Logo

FAST PRIVACY POLICY

Effective Date: May 5, 2026 Last Updated: May 5, 2026

1. Introduction

This Privacy Policy describes how Pi Squared Inc. ("Company," "we," "us") collects, uses, and discloses personal information in connection with Fast, including the Fast App (app.fast.xyz), the Fast marketplace (shop.fast.xyz), the Fast SDK, and the FastSet payment and settlement network (collectively, the "Services").

2. Data Controller
Entity Pi Squared Inc., Delaware Corporation
Address 301 N Neil St #503, Champaign, IL 61820, USA
Contact contact@fast.xyz

3. Information We Collect

Account Data. When you create a Fast App account, we collect and store your passkey public key credential (WebAuthn). We do not collect or store your private key material or biometric data. Biometric verification (fingerprint, face recognition) occurs entirely on your device and is controlled by your device's operating system. We may also collect your email address, name, or other identifiers you provide during account creation.

On-Chain Data (Public). Wallet addresses, transaction hashes, amounts, timestamps, and smart contract interactions. This data is public and immutable by nature of the underlying public ledgers.

fastUSD Transaction Data. Transaction amounts, timestamps, counterparty identifiers, and balance information for fastUSD prepaid credit transactions within the Fast ecosystem.

Payment Data. When you fund your account through Stripe (credit card, debit card, or ACH), Stripe collects and processes your payment information directly. The Company receives a transaction confirmation, amount, payment method type, and Stripe transaction identifier. The Company does not receive or store your full card number or bank account details. Stripe's collection and use of your payment data is governed by Stripe's privacy policy.

Marketplace Transaction Data. When you make purchases through shop.fast.xyz, we collect transaction details including items purchased, merchant information, amounts, and shipping information you provide. Shipping information (name, address, phone number) is shared with merchants and fulfillment partners solely for order delivery.

Agent Wallet Data. If you create Agent Wallets, we collect records of agent creation, delegation scope, funding transactions, and agent activity within the Fast ecosystem.

Technical Data. IP addresses, device type, browser type, connection data, and session timestamps. IP addresses are processed through geolocation services (e.g., MaxMind GeoIP2) to derive approximate geographic location. This data is used for: (a) OFAC sanctions screening — determining whether a connection originates from a comprehensively sanctioned jurisdiction; (b) geoblocking enforcement — restricting access from jurisdictions where the Services are unavailable; and (c) network security — detecting anomalous access patterns, VPN/proxy usage, and potential abuse. IP-derived geolocation data may be shared with compliance vendors (e.g., Chainalysis, TRM Labs) for sanctions screening and with infrastructure providers (e.g., Cloudflare) for access control.

Communication Data. Name, email, and message content if you contact our support team.

Analytics Data. Aggregated usage patterns, feature engagement, error logs, and performance data collected through analytics tools.

We do NOT collect: private keys, seed phrases, biometric data, or government-issued IDs.

4. Legal Bases for Processing (GDPR Article 6)

Legitimate Interest (Art. 6(1)(f)): Network security, fraud prevention, service optimization.

Legal Obligation (Art. 6(1)(c)): OFAC sanctions screening, geoblocking, AML compliance, law enforcement requests.

Contract Performance (Art. 6(1)(b)): Operating the Services, processing fastUSD transactions, and providing support.

Consent (Art. 6(1)(a)): Marketing communications and non-essential analytics (where you opt in).

5. How We Use Information

  • Operating and maintaining the Services
  • Processing fastUSD transactions and maintaining account balances
  • Facilitating marketplace purchases and order fulfillment
  • Processing fiat and cryptocurrency on-ramp transactions
  • Sanctions screening (OFAC SDN List and international lists)
  • Geoblocking enforcement
  • Network security and fraud prevention
  • Service improvement and bug fixes
  • Responding to support inquiries and service notifications
  • Complying with legal obligations

6. Data Sharing

Payment Processors. Stripe receives payment data for fiat on-ramp transactions. Third-party swap providers receive data necessary for cryptocurrency on-ramp transactions.

