Stash Financial, Inc.
Privacy Policy
Effective: August 21st, 2023
Table of Contents
1. Introduction
Welcome to Stash! Your trust is important to us, and we’re committed to protecting the privacy and security of your personal information. The personal information you share with us helps us provide a great experience with Stash. That’s why we want to keep you informed of what personal information we collect, how it’s used, and when it is shared. We are dedicated to protecting the personal information we collect from you and ensuring that it is handled with care and attention.
1.1 Scope
This Privacy Policy applies to Stash Financial, Inc. and its affiliates Stash Investments LLC (our registered investment adviser), Stash Capital LLC (our registered broker dealer), Stash Cash Management LLC (our banking services affiliate), and Stash Insurance Services LLC (our insurance services affiliate). In this Privacy Policy, we refer to Stash Financial, Inc. and its affiliates as “Stash”. For Stash101 LLC, please refer to the Stash101 Privacy Policy.
This Privacy Policy describes how we collect, use, process, and disclose your personal information, in conjunction with your access to and use of the Stash Platform(collectively, the “Services”). Our Services are available to you through a variety of platforms, including, but not limited to, www.stash.com and www.stash.com/learn (collectively, the “Sites”), and our mobile applications, which are accessible through a variety of connected devices (collectively, the “App”). The Sites and the App are collectively referred to as the “Stash Platform.”
In addition to the information provided in this Privacy Policy, Stash is required by federal law to provide consumers with information regarding our collection and sharing of nonpublic personal information. Please see our Privacy Notice for more information.
1.2 Description of Users and Acceptance of Terms
This Privacy Policy applies to visitors to the Stash Platform who view publicly accessible content (“Visitors”) and customers who have signed up to access and use the Services offered by Stash through the Stash Platform (“Customers”).
By visiting or browsing the publicly accessible areas of the Sites or the App, Visitors are acknowledging that they have read, understood, and agree to be legally bound by this Privacy Policy and our Terms of Use. If you do not agree to any of the terms in this Privacy Policy or the Terms of Use, you may not access or use the Sites or the App.
By signing up, accessing, or using the Stash Platform or our Services, each Customer is agreeing to the terms of this Privacy Policy, the Terms of Use, and any applicable customer agreements (which can be found at https://www.stash.com/disclosurelibrary).
1.3 Exclusions
The following exclusions apply to this Privacy Policy:
- This Privacy Policy does not apply to anonymized or aggregated Customer data (i.e. information about our Customers that we combine together so that it no longer identifies or references an individual Customer). Anonymization is a data processing technique that removes or modifies personal information so that it cannot be associated with a specific individual. Types of data we may anonymize include transaction data, click-stream data, performance metrics, and fraud indicators. We may use anonymized or aggregate customer data for any business purpose, including to better understand Customer needs and behaviors, improve our products and services, conduct business intelligence and marketing, and detect security threats. We may perform our own analytics on anonymized data or enable analytics provided by third parties.
- This Privacy Policy does not apply to third-party products, websites, links, services, or the practices of companies that we do not own or control, including other companies you might interact with on or through the Services.
- Stash does not respond to general web browser “Do Not Track” settings and/or signals.
- The Stash Platform and Services are intended for citizens or lawful residents of the United States and who are located in the United States. The Stash Platform, the Services, and their servers are controlled and operated in the United States and are not intended to be accessed from outside the United States.
- If a Stash affiliate or Stash Platform displays a privacy policy that differs from this Privacy Policy, then the privacy policy displayed by the Stash affiliate or Stash Platform will apply to the collection, use, processing, and disclosure of your personal information by that Stash affiliate or through that Stash Platform.
2. Information We Collect or Receive
In the course of operating the Stash Platform and providing the Services, we collect or receive the following categories of information, which collectively comprise “Personal Information”.
