Privacy Policy
Last updated July 17, 2025
This Privacy Notice for bastinelli creations llc (doing business as bastinelli
knives) ("we," "us," or "our"), describes how and why we might access,
collect, store, use, and/or share ("process") your personal information
when you use our services ("Services"), including when you:
Visit our website at https://bastinelliknives.com/ or any website of
ours that links to this Privacy Notice
Engage with us in other related ways, including any sales,
marketing, or events
Questions or concerns? Reading this Privacy Notice will help you
understand your privacy rights and choices. We are responsible for making
decisions about how your personal information is processed. If you do not
agree with our policies and practices, please do not use our Services. If
you still have any questions or concerns, please contact us at
bastinelliknives@gmail.com.
SUMMARY OF KEY POINTS
This summary provides key points from our Privacy Notice, but you
can find out more details about any of these topics by clicking the
link following each key point or by using our table of contents below
to find the section you are looking for.
What personal information do we process? When you visit, use, or
navigate our Services, we may process personal information depending on
how you interact with us and the Services, the choices you make, and the
products and features you use. Learn more about personal information you
disclose to us.
Do we process any sensitive personal information? Some of the
information may be considered "special" or "sensitive" in certain
jurisdictions, for example your racial or ethnic origins, sexual orientation,
and religious beliefs. We do not process sensitive personal information.
Do we collect any information from third parties? We do not collect any
information from third parties.
How do we process your information? We process your information to
provide, improve, and administer our Services, communicate with you, for
security and fraud prevention, and to comply with law. We may also
process your information for other purposes with your consent. We process
your information only when we have a valid legal reason to do so. Learn
more about how we process your information.
In what situations and with which parties do we share personal
information? We may share information in specific situations and with
specific third parties. Learn more about when and with whom we share
your personal information.
How do we keep your information safe? We have adequate
organizational and technical processes and procedures in place to protect
your personal information. However, no electronic transmission over the
internet or information storage technology can be guaranteed to be 100%
secure, so we cannot promise or guarantee that hackers, cybercriminals, or
other unauthorized third parties will not be able to defeat our security and
improperly collect, access, steal, or modify your information. Learn more about
how we keep your information safe.
What are your rights? Depending on where you are located
geographically, the applicable privacy law may mean you have certain
rights regarding your personal information. Learn more about your privacy rights.
How do you exercise your rights? The easiest way to exercise your
rights is by submitting a data subject access request, or by contacting us.
We will consider and act upon any request in accordance with applicable
data protection laws.
Want to learn more about what we do with any information we
collect? Review the Privacy Notice in full.
TABLE OF CONTENTS
1. WHAT INFORMATION DO WE COLLECT?
2. HOW DO WE PROCESS YOUR INFORMATION?
3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR
PERSONAL INFORMATION?
4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL
INFORMATION?
5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?
7. HOW LONG DO WE KEEP YOUR INFORMATION?
8. HOW DO WE KEEP YOUR INFORMATION SAFE?
9. DO WE COLLECT INFORMATION FROM MINORS?
10. WHAT ARE YOUR PRIVACY RIGHTS?
11. CONTROLS FOR DO-NOT-TRACK FEATURES
12. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY
RIGHTS?
13. DO WE MAKE UPDATES TO THIS NOTICE?
14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE
COLLECT FROM YOU?
1. WHAT INFORMATION DO WE COLLECT?
Personal information you disclose to us
In Short: We collect personal information that you provide to us.
We collect personal information that you voluntarily provide to us when you
register on the Services, express an interest in obtaining information about
us or our products and Services, when you participate in activities on the
Services, or otherwise when you contact us.
Personal Information Provided by You. The personal information that we
collect depends on the context of your interactions with us and the
Services, the choices you make, and the products and features you use.
The personal information we collect may include the following:
names
phone numbers
email addresses
mailing addresses
billing addresses
Sensitive Information. We do not process sensitive information.
