§ 01 · Scope
Our two roles, your two data streams.
This Policy applies to your relationship with Web It Fast. It covers two distinct data streams:
- Subscriber data — data we collect from you as the business owner who subscribes to the Service (your account, billing, support history, your direct activity in the dashboard). For Subscriber data, Web It Fast is the data controller — we decide what we collect, why, and how it is used.
- Visitor data — data that flows into your Tenant Site from your end-customers (booking submissions, contact-form messages, shop orders, AI-chat transcripts, page-view analytics). For Visitor data, you are the data controller and Web It Fast is the data processor acting on your documented instructions. Your obligations to your Visitors are described in Terms of Use §14.
Where this Policy uses defined terms (Subscriber, Tenant Site, Visitor, Subscriber Content) the meanings are taken from Terms of Use §2.
§ 02 · Collection
What we collect.
Information you give us directly.
- Account details — name, email address, business name, industry, and the configuration choices you make during onboarding and in the dashboard.
- Billing details — when self-service billing is live (Phase 7), payment method tokens, cardholder name, billing address, transaction history. Cardholder data is collected client-side by Stripe and tokenized; raw payment-card data never reaches Web It Fast servers.
- Support & build-request content — the messages, attachments, and screenshots you send to support or include in white-glove build tickets.
- Subscriber Content — the text, images, services, hours, menus, and other configuration you upload or generate through the dashboard. (We also host this on your behalf under the license in Terms of Use §7.)
Information we collect automatically.
- Server logs — IP address, user-agent, requested URL, response status, response time, and referrer for each request to the Service or to your Tenant Site.
- Security & abuse signals — failed-login counts, rate-limit hits, suspicious-traffic patterns, AI-token usage relative to your budget.
- Domain & TLS state — the result of hourly DNS verification (CNAME / A-record state) for your custom domain.
- Cookies & local storage — see §4.
Information from third-party services.
- Square — when you connect your Square account, we receive product catalog, order data, inventory levels, and OAuth identifiers for the purpose of bidirectional shop sync.
- Stripe (when live) — subscription status, payment outcome, dispute notifications.
- Anthropic — the AI provider returns generated text in response to prompts we send; that text becomes part of Subscriber Content if you choose to publish it.
What we do NOT collect.
- We do not collect biometric identifiers, government IDs, social-security numbers, or precise GPS location from Subscribers.
- We do not run third-party advertising trackers, ad-network pixels, or cross-site behavioral-advertising cookies on Tenant Sites or on the Web It Fast marketing site.
- We do not sell personal information to third parties (as the term “sell” is defined under CCPA / CPRA).
§ 03 · Use
How we use it.
We use Subscriber data for the following purposes:
- Operate the Service. Authenticate you, render your dashboard, serve your Tenant Site, run bookings, sync your shop catalog, generate AI suggestions.
- Billing. Charge your payment method, send invoices, handle refunds and disputes, send price-change notices required under Terms of Use §5.
- Support. Respond to your support requests and fulfill white-glove builds (see §5 below for the impersonation mechanism that supports this).
- Security & abuse prevention. Detect credential compromise, throttle abusive traffic, investigate AUP violations under Terms of Use §8.
- Service improvement. Aggregate, deidentified usage telemetry helps us prioritize roadmap. We do not use Subscriber Content as AI training data — see §8 below.
- Legal & compliance. Respond to subpoenas, court orders, and lawful regulatory requests; preserve evidence in connection with a dispute; enforce these Terms.
Under California law, the legal basis we rely on for each of these is the performance of our contract with you (the Terms of Use), our legitimate interest in operating and securing the Service, and compliance with our legal obligations.
§ 04 · Cookies
Cookies & tracking technologies.
Web It Fast uses cookies and equivalent local-storage mechanisms only for the following purposes:
- Strictly necessary — session authentication (your login cookie), CSRF protection, and the “is-superuser” flag used to gate the founder portal. These are first-party, session-scoped (or short-TTL) cookies. Disabling them prevents the Service from working.
- Preference — your dashboard's theme preference, the staged-draft preview toggle, and similar first-party settings. Stored locally; not transmitted to any third party.
- Tenant-site analytics — if you (the Subscriber) enable analytics on your Tenant Site, anonymized aggregate page-view counts and country-level geolocation derived from MaxMind GeoLite2 may be stored. You configure consent banners and disclosures for your Visitors.
We do not run third-party ad pixels, cross-site tracking cookies, or behavioral-advertising networks on the Web It Fast marketing site or on Tenant Sites.
§ 05 · Staff access
Who has access — including our staff.
Inside Web It Fast, access to Subscriber data and Visitor data is restricted to designated personnel under role-based controls. Today, Web It Fast and any contractors expressly engaged to fulfill build-requests or operate the Service.
Tenant impersonation — what it is, why it exists.
The Service includes an operational feature called tenant impersonation. When activated, it lets a designated Web It Fast staff member view, navigate, and act inside the Subscriber's dashboard exactly as the Subscriber would — including the ability to edit Subscriber Content, change configuration, and view Visitor data — without learning the Subscriber's password. We use this feature to:
- Investigate and resolve support tickets you submit.