2.1 Categories of Personal Information
When you register to become a Customer, you will be asked to provide us with certain information about you, such as:
- Your name, alias, date of birth, citizenship and passport number, visa information, home address, telephone number, email address, Social Security number, bank account number, bank routing number, bank account login credentials, bank name, employer name, employment status, and job position.
- Certain features of the Services will allow you to link your credit card, debit card, and bank accounts to your Stash account(s) by providing your account number, card number, and other identifying information relating to your debit or credit card, billing address, and similar information.
- Whether you are a “politically exposed person,” whether you are a “control person” (pursuant to FINRA Rule 3210), annual income range, total net worth range, and other information as appropriate for our legitimate business needs.
- We may collect information derived or resulting from voluntary surveys. We may also collect Personal Information when you voluntarily provide us with Personal Information as a Visitor, such as when you use our “Contact Us” form.
- We may record any customer service calls and maintain such recordings to better improve our Services.
- We may collect information for purposes of identify verification, government-issued identification documents and self-portrait photographs (“Selife”); and other information required by federal and industry laws and regulations.
If you have provided us with any Personal Information, you may access, review, and/or make changes by making the changes in your registered account settings page or by contacting us at support@stash.com or (800) 205-5164.
2.2 Nonpublic Personal Information
When you register to become a Customer, and at certain times following initial registration during the provision of our Services to you, we will also collect your nonpublic personal information, which means (i) any information you provide to us to obtain a financial product or service from us, (ii) any information about you resulting from any transaction involving a financial product or service between you and us, (iii) any information about a transaction, purchase or sale you are seeking to execute through the Stash Platform, or (iv) any information we otherwise obtain about you in connection with providing a financial product or service to you (collectively, the “Nonpublic Personal Information”). We may also collect Nonpublic Personal Information from Visitors who are consumers of our Platform.
2.3 Investment Style Information
When you register as a Customer, you will be asked to provide information about your investment preferences and investment style, such as, your risk tolerance, time horizon, liquidity needs, investment objectives, and investment experiences (collectively, the “Investment Style Information”). Investment Style Information may be updated or modified by you following initial registration during the provision of our Services to you.
2.4 Geolocational Information
Certain features and functionalities of the Services are based on your location. In order to provide these features and functionalities while you are using a mobile device, we may, with your consent, automatically collect geolocation information from your mobile device, wireless carrier, or certain third-party service providers. Such information is collectively called "Geolocational Information." You may decline to allow us to collect such Geolocational Information, in which case Stash may not be able to provide certain features or functionalities to you.
2.5 Information We Collect From You Automatically
We may automatically collect or receive information about you, your use of the Stash Platform, your interactions with us and our advertising and/or marketing messaging, as well as information regarding your computer or other devices used to access the Stash Platform, such as:
- Online Identifiers: operating system, browser name and version, and/or personal IP addresses.
- Biometric information: distinguishing physical or behavioral biological human characteristics used to identify a person, including, but not limited to, fingerprints, hand or facial geometry or patterns, voice characteristics, typing cadence, and signatures, and screen behavior, either singly or in combination with other identifying data.
- Device Information: type of device, device ID, Universally Unique Identifier, advertising identifiers (“IDFA” or “AdID”), operating system and version, wireless carrier, and network type.
- Usage Data: authentication data, security questions, click-stream data, public social networking posts, login data, transaction data and use of the Stash Platform (including, but not limited to, linking your external bank account to the Stash Platform, depositing funds onto the Stash Platform, or purchasing an investment), and other data collected via web beacons, pixel tags, embedded links, cookies, and other similar tracking techniques.
- Cookies: A cookie is a piece of information that the computer that hosts the Stash Platform gives to your browser when you access the Stash Platform. Our cookies help provide additional functionality to the Stash Platform and help us analyze the Stash Platform usage more accurately. For example, the Stash Platform may set a cookie on your browser that allows you to access the Stash Platform without needing to reenter your password each time. In all cases in which we use cookies, we will not collect Personal Information unless we obtain your permission. Please refer to the “help” section on your browser’s toolbar for information on how to receive notifications when you are receiving a new cookie and how to turn cookies off. If you do not want Stash to place cookies in your browser, you can opt-out by setting your browser to reject cookies or to notify you when a website tries to put a cookie in your browser software. If you choose to disable cookies in your browser, you can still use the Stash Platform, although your ability to use some of the features may be affected.
