California Notice at Collection
California Notice at Collection (CPRA)
Short in-app notice
California Notice at Collection (CCPA/CPRA)
Effective: January 21, 2026
Business: Enbrite LLC (operator of Prosper Finance)
When you create an account, connect a bank, import transactions, or contact support, Prosper collects the personal information below to provide bookkeeping features, secure the service, and comply with law. This notice is provided at or before the point of collection. ([Legal Information Institute][1])
What we collect, why, and how long we keep it
1) Identifiers & contact info (name, email, phone, address, workspace/business info)
- Purpose: account setup, service delivery, support, service messages
- Retention: while your account is active; then up to 30 days after closure/deletion request (plus limited records as required below)
2) Account credentials & security data (Sensitive PI) (login credentials, MFA, security events)
- Purpose: authentication, account security, fraud prevention
- Retention: credentials while account is active; security events/logs typically up to 2 years
3) Bank connection metadata (Sensitive PI) (linked account identifiers/connection tokens via your bank-connection provider)
- Purpose: connect accounts and import transactions you request
- Retention: while account connection is active; deleted or de-identified within ~30 days after you disconnect (unless needed for security/fraud investigations)
4) Transaction & bookkeeping data (transactions, categories, ledger/bookkeeping outputs, notes you add)
- Purpose: bookkeeping, categorization, reporting, tax-ready records you control
- Retention: while account is active; if you close your account, we retain core bookkeeping records up to 7 years (typical financial/tax recordkeeping), unless you request deletion where an exception applies
5) Invoices (optional) (if you use invoicing features)
- Purpose: create/send invoices, reporting
- Retention: while active; then typically up to 7 years
6) Device/browser & diagnostics (IP address, device/browser details, app events, error logs)
- Purpose: maintain performance, prevent abuse, troubleshoot
- Retention: 13 months for product/security analytics; 90 days for raw error logs (then aggregated/de-identified)
7) Support communications (messages, attachments you submit)
- Purpose: customer support and troubleshooting
- Retention: typically up to 3 years after ticket closure
8) Audit logs (administrative actions and access logs)
- Purpose: security, integrity, compliance
- Retention: typically up to 7 years
Do we sell or share personal information?
No. Prosper does not sell or share personal information (as those terms are defined under the CCPA/CPRA) and does not use cross-context behavioral advertising. If you don’t sell/share, an opt-out link is not required (but you should state this in your Privacy Policy). ([Legal Information Institute][2])
More information
- Full California Notice at Collection: /privacy/california
- Privacy Policy: /privacy
(Notice must disclose categories, purposes, sold/shared, retention per category, and include a Privacy Policy link; and it can be provided via a link that jumps directly to the specific section containing the required details.) ([Legal Information Institute][1])
Full website notice
California Notice at Collection (CCPA/CPRA)
Effective: January 21, 2026
Business: Enbrite LLC (operator of Prosper Finance) (Northwest Registered Agent LLC (Attn: Enbrite LLC - Prosper Finance), 502 W 7TH ST, STE 100, ERIE, PA 16502-1333)
Contact: privacy@prosperfinance.app
This Notice describes (1) categories of personal information (including Sensitive PI where applicable) collected from California residents, (2) purposes for collection/use, (3) whether it is sold or shared, and (4) retention by category. ([Legal Information Institute][1])
We provide this Notice at or before the point of collection. ([Legal Information Institute][1])
Categories, purposes, sold/shared, and retention
| Category (incl. Sensitive PI where applicable) | Examples for Prosper | Purpose(s) | Sold/Shared? | Retention (duration or criteria) |
|---|---|---|---|---|
| Identifiers & contact | name, email, phone, address, workspace/business info | account creation, customer support, service communications | No | Life of account; then up to 30 days post-closure/deletion request, except where retention is required for legal/compliance or dispute resolution |
| Account credentials & security data (Sensitive PI) | login credentials, MFA, security events | authentication, fraud prevention, security monitoring | No | Credentials: life of account. Security events/logs: up to 2 years |
| Bank connection metadata (Sensitive PI) | linked account identifiers and connection tokens (via your bank-connection provider) | connect accounts; import transactions you request; maintain connection integrity | No | While connection is active; typically deleted/de-identified within ~30 days after disconnect, unless needed for security/fraud investigations |
