shitfa.st logo

curated / scored / screenshot-backed

shitfa.st

HomeArchiveScore ItSubmitElite Slop

Editorial / legal

Privacy Policy

Last updated: 5 June 2026

This Privacy Policy explains how shitfa.st(“we”, “us”, “our”) collects and uses personal data when you visit our website or submit content to us. We try to keep this short and human. If anything is unclear, email privacy@shitfa.st.

1. Who we are (Data Controller)

The data controller responsible for your personal data is the editorial team operating shitfa.st as an independent online publication.

Trading name: shitfa.st
Privacy contact: privacy@shitfa.st
Editorial / takedown contact: editor@shitfa.st

We will provide a postal correspondence address on request (email privacy@shitfa.st) where one is required to exercise a data protection right.

If you are in the EU/EEA and want to contact us about data protection, use the email above — we do not have a mandatory EU representative as our processing is occasional and low-risk (GDPR Art. 27(2)).

2. What we collect and why

a) When you just visit the site

  • Standard server logs: IP address (hashed within 24 hours), user agent, requested URL, referrer, timestamp. Used to keep the site online, debug, and prevent abuse. Legal basis: legitimate interest (Art. 6(1)(f) GDPR).
  • Cookies / local storage: only your consent choice and (if you opt in) analytics cookies. See §6.

b) When you submit a website

Through the “Submit a Site” form we collect: the URL, your optional notes, and a hashed version of your IP address (for rate-limiting and spam prevention). We do not ask for your name or email. Legal basis: legitimate interest in moderating submissions (Art. 6(1)(f)).

c) When you email us

Your email address, name (if provided), and message. We use this only to reply to you and to keep a record of takedown / correction requests. Legal basis: legitimate interest, and where applicable our legal obligation to honour data subject rights (Art. 6(1)(c) and (f)).

3. Analytics

a) Google Analytics 4 (GA4)

We use Google Analytics 4, provided by Google Ireland Ltd. GA4 sets cookies (typically _ga, _ga_*) and collects: pseudonymous client identifier, pages viewed, events (clicks, scroll), approximate location derived from IP, device/browser info. We have configured GA4 with IP anonymisation/truncation enabled, Google Signals disabled, Google-signals-based advertising features disabled, and EU data regions where Google offers them. We retain GA4 event data for 2 months (the shortest GA4 allows).

GA4 is loaded only after you give consent via our cookie banner. Legal basis:your consent (Art. 6(1)(a) GDPR; PECR / ePrivacy Art. 5(3) for cookies). You can withdraw consent at any time using the “Cookie settings” link in the footer.

b) Our own analytics

We also run a lightweight first-party analytics beacon hosted on our own infrastructure. It records: page path, referrer, screen size, country (derived from IP and then discarded), and a daily-rotating hash of (IP + user agent + salt) so we can roughly count unique visitors without persistent cookies or cross-site tracking. No personal data is shared with third parties from this beacon. We retain aggregated stats for 12 months and the raw event log for 30 days. Legal basis:legitimate interest (Art. 6(1)(f)). Because the beacon is cookieless and pseudonymised, it does not require ePrivacy consent in most jurisdictions; however, if your consent banner choice is “Reject”, we still disable it.

c) Ahrefs Web Analytics

We use Ahrefs Web Analytics, provided by Ahrefs Pte. Ltd. (Singapore), to measure aggregate traffic (page views, referrers, approximate country, and device/browser type). Ahrefs Web Analytics is cookieless: it sets no cookies, stores no persistent identifier on your device, and does not track you across other websites. Because it processes no personal data in a way that requires consent and uses no cookies, it loads on every page and runs under legitimate interest (Art. 6(1)(f) GDPR) rather than consent. You can still block it with any tracker-blocking browser extension. Legal basis: legitimate interest (Art. 6(1)(f)).

4. International transfers

Google Analytics may transfer data to the United States. Such transfers rely on the EU–US Data Privacy Framework (Google LLC is certified) and Standard Contractual Clauses where applicable. Ahrefs Web Analytics processes data through Ahrefs Pte. Ltd. in Singapore; because it is cookieless and handles no personal data on our behalf, such transfers rely on Standard Contractual Clauses where applicable. Our own analytics data is stored on servers in the EU.

5. Recipients of your data

We do not sell your data. We share data only with:

  • Google Ireland Ltd / Google LLC — GA4 (only if you consented).
  • Ahrefs Pte. Ltd. — cookieless Ahrefs Web Analytics (aggregate traffic only).
  • Our hosting provider — to operate the site and run our own analytics.
  • Authorities — if we are legally required to (e.g. valid court order).

6. Cookies and similar technologies

NamePurposeTypeLifetime
shitfast.consentStores your consent choiceStrictly necessary12 months
_ga, _ga_*GA4 analytics (only with consent)Analyticsup to 2 years

Ahrefs Web Analytics is deliberately absent from this table: it is cookieless and sets nothing on your device, so there is no cookie to list or consent to give for it (see §3c).

You can change your choice any time via “Cookie settings” in the footer or by clearing your browser storage.

7. Retention

  • Server logs: 24 hours before IP is hashed; logs deleted after 30 days.
  • Submission records: kept while the entry remains relevant for our editorial archive (typically up to 24 months), unless removed earlier on request.
  • Spam attempts: 90 days.
  • Email correspondence: 24 months from last contact, unless we need it longer for a legal claim.
  • GA4: 2 months; our own analytics: raw 30 days, aggregates 12 months.

8. Your rights (GDPR / UK GDPR)

If you are in the EU, EEA, UK or Switzerland, you have the right to:

  • access the personal data we hold about you (Art. 15);
  • rectification (Art. 16);
  • erasure / “right to be forgotten” (Art. 17);
  • restriction of processing (Art. 18);
  • data portability (Art. 20);
  • object to processing based on legitimate interest (Art. 21), including the right to object to our own analytics;
  • withdraw consent at any time (Art. 7), where we rely on consent (e.g. GA4).

To exercise any of these rights, email privacy@shitfa.st. We will respond within 30 days (extendable to 90 days for complex requests, per Art. 12(3)).

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your residence, place of work, or where the alleged infringement occurred.

9. Site owner takedown requests

shitfa.st is a satirical, editorial archive. We believe our commentary is protected speech and is justified by the legitimate interest of our readers. However, we will always remove a website entry on request from its owner, no questions asked, even if we believe we are within our rights to keep it published.

How to request removal

  1. Email editor@shitfa.st from an email address tied to the domain (e.g. you@yourdomain.com), or from the WHOIS contact email, or include a temporary DNS TXT record (shitfast-takedown=<timestamp>) so we can verify ownership.
  2. Tell us the URL(s) you want removed. You don't need to give a reason.
  3. We will:
    • acknowledge within 3 working days;
    • take the entry down within 7 working days of verifying ownership;
    • confirm removal in writing.
  4. We will also remove the entry's screenshots and OG image, and add the URL to a “do not re-add” list.

If you are not the site owner but believe content about a site infringes your own rights (defamation, copyright, etc.), email the same address with details and we will review.

10. Children

The site is not directed at children under 16 and we do not knowingly process data of children under 16. If you believe we have, please email privacy@shitfa.st and we will delete it.

11. Security

We use TLS in transit, hash IP addresses at rest, and limit access to submission data to the editors. No system is 100% secure; we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of a personal data breach where required by Art. 33–34 GDPR.

12. Changes to this policy

We may update this policy. The “Last updated” date at the top will reflect the latest revision. Material changes will be highlighted on the homepage for at least 14 days.

13. Contact

Back to the homepage or browse the archive.