- Third-Party analytics: We may use third-party analytics services (for example, we use Google Analytics, Mixpanel, Braze, and others), and/or incorporate one or more third-party technologies that may collect Usage Data, Online Identifiers, and/or Device Information to evaluate your use of the Stash Platform, compile reports on activity, analyze performance metrics, and collect and evaluate other information relating to the Stash Platform and mobile and Internet usage. For more information on these third parties, including how to opt-out from certain data collection, please visit www.mixpanel.com/privacy/ or www.braze.com/privacy/. For Google, you can use the Google Analytics opt-out browser add-on at https://tools.google.com/dlpage/gaoptout?hl=en. Please be advised that if you opt-out of any service, you may not be able to use the full functionality of the Stash Platform.
2.6 Children’s Data
Stash does not knowingly collect or receive Personal Information from children under the age of 18, except as described in this Privacy Policy or in the privacy policies of certain Stash affiliates or certain Stash Sites. Generally, if a user submitting personal information is suspected of being younger than 18 years of age, Stash will require the user to close their account and will not allow the user to continue using our Services. We will also take steps, as appropriate, to delete the information. Please notify us if you know of any individuals under the age of 18 using our Services, so we can determine what actions should be taken to protect these children.
Notwithstanding the above, if you establish a Stash custodial account with us that is governed by the Uniform Gifts to Minors Act or the Uniform Transfers to Minors Act that is for the benefit of a child under the age of 13, only the individual establishing the account provides Personal Information to us necessary to establish the account for the child under the age of 13. Subsequent to the creation of the account, we will only collect and use Personal Information related to the child for the limited purpose of providing the Services, and except as set forth in this Privacy Policy, such information will not be shared with third parties for any purpose not required or permitted by law, including marketing.
3. Sources of Personal Information
3.1 Information Collected by or Received from Third-Party Sources
We may also collect Personal Information about you from third-party sources, such as banking verification services, consumer reporting agencies, unaffiliated third-party service providers, brokers, banks, or government databases. We may combine data we collect about you from third-party data sources with data we collect from you and may use and share such data as described in this Privacy Policy. All information we collect or receive from such third-party sources is referred to as “Third-Party Information.”
- We use Plaid Inc. (“Plaid”) for account linking services and to gather your data from financial institutions. This data may include historical and ongoing information, including transaction information, from time to time from all your sub-accounts (e.g., checking, savings, and credit card) accessible through a single set of account credentials, even if only a single sub-account is designated by you. By using our Services, you grant us and Plaid the right, power, and authority to act on your behalf to access and transmit your personal and financial information from the relevant financial institution. You agree to your personal and financial information being transferred, stored, and processed by Plaid in accordance with the Plaid Privacy Policy (https://plaid.com/legal/#end-user-privacy-policy).
- We also use certain third-party service providers to assist with operating the Stash Platform, including, but not limited to, detecting or preventing fraud, spam, abuse, security incidents, and other harmful or illegal activity, conducting security investigations or risk assessments, or verifying or authenticating certain information or identifications provided by you. You agree to Stash sharing your information with such third-party service providers.