| Transactions & bookkeeping data | transaction records, merchant details, categorizations, bookkeeping outputs, user-entered notes | deliver bookkeeping, categorization, reporting, exports, tax-ready records | No | Life of account; after closure, retain core bookkeeping/tax records typically up to 7 years (or longer if required by law or to resolve disputes) |
| Invoices (optional) | invoice details; client contact fields you enter | invoicing workflows; reporting | No | Life of account; then typically up to 7 years |
| Billing & payment records (if applicable) | subscription status, invoices/receipts from payment processor | billing, accounting, refunds, fraud prevention | No | Typically up to 7 years for financial recordkeeping and audits |
| Device/browser & usage; diagnostics | IP address, device/browser type, app events, crash/error data | service delivery, security, debugging, performance | No | Product/security analytics: 13 months. Raw error logs: 90 days (then aggregated/de-identified) |
| Support communications | support tickets, emails/messages, attachments you submit | customer support, troubleshooting, quality assurance | No | Typically up to 3 years after ticket closure |
| Audit logs | access logs, admin actions, system changes | security, integrity, compliance, incident response | No | Typically up to 7 years |
| AI assistant inputs/outputs (as applicable) | content you submit to the assistant and generated responses | provide assistant features; improve accuracy and usability (where permitted) | No | By default: retained up to 30 days for abuse monitoring/support, then deleted/de-identified, unless you choose to save history or it is stored in your bookkeeping records (which follow the transactions retention above) |
Sale/sharing and advertising
Prosper does not sell or share personal information and does not use cross-context behavioral advertising. Because we do not sell/share, a “Do Not Sell or Share” opt-out link is not required, but we state this in our Privacy Policy. ([Legal Information Institute][2])
Retention principle
We do not retain personal information (including sensitive personal information) longer than reasonably necessary for the disclosed purposes, and we disclose either a period or criteria per category. ([Justia][3])
Links
- Privacy Policy: /privacy ([Legal Information Institute][1])
- This Notice: /privacy/california
> If you present this Notice via link in-product/online, it must take the user directly to the specific section containing the required information (not the top of the Privacy Policy). ([Legal Information Institute][1])
Retention schedule block
Data Retention (Summary by Category)
We retain personal information (including sensitive personal information) only as long as reasonably necessary to fulfill the purposes described in this Privacy Policy and our California Notice at Collection, unless a longer retention period is required or permitted by law (for example, tax, accounting, compliance, dispute resolution, and security). ([Justia][3])
- Identifiers & contact (profile/workspace): for the life of the account, then typically up to 30 days after closure/deletion request (subject to legal/compliance holds).
- Account credentials & security data (Sensitive PI): credentials for the life of the account; security logs/events typically up to 2 years.
- Bank connection metadata (Sensitive PI): while the connection is active; typically deleted/de-identified within ~30 days after disconnect, unless needed for security/fraud investigations.
- Transactions & bookkeeping records: for the life of the account; after account closure, typically up to 7 years for financial/tax recordkeeping, audits, dispute resolution, and compliance.
- Invoices (optional) and billing/payment records (if applicable): typically up to 7 years for financial recordkeeping and audits.
- Device/browser & usage; diagnostics: product/security analytics typically 13 months; raw error logs typically 90 days, then aggregated/de-identified.
- Support communications: typically up to 3 years after ticket closure.
- Audit logs: typically up to 7 years for security, integrity, and compliance.
- AI assistant inputs/outputs (as applicable): typically up to 30 days for safety/abuse monitoring and support, then deleted/de-identified, unless you choose to save history or it becomes part of your bookkeeping records (then it follows the transactions retention schedule).
California Notice at Collection reference: /privacy/california
[1]: https://www.law.cornell.edu/regulations/california/11-CCR-7012 "Cal. Code Regs. Tit. 11, § 7012 - Notice at Collection of Personal Information" [2]: https://www.law.cornell.edu/regulations/california/11-CCR-7013 "Cal. Code Regs. Tit. 11, § 7013 - Notice of Right to Opt-Out of Sale/Sharing" [3]: https://law.justia.com/codes/california/code-civ/division-3/part-4/title-1-81-5/section-1798-100/ "California Civil Code § 1798.100"