party’s Affiliates in connection with this Agreement or the Services (including Data Incident Losses), whether during or after the Term, for any losses, damages, or costs that, in the aggregate, exceed the greater of: (i) the amount of fees actually paid by User to Stripe (excluding fees passed on to Financial Providers) in the 12 months period before the event giving rise to the liability; and (ii) R$2,500.00. User’s payment obligations, including Fees, Assessed Fines and Taxes are not limited by this Section 8.4.”
Stripe is not liable for indirect damages like lost profits or data, and their total liability for any damages, including data incidents, is capped at the greater of your last 12 months' fees or R$2,500.00.
If Stripe causes significant damage, your recovery is limited to a relatively small amount compared to potential business losses, and you can't claim for indirect damages.
Matches Capital One Data Breach Class Action — settled for $190M (2022)
Severity 3 · notable
“The limitations on liability do not apply to Non-excludable Conditions. To the extent that the Australian Consumer Law permits, a party’s liability for breach of a Non-excludable Condition is limited, at the party’s option, to (i) in the case of services, supplying the services again or payment of the cost of having the services supplied again; and (ii) in the case of goods, replacing the goods, supplying equivalent goods or repairing the goods, or payment of the cost of replacing the goods, supplying equivalent goods or having the goods repaired.”
For certain legal protections, like those under Australian Consumer Law, Stripe's liability is limited to either re-providing the service or goods, or paying for them to be re-provided or repaired.
Even for breaches of consumer law, Stripe's financial responsibility is capped at the cost of fixing or replacing the service, not necessarily your full damages.
Matches Capital One Data Breach Class Action — settled for $190M (2022)
Severity 3 · notable
“Notwithstanding anything else in this Agreement, to the maximum extent permitted by Law, Stripe provides no warranty, indemnity, or support for Preview Services and Stripe’s aggregate liability for Preview Services is limited to USD$1,000.”
Stripe offers no warranty, support, or protection for any "Preview Services" (beta features) you use, and their total liability for these is capped at USD$1,000.
If a beta feature breaks or causes issues, Stripe isn't responsible for fixing it or for damages beyond a small amount.
Matches Capital One Data Breach Class Action — settled for $190M (2022)
Severity 2 · minor
“Neither party will be liable for any failure or delay in performance to the extent caused by a Force Majeure Event. Nothing in this Section 11.13 will excuse User’s payment obligations to Stripe.”
Neither you nor Stripe is responsible for delays or failures caused by events outside of anyone's control, like natural disasters. However, you still have to pay Stripe.
Even if a major event prevents Stripe from fully delivering services, you are still obligated to make your payments.
Severity 2 · minor
“Stripe provides the Services and Stripe Technology “as is”, and to the maximum extent permitted by Law, Stripe does not make any, and disclaims all, warranties (other than those stated as a “warranty” in this Agreement) and statutory guarantees, the implied warranties of fitness for a particular purpose, merchantability and non-infringement, and the implied warranties arising from any course of dealing, course of performance or usage in trade. Stripe does not warrant that User’s use of the Services and Stripe Technology will be uninterrupted or error-free or that User's use of the Services and Stripe Technology comply with Law.”
Stripe provides its services 'as is,' meaning they don't promise that your use will be uninterrupted, error-free, or even that it will comply with all laws.
This is standard for SaaS, but it means Stripe isn't liable for service outages, bugs, or if your specific use case violates a law.
Indemnification (1)
Severity 3 · notable
“Subject to Section 9.2 (Limitations on Indemnity), User will indemnify Stripe, its Affiliates, and their directors, employees, and agents for all Losses arising from User’s use of the Services or Stripe Technology, gross negligence, willful misconduct, fraud, or material breach of the Agreement.”
You must protect Stripe and cover their losses if your use of their services, gross negligence, fraud, or a major breach of the agreement causes them harm.
If your actions lead to a lawsuit or financial loss for Stripe, you are on the hook to pay their legal fees and damages.
Matches T-Mobile Data Breach Settlement — settled for $350M (2022)
Right to silently change terms (4)
Severity 4 · material
“Stripe may modify this Agreement (or any portion of it) at any time by posting a revised version of the modified portion(s) on the Stripe Legal Page or by notifying User. The modified Agreement is effective upon posting or as stated in the notice, if Stripe notifies User. By continuing to use Services after the effective date of any modification to this Agreement, User agrees to be bound by the modified Agreement. User is responsible for checking the Stripe Legal Page regularly for modifications to this Agreement.”
Stripe can change any part of this agreement at any time by just posting it on their legal page or sending you a notice. If you keep using their services, you automatically agree to the new terms.
You are responsible for constantly checking Stripe's legal page for changes, and you could unknowingly agree to new terms that significantly impact your business.
Matches Italian DPA (Garante) v. WhatsApp — settled for $6M (2022)
Severity 4 · material
“Modifications of the terms of this Agreement will come into effect 10 days after Stripe posts the modified version on the Stripe Legal Page (or, if a longer period is required by applicable Law or specified in a notice by Stripe, that longer period).”
Stripe can change the terms of this agreement, and those changes become effective just 10 days after they post the updated version on their legal page.
You have a very short window to review and understand significant changes to your contract, or you'll be bound by them without much notice.
Matches Italian DPA (Garante) v. WhatsApp — settled for $6M (2022)
Severity 3 · notable
“Subject to the requirements of Law, Stripe may revise the Fees and Subscription Plans at any time. Stripe will provide User with at least 30 days notice (or longer period if Law requires) of any increase in a Fee or any new Fees for any Service provided to User, or any materially adverse change in a Subscription Plan.”
Stripe can change its fees and subscription plans whenever it wants, but it will give you at least 30 days' notice for any price increases or major plan changes.
Your service terms or costs could change with 30 days' notice, requiring you to adapt or potentially seek other providers.
Matches X Corp. Verified User Class Action (2024)
Severity 3 · notable
“Stripe may modify or discontinue any aspect of the Services or Stripe Technology, including imposing conditions on use of the Services or Stripe Technology or ceasing to offer a Service or Stripe Technology in a specific country or region. Stripe will provide User reasonable notice if the modification or discontinuation would materially reduce the functionality of a Service or Stripe Technology that User is then using, except where Stripe determines such notice would (i) create a security risk for Stripe; or (ii) cause Stripe (or its Affiliates, as applicable) to violate Law or breach an obligation to a Governmental Authority or Financial Provider.”
Stripe can change or stop offering any part of its services, including in specific countries, and can add new conditions for use. They will give you notice for major changes, unless it's a security or legal issue for them.
Stripe can alter core features or even remove services you rely on, potentially with little to no warning if they deem it a security or legal necessity.
Matches X Corp. Verified User Class Action (2024)
Methodology
SaaSGuard uses an automated pipeline: a daily Playwright crawler captures each vendor’s public Terms of Service, Privacy Policy, and DPA. Google’s Gemini 2.5 Flash classifies each clause into one of 8 risk categories with a severity score (1–5). Clauses are cross-referenced against a curated database of real lawsuits and FTC actions via embedding-based similarity matching. Grades are computed from per-category max severity; full source code is available on request.