Merchants and Fulfillment Partners. When you make marketplace purchases, we share your shipping information and order details with the applicable merchant and fulfillment partners for order delivery. For orders fulfilled through the adapter path, your shipping information and order details are shared with Zinc API ("Zinc"), our third-party fulfillment intermediary, to complete your purchase. Zinc's privacy policy governs their use of that data.

Service Providers. Infrastructure, analytics, and compliance providers, bound by data processing agreements.

Legal Requirements. Court orders, subpoenas, government requests, and protection of rights and safety.

Business Transfers. In connection with a merger or acquisition, with notice to affected users.

We do not sell personal information. On-chain data is inherently public.

7. GDPR Rights (EU/EEA Users)

You have the right to access, rectify, erase, restrict processing, port your data, and object to processing. You may withdraw consent at any time.

On-chain limitation: On-chain data cannot be modified or deleted due to ledger immutability. Off-chain data subject to legal retention requirements may also be excluded from erasure.

To exercise rights: contact@fast.xyz. We verify your identity by matching request details against information already in our records. We respond within 30 days. You may lodge a complaint with your local data protection authority (https://www.edpb.europa.eu/).

8. CCPA Rights (California Residents)

You have the right to know what personal information we collect, request deletion, opt out of sale (we do not sell personal information), and request correction. We will not discriminate against you for exercising these rights.

Categories collected in the last 12 months:

Category Collected Purpose
Identifiers (IP, device ID, email, passkey public key) Yes Security, account management, geoblocking
Commercial info (fastUSD transactions, marketplace purchases) Yes Service, compliance
Financial info (Stripe transaction IDs, payment method type) Yes On-ramp processing
Internet activity Yes Analytics
Geolocation (from IP) Yes Sanctions compliance
Communications If provided Support

To submit a request: contact@fast.xyz. We verify your identity by matching request details against information already in our records before processing your request. We respond within 45 days.

9. International Transfers

Data is stored in the United States. For EEA transfers, we rely on Standard Contractual Clauses (SCCs). We implement encryption, access controls, and security audits as safeguards.

10. Data Retention

  • On-chain data: Permanent (ledger immutability)
  • fastUSD transaction records: Duration of account plus 7 years
  • Sanctions screening records (IP addresses, geolocation results, screening outcomes linked to OFAC compliance): 10 years, consistent with OFAC recordkeeping requirements (31 CFR 501.601)
  • Payment processor records (Stripe transaction IDs, amounts): Duration of account plus 7 years
  • General technical logs (device type, browser, session data not linked to sanctions screening): 12 months
  • Server logs: 90 days
  • Support communications: Duration of relationship plus 3 years
  • Aggregated analytics: Retained indefinitely (non-identifying)

Upon request, we delete off-chain personal information where not prohibited by law. Sanctions screening records are exempt from deletion requests due to legal retention obligations.

11. Security

We implement encryption in transit (TLS) and at rest, role-based access controls, network security monitoring, and secure development practices. All personnel sign confidentiality agreements. In the event of a data breach, we notify affected users within 72 hours and relevant authorities as required.

No system is completely secure. Users interact with the Services at their own risk.

12. Cookies

The Services use essential cookies for functionality and security, and may use analytics cookies with your consent. See our Cookie Policy for full details, including how to manage cookie preferences.

We honor Do Not Track signals.

13. Children

The Services are not intended for users under 18. We do not knowingly collect information from minors. If we discover such collection, we promptly delete it.

14. Changes

We may update this Privacy Policy periodically. Material changes will be posted with an updated date and, where feasible, communicated via email or website notice. Continued use constitutes acceptance.

15. Contact

Pi Squared Inc. 301 N Neil St #503, Champaign, IL 61820 Email: contact@fast.xyz

GDPR requests: 30 days response time. CCPA requests: 45 days response time.

Escalation:

END OF PRIVACY POLICY