Legal

Privacy Policy

Prosper Privacy Policy

Effective Date: January 21, 2026
Last Updated: January 21, 2026
Company: Enbrite LLC (Pennsylvania) (operator of Prosper Finance) (“we,” “us,” “our”)
Address: Northwest Registered Agent LLC (Attn: Enbrite LLC - Prosper Finance), 502 W 7TH ST, STE 100, ERIE, PA 16502-1333
Support: support@prosperfinance.app
Privacy: privacy@prosperfinance.app

This Privacy Policy explains how Prosper Finance (the “Services,” referred to as “Prosper” for short) collects, uses, discloses, and retains personal information when you use our website, web app, and related services. Prosper is a US-focused bookkeeping and reporting platform for small businesses and prosumer use.

California Notice at Collection (CCPA/CPRA)

We provide a Notice at Collection at or before the point we collect personal information. You can view our current Notice at Collection here: /privacy/california.

Summary (high-level):

Categories collected: identifiers and contact details; account credentials; workspace/business information; connected bank account metadata; transaction data; optional invoices; audit logs; device/browser data; support communications; and (if enabled) AI inputs/outputs related to your use of AI features.
Purposes: to provide and operate the Services (including categorization and reporting), secure accounts, prevent fraud, troubleshoot errors, communicate with you, improve the Services, and comply with law.
Retention: we retain personal information for the time periods described in the Data retention section below (including a per-category table).
Sale/Share: We do not sell or share personal information as those terms are defined under the CCPA/CPRA.

1) Plain-English summary

Here’s the short version:

We collect information you provide (like your name, email, and business details), information generated by your use (like audit logs), and information from your connected financial accounts (like transactions and account metadata) to deliver bookkeeping and reporting.
We use service providers to run Prosper (for example: Plaid for bank connectivity, Supabase for authentication and database hosting, Sentry for error monitoring, OpenAI for optional AI features, and Stripe if you pay for a subscription).
We do not sell or share personal information as those terms are defined under the CCPA/CPRA.
We do not use ad tracking or cross-context behavioral advertising. We use essential cookies plus product analytics and error monitoring.
You can request access, correction, or deletion of your personal information. California residents have additional rights described below.

2) Scope

This Policy applies to personal information we collect when you:

visit our websites,
create or use a Prosper account,
connect a financial account through Plaid,
use categorization, bookkeeping, reporting, or assistant features,
contact support, or
otherwise interact with us.

What this Policy does not cover

Third-party services you choose to connect (for example, your bank, Plaid, or payment processors). Their privacy practices are governed by their own policies.
Information we process as a service provider/processor on behalf of another business (if applicable). In those cases, the controller’s privacy policy may apply.

3) Personal information we collect

We collect the following categories of personal information (some may be considered “personal information” or “sensitive personal information” under certain laws, including the CCPA/CPRA).

A) Identifiers and contact information

Name, email address, phone number (if provided), mailing address (if provided)
Account identifiers and internal IDs
Business contact details you add (for example, vendor/customer contact info in invoices, if you use that feature)

B) Account credentials and authentication data

Login credentials (such as password or authentication tokens)
Multi-factor authentication data (if enabled)
Security-related logs (for example, sign-in history, session metadata)

C) Workspace and business information

Business name, business type, industry/category (if provided)
Workspace settings and preferences
Team/role assignments (if you add teammates)

D) Connected account metadata and transaction data

Connected account metadata (for example, institution name, account type, last four digits where available, connection status)
Transaction data (for example, merchant/description, transaction date, amount, category, and any user-added notes, tags, or attachments)

E) Invoices and bookkeeping artifacts (optional)

If you use invoicing or related features, we may collect:

Invoice details (for example, invoice number, line items, amounts, taxes, due dates)
Customer/vendor details you input for invoicing
Supporting documents you upload (if enabled)

F) Audit logs and operational records

Records of actions taken in the Services (for example, edits to transactions, category changes, exports, integrations connected/disconnected)
Administrative logs and access logs needed to run and secure the Services

G) Device, browser, and usage data

IP address, browser type, device identifiers, operating system
Approximate location derived from IP address
Pages/screens viewed, clicks, feature usage, referring URLs
Cookies and similar technologies (see Cookies/analytics)