Payment Data. We may collect data necessary to process your payment if
you choose to make purchases, such as your payment instrument number,
and the security code associated with your payment instrument.
We don't store your payment information.
Social Media Login Data. We may provide you with the option to register
with us using your existing social media account details, like your
Facebook, X, or other social media account. If you choose to register in this
way, we will collect certain profile information about you from the social
media provider, as described in the section called "HOW DO WE HANDLE
YOUR SOCIAL LOGINS?" below.
All personal information that you provide to us must be true, complete, and
accurate, and you must notify us of any changes to such personal
information.
2. HOW DO WE PROCESS YOUR INFORMATION?
In Short: We process your information to provide, improve, and administer
our Services, communicate with you, for security and fraud prevention, and
to comply with law. We process your personal information for the purposes
listed below. We may also process your information for other purposes only
with your prior explicit consent.
We process your personal information for a variety of reasons,
depending on how you interact with our Services, including:
To facilitate account creation and authentication and otherwise
manage user accounts. We may process your information so you
can create and log in to your account, as well as keep your account
in working order.
To deliver and facilitate delivery of services to the user. We may
process your information to provide you with the requested service.
To respond to user inquiries/offer support to users. We may
process your information to respond to your inquiries and solve any
potential issues you might have with the requested service.
To send administrative information to you. We may process your
information to send you details about our products and services,
changes to our terms and policies, and other similar information.
To fulfill and manage your orders. We may process your
information to fulfill and manage your orders, payments, returns, and
exchanges made through the Services.
To request feedback. We may process your information when
necessary to request feedback and to contact you about your use of
our Services.
To send you marketing and promotional communications. We
may process the personal information you send to us for our
marketing purposes, if this is in accordance with your marketing
preferences. You can opt out of our marketing emails at any time.
For more information, see "WHAT ARE YOUR PRIVACY RIGHTS?"
below.
To save or protect an individual's vital interest. We may process
your information when necessary to save or protect an individual’s
vital interest, such as to prevent harm.
3. WHAT LEGAL BASES DO WE RELY ON TO
PROCESS YOUR INFORMATION?
In Short: We only process your personal information when we believe it is
necessary and we have a valid legal reason (i.e., legal basis) to do so
under applicable law, like with your consent, to comply with laws, to provide
you with services to enter into or fulfill our contractual obligations, to protect
your rights, or to fulfill our legitimate business interests.
If you are located in the EU or UK, this section applies to you.
The General Data Protection Regulation (GDPR) and UK GDPR require us
to explain the valid legal bases we rely on in order to process your personal
information. As such, we may rely on the following legal bases to process
your personal information:
Consent. We may process your information if you have given us
permission (i.e., consent) to use your personal information for a
specific purpose. You can withdraw your consent at any time. Learn
more about withdrawing your consent.
Performance of a Contract. We may process your personal
information when we believe it is necessary to fulfill our contractual
obligations to you, including providing our Services or at your
request prior to entering into a contract with you.
Legitimate Interests. We may process your information when we
believe it is reasonably necessary to achieve our legitimate business
interests and those interests do not outweigh your interests and
fundamental rights and freedoms. For example, we may process
your personal information for some of the purposes described in
order to:
Send users information about special offers and discounts on
our products and services
Understand how our users use our products and services so
we can improve user experience
Legal Obligations. We may process your information where we
believe it is necessary for compliance with our legal obligations, such
as to cooperate with a law enforcement body or regulatory agency,
exercise or defend our legal rights, or disclose your information as
evidence in litigation in which we are involved.
Vital Interests. We may process your information where we believe
it is necessary to protect your vital interests or the vital interests of a
third party, such as situations involving potential threats to the safety
of any person.
If you are located in Canada, this section applies to you.
We may process your information if you have given us specific permission
(i.e., express consent) to use your personal information for a specific
purpose, or in situations where your permission can be inferred (i.e.,
implied consent). You can withdraw your consent at any time.
