Legal · Privacy

Privacy Policy

Effective Date: January 15, 2026 Last Updated: January 15, 2026 Version: 1.0

VastConfluence LLC ("VastConfluence," "we," "us," or "our") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy describes how we collect, use, disclose, retain, and safeguard your personal information when you visit our websites or use our services across our three brands: TechNanny (a pure-static CMS SaaS), BizNanny (a small-business cloud ERP), and Template Waterfall (a vertical-industry HTML template marketplace). It also explains the rights and choices available to you regarding your personal information.

1. Scope & Acceptance

This Privacy Policy applies to personal information processed by VastConfluence LLC in connection with our websites located at vastconfluence.com, technanny.com, biznanny.com, templatewaterfall.com, any associated subdomains, application programming interfaces ("APIs"), mobile applications, customer dashboards, designer portals, and any other online services that link to this Privacy Policy (collectively, the "Services").

By accessing or using the Services, creating an account, subscribing to a plan, uploading content, applying to our designer revenue-sharing program, completing a contact form, or otherwise interacting with us, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this Privacy Policy, please do not use the Services.

Quick Summary We collect only what we need to provide and improve our Services. We never sell your personal information. We comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable U.S. state privacy laws. You have rights over your data, and we make it straightforward to exercise them.

2. Data Controller

Unless stated otherwise, the data controller (or "business" under California law) responsible for your personal information is:

VastConfluence LLC, a limited liability company organized under the laws of the State of Wyoming, United States. Registered office and contact details for privacy matters are listed in Section 23 (Contact Us).

For business customers using BizNanny or TechNanny to process information about their own customers, employees, or end users, our customer is typically the controller of that information and VastConfluence acts as a processor (or "service provider") on the customer's behalf. Such processing is governed by our Data Processing Agreement (DPA).

3. Information We Collect

We collect personal information in the following categories. Not every category applies to every user; what we collect depends on which Services you use and how you interact with us.

3.1 Information You Provide Directly

  • Account information: name, email address, password (stored as a one-way hash), preferred language, time zone, and profile photo (if you choose to upload one).
  • Business information: company name, job title, website URL, industry, country, and tax identification numbers where required for invoicing or designer payouts.
  • Billing information: billing name, billing address, last four digits of your payment card, and card brand. Full payment card numbers and CVCs are processed and stored by our PCI-DSS Level 1 certified payment processors (Stripe and PayPal); VastConfluence does not store full card data on our servers.
  • Designer payout information: for designers participating in our Center Sharing Program, we collect bank account or payout-platform identifiers, tax forms (such as IRS Form W-8BEN, W-8BEN-E, or W-9), legal name, and country of tax residence to comply with U.S. tax reporting and anti-money-laundering obligations.
  • Content you create: websites, templates, design files, ERP records, customer data, product catalogs, sales orders, invoices, and any other materials you upload to or generate within the Services.
  • Communications: the contents of messages, support tickets, survey responses, and feedback you send to us.

3.2 Information Collected Automatically

  • Device and connection data: IP address, approximate location derived from IP, device type, operating system, browser type and version, screen resolution, language preference, and referring URL.
  • Usage data: pages viewed, features used, buttons clicked, login timestamps, session duration, error logs, and performance diagnostics.
  • Cookies and similar technologies: as described in Section 9 (Cookies & Tracking).

3.3 Information We Do Not Knowingly Collect

We do not knowingly collect or process: (a) the precise geolocation of any individual; (b) biometric identifiers; (c) genetic data; (d) information about racial or ethnic origin, political opinions, religious beliefs, trade-union membership, sex life, or sexual orientation; or (e) personal information about children under the age of 16. If you believe we have inadvertently collected any of the above, please contact us so we can delete it.

4. Sources of Information

We obtain personal information from the following sources:

  • Directly from you when you register, subscribe, upload content, complete a form, or communicate with us.
  • Automatically through cookies and other tracking technologies when you use the Services.
  • From your employer or organization if you access the Services through a corporate account.
  • From service providers such as payment processors who confirm transactions, analytics providers, and identity-verification vendors.
  • From publicly available sources such as social-media profiles you have made public or business directories, when relevant to verifying your identity or eligibility.