H) Support and communications

Messages you send to support and related metadata
Feedback and survey responses (if offered)
Communications preferences

I) AI inputs/outputs (only if you use AI features)

Prompts, messages, and other inputs you submit to AI features
AI-generated outputs returned to you (for example, suggested categories or explanations)
Minimal context sent to support the feature (for example, transaction description and merchant strings), as described in AI Processing / AI Features

4) Sources of personal information

We collect personal information from:

You (when you sign up, configure a workspace, connect accounts, categorize transactions, create invoices, upload files, or contact support)
Connected services you authorize (such as Plaid and financial institutions via Plaid)
Your devices and browser (through cookies, logs, and analytics)
Service providers that help us operate the Services (for example, hosting, monitoring, and support tooling)

5) How we use personal information

We use personal information to:

A) Provide, operate, and maintain the Services

Create and manage accounts and workspaces
Import, organize, and display transactions and bookkeeping records
Provide categorization, reporting, and export features
Process payments (if applicable)

B) Improve and develop the Services

Understand how users interact with features (product analytics)
Fix bugs, troubleshoot errors, and optimize performance
Evaluate and improve categorization logic (including AI-assisted features where enabled)
Improve our categorization systems, including training and evaluating internal machine-learning models using aggregated or de-identified information (for example, cleaned transaction text and confirmed category labels), where permitted by law and subject to safeguards described in this Policy.

C) Communicate with you

Send service-related communications (for example, confirmations, security notices, support replies)
Provide updates about features and changes to the Services

D) Security, fraud prevention, and integrity

Protect accounts and prevent unauthorized access
Detect and prevent fraud, abuse, or suspicious activity
Monitor and maintain the security of the Services

E) Legal, compliance, and business operations

Comply with applicable laws and lawful requests
Enforce our terms and protect our rights and users
Maintain records for audits, dispute resolution, and compliance

6) Disclosures of personal information (service providers/subprocessors)

We disclose personal information to service providers and subprocessors who perform services on our behalf. We require them to use personal information only to provide services to us (consistent with applicable law and contracts) and to protect it.

Current subprocessors may be listed here: /subprocessors.

Categories of recipients

Bank connectivity provider: Plaid (to connect financial institutions and import transaction data)
Hosting, database, authentication, and storage: Supabase (to operate core app infrastructure)
Error monitoring and diagnostics: Sentry (to identify and fix stability issues)
AI processing provider (optional features): OpenAI (to provide AI-assisted categorization and assistant features where enabled)
Payments (if applicable): Stripe or another payment processor (Stripe)
Customer support tooling (if applicable): tools that help us manage support tickets and communications
Professional advisors: legal, accounting, and security advisors as needed
Law enforcement / legal requests: when required to comply with law or protect rights

What we do not do

We do not sell or share personal information as those terms are defined under the CCPA/CPRA.
We do not disclose personal information for cross-context behavioral advertising.

7) Financial Data (Plaid)

Prosper uses Plaid to help you connect your financial accounts and import information you authorize.

What data is involved

Depending on your permissions and the connection, Prosper may receive and process:

Account metadata: institution name, account type, account nickname (if any), and identifiers such as last four digits where available
Transactions: merchant/description, amount, date, and other transaction fields made available through your connection
Connection and token data: technical data needed to maintain the connection (for example, access tokens or connection tokens)

What we do with Plaid data

We use Plaid-connected data to:

import and display transactions,
support categorization, bookkeeping workflows, and reporting,
reconcile and detect duplicates or errors,
maintain connection health and troubleshoot sync issues.

What we do not do with Plaid data

We do not use Plaid data for targeted advertising.
We do not sell or share Plaid data as defined by the CCPA/CPRA.

Plaid and your financial institution

Plaid and your bank may have their own privacy practices. Your use of Plaid is subject to Plaid’s terms and privacy policy, and your bank’s policies.

8) AI Processing / AI Features

Prosper offers AI-assisted features (for example, categorization suggestions and an assistant experience). You control whether to use these features where offered.

Internal categorization models (non-LLM)

Prosper may use internal machine-learning models to suggest transaction categories. To improve these models for all customers, we may use aggregated or de-identified information derived from confirmed categorizations (for example, cleaned merchant/description text and category labels) and we do not attempt to re-identify that information.