In some exceptional cases, we may be legally permitted under applicable
law to process your information without your consent, including, for
example:
If collection is clearly in the interests of an individual and consent
cannot be obtained in a timely way
For investigations and fraud detection and prevention
For business transactions provided certain conditions are met
If it is contained in a witness statement and the collection is
necessary to assess, process, or settle an insurance claim
For identifying injured, ill, or deceased persons and communicating
with next of kin
If we have reasonable grounds to believe an individual has been, is,
or may be a victim of financial abuse
If it is reasonable to expect collection and use with consent would
compromise the availability or the accuracy of the information and
the collection is reasonable for purposes related to investigating a
breach of an agreement or a contravention of the laws of Canada or
a province
If disclosure is required to comply with a subpoena, warrant, court
order, or rules of the court relating to the production of records
If it was produced by an individual in the course of their employment,
business, or profession and the collection is consistent with the
purposes for which the information was produced
If the collection is solely for journalistic, artistic, or literary purposes
If the information is publicly available and is specified by the
regulations
We may disclose de-identified information for approved research or
statistics projects, subject to ethics oversight and confidentiality
commitments
4. WHEN AND WITH WHOM DO WE SHARE YOUR
PERSONAL INFORMATION?
In Short: We may share information in specific situations described in this
section and/or with the following third parties.
We may need to share your personal information in the following situations:
Business Transfers. We may share or transfer your information in
connection with, or during negotiations of, any merger, sale of
company assets, financing, or acquisition of all or a portion of our
business to another company.
When we use Google Maps Platform APIs. We may share your
information with certain Google Maps Platform APIs (e.g., Google
Maps API, Places API). Google Maps uses GPS, Wi-Fi, and cell
towers to estimate your location. GPS is accurate to about 20
meters, while Wi-Fi and cell towers help improve accuracy when
GPS signals are weak, like indoors. This data helps Google Maps
provide directions, but it is not always perfectly precise.
5. DO WE USE COOKIES AND OTHER TRACKING
TECHNOLOGIES?
In Short: We may use cookies and other tracking technologies to collect
and store your information.
We may use cookies and similar tracking technologies (like web beacons
and pixels) to gather information when you interact with our Services.
Some online tracking technologies help us maintain the security of our
Services and your account, prevent crashes, fix bugs, save your
preferences, and assist with basic site functions.
We also permit third parties and service providers to use online tracking
technologies on our Services for analytics and advertising, including to help
manage and display advertisements, to tailor advertisements to your
interests, or to send abandoned shopping cart reminders (depending on
your communication preferences). The third parties and service providers
use their technology to provide advertising about products and services
tailored to your interests which may appear either on our Services or on
other websites.
To the extent these online tracking technologies are deemed to be a
"sale"/"sharing" (which includes targeted advertising, as defined under the
applicable laws) under applicable US state laws, you can opt out of these
online tracking technologies by submitting a request as described below
under section "DO UNITED STATES RESIDENTS HAVE SPECIFIC
PRIVACY RIGHTS?"
Specific information about how we use such technologies and how you can
refuse certain cookies is set out in our Cookie Notice.
6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?
In Short: If you choose to register or log in to our Services using a social
media account, we may have access to certain information about you.
Our Services offer you the ability to register and log in using your third-
party social media account details (like your Facebook or X logins). Where
you choose to do this, we will receive certain profile information about you
from your social media provider. The profile information we receive may
vary depending on the social media provider concerned, but will often
include your name, email address, friends list, and profile picture, as well
as other information you choose to make public on such a social media
platform.
We will use the information we receive only for the purposes that are
described in this Privacy Notice or that are otherwise made clear to you on
the relevant Services. Please note that we do not control, and are not
responsible for, other uses of your personal information by your third-party
social media provider. We recommend that you review their privacy notice
to understand how they collect, use, and share your personal information,
and how you can set your privacy preferences on their sites and apps.