- Fulfill $99 white-glove build requests (see Terms of Use §13).
- Investigate suspected breaches of the Terms or security incidents under a good-faith belief of harm to Visitors or the Service.
- Respond to a valid subpoena, court order, or lawful regulatory request.
Logging & controls.
Every impersonation session is recorded in an internal audit log capturing:
- Which staff member initiated the session;
- Which tenant account was accessed;
- The session start time and end time;
- A count of actions taken during the session.
The impersonation feature is not accessible to Visitors, to other Subscribers, or to any third party. It is not used for marketing, advertising, or AI training.
Cross-reference — consent and waiver
By continuing to use the Service, you consent to the impersonation access described in this section. The legal authorization and the waiver of liability for changes or errors made by staff during an authorized impersonation session are stated in
Terms of Use §6 (“Authorized access by Web It Fast staff”).
§ 06 · Subprocessors
The vendors we rely on.
Web It Fast uses a small number of third-party services to operate the Service. These vendors process Subscriber data and/or Visitor data on our behalf, under contracts that require them to maintain at least the level of protection described in this Policy.
| Vendor | Purpose | Data category | Location |
| Hetzner Online GmbH | Hosting infrastructure (compute, storage, network) | All Service data at rest and in transit | United States & EU |
| Anthropic, PBC | Large-language-model API for AI features (Claude Sonnet 4.6, Haiku 4.5) | AI prompts (synthesized from Subscriber Content), AI responses | United States |
| Square, Inc. | POS & payments integration; bidirectional shop catalog sync | Product catalog, orders, OAuth identifiers | United States |
| Stripe, Inc. | Subscription billing (when Phase 7 ships); payment method tokenization | Tokenized payment instruments, billing metadata | United States |
| Caddy / Let's Encrypt (ISRG) | On-demand TLS certificate issuance for tenant custom domains | Tenant domain names | United States |
| MaxMind, Inc. | GeoLite2 country lookup for Visitor analytics | Visitor IP → country (lookup is local; no data leaves the Service) | n/a (local data file) |
The vendors above process data only to deliver their contracted function. They do not have a right to use Subscriber data or Visitor data for their own purposes, and they are not permitted to sell or share it for advertising.
If a vendor changes, is added, or is removed, we will update this list. Material changes that introduce a new category of data sharing will be communicated under §15.
§ 07 · Visitor data
Your Visitors' data: you are the controller.
For data submitted by Visitors to your Tenant Site — bookings, contact-form messages, shop orders, AI-chat transcripts, email signups — you are the data controller and Web It Fast is the data processor acting under your instructions, as documented in Terms of Use §14.
What this means in practice:
- You are responsible for the privacy notice your Visitors see on your Tenant Site, including a description of the data you collect, how it is used, and who it is shared with.
- You are responsible for obtaining any consents required by applicable law (cookie consent, marketing-email consent, age verification, etc.).
- You are responsible for responding to Visitor data-subject access, correction, deletion, opt-out, and portability requests within the timelines required by the law that applies to that Visitor.
- Web It Fast will not use Visitor data for any purpose other than performing the Service for you and the security/abuse-prevention purposes in §3.
A separate Data Processing Addendum (DPA) describing the controller / processor relationship in more detail will be published as a companion document. Until then, this section and Terms of Use §14 govern.
§ 08 · AI
AI features & data flow.
The Service includes AI features powered by Anthropic's Claude family of models (currently Claude Sonnet 4.6 for content generation and chat, Claude Haiku 4.5 for short headline tasks).
When you (or, on your direction, a Visitor) trigger an AI feature, the Service constructs a prompt that may include:
- Your business name, industry, hours, services, and other Subscriber Content needed to ground the response;
- The specific request you typed (e.g., a question to the chat, an FAQ topic to expand);
- System instructions that we maintain to keep the model's output on-task.
That prompt is sent to Anthropic's API. The API returns generated text. The prompt and the response are logged for a short period for abuse-prevention, debugging, and token-budget accounting; that log is access-controlled and not used for any other purpose.
Web It Fast does not provide your Subscriber Content or your Visitor data to Anthropic, or to any other provider, for use in training their AI models. Anthropic's API is a stateless inference endpoint by contract; we do not opt in to any training-data program.
Information about AI output ownership, accuracy disclaimers, and your responsibility for what you publish lives in Terms of Use §10.
§ 09 · Retention
How long we keep things.
- Subscriber account & Subscriber Content — for the life of your Subscription, plus the 30-day data-export window described in Terms of Use §19. After that window, production data is deleted; residual encrypted backup copies may persist for up to a further 90 days before being overwritten in the normal course.
- Visitor data — retained for as long as you, the controller, instruct, subject to your own retention policy. Visitor data is included in the same 30-day export window on Subscription termination.
- Billing records — retained for the period required by applicable tax, accounting, and consumer-protection law (typically up to seven years for US federal tax purposes).
- Security logs & impersonation audit logs — retained for at least twelve months for security investigation purposes; longer if a relevant investigation is open.
