Privacy Policy (DRAFT – Pending legal review)

Fast Cloud Consulting, Corp.

How Fast Cloud Consulting, Corp. collects, uses, and protects your information

Effective Date: May 18, 2026

Version: 2.0

1. Introduction

Fast Cloud Consulting, Corp. ("Company," "we," "us," or "our") is the legal entity that operates the public website at https://www.franfast.io and provides the FranFast Launchpad portal to authorized Customers.

This Privacy Policy describes how we collect, use, disclose, and safeguard information about individuals who interact with the website and the FranFast Launchpad portal (collectively, the "Service"). By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy.

Scope notice: This Privacy Policy applies to information processed through the public website and the FranFast Launchpad. Personal Data processed within the FranFast Franchise Execution & Network Management Platform (which is built on the Salesforce cloud infrastructure) is governed by the Salesforce Privacy Statement (available at https://www.salesforce.com/company/privacy/) and by the executed Master Subscription and Services Agreement (MSSA) between the Company and the Customer organization, including the Salesforce Service Terms of Use attached to the MSSA as Exhibit A. For Customer Data processed within the FranFast platform on Salesforce, the Customer is the data controller and Salesforce is the data processor; the Company acts as a Salesforce-authorized reseller and value-added service provider.

This Privacy Policy should be read together with our Terms of Service, our Cookie Policy, and, where applicable, our Data Processing Addendum.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.

"Usage Data" means data collected automatically through the Service, such as IP address, browser type, pages visited, and device identifiers.

"Customer" means an organization that has subscribed to the Service.

"Authorized User" means an individual authorized by a Customer to use the Service on the Customer's behalf.

"Visitor" means any individual who interacts with our Service or website but is not an Authorized User.

3. Information We Collect

3.1 Information You Provide Directly

We collect Personal Data that you provide directly to us, including:

  • Account information: name, email address, organization, job title.
  • Authentication credentials: passwords (stored hashed; never accessible to us in plain form), multi-factor authentication artifacts.
  • Profile information: profile picture, contact preferences.
  • Communication content: messages you send to our support team or through the Service.
  • Billing information (for Customers): billing contact, payment method (processed through Stripe; we do not store payment card numbers).

3.2 Information Collected Automatically

When you use the Service, we automatically collect certain Usage Data, including:

  • IP address and approximate geographic location (city or country level).
  • Browser type and version, operating system, device type.
  • Pages visited, time spent on pages, referring website.
  • Service interactions: logins, feature usage, configuration changes.
  • Cookies and similar technologies (see Cookie Policy).

3.3 Information from Third Parties

If you sign in to the Service using a third-party identity provider (such as Google), we receive certain information from that provider, typically your name, email address, and profile picture. We do not receive your third-party account password.

3.4 Customer Data

Customers and their Authorized Users may upload, enter, or otherwise provide data to the Service ("Customer Data") that may include Personal Data of third parties (for example, prospective franchisees). We process Customer Data on behalf of and according to the instructions of the Customer, as set forth in our Data Processing Addendum. The Customer is the controller of such Personal Data, and we are the processor.

4. How We Use Information

We use the information we collect for the following purposes:

  • To provide, maintain, and improve the Service.
  • To process transactions and send transaction-related notifications (such as account confirmation, password reset, billing notices).
  • To respond to inquiries and provide customer support.
  • To monitor and analyze usage patterns to improve features and performance.
  • To detect, prevent, and address security incidents, fraud, and abuse.
  • To comply with legal obligations and enforce our Terms of Service.
  • With your consent, to send marketing communications (you may opt out at any time).
  • To maintain the security, integrity, availability, and performance of the Service, including logging, monitoring, abuse prevention, and fraud detection activities.

5. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, our legal bases for processing your Personal Data are:

  • Performance of a contract: when processing is necessary to provide the Service to you or your organization.
  • Consent: when you have given us specific consent to process your Personal Data (e.g., marketing communications).
  • Legitimate interests: when processing is necessary for our legitimate business interests, such as improving the Service or preventing fraud, provided such interests are not overridden by your rights and freedoms.
  • Legal obligation: when processing is required to comply with applicable law.

6. How We Share Information

We do not sell Personal Data, and we do not sell or share Personal Data for cross-context behavioral advertising purposes. We share information only as described below:

6.1 Subprocessors

We engage third-party subprocessors to provide the Service. A current list of our subprocessors, including the data they process and where they are located, is available at https://www.franfast.io/subprocessors/.

6.2 With Your Customer Organization

If you use the Service as an Authorized User of a Customer organization, your Customer organization may have access to information about your activities within the Service, in accordance with the configuration set by the Customer.

6.3 Legal Disclosure

We may disclose information if required to do so by law or in response to valid requests by public authorities (such as a court order or government inquiry). We will notify the affected Customer or individual to the extent legally permitted.

6.4 Business Transfers

If the Company is involved in a merger, acquisition, financing, or sale of all or a portion of its assets, your information may be transferred as part of such transaction. We will notify you of any such change in ownership or control of your Personal Data.

6.5 Aggregated or De-Identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you, and we may do so for any purpose, including analytics, reporting, and product development.

7. Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:

  • Authentication credentials: retained while the Account is active and for a reasonable period thereafter for security and audit purposes.
  • Usage logs: retained for at least 28 days in our log retention store and may be retained longer for security investigations and audit compliance.
  • Customer Data: retained according to the Customer's instructions and the Data Processing Addendum, with default retention while the Subscription is active and for up to sixty (60) days following termination, in accordance with the Company's internal Data Retention Matrix.
  • Communications: retained as necessary to respond to inquiries and maintain a record of customer support interactions.
  • Retention periods may vary where necessary to comply with legal obligations, resolve disputes, enforce agreements, or support legitimate security and operational requirements.

8. Data Security

We implement administrative, technical, and physical safeguards designed to protect Personal Data from unauthorized access, disclosure, alteration, and destruction. Our security program includes:

  • Encryption in transit (TLS 1.2 or higher, maintained at a grade of B or higher in the Qualys SSL Labs rating) and at rest (AES-256), implemented in accordance with NIST SP 800-57.
  • Multi-factor authentication for administrative access.
  • Network segmentation, access controls, and intrusion detection.
  • Continuous compliance monitoring and an annual independent SOC 2 Type II examination.
  • Personnel security including background checks, training, and confidentiality obligations.
  • Documented incident response procedures.

No method of transmission over the Internet or method of electronic storage is one hundred percent secure. While we strive to use commercially acceptable means to protect Personal Data, we cannot guarantee its absolute security.

Certain security and infrastructure controls are implemented in coordination with trusted third-party service providers and subprocessors described in the Company's Subprocessor List.

9. International Data Transfers

The Service is operated in the United States. Personal Data we collect may be transferred to, and processed in, the United States and other countries outside your country of residence, where data protection laws may differ. Where required by applicable law, the Company relies on approved transfer mechanisms, including the European Commission's Standard Contractual Clauses and related safeguards, for international transfers of Personal Data.

10. Your Rights

10.1 Rights Under GDPR (EEA, UK, Switzerland)

If you are located in the EEA, the UK, or Switzerland, you have the following rights with respect to your Personal Data:

  • Right of access: to request a copy of the Personal Data we hold about you.
  • Right to rectification: to request correction of inaccurate Personal Data.
  • Right to erasure: to request deletion of your Personal Data, subject to certain exceptions.
  • Right to restriction of processing: to request that we limit how we process your Personal Data.
  • Right to data portability: to receive your Personal Data in a structured, commonly used format.
  • Right to object: to object to certain processing activities, including direct marketing.
  • Right to withdraw consent: where processing is based on consent, you may withdraw that consent at any time.
  • Right to lodge a complaint with a supervisory authority.

10.2 Rights Under California Law (CCPA/CPRA)

If you are a California resident, you have the following rights:

  • Right to know what categories of Personal Data we collect, the sources, the purposes, and the categories of third parties with whom we share Personal Data.
  • Right to access the specific pieces of Personal Data we have collected about you.
  • Right to delete Personal Data we have collected, subject to certain exceptions.
  • Right to correct inaccurate Personal Data.
  • Right to limit use and disclosure of sensitive Personal Data.
  • Right to opt out of the sale or sharing of Personal Data (we do not sell Personal Data).
  • Right to non-discrimination for exercising your rights.

10.3 Other US State Privacy Laws

Residents of certain other US states (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) may have additional privacy rights under applicable state laws. We honor these rights in accordance with applicable state law.

Certain rights may be limited or subject to exceptions under applicable law.

To exercise any of your rights, please contact us at privacy@franfast.io. We will respond to your request within the time frame required by applicable law (typically thirty (30) days under GDPR, forty-five (45) days under CCPA, with possible extensions in certain cases).

We may need to verify your identity before responding to certain requests. If your request relates to Personal Data we process on behalf of a Customer organization, we will direct your request to that Customer.

11. Cookies and Similar Technologies

We use cookies and similar technologies as described in our Cookie Policy, available at https://www.franfast.io/cookie-policy/.

12. Children's Privacy

The Service is not directed to individuals under the age of 18, and we do not knowingly collect Personal Data from children. If we become aware that we have collected Personal Data from a child without verification of parental consent, we will take steps to delete such information.

13. Third-Party Links

The Service may contain links to third-party websites or services that we do not own or control. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party websites you visit.

14. Compliance and Trust Center

The Company undergoes an annual independent SOC 2 Type II examination of its security controls. Information about our security and compliance posture is available through our Trust Center at https://trust.fastcloudconsulting.com.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Privacy Policy at https://www.franfast.io/privacy-policy/ and, where reasonably practicable, by sending an email to your registered email address. Your continued use of the Service after the effective date of changes constitutes your acceptance of the updated Privacy Policy.

16. Contact Us

Fast Cloud Consulting, Corp.

1395 Brickell Ave., Suite 800, Miami, Florida, USA, 33131

Privacy inquiries: privacy@franfast.io

General inquiries: info@franfast.io

Legal notices: legal@franfast.io

Security and data protection: security@fastcloudconsulting.com