7. HOW LONG DO WE KEEP YOUR INFORMATION?
In Short: We keep your information for as long as necessary to fulfill the
purposes outlined in this Privacy Notice unless otherwise required by law.
We will only keep your personal information for as long as it is necessary
for the purposes set out in this Privacy Notice, unless a longer retention
period is required or permitted by law (such as tax, accounting, or other
legal requirements). No purpose in this notice will require us keeping your
personal information for longer than the period of time in which users have
an account with us.
When we have no ongoing legitimate business need to process your
personal information, we will either delete or anonymize such information,
or, if this is not possible (for example, because your personal information
has been stored in backup archives), then we will securely store your
personal information and isolate it from any further processing until deletion
is possible.
8. HOW DO WE KEEP YOUR INFORMATION SAFE?
In Short: We aim to protect your personal information through a system of
organizational and technical security measures.
We have implemented appropriate and reasonable technical and
organizational security measures designed to protect the security of any
personal information we process. However, despite our safeguards and
efforts to secure your information, no electronic transmission over the
Internet or information storage technology can be guaranteed to be 100%
secure, so we cannot promise or guarantee that hackers, cybercriminals, or
other unauthorized third parties will not be able to defeat our security and
improperly collect, access, steal, or modify your information. Although we
will do our best to protect your personal information, transmission of
personal information to and from our Services is at your own risk. You
should only access the Services within a secure environment.
9. DO WE COLLECT INFORMATION FROM
MINORS?
In Short: We do not knowingly collect data from or market to children
under 18 years of age or the equivalent age as specified by law in your
jurisdiction.
We do not knowingly collect, solicit data from, or market to children under
18 years of age or the equivalent age as specified by law in your
jurisdiction, nor do we knowingly sell such personal information. By using
the Services, you represent that you are at least 18 or the equivalent age
as specified by law in your jurisdiction or that you are the parent or
guardian of such a minor and consent to such minor dependent’s use of
the Services. If we learn that personal information from users less than 18
years of age or the equivalent age as specified by law in your jurisdiction
has been collected, we will deactivate the account and take reasonable
measures to promptly delete such data from our records. If you become
aware of any data we may have collected from children under age 18 or
the equivalent age as specified by law in your jurisdiction, please contact
us at bastinelliknives@gmail.com.
10. WHAT ARE YOUR PRIVACY RIGHTS?
In Short: Depending on your state of residence in the US or in some
regions, such as the European Economic Area (EEA), United Kingdom
(UK), Switzerland, and Canada, you have rights that allow you greater
access to and control over your personal information. You may review,
change, or terminate your account at any time, depending on your country,
province, or state of residence.
In some regions (like the EEA, UK, Switzerland, and Canada), you have
certain rights under applicable data protection laws. These may include the
right (i) to request access and obtain a copy of your personal information,
(ii) to request rectification or erasure; (iii) to restrict the processing of your
personal information; (iv) if applicable, to data portability; and (v) not to be
subject to automated decision-making. If a decision that produces legal or
similarly significant effects is made solely by automated means, we will
inform you, explain the main factors, and offer a simple way to request
human review. In certain circumstances, you may also have the right to
object to the processing of your personal information. You can make such a
request by contacting us by using the contact details provided in the
section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.
We will consider and act upon any request in accordance with applicable
data protection laws.
If you are located in the EEA or UK and you believe we are unlawfully
processing your personal information, you also have the right to complain
to your Member State data protection authority or UK data protection
authority.
If you are located in Switzerland, you may contact the Federal Data
Protection and Information Commissioner.
Withdrawing your consent: If we are relying on your consent to process
your personal information, which may be express and/or implied consent
depending on the applicable law, you have the right to withdraw your
consent at any time. You can withdraw your consent at any time by
contacting us by using the contact details provided in the section "HOW
CAN YOU CONTACT US ABOUT THIS NOTICE?" below.