5. How We Use Information

We use personal information for the following purposes, in each case only where we have a valid legal basis as described in Section 6:

  1. Service delivery: to provide, operate, maintain, and support TechNanny, BizNanny, Template Waterfall, and related products.
  2. Account management: to create and authenticate accounts, manage subscriptions, and enable account recovery.
  3. Payments and payouts: to process subscription payments, invoices, refunds, and recurring designer commission payouts.
  4. Customer support: to respond to inquiries, troubleshoot issues, and provide assistance.
  5. Product improvement: to understand usage patterns, diagnose errors, and improve features and reliability.
  6. Security and fraud prevention: to detect and prevent unauthorized access, account takeover, abuse, and fraud.
  7. Communications: to send transactional messages (such as receipts, security alerts, and policy updates) and, with your consent where required, marketing communications about new features and promotions.
  8. Legal compliance: to comply with applicable laws, tax obligations, court orders, and lawful government requests.
  9. Aggregate analytics: to produce de-identified or aggregated statistics that do not identify any individual.

We will not use your personal information for materially different, unrelated, or incompatible purposes without first providing notice and, where required, obtaining your consent.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process your personal information only when we have a lawful basis to do so. Our legal bases include:

  • Performance of a contract: processing necessary to deliver the Services you have subscribed to and fulfill our obligations to you.
  • Legitimate interests: processing necessary for our legitimate interests (or those of a third party), provided your rights and freedoms do not override those interests. This includes improving our Services, securing our infrastructure, and conducting reasonable direct marketing to existing customers.
  • Legal obligation: processing required to comply with applicable laws, including tax, accounting, and anti-money-laundering rules.
  • Consent: processing carried out with your specific, freely given consent, such as opting in to marketing emails or non-essential cookies. You may withdraw consent at any time.

Where we rely on legitimate interests, you have the right to object as described in Section 14.

7. How We Share Information

We do not sell your personal information for monetary consideration, and we do not engage in cross-context behavioral advertising. We share personal information only in the limited circumstances described below.

7.1 With Your Consent or at Your Direction

For example, when you publish a website using TechNanny, the website content you choose to publish becomes publicly accessible. When a designer lists a template on Template Waterfall, the listing details and the designer's chosen public profile become visible to potential buyers.

7.2 With Service Providers (Processors)

We share personal information with vetted vendors who perform services on our behalf under contractual confidentiality and data-protection obligations. See Section 8 for the categories of providers and key vendors.

7.3 With Other Customers (Designer Sharing Program Only)

For designers participating in our Center Sharing Program, we share commission and transaction data with the designer relating to end-customer subscriptions tied to the designer's templates. This data is limited to what is necessary to calculate and validate revenue-share payouts.

7.4 For Legal Reasons

We may disclose personal information if we reasonably believe disclosure is required to: (a) comply with applicable laws, lawful subpoenas, court orders, or government requests; (b) enforce our Terms of Service or other agreements; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of VastConfluence, our users, or the public.

7.5 In Connection with a Business Transaction

If VastConfluence is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction. We will notify you (for example, via email and/or a prominent notice on our website) of any change in ownership or in the uses of your personal information.

8. Service Providers (Sub-Processors)

The categories of third-party service providers we engage and representative vendors are:

Category Purpose Representative Vendors
Payment Processing Process subscription payments, refunds, designer payouts, and tax calculations Stripe, Inc.; PayPal Holdings, Inc.
Cloud Infrastructure & CDN Host, deliver, and secure the Services and customer-published websites Cloudflare, Inc.; Amazon Web Services, Inc.
Email & Transactional Messaging Send account, billing, and security emails Postmark; Amazon SES
Analytics Measure aggregated traffic, feature adoption, and performance Google Analytics 4; Cloudflare Web Analytics
Customer Support Manage support tickets and conversations Help-desk and ticketing platforms
Identity & Fraud Prevention Detect bots, prevent account takeover, and verify identity where required Cloudflare Turnstile; Stripe Radar
Tax & Compliance Calculate and remit applicable sales, VAT, and GST taxes; produce regulatory reports Stripe Tax; designated tax-form vendors

An up-to-date list of our key sub-processors is available on request. We require all service providers to maintain appropriate technical and organizational safeguards and to process personal information only for the purposes we authorize.

9. Cookies & Tracking Technologies

We and our service providers use cookies, local storage, pixels, and similar technologies for purposes including authentication, security, preference storage, and aggregate analytics. We classify these technologies as:

  • Strictly necessary: required for the Services to function (for example, keeping you signed in). These cannot be disabled.
  • Functional: remember preferences such as language and time zone.
  • Analytics: help us understand aggregate usage patterns to improve the Services.
  • Marketing (if applicable): used only with your consent in jurisdictions where consent is required.

You can manage non-essential cookies through our cookie banner, your browser settings, or by visiting our Cookie Policy. We honor recognized opt-out signals, including the Global Privacy Control (GPC), as described in Section 19.

