Stripe persistent cookies set on `donate.python.org` not mentioned in privacy notice

croemer · January 3, 2026, 2:33pm

Inspecting the code behind donate.python.org I noticed that Stripe is being used, with stripe fingerprinting the user and setting a persistent cookie (for a year).

Such tracking may not be compatible with the PSF privacy notice which does not include Stripe as a third party service - nor does it mention anything about tracking cookies. Some cookies are attached to all requests to donate.python.org - so you are the controller in this case (as far as I understand).

The stripe cookie is also sent when I make a request to python.org (also there seem to be Google Analytics cookies there? I haven’t figured out where they come form - but there shouldn’t be any per your privacy policy). Maybe these date from before your switch to Plausible?

EWDurbin · January 5, 2026, 8:51pm

I don’t understand what is going on with Google Analytics there either as it was removed from most PSF properties including python.org in April of 2025. We did not deploy Google Analytics at anytime for the donate.python.org page. It does appear that the __ga cookie is loaded on a stripe domain though based on your screenshot.

Regarding the questions on the privacy notice, I’ve asked the folks more adept in such matters to respond.

Deb · January 5, 2026, 10:16pm

Stripe is a little bit newer for us so I’m going to have to look into the details here. Thanks for sharing what you saw.