However, please note that this will not affect the lawfulness of the
processing before its withdrawal nor, when applicable law allows, will it
affect the processing of your personal information conducted in reliance on
lawful processing grounds other than consent.
Opting out of marketing and promotional communications: You can
unsubscribe from our marketing and promotional communications at any
time by clicking on the unsubscribe link in the emails that we send, or by
contacting us using the details provided in the section "HOW CAN YOU
CONTACT US ABOUT THIS NOTICE?" below. You will then be removed
from the marketing lists. However, we may still communicate with you —
for example, to send you service-related messages that are necessary for
the administration and use of your account, to respond to service requests,
or for other non-marketing purposes.
Account Information
If you would at any time like to review or change the information in your
account or terminate your account, you can:
Log in to your account settings and update your user account.
Upon your request to terminate your account, we will deactivate or delete
your account and information from our active databases. However, we may
retain some information in our files to prevent fraud, troubleshoot problems,
assist with any investigations, enforce our legal terms and/or comply with
applicable legal requirements.
Cookies and similar technologies: Most Web browsers are set to accept
cookies by default. If you prefer, you can usually choose to set your
browser to remove cookies and to reject cookies. If you choose to remove
cookies or reject cookies, this could affect certain features or services of
our Services.
If you have questions or comments about your privacy rights, you may
email us at bastinelliknives@gmail.com.
11. CONTROLS FOR DO-NOT-TRACK FEATURES
Most web browsers and some mobile operating systems and mobile
applications include a Do-Not-Track ("DNT") feature or setting you can
activate to signal your privacy preference not to have data about your
online browsing activities monitored and collected. At this stage, no uniform
technology standard for recognizing and implementing DNT signals has
been finalized. As such, we do not currently respond to DNT browser
signals or any other mechanism that automatically communicates your
choice not to be tracked online. If a standard for online tracking is adopted
that we must follow in the future, we will inform you about that practice in a
revised version of this Privacy Notice.
California law requires us to let you know how we respond to web browser
DNT signals. Because there currently is not an industry or legal standard
for recognizing or honoring DNT signals, we do not respond to them at this
time.
12. DO UNITED STATES RESIDENTS HAVE
SPECIFIC PRIVACY RIGHTS?
In Short: If you are a resident of California, Colorado, Connecticut,
Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota,
Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island,
Tennessee, Texas, Utah, or Virginia, you may have the right to request
access to and receive details about the personal information we maintain
about you and how we have processed it, correct inaccuracies, get a copy
of, or delete your personal information. You may also have the right to
withdraw your consent to our processing of your personal information.
These rights may be limited in some circumstances by applicable law. More
information is provided below.
Categories of Personal Information We Collect
The table below shows the categories of personal information we have
collected in the past twelve (12) months. The table includes illustrative
examples of each category and does not reflect the personal information
we collect from you. For a comprehensive inventory of all personal
information we process, please refer to the section "WHAT INFORMATION
DO WE COLLECT?"
Category | Examples | Collected
A. Identifiers | Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name | YES
B. Personal information as defined in the California Customer Records statute | Name, contact information, education, employment, employment history, and financial information | YES
C. Protected classification characteristics under state or federal law | Gender, age, date of birth, race and ethnicity, national origin, marital status, and other demographic data | NO
D. Commercial information | Transaction information, purchase history, financial details, and payment information | NO
E. Biometric information | Fingerprints and voiceprints | NO
F. Internet or other similar network activity | Browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisements | NO
G. Geolocation data | Device location | NO
H. Audio, electronic, sensory, or similar information | Images and audio, video or call recordings created in connection with our business activity | NO
I. Professional or employment-related information | Business contact details in order to provide you our Services at a business level or job title, work history, and professional qualifications if you apply for a job with us | NO
J. Education Information | Student records and directory information | NO
K. Inferences drawn from collected personal information | Inferences drawn from any of the collected personal information listed above to create a profile or summary about, for example, an individual's preferences and characteristics | NO
L. Sensitive personal Information | | NO
We may also collect other personal information outside of these categories
through instances where you interact with us in person, online, or by phone
or mail in the context of:
Receiving help through our customer support channels;
Participation in customer surveys or contests; and
Facilitation in the delivery of our Services and to respond to your
inquiries.
