Logo

Privacy Policy

Effective Date: May 5, 2026
Last Updated: May 26, 2026

1. Introduction

This Privacy Policy describes how Pi Squared Inc. ("Company," "we," "us") collects, uses, and discloses personal information in connection with Fast, including the Fast App (app.fast.xyz), the Fast marketplace (shop.fast.xyz), the Fast SDK, and the FastSet payment and settlement network (collectively, the "Services").

2. Data Controller

Entity: Pi Squared Inc., Delaware Corporation

Address: 301 N Neil St #503, Champaign, IL 61820, USA

Contact: contact@fast.xyz

3. Information We Collect

Account Data. When you create a Fast App account, we collect and store your passkey public key credential (WebAuthn). We do not collect or store your private key material or biometric data. Biometric verification, such as fingerprint or face recognition, occurs entirely on your device and is controlled by your device's operating system. We may also collect your email address, name, or other identifiers you provide during account creation.

On-Chain Data (Public). Wallet addresses, transaction hashes, amounts, timestamps, smart-contract interactions, and AllSet bridge interactions on Fast, supported EVM networks, or other supported networks. This data is public and immutable by nature of the underlying public ledgers.

fastUSD Transaction Data. Transaction amounts, timestamps, counterparty identifiers, wallet addresses, transaction hashes, wallet display data, transaction history, and app-mediated order/payment records for app-mediated fastUSD transactions through the Services.

Payment, Onboarding, and Offboarding Data. When you acquire or transfer supported assets through third-party onboarding, payment, or swap providers such as Coinbase, Stripe, Swapper Finance, or others, those providers collect and process payment, identity, and transaction information directly under their own terms and privacy policies. When you use AllSet smart contracts to bridge into or out of Fast, AllSet is not a provider; AllSet smart-contract interactions occur on public networks and may expose wallet addresses, transaction hashes, amounts, timestamps, supported asset and network information, and bridge status. The Company may receive limited transaction confirmations, amounts, payment method or provider types, wallet addresses, transaction hashes, order status, provider transaction identifiers, and decline, refund, reversal, chargeback, dispute, fraud, nonpayment, abuse, risk, or compliance status information received from third-party providers, banks, merchants, or fulfillment partners. The Company does not receive or store your full card number or bank account details through provider payment flows; those details are collected directly by the applicable third-party provider under its own terms and privacy policy.

Marketplace Transaction Data. When you make purchases through shop.fast.xyz, we collect transaction details including items purchased, merchant information, amounts, and shipping information you provide. Shipping information, including name, address, and phone number, is shared with merchants and fulfillment partners as needed for order delivery, returns, refunds, disputes, support, fraud prevention, tax, legal compliance, and related marketplace operations.

Agent Wallet Data. If you create Agent Wallets, we collect records of agent creation, delegation scope, funding transactions, and agent activity within the Fast ecosystem.

Technical Data. IP addresses, device type, browser type, connection data, and session timestamps. IP addresses are processed through geolocation services, such as MaxMind GeoIP2, to derive approximate geographic location. This data is used for: (a) OFAC sanctions screening - determining whether a connection originates from a comprehensively sanctioned jurisdiction; (b) geoblocking enforcement - restricting access from jurisdictions where the Services are unavailable; and (c) network security - detecting anomalous access patterns, VPN/proxy usage, and potential abuse. IP-derived geolocation data may be shared with compliance vendors, such as Chainalysis or TRM Labs, for sanctions screening and with infrastructure providers, such as Cloudflare, for access control.

Communication Data. Name, email, and message content if you contact our support team.

Analytics Data. Aggregated usage patterns, feature engagement, error logs, and performance data collected through analytics tools.

We do NOT collect private keys, seed phrases, or biometric data. Third-party onboarding, payment, swap, compliance, or identity providers may collect government-issued IDs or other identity information under their own terms and privacy policies.

4. Legal Bases for Processing (GDPR Article 6)

Legitimate Interest (Art. 6(1)(f)): Network security, fraud prevention, service optimization.

Legal Obligation (Art. 6(1)(c)): Applicable legal and compliance obligations, including sanctions screening, geoblocking, fraud or abuse prevention, and law enforcement requests.

Contract Performance (Art. 6(1)(b)): Operating the Services, processing app-mediated fastUSD transactions, and providing support.

Consent (Art. 6(1)(a)): Marketing communications and non-essential analytics where you opt in.