10. AI Features & Automated Decision-Making

Some Services may include features powered by artificial intelligence or machine learning, such as content suggestions, search ranking, fraud detection, or automated workflow assistance. We disclose the following about our use of AI:

  • No solely automated decisions with legal or significant effects. We do not use automated decision-making, including profiling, in a way that produces legal effects concerning you or similarly significantly affects you, unless we have your explicit consent or another lawful basis and provide appropriate safeguards, including human review on request.
  • Customer content is not used to train third-party generative AI models. We do not share your private content (your websites, ERP records, or customer data) with third-party AI vendors for the purpose of training their models.
  • You may opt out of optional AI-assisted features at any time in your account settings. Disabling AI features does not affect your ability to use the core Services.

If you have questions about an AI-driven outcome that affects you (such as a fraud-prevention block), you may request human review by contacting info@vastconfluence.com.

11. Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include, where appropriate:

  • TLS 1.2 or higher for all data in transit; HSTS enforced site-wide.
  • Encryption of data at rest using AES-256 or equivalent.
  • Passwords stored as one-way hashes using bcrypt or an equivalent strong algorithm; never in plaintext.
  • Payment card data handled exclusively by PCI-DSS Level 1 certified processors.
  • Role-based access controls, least-privilege principles, and multi-factor authentication for staff with access to production systems.
  • Continuous logging, monitoring, and intrusion detection.
  • Regular backups with tested restoration procedures.
  • Security training for personnel and contractual confidentiality obligations.

No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee absolute security. If you believe your account has been compromised, contact abuse@vastconfluence.com immediately.

12. Data Retention

We retain personal information only as long as necessary to fulfill the purposes described in this Privacy Policy, comply with our legal obligations, resolve disputes, and enforce our agreements. Typical retention periods are:

Category Retention Period
Account profile and credentials For the duration of the active account; deleted within 90 days of account closure unless legal obligations require longer retention.
Customer-uploaded content (websites, templates, ERP records) For the duration of the subscription; available for export for 30 days after cancellation; permanently deleted thereafter unless required by law.
Billing, invoicing, and tax records Minimum of 7 years to comply with U.S. and applicable foreign tax and accounting requirements.
Designer payout records and tax forms Minimum of 7 years per IRS and equivalent foreign requirements.
Server logs and security event data Up to 12 months, then deleted or aggregated.
Marketing preferences and consent records Until withdrawn; consent records kept for evidence as long as required by law.
Support tickets and communications Up to 3 years after resolution unless a longer retention is justified for legal, security, or audit reasons.

When we no longer need personal information, we will securely delete or anonymize it. If deletion is not technically feasible (for example, in encrypted backup archives), we will isolate the data from any further processing until deletion is possible.

13. International Data Transfers

VastConfluence is headquartered in the United States and uses globally distributed cloud infrastructure to operate the Services. Your personal information may therefore be transferred to, stored in, and processed in countries other than your country of residence, including the United States, where data-protection laws may differ.

When transferring personal information out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate transfer mechanisms, including:

  • The European Commission's Standard Contractual Clauses (2021) and the UK International Data Transfer Addendum;
  • Adequacy decisions, where applicable;
  • Supplementary technical and organizational measures, including encryption in transit and at rest.

You may request a copy of the relevant safeguards by emailing info@vastconfluence.com.

14. Your Privacy Rights

Subject to applicable law, you may have the following rights regarding your personal information:

  1. Right of access: obtain confirmation of whether we process your personal information and request a copy.
  2. Right to rectification: request that we correct inaccurate or incomplete information.
  3. Right to deletion (right to be forgotten): request deletion of your personal information, subject to legal exceptions.
  4. Right to restriction of processing: request that we limit how we use your data in certain circumstances.
  5. Right to data portability: receive your personal information in a structured, commonly used, machine-readable format and transmit it to another controller.
  6. Right to object: object to processing based on our legitimate interests or for direct marketing purposes.
  7. Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
  8. Right to non-discrimination: we will not discriminate against you for exercising your rights.
  9. Right to lodge a complaint: with a supervisory authority in your jurisdiction (see Sections 15–17 below).

To exercise any of these rights, email info@vastconfluence.com or use the privacy controls in your account settings. We respond to verifiable requests within 30 days (45 days under California law, with one extension permitted where reasonably necessary). We may need to verify your identity before fulfilling certain requests.

You may use an authorized agent to submit a request on your behalf. The agent must provide written proof of authorization, and we may require you to verify your identity directly.

15. California Privacy Notice (CCPA / CPRA)

This section provides additional disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), for California residents.

15.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following CCPA categories of personal information: identifiers (e.g., name, email, IP address); commercial information (e.g., subscription history); internet or other electronic network activity (e.g., usage logs); geolocation data (approximate, derived from IP); professional or employment-related information (e.g., job title, company); and inferences drawn from the foregoing to create a basic profile of preferences (e.g., feature usage). Sources and purposes are described in Sections 3–5 above.

15.2 Sales and Sharing of Personal Information

VastConfluence does not sell personal information for monetary consideration, and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We have not done so in the preceding 12 months and have no plans to do so.

15.3 Sensitive Personal Information

To the extent we process information that may be classified as "sensitive personal information" under the CPRA (such as account log-in credentials), we use it only for the purposes permitted by Section 7027(m) of the CCPA Regulations — namely, to perform the Services, prevent fraud, ensure security, and verify identity. We do not use sensitive personal information to infer characteristics about you.

15.4 Your California Rights

California residents have the rights listed in Section 14, including the right to know, delete, correct, opt out of sale/sharing (which does not apply to us), limit the use of sensitive personal information, and to non-discrimination. To exercise these rights, email info@vastconfluence.com.

15.5 "Shine the Light" (California Civil Code §1798.83)

California residents may request information about disclosure of personal information to third parties for those parties' direct-marketing purposes. We do not disclose personal information for such purposes.

16. Other U.S. State Privacy Rights

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, Minnesota, Maryland, Rhode Island, or any other U.S. state with a comprehensive privacy law in effect, you may have rights similar to those described in Section 14, including the rights to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale of personal data, and certain types of profiling.

To exercise these rights, contact info@vastconfluence.com. If we deny your request, you may appeal by replying to our denial; we will respond to appeals within the timeframe required by your state's law (typically 45 to 60 days).

17. EU/UK/EEA Privacy Notice

If you are located in the European Economic Area, the United Kingdom, or Switzerland, this Privacy Policy together with Section 6 (Legal Bases) and Section 13 (International Transfers) constitutes the information required under Articles 13 and 14 of the GDPR and the corresponding provisions of UK GDPR.

You have the right to lodge a complaint with the data-protection supervisory authority in your country of residence, place of work, or place of the alleged infringement. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office at ico.org.uk.

VastConfluence has not appointed a Data Protection Officer because we are not required to do so under Article 37 of the GDPR. For all data-protection inquiries, contact our Privacy Team at info@vastconfluence.com.

18. Children's Privacy

The Services are not directed to, and we do not knowingly collect personal information from, children under the age of 16. If you are under 16, please do not use the Services or submit any personal information to us. If we learn that we have inadvertently collected personal information from a child under 16, we will delete it promptly. Parents or guardians who believe their child has provided us with personal information may contact info@vastconfluence.com.

VastConfluence complies with the U.S. Children's Online Privacy Protection Act (COPPA) and the corresponding provisions of state privacy laws addressing minors.

19. Do Not Track & Global Privacy Control

Some browsers transmit "Do Not Track" (DNT) signals. There is no industry-wide standard for how to respond to DNT signals, and we do not currently respond to them.

However, we honor the Global Privacy Control (GPC) signal as a valid opt-out request from California residents and residents of other states whose laws require us to do so. When we detect a GPC signal from your browser, we treat it as a request to opt out of any sale or sharing of your personal information.

20. Third-Party Links

The Services may contain links to third-party websites, services, or applications that are not operated by VastConfluence. This Privacy Policy does not apply to those third-party properties. We encourage you to review the privacy policies of any third party before providing personal information to them.

21. Data Breach Notification

In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach where required by GDPR, and we will notify affected individuals without undue delay where required by GDPR, U.S. state breach-notification laws, or other applicable law. Notifications will describe the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures we are taking to address the breach and mitigate possible adverse effects.

22. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will provide notice by:

  • Posting the updated policy on this page with a revised "Last Updated" date;
  • Sending an email notification to the address associated with your account at least 30 days before the change takes effect, where required by law or where the change is material; and/or
  • Displaying a prominent in-product notice.

Your continued use of the Services after the effective date of an updated Privacy Policy constitutes your acceptance of the updated terms. If you do not agree to the updated policy, you must stop using the Services and may exercise your rights as described above.

23. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:

VastConfluence LLC — Privacy Team

Registered Office: Wyoming, United States

General & Privacy Inquiries: info@vastconfluence.com
Abuse & Security Reports: abuse@vastconfluence.com
Appeals (Content / Account Restriction): appeals@vastconfluence.com

This Privacy Policy is published in English. Translations are provided for convenience; in case of any conflict, the English version prevails.