Privacy Policy

Fail Fast Inc. (Delaware, United States) (“Fail Fast,” “we,” “us”) operates a multi-tenant SaaS ERP platform with AI-assisted features. This Policy explains how we collect, use, disclose, and protect data when you use our website and platform.

This Policy applies to (i) website visitors, (ii) business account users (employees/contractors), and (iii) third-party data entered by our customers into the platform (e.g., end customers, vendors, contacts), to the extent Fail Fast processes such data.

Fail Fast may act as a Data Controller and/or Data Processor depending on context:

As Controller: we process account administration, billing, security, support, B2B marketing, and service operations data.

As Processor: we process business and communications data uploaded or connected by our customers strictly under their documented instructions. In those cases, the customer is the Controller for its end-users’ data.

We collect information to operate the service:

Account Data: name, email, phone, role/title, company details, credentials, and preferences.

Business Data (customer-provided): accounting, invoices, inventory, orders, CRM, documents, and other operational records.

Communications Data: support messages and requests, and (if enabled) messaging data tied to integrations such as WhatsApp.

Technical & Usage Data: IP, device/browser, logs, usage events, performance metrics, and security telemetry.

Integrations: OAuth tokens/credentials or API keys authorized by the customer to connect third-party services.

Depending on jurisdiction and data type, we process data under one or more of:

Contract performance (providing the SaaS service).

Legitimate interests (security, fraud prevention, service improvements).

Consent (where applicable).

Legal obligations (tax, accounting, lawful requests).

We use information for:

Service Delivery: provide, maintain, and improve the platform.

Security: authentication, access controls, auditing, abuse detection, and fraud prevention.

Support: respond to requests and troubleshoot incidents.

Service Analytics: aggregated metrics to improve reliability and performance.

Certain platform features may rely on third-party AI models and/or models operated by Fail Fast.

When third-party services are used, data is transmitted solely to provide the customer-requested functionality and under reasonable security measures.

By default, Fail Fast does not use identifiable customer business data (including messaging content) to train or fine-tune shared or general-purpose models.

We may improve and evaluate our models and features using aggregated or de-identified data where permitted by law and contract.

If a customer chooses to enable training or fine-tuning using its own identifiable data (e.g., to adapt the system to common questions or customer-specific workflows), we will do so only with the customer's explicit authorization (opt-in) and under applicable agreements (e.g., data processing addenda), including access controls, minimization, and retention safeguards.

Our platform may integrate with the WhatsApp Business Platform (Cloud API) to enable communications tied to the customer’s operations.

Ownership & Control: the phone number, WhatsApp Business Account (WABA), and related assets are owned and controlled by the customer. Fail Fast acts as a technology provider/processor under customer authorization.

Consent & Preferences: the customer is responsible for obtaining opt-in, honoring preferences, and complying with applicable WhatsApp policies.

Limited Use: we process message content and metadata only to provide the customer-requested functionality (e.g., send/receive, routing, operational traceability within the ERP).

Platform retention: Cloud API message retention on the platform infrastructure may be limited (e.g., up to 30 days) per WhatsApp Business Platform documentation.

Customers may disable the integration or revoke permissions at any time.

Customers may connect third-party services via APIs (including Google and Meta) using OAuth, API keys, or similar mechanisms.

We access and process only the data necessary to provide the requested feature.

We do not sell data or use it for advertising. We do not combine API-derived data to build advertising profiles.

Customers are responsible for authorizing connections, selecting appropriate permissions/scopes, and obtaining required consents from their end users.

Tokens and credentials are stored using industry-standard security measures and can be revoked by the customer.

When we process data obtained via Meta APIs, we do so under applicable platform terms and our contractual obligations.

Purpose limitation: data is used only to deliver the customer-authorized functionality.

Data minimization: we request/process only what is necessary.

Security: reasonable access controls, logging, and safeguards apply.

We do not sell personal information.

We may share data in these scenarios:

Vendors/Subprocessors: providers supporting hosting, security, analytics, and operations.

Customer-Activated Integrations: transmission to third parties connected/configured by the customer.

Legal Requirements: to comply with law or valid legal process.

Corporate Transactions: merger, acquisition, or restructuring (with reasonable safeguards).

Hosting: we use cloud infrastructure (e.g., AWS in the United States) to operate the service.

We may use additional providers in a limited manner (e.g., deployment/monitoring) depending on the active architecture.

Where applicable, we maintain agreements with subprocessors and reasonable security measures.

We retain data while accounts are active and as needed to provide the service, comply with legal obligations, and resolve disputes.

Upon termination, customers may request export or deletion, subject to legal retention requirements.

For messaging integrations (such as WhatsApp), certain retention constraints may be governed by the platform provider.

We apply reasonable security measures including encryption in transit, access controls, multi-tenant logical isolation, monitoring, and hardening practices. No system is 100% secure; we work to reduce risk and respond to incidents.

As a US-based company, data may be processed in the United States or other countries where our providers operate. We implement reasonable safeguards consistent with applicable law.

Depending on your jurisdiction, you may have rights to access, correct, delete, port, object, or restrict processing.

If you are an end user of a customer, you should typically contact the customer (the account controller). Fail Fast acts as a processor for those data.

For requests related to data under Fail Fast control, contact legal@fail-fast.ai.

Our services are not intended for individuals under 18. We do not knowingly collect children’s personal information.

We may update this Policy. We will post the current version on our website and update the date. Continued use indicates acceptance of the updated Policy.

Legal inquiries: legal@fail-fast.ai. Security concerns: security@fail-fast.ai.