What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages the Gramm-Leach-Bliley Act (GLBA), which requires Stash to provide a separate Privacy Notice for nonpublic personal information (the policy references this Notice explicitly); SEC and FINRA privacy and recordkeeping rules applicable to registered investment advisers and broker-dealers; the California Consumer Privacy Act as amended by the CPRA, enforced by the California Privacy Protection Agency; and the FTC Act's Section 5 standards for unfair or dece…

How does Stash's Stash Privacy Policy affect users?

Stash's data collection scope encompasses Social Security numbers, bank account credentials, government-issued identification, and identity verification photographs. The policy authorizes disclosure to affiliates, service providers, third-party marketing and analytics partners, and permits reclassification of data as anonymized or aggregated for unrestricted business use. Users retain the ability to request access to, deletion of, or correction of personal information, and to opt out of data sh…

How often is Stash's Stash Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Stash updates this document?

Yes. Watcher subscribers ($9.99/month) can add Stash to their watchlist and receive same-day email alerts whenever this document or any other Stash document changes.

CA-D-000061

Stash Privacy Policy

Stash

Last change detected March 15, 2026 Privacy policy

SHA-256: 13091adaeea2b1e2bf5… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Stash ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

1 High severity

7 Medium severity

2 Low severity

Summary

This document establishes Stash's data collection, use, and sharing practices for its investment, banking, and brokerage platform. Stash collects financial and identity data including Social Security numbers, bank login credentials, government-issued identification, and photographic identity verification, and authorizes sharing this information with affiliates, service providers, marketing partners, and analytics vendors. The policy permits use of data classified as anonymized or aggregated for any business purpose without further restrictions under this policy.

Technical / Legal Breakdown

This Privacy Policy, effective May 21, 2025, governs Stash Financial, Inc. and its affiliates (Stash Investments LLC, Stash Capital LLC, Stash Cash Management LLC, and Stash Insurance Services LLC) and describes how personal information is collected, used, processed, and disclosed in connection with the Stash Platform, including its website and mobile application. The policy states that Stash collects an extensive range of personal information including Social Security numbers, bank account credentials, government-issued identification, selfie photographs, geolocation data, device identifiers, behavioral and clickstream data, and financial data including net worth and income ranges; it further states that this information may be shared with affiliates, service providers, marketing partners, data analytics vendors, and third parties in connection with business operations and promotional activities. The policy asserts that anonymized or aggregated data falls entirely outside its scope and may be used for any business purpose without limitation, a broad carve-out that may interact with California Consumer Privacy Act protections depending on how anonymization is implemented and verified in practice. As a registered investment adviser, broker-dealer, and banking services provider, Stash's data practices engage multiple regulatory frameworks including the Gramm-Leach-Bliley Act, SEC and FINRA recordkeeping and privacy requirements, the FTC Act's unfair and deceptive practices standards, and the California Consumer Privacy Act as amended by the CPRA; the policy expressly provides California residents with rights to know, delete, correct, and opt out of sharing, but the breadth of the anonymization carve-out and the Do Not Track non-response posture may warrant further review under applicable state privacy frameworks.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

High — 1 provision

Bank Account Credential Collection

Stash collects your bank account login credentials, meaning the username and password you use to log into your external bank account, in addition to your Social Security number and other highly sensitive financial identifiers.

Added May 9, 2026 Rare

Medium — 7 provisions

Anonymized Data Carve-Out Compare →

Once Stash classifies your data as anonymized or aggregated, it says the privacy policy no longer applies and the data can be used for any business purpose, including being shared with third-party analytics providers.

Added May 9, 2026 Standard Seen across 189 platforms
Selfie and Government ID Collection for Identity Verification

Stash may collect a photo of your government-issued ID and a selfie photograph from you as part of verifying your identity when you sign up or use certain services.

Added May 9, 2026 Rare
Third-Party Data Sharing for Marketing and Analytics Compare →

Stash shares personal information with a range of third parties including marketing partners and analytics providers, in addition to service providers and affiliates, for purposes that include business intelligence and promotional activities.

Added May 9, 2026 Standard Seen across 246 platforms
California Residents Privacy Rights (CCPA/CPRA) Compare →

California residents have specific legal rights regarding their personal information held by Stash, including rights to know what data is collected, request deletion or correction, opt out of sharing for behavioral advertising, and not be discriminated against for exercising these rights.

Added May 9, 2026 Standard Seen across 262 platforms
Do Not Track Non-Response

Stash's website and platform will not honor the Do Not Track signal sent by your web browser, meaning tracking technologies will continue to operate regardless of this browser setting.

Added May 9, 2026 Rare
Geolocation and Device Data Collection Compare →

Stash collects geolocation data and device identifiers from users of its mobile application and website, which may include precise location information depending on device permissions granted.

Added May 9, 2026 Standard Seen across 251 platforms
GLBA Privacy Notice Reference Compare →

Federal law requires Stash to provide a separate Privacy Notice about how it collects and shares your nonpublic personal financial information; this notice is linked in the policy and covers additional rights and limitations not fully described in the main privacy policy.

Added May 9, 2026 Standard Seen across 262 platforms

Low — 2 provisions

Customer Service Call Recording

Stash may record telephone calls you make to customer service and keep those recordings.

Added May 9, 2026 Rare
Policy Change Notification Compare →

Stash reserves the right to update this privacy policy, and the policy describes how it will notify users of material changes.

Added May 9, 2026 Standard Seen across 178 platforms