We will use and retain the collected personal information as needed to
provide the Services or for:
Category A - As long as the user has an account with us
Category B - As long as the user has an account with us
Category H - As long as the user has an account with us
Sources of Personal Information
Learn more about the sources of personal information we collect in "WHAT
INFORMATION DO WE COLLECT?"
How We Use and Share Personal Information
Learn more about how we use your personal information in the section,
"HOW DO WE PROCESS YOUR INFORMATION?"
Will your information be shared with anyone else?
We may disclose your personal information to our service providers
pursuant to a written contract between us and each service provider. Learn
more about how we disclose personal information in the section "WHEN
AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?"
We may use your personal information for our own business purposes,
such as for undertaking internal research for technological development
and demonstration. This is not considered to be "selling" of your personal
information.
We have not disclosed, sold, or shared any personal information to third
parties for a business or commercial purpose in the preceding twelve (12)
months. We will not sell or share personal information in the future
belonging to website visitors, users, and other consumers.
Your Rights
You have rights under certain US state data protection laws. However,
these rights are not absolute, and in certain cases, we may decline your
request as permitted by law. These rights include:
Right to know whether or not we are processing your personal data
Right to access your personal data
Right to correct inaccuracies in your personal data
Right to request the deletion of your personal data
Right to obtain a copy of the personal data you previously shared
with us
Right to non-discrimination for exercising your rights
Right to opt out of the processing of your personal data if it is used
for targeted advertising (or sharing as defined under California’s
privacy law), the sale of personal data, or profiling in furtherance of
decisions that produce legal or similarly significant effects
("profiling")
Depending upon the state where you live, you may also have the following
rights:
Right to access the categories of personal data being processed (as
permitted by applicable law, including the privacy law in Minnesota)
Right to obtain a list of the categories of third parties to which we
have disclosed personal data (as permitted by applicable law,
including the privacy law in California, Delaware, and Maryland)
Right to obtain a list of specific third parties to which we have
disclosed personal data (as permitted by applicable law, including
the privacy law in Minnesota and Oregon)
Right to review, understand, question, and correct how personal data
has been profiled (as permitted by applicable law, including the
privacy law in Minnesota)
Right to limit use and disclosure of sensitive personal data (as
permitted by applicable law, including the privacy law in California)
Right to opt out of the collection of sensitive data and personal data
collected through the operation of a voice or facial recognition
feature (as permitted by applicable law, including the privacy law in
Florida)
How to Exercise Your Rights
To exercise these rights, you can contact us by submitting a data subject
access request, by emailing us at bastinelliknives@gmail.com, or by
referring to the contact details at the bottom of this document.
Under certain US state data protection laws, you can designate an
authorized agent to make a request on your behalf. We may deny a
request from an authorized agent that does not submit proof that they have
been validly authorized to act on your behalf in accordance with applicable
laws.
Request Verification
Upon receiving your request, we will need to verify your identity to
determine you are the same person about whom we have the information
in our system. We will only use personal information provided in your
request to verify your identity or authority to make the request. However, if
we cannot verify your identity from the information already maintained by
us, we may request that you provide additional information for the purposes
of verifying your identity and for security or fraud-prevention purposes.
If you submit the request through an authorized agent, we may need to
collect additional information to verify your identity before processing your
request and the agent will need to provide a written and signed permission
from you to submit such request on your behalf.
Appeals
Under certain US state data protection laws, if we decline to take action
regarding your request, you may appeