California residents have specific legal rights regarding their personal information held by Stash, including rights to know what data is collected, request deletion or correction, opt out of sharing for behavioral advertising, and not be discriminated against for exercising these rights.
This analysis describes what Stash's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
These rights give California residents meaningful control over sensitive financial data held by Stash, including the ability to request deletion of Social Security numbers, bank credentials, and transaction history, subject to applicable legal exceptions.
Interpretive note: The scope of the GLBA exemption applicable to Stash's multi-affiliate platform is legally complex; the extent to which CCPA/CPRA rights apply to specific categories of financial data collected by Stash depends on a data-level GLBA coverage analysis that is not resolved in the policy text.
If you are a California resident, you can request a copy of the personal information Stash holds about you, ask for it to be deleted or corrected, and opt out of having it shared for targeted advertising purposes by contacting Stash at privacy@stash.com.
How other platforms handle this
We use your information for the following purposes: ... In accordance with applicable legal requirements, for advertising and marketing purposes, including to send you information about products or services that may be of interest to you...
If you are a California resident, you may have certain rights under the California Consumer Privacy Act (CCPA). These rights may include: the right to know about personal information collected, disclosed, or sold; the right to delete personal information collected from you; the right to opt-out of t...
California law gives residents the right to know what personal information we collect, use, share or sell; to delete personal information under certain circumstances; to opt-out of the sale or sharing of their personal information; to correct inaccurate personal information; to limit the use and dis...
Monitoring
Stash has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"California Residents Privacy Rights— Excerpt from Stash's Stash Privacy Policy
REGULATORY LANDSCAPE: The California Consumer Privacy Act as amended by the California Privacy Protection Agency Act (CPRA) grants California residents rights to access, deletion, correction, portability, and opt-out of sale or sharing of personal information. The California Privacy Protection Agency has rulemaking and enforcement authority. Financial institutions subject to GLBA are partially exempt from CCPA for data collected and processed in a manner covered by GLBA, but this exemption is entity-level, not data-level, meaning Stash may have CCPA obligations for data not covered by the GLBA exemption. The scope of the GLBA exemption in the context of Stash's multi-product platform (investment, banking, insurance) should be carefully mapped. GOVERNANCE EXPOSURE: Medium. The policy acknowledges California rights but the interaction between the GLBA exemption and CCPA/CPRA obligations is legally complex and fact-specific for a multi-affiliate financial services platform. Misclassifying data as GLBA-exempt when it is subject to CCPA could result in failure to honor valid consumer rights requests, creating regulatory exposure with the California Privacy Protection Agency. JURISDICTION FLAGS: California is the primary jurisdiction. Other states including Virginia, Colorado, Connecticut, Texas, and others have enacted comprehensive privacy laws with similar but not identical consumer rights frameworks; Stash's US-only scope means all state-level obligations in jurisdictions where customers reside may apply. CONTRACT AND VENDOR IMPLICATIONS: Service provider agreements must include CCPA/CPRA-compliant data processing terms prohibiting secondary use of personal information. Stash must be able to honor deletion and correction requests across all vendor systems holding consumer data, which requires comprehensive data mapping and vendor cooperation obligations. COMPLIANCE CONSIDERATIONS: Compliance teams should map personal information categories by affiliate and product line to determine which data is GLBA-exempt and which remains subject to CCPA/CPRA. Rights request workflows should be tested for operational completeness, including 45-day response timelines and extension procedures. The interaction between the anonymization carve-out and CCPA deidentification standards should be separately reviewed, as detailed above.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
These rights give California residents meaningful control over sensitive financial data held by Stash, including the ability to request deletion of Social Security numbers, bank credentials, and transaction history, subject to applicable legal exceptions.
If you are a California resident, you can request a copy of the personal information Stash holds about you, ask for it to be deleted or corrected, and opt out of having it shared for targeted advertising purposes by contacting Stash at privacy@stash.com.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Stash.