- Server logs (IP, user-agent, etc.) — rotated and pruned on a regular schedule; not retained indefinitely.
§ 10 · Security
How we protect your data.
We maintain administrative, technical, and physical safeguards designed to protect Subscriber data and Visitor data against unauthorized access, accidental loss, and unlawful disclosure. Specific practices include:
- Encryption in transit — all traffic to the Service and to Tenant Sites is served over TLS, with certificates provisioned on demand via Caddy and Let's Encrypt.
- Encryption at rest — database storage at our hosting provider is encrypted at the volume level. OAuth tokens, API keys, and similar secrets stored in our database are additionally encrypted at the field level.
- Access controls — staff access requires multi-factor authentication. The impersonation feature in §5 is restricted to designated personnel.
- Backups — automated nightly PostgreSQL dumps with a verification cron that re-imports the dump and checks row counts. Backups are retained on a rolling schedule.
- Monitoring — external uptime checks, error-rate review, and per-tenant Anthropic-spend roll-ups (see Business Plan §15.3).
No system is perfectly secure. As described in Terms of Use §16, we do not warrant that Subscriber data or Visitor data will not be lost, corrupted, or accessed without authorization. In the event of a security incident that requires notice under applicable law, we will notify affected Subscribers without undue delay and in any case within the timelines required by that law.
§ 11 · Transfers
International data transfers.
Web It Fast is a United States business and the Service is operated primarily from the United States. Subscriber data and Visitor data are stored on infrastructure located in the United States (and, for some redundancy and CDN purposes, the European Union). If you access the Service or your Visitors interact with your Tenant Site from outside the United States, you understand that the data will be transferred to and processed in the United States.
The Service is currently offered to United-States-based businesses. If you direct the Service at the EU, the UK, or another jurisdiction with cross-border-transfer rules (such as the GDPR Article 44 et seq.), you are responsible for putting any additional safeguards required by that law in place between you and your Visitors. We are happy to sign a Standard Contractual Clauses addendum on request; contact us under §16.
§ 12 · Your rights
Your privacy rights.
California (CCPA / CPRA).
If you are a California resident, you have the right to:
- Know what personal information we collect about you, the sources, the purposes, and the categories of recipients;
- Access a copy of the personal information we hold about you;
- Correct inaccurate personal information;
- Delete personal information we hold about you, subject to the exceptions in Cal. Civ. Code § 1798.105(d);
- Opt out of sale or sharing — as noted in §2, we do not sell personal information and do not share it for cross-context behavioral advertising, so this right is effectively automatic for our practices;
- Limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond those allowed without a request under Cal. Civ. Code § 1798.121(a);
- Be free from retaliation for exercising any of the above rights.
To exercise any of these rights, contact us at privacy@webitfast.com. We may verify your identity using information already associated with your account. We will respond within the timelines required by law (currently 45 days for CCPA / CPRA requests, with one possible 45-day extension).
Other US state laws.
If you are a resident of a state with a comprehensive privacy statute (currently Virginia, Colorado, Connecticut, Utah, Texas, Florida, Oregon, Montana, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Indiana, Iowa, Kentucky, Rhode Island, and similar), you have analogous rights of access, correction, deletion, and opt-out. The same contact and verification process applies.
European Economic Area, UK, Switzerland.
If you are in the EEA, the UK, or Switzerland and the GDPR (or its UK / Swiss equivalent) applies to our processing of your data, you have additional rights to data portability, restriction of processing, objection to processing, and the right to lodge a complaint with your local data-protection authority.
Your Visitors' requests.
If we receive a privacy-rights request from one of your Visitors (e.g., a customer of your salon, restaurant, or trade business), we will forward it to you for response, since you are the controller of that data. You are responsible for handling it within the law's timeline.
§ 13 · Children
Children's privacy.
The Service is a business-to-business product and is not directed to children under 13. We do not knowingly collect personal information from any child under 13 as a Subscriber. If you become aware that a Visitor under 13 has submitted personal information through your Tenant Site, you are responsible for complying with the Children's Online Privacy Protection Act (COPPA) and any related state law. If you believe a child has provided personal information directly to Web It Fast (for example, by signing up as a Subscriber), contact us under §16 and we will delete it.
§ 14 · DNT & GPC
Do-Not-Track & Global Privacy Control.
Because Web It Fast does not use cross-site tracking cookies or behavioral-advertising pixels (see §4), there is no “tracking” for us to disable. We honor browser-level Global Privacy Control (GPC) signals as a valid opt-out of sale or sharing under California law, even though we do not engage in either practice.
§ 15 · Changes
Changes to this Policy.
We may update this Policy from time to time. Material changes (changes that adversely affect your privacy rights or that introduce a new category of data sharing) will be communicated by email to the address on your Account and by an in-dashboard banner at least thirty (30) days before the effective date. Non-material changes (clarifications, contact-information updates, addition of a new minor subprocessor under existing categories) may be made without notice. The last-updated date at the top of this page tells you when this Policy was last revised.
§ 16 · Contact
How to reach us.