3.2 Information Collected by or Through Third-Party Advertising
We may share information about you with third parties that Stash has selected and approved for external ad distribution and ad optimization (including tailoring, behavioral or contextual targeting or retargeting, analyzing, managing, reporting, and optimizing of ads). Third parties may also use cookies, pixel tags, and other technologies to collect information about you for such purposes. Pixel tags enable us and these third-party advertising companies to recognize a browser’s cookie when a browser visits the site on which the pixel tag is located in order to learn which advertisement brings a user to a given site. In addition, we may receive information about you from advertisers and/or their service providers, such as advertising identifiers, IP addresses, and post-conversion data. You may learn more about cookies and your ability to opt out of certain third-party advertising cookies by visiting the following website: http://www.aboutads.info/choices. If you do not want your information to be collected and used by third-party tracking technologies, you can exercise some choice over such tracking by visiting the Network Advertising Initiative Opt-Out Tool (http://optout.networkadvertising.org) or the Digital Advertising Alliance Opt-Out Tool (https://optout.aboutads.info). Even if you disable tracking, keep in mind that you may still receive interest-based advertising, including from third parties with whom your information had been previously disclosed or advertising from third parties that is not based on your interests and preferences.
3.3 Opt-In Consent to Marketing
Distinct from the general third-party advertising described in the above section 3.2, Stash will not share your Personal Information with non-affiliated third parties that may use your Personal Information to market to you without first obtaining your opt-in consent. By providing your opt-in consent, Stash may share your Personal Information with such non-affiliated third parties, and you permit such non-affiliated third parties to send marketing advertisements to you. If you have opted-in for this kind of sharing of your Personal Information, then you may: (i) choose to opt-out of such sharing; and/or (ii) request certain information regarding our disclosure of your Personal Information to such non-affiliated third parties in accordance with Section 8 below, in each case by contacting us by following the instructions in the “Contact Us” section below.
4. How The Information Is Used
Our primary purpose in collecting information about you is to provide you with a secure, smooth, efficient, and customized experience. We may use information about you to (1) provide, understand, improve, and develop the Stash Platform and Services, (2) create and maintain a trusted and safe environment (such as to comply with our legal obligations), and (3) provide, personalize, measure, and improve our advertising and marketing.
4.1 Provide, Improve, and Develop the Stash Platform and Services
We may use Personal Information to provide, improve, and develop the Stash Platform and Services, including, for example:
- To enable you to access and use the Stash Platform and Services.
- To fulfill our contractual obligations to you or any requests by you for support.
- To provide you with personalized suggestions and recommendations about trade recommendations, budgeting, saving money, spending, or other financial products, services, or offers that we believe may help you, based on information about your transactions, purchases, or account balances.
- To maintain or service Customer accounts, process or fulfill orders and transactions, or verify Customer information.
- To engage third-party service providers to perform certain functions on our behalf, including, for example, website hosting, mailing information, maintaining databases, ID verification, processing applications, processing, and completing transactions.
- To operate, protect, improve, and optimize the Stash Platform and Services, such as by performing analytics and conducting research, such as by compiling aggregated and anonymized information about our Customers’ demographics, interests, and behaviors, in order to better understand our Customer base and to develop new products, features or services.
We process your Personal Information for these purposes given our legitimate interest in improving the Stash Platform and Services and our Customers’ experience with it, and where it is necessary for the adequate performance of our contractual obligations with you. Further, to the extent you add a widget to the App through the interactive instructions displayed on your iOS or Android device, you are expressly authorizing Stash to display certain of your Personal Information, including but not limited to the value of your account, outside of the App on your iOS or Android device.
4.2 Create and Maintain a Trusted and Safe Environment
We may use Personal Information to create and maintain a trusted and safe environment, including, for example:
- To comply with our legal obligations, including detecting and preventing fraud, spam, abuse, security incidents, and other harmful or illegal activity, or to conduct security investigations and risk assessments.
- To verify or authenticate information or identifications provided by you, or to conduct checks against databases and other information sources, including background or police checks, to the extent permitted by applicable laws and with your consent where required.
- To ensure compliance with and enforce our Terms of Use, Privacy Policy, other policies, Disclosures, Notices, Agreements or Terms, and Conditions.
- To resolve any disputes with any of our Customers and enforce our agreements with third parties.
- To conduct debugging to identify and repair errors.
- To share your Personal Information with any of our parent companies, affiliates, subsidiaries, joint ventures, or other companies that we control, are controlled by, or are under common control with us.
- To share your Personal Information with any of our third-party service providers who perform services for us and help us operate our business.
- To comply with our obligations in the event of a corporate sale, merger, reorganization, sale of assets, dissolution, or similar event. If your Personal Information is part of the transferred assets, you will be notified via email and/or a prominent notice on our Platform of any change in ownership or uses of your Personal Information, as well as any choices you may have regarding your Personal Information.
- To comply with a court order or other lawful request or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of Stash, (iii) act in urgent circumstances to protect the financial security of users of the Stash Platform or the public against fraud or other harm, or (iv) protect against legal liability.
We process your Personal Information for these purposes given our legitimate interest in protecting the Stash Platform and Services, to measure the adequate performance of our contractual obligations with you, and to comply with applicable laws.
4.3 Provide, Personalize, Measure, and Improve our Advertising and Marketing
We may use Personal Information to provide, personalize, measure, and improve our advertising and marketing, including, for example:
- To send you promotional messages, marketing, advertising, and other information that may be of interest to you based on your preferences and your Personal Information (including information about Stash or partner campaigns and services).
- To personalize, measure, and improve our marketing and advertising efforts.
- To administer referral programs, rewards, surveys, sweepstakes, contests, or other promotional activities or events sponsored or managed by Stash or its third-party partners.
- To communicate with you in response to your inquiries and to provide you with any requested information and updates about our Services.
- To develop one or more automated models, algorithms, or similarly designed technologies that conduct profiling based on your Personal Information, characteristics, and preferences, in order to send you promotional messages, marketing, advertising, and other information that we think, may be of interest to you.
- To share your Personal Information with third parties, including but not limited to third-party market research firms for analysis purposes and to help such third parties generate anonymized and aggregated market research data for us, or to third-party marketing partners for external ad distribution and ad optimization (including targeting or retargeting, analyzing, managing, or optimizing of ads). However, under no circumstances will we ever sell your Personal Information to third parties.
We will process your Personal Information for the purposes listed in this section, given our legitimate interest in undertaking marketing activities to offer you products or services that may be of interest to you.
5. How We Protect Your Information
The security of your Personal Information is of utmost importance to us. Stash handles sensitive financial customer data, so we’ve taken steps to secure critical systems and information. For example, we use encryption to protect and secure all of your information, from personal data (like your Social Security number) to your transaction history. We take commercially reasonable technical, administrative, and physical safeguards to protect information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. To learn more about how we protect your information, visit https://www.stash.com/security.
If you know or have reason to believe that your Personal Information or Stash account has been stolen, misappropriated, or otherwise compromised, or if you receive an unsolicited email or other electronic communication that appears to be from Stash but you suspect it may be from some other source or fraudulent, please contact us by following the instructions in the “Contact Us” section below.
6. Retention of Your Information
We will retain your Personal Information for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy or subsequently authorized. We will also retain and use your Personal Information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. If your customer relationship with Stash ends, we will not destroy your Information unless required or permitted by law. We will continue to treat your Personal Information in accordance with this Privacy Policy and applicable laws.
Information connected to you that is no longer necessary and relevant to provide our Services may be de-identified or aggregated with other non-personal data to provide insights that are commercially valuable to Stash, such as statistics of the use of the Services.
7. Communication Preferences
You have choices on the messages you choose to receive.
- As a user of the Services, we and/or our custodian(s) will send you administrative and transactional communications that are necessary to provide the Services, such as billing, brokerage, fraud, or service notifications.
- When you sign up for our Services or newsletter(s), we will send periodic emails to you regarding the Services or to tell you about services we believe will be of interest to you. To opt out of marketing emails from Stash, simply click the link labeled “unsubscribe” at the bottom of any such email we send you.