5. How We Use Information

  • Operating and maintaining the Services

  • Processing app-mediated fastUSD transactions and maintaining transaction history, wallet display data, and app-mediated order/payment records where applicable

  • Facilitating marketplace purchases and order fulfillment

  • Facilitating third-party onboarding, swap, AllSet bridge, and offboarding flows

  • Sanctions screening, including OFAC SDN List and international lists

  • Geoblocking enforcement

  • Network security and fraud prevention

  • Service improvement and bug fixes

  • Responding to support inquiries and service notifications

  • Complying with legal obligations

6. Data Sharing

Payment, Onboarding, Swap Providers, and AllSet/Network Interactions. Third-party onboarding, payment, swap, compliance, or identity providers may receive information you provide to them, or limited transaction information we provide, as necessary for their processing, identity checks, compliance reviews, purchases, transfers, disputes, chargebacks, fraud prevention, reversals, recovery, or related transactions. Card networks, acquiring or issuing banks, payment processors, and similar payment-system participants may receive relevant information through the applicable third-party provider under that provider's terms, not because they receive it directly from the Company unless separately disclosed. AllSet is not a provider; AllSet smart contracts and supported networks may record or expose transaction data, and may execute smart-contract instructions, through public on-chain interactions necessary for bridge, offboarding, or transfer activity, and AllSet smart contracts may hold assets during bridge transactions. For public blockchain or smart-contract interactions, information may be visible to AllSet smart contracts, network participants, indexers, explorers, and other third parties because it is recorded on public ledgers, not because the Company controls or can delete that data.

Merchants and Fulfillment Partners. When you make marketplace purchases, we share your shipping information and order details with the applicable merchant and fulfillment partners for order delivery, returns, refunds, disputes, support, fraud prevention, tax, legal compliance, and related marketplace operations. For orders fulfilled through the adapter path, your shipping information and order details are shared with Zinc API ("Zinc"), our third-party fulfillment intermediary, to complete your purchase. Zinc's privacy policy governs their use of that data.

Service Providers. Infrastructure, analytics, and compliance providers, bound by data processing agreements.

Legal Requirements. Court orders, subpoenas, government requests, and protection of rights and safety.

Business Transfers. In connection with a merger or acquisition, with notice to affected users.

We do not sell personal information. On-chain data is inherently public.

7. GDPR Rights (EU/EEA Users)

You have the right to access, rectify, erase, restrict processing, port your data, and object to processing. You may withdraw consent at any time.

On-chain limitation: On-chain data cannot be modified or deleted due to ledger immutability. Off-chain data subject to legal retention requirements may also be excluded from erasure.

To exercise rights: contact@fast.xyz. We verify your identity by matching request details against information already in our records. We respond within 30 days. You may lodge a complaint with your local data protection authority (https://www.edpb.europa.eu/).

8. CCPA Rights (California Residents)

You have the right to know what personal information we collect, request deletion, opt out of sale (we do not sell personal information), and request correction. We will not discriminate against you for exercising these rights.

Categories collected in the last 12 months:

Category Collected Purpose
Identifiers (IP, device ID, email, passkey public key) Yes Security, account management, geoblocking
Commercial info (fastUSD transactions, marketplace purchases) Yes Service, compliance
Financial info (third-party provider transaction identifiers, including Coinbase, Stripe, or Swapper Finance where applicable, payment method type) Yes Onboarding, payment support, disputes, fraud prevention, compliance, reversals, and recovery
Internet activity Yes Analytics
Geolocation (from IP) Yes Sanctions compliance
Communications If provided Support

To submit a request: contact@fast.xyz. We verify your identity by matching request details against information already in our records before processing your request. We respond within 45 days.

9. International Transfers

Data is stored in the United States. For EEA transfers, we rely on Standard Contractual Clauses (SCCs). We implement encryption, access controls, and security audits as safeguards.

10. Data Retention

  • On-chain data: Permanent (ledger immutability)

  • fastUSD transaction records and app-mediated order/payment records: Duration of account plus 7 years

  • Sanctions screening records, including IP addresses, geolocation results, and screening outcomes linked to OFAC compliance: 10 years, consistent with OFAC recordkeeping requirements (31 CFR 501.601)

  • Payment processor and provider records, including provider transaction identifiers, amounts, and statuses: Duration of account plus 7 years

  • General technical logs, including device type, browser, and session data not linked to sanctions screening: 12 months

  • Server logs: 90 days

  • Support communications: Duration of relationship plus 3 years

  • Fraud, abuse, AUP enforcement, dispute, recovery, and legal request records: retained for the period necessary to investigate, enforce rights, resolve disputes, comply with law, and maintain audit records, generally account duration plus 7 years unless a longer period is required by law

  • Aggregated analytics: Retained indefinitely, non-identifying

Upon request, we delete off-chain personal information where not prohibited by law. Sanctions screening records are exempt from deletion requests due to legal retention obligations.

11. Security

We implement encryption in transit (TLS) and at rest, role-based access controls, network security monitoring, and secure development practices. All personnel sign confidentiality agreements. In the event of a data breach, we provide notices without undue delay and within timeframes required by applicable law.

No system is completely secure. Users interact with the Services at their own risk.

12. Cookies

The Services use essential cookies for functionality and security, and may use analytics cookies with your consent. See our Cookie Policy for full details, including how to manage cookie preferences.

We honor Do Not Track signals.

13. Children

The Services are not intended for users under 18. We do not knowingly collect information from minors. If we discover such collection, we promptly delete it.

14. Changes

We may update this Privacy Policy periodically. Material changes will be posted with an updated date and, where feasible, communicated via email or website notice. Continued use constitutes acceptance.

15. Contact

Pi Squared Inc. 301 N Neil St #503, Champaign, IL 61820 Email: contact@fast.xyz

GDPR requests: 30 days response time. CCPA requests: 45 days response time.

Escalation:

END OF PRIVACY POLICY