Because this improvement uses aggregated or de-identified information, it may not be offered as an opt-out. You can still control optional AI Features (where offered) and you can delete your account, subject to our retention obligations described in this Policy.

What information may be processed by AI

If you use AI features, we may process:

transaction descriptors (merchant strings, memo/description),
transaction attributes (amount, date, category context),
user-provided notes or labels you include in the request,
your messages/prompts to the assistant and the assistant’s responses.

How AI is used

We use AI features to:

suggest categories and explanations,
draft summaries and insights,
help you search, understand, or organize your bookkeeping data.

Third-party AI provider

When AI features are enabled, we may send limited information to OpenAI (or a similar provider) to generate responses and suggestions. We send only what is reasonably necessary to provide the feature.

Human review

We do not routinely have humans review your AI prompts or outputs. However, we may access related data to:

provide support you request,
debug issues and prevent abuse,
comply with law, or
protect the security and integrity of the Services.

Important note about AI

AI output may be incorrect. You are responsible for reviewing and confirming categories, labels, and bookkeeping decisions before relying on them for tax filings, financial statements, or other important decisions.

9) Cookies/analytics

We use cookies and similar technologies for:

A) Essential cookies

Required to operate the Services, such as:

authentication and session management,
security features and fraud prevention,
load balancing and basic functionality.

B) Product analytics

We may use analytics tools to understand feature usage and improve performance (for example: which features are used most, aggregate usage patterns, and interaction flows). We configure analytics to support product improvement, not advertising.

C) Error monitoring

We use error monitoring tools (for example, Sentry) to diagnose crashes and performance issues.

Your choices

You may control cookies through your browser settings.
Where provided, you can manage non-essential cookies via our cookie controls or preferences in-app.
Because we do not sell or share personal information (as defined under the CCPA/CPRA), we do not use cookies for cross-context behavioral advertising.

10) Data retention

We keep personal information only as long as reasonably necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law (for example, tax, accounting, anti-fraud, and dispute-resolution obligations).

Retention depends on factors such as:

whether your account is active,
your settings and deletion actions,
legal obligations and limitation periods,
security and fraud-prevention needs.

Retention by category (bookkeeping-focused)

The table below summarizes typical retention periods for a bookkeeping app. Actual retention may vary based on account status, user actions, backups, legal holds, and compliance requirements.

Category	Examples	Primary purpose	Typical retention	Deletion notes
Account identifiers & contact info	name, email, phone (if provided)	account creation, support, security	For life of account + up to 30–90 days after closure	Delete or de-identify after closure unless needed for security, fraud, or legal hold
Credentials & authentication data	password hash, tokens, MFA status, sign-in history	security, account access	Life of account; sign-in history 12–24 months	Tokens rotate/expire; keep logs longer if needed for incident investigations
Workspace/business info	business name, settings, roles	provide Services	Life of account + 30–90 days	Export available; delete with workspace deletion unless legal hold
Bank connection metadata	institution name, account type, connection status, last four	maintain connections	Life of connection + 30–90 days	Remove connection → revoke tokens where possible and purge stale metadata
Transaction data	merchant, amount, date, categories, notes	bookkeeping, reporting, tax readiness	While account active; after closure up to 7 years if user chooses archival (recommended for tax)	Provide user controls: delete/export. If user deletes, purge within reasonable time unless legal hold
Invoices (optional)	invoice line items, customer/vendor details	invoicing, records	While account active; after closure up to 7 years if retained for records	Users can delete invoices; some records may be needed to resolve disputes
Uploads/attachments (optional)	receipts, statements, documents	evidence, workflows	While attached record exists + 30–90 days	Deleting record triggers deletion; backups may persist briefly
Audit logs	user actions, change history	integrity, security, troubleshooting	2–7 years (depending on risk posture)	Keep longer if needed for fraud prevention or dispute resolution
Device/browser data	IP, device info, usage events	security, analytics	30 days to 12 months (aggregate metrics may persist)	Prefer aggregation/de-identification after short windows
Error monitoring data	stack traces, crash logs	reliability and debugging	30 days to 12 months	Configure to minimize sensitive fields
Support communications	tickets, emails, chat	customer support	Up to 3 years	Keep longer if needed for disputes or legal compliance
AI inputs/outputs	prompts and AI responses (if enabled)	provide AI features, improve UX	Short-lived by default (e.g., 30–180 days) unless user saves content	Minimize what is stored; allow user deletion/export where feasible
Legal/compliance records	legal holds, consent logs	compliance	As required by law	Overrides other retention schedules

11) Security

We use reasonable administrative, technical, and organizational safeguards designed to protect personal information, including measures to:

restrict access based on least privilege,
encrypt data in transit and (where appropriate) at rest,
monitor for suspicious activity and errors,
maintain audit logging for important actions,
manage vulnerabilities and apply security updates.

No method of transmission or storage is 100% secure. You are responsible for maintaining the confidentiality of your credentials and for using appropriate security settings (for example, enabling MFA where available).

12) Your privacy rights

Your rights depend on where you live. This section focuses on California rights under the CCPA/CPRA and includes practical instructions for making requests.

A) California privacy rights (CCPA/CPRA)

If you are a California resident, you may have the right to:

1. Right to Know / Access
Request that we disclose: - the categories of personal information we collected about you, - the categories of sources, - the business or commercial purposes, - the categories of third parties to whom we disclose personal information, and - (where required) the specific pieces of personal information we collected about you.

2. Right to Delete
Request deletion of personal information we collected from you, subject to legal exceptions (for example, security, fraud prevention, and compliance).

3. Right to Correct
Request correction of inaccurate personal information, taking into account the nature of the information and the purposes of processing.

4. Right to Opt Out of Sale or Sharing
You may request we stop selling or sharing personal information.
Status: We do not sell or share personal information as those terms are defined under the CCPA/CPRA.

5. Right to Limit Use/Disclosure of Sensitive Personal Information (where applicable)
If we process “sensitive personal information” beyond what is necessary to provide the Services or other permitted purposes, you may have the right to limit that use/disclosure. As a bookkeeping service, we generally use sensitive information only to provide the Services, secure accounts, and prevent fraud.

6. Right to Non-Discrimination
You have the right not to receive discriminatory treatment for exercising privacy rights.

7. Rights related to automated decision-making (if applicable)
If we use automated processing in ways that trigger additional rights under California law, we will provide appropriate disclosures and controls. For Prosper, AI features are intended to assist bookkeeping workflows, and you may disable AI features where offered.

B) How to submit a request

You (or your authorized agent) can submit requests by:

Email: privacy@prosperfinance.app
Privacy Center (recommended): mailto:privacy@prosperfinance.app
In-app (for account holders): privacy controls or help/support flows (if offered)

Opt-out preference signals (GPC): If you use a browser or extension that sends a Global Privacy Control (GPC) signal, we will process it in a reasonable manner as an opt-out of sale/sharing where applicable. Because we do not sell or share personal information as defined by the CCPA/CPRA, GPC will not change how we handle data for advertising.

C) Verification

To protect your information, we will verify your identity before fulfilling certain requests (such as access, deletion, or correction). Verification may include:

confirming access to the email address on your account,
requesting account or workspace details, or
asking for other information necessary to reasonably verify identity.

If you do not have an account, we may request limited information to verify you, consistent with applicable law.

D) Authorized agents

You may designate an authorized agent to make requests on your behalf. We may require:

proof of the agent’s authorization, and
verification of your identity directly with us.

E) Timelines

We aim to confirm receipt of qualifying requests and respond within the timeframes required by applicable law. If we need more time, we may extend our response period as permitted by law and will notify you.

13) Children’s privacy

Prosper is not directed to children, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to Prosper, contact us at privacy@prosperfinance.app and we will take appropriate steps to delete it.

14) Changes

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Services or by other appropriate means. The Effective Date above shows when this Policy was last updated.

15) Contact

If you have questions about this Privacy Policy or our privacy practices, contact us:

Email: privacy@prosperfinance.app
Support: support@prosperfinance.app
Mail: Northwest Registered Agent LLC (Attn: Enbrite LLC - Prosper Finance), 502 W 7TH ST, STE 100, ERIE, PA 16502-1333