- By providing your phone number, you expressly consent to Stash and/or its agents calling or texting you using an automated telephone dialing system and/or prerecorded messages, even if you incur charges for receiving such communications. For example, we may send you informational text messages to your mobile device in order to better service your account. You can revoke your consent to receiving informational text messages at any time by replying “STOP” or following any other instructions included in these text messages. For more information about receiving marketing communications through calling or texting, please see our Stash Messaging Terms and Conditions.
8. California Residents' Privacy Rights
Effective January 1, 2023, the California Privacy Rights Act (“CPRA”), in addition to the rights already established under the California Consumer Privacy Act of 2020 (“CCPA”) (collectively referred to in this notice as “CPRA”), allows California residents, upon a verifiable consumer request and subject to applicable exemptions, to request that we give you access, in a portable and (if technically feasible) readily usable form, to the specific pieces and categories of personal information that we have collected about you, the categories of sources for that information, the business or commercial purposes for collecting the information, and the categories of third parties with which the information was shared. Where CPRA is applicable, California residents may also have the right to submit a request for deletion of information under certain circumstances. Please note that the CPRA does not apply to non-public personal information collected by financial institutions governed by certain federal regulations. As a result, the CPRA does not apply to most of the personal information that Stash collects from you as a customer.
Stash will not discriminate against those who exercise their rights. Specifically, if you exercise your rights, we will not deny you services, charge you different prices for services, prevent you from applying for future employment with Stash, or provide you a different level or quality of services. To submit a data request, please contact us by following the instructions in the “Contact Us” section below. Please note that you may be required to verify your identity before further action is taken. Please be prepared to provide us with information such as: your first and last name, the last four digits of your Social Security number, and proof of California residency to verify your identity, along with identifying with specificity which CPRA right you wish to exercise. As a part of this process, government identification may be required. Consistent with California law, you may designate an authorized agent to make a request on your behalf. In order to designate an authorized agent to make a request on your behalf, you must provide a valid power of attorney, the requester's valid government-issued identification, and the authorized agent's valid government-issued identification.
We do not sell Personal Information to third parties. We do not sell the Personal Information of California residents that are less than 16 years of age, unless the resident (in the case of residents between 13 and 16 years of age) or the resident’s parent or guardian (in the case of residents who are less than 13 years of age) has affirmatively authorized the sale of the resident’s Personal Information. We do allow third parties to collect personal information through our Service and share personal information with third parties for the business purposes described in this Privacy Policy, including, without limitation, advertising and marketing on our Service and elsewhere based on users’ online activities over time and across different sites, services, and devices.
In the last 12 months, we collected certain categories of personal information including, but not limited to: identifiers (such as name, email address and IP address), Internet or other electronic network activity information (such as engagement with promotional messages and ads). For more details about the categories of information we collect and the categories of sources of this information, please see the “Information We Collect or Receive” and the “Sources of Personal Information” sections above. We share this information with the categories of third parties described in the “How the Information Is Used” section above.
California law permits consumers who are California residents to request and obtain from us once a year, free of charge, a list of the third parties to whom we have disclosed their Personal Information (if any) for their direct marketing purposes in the prior calendar year, as well as the type of Personal Information, disclosed to those third parties. Stash does not share Personal Information with third parties for their own direct marketing purposes without your prior consent. Accordingly, you can prevent the disclosure of your Personal Information to third parties for their direct marketing purposes by withholding or withdrawing consent.
9. Changes To This Privacy Policy
We may modify this Privacy Policy from time to time which will be indicated by changing the date at the top of this page. If we make any material changes, we will notify you by email (sent to the email address specified in your account), by means of a notice on the Stash Platform prior to the change becoming effective, or as otherwise required by law. Your continued access to or use of the Stash Platform after we make any changes to this Privacy Policy will be subject to the revised Privacy Policy.
10. Contact Us
If you have questions or concerns regarding this Privacy Policy, about Stash’s information handling practices, or if you have a complaint, please contact us by emailing us at support@stash.com, or calling us at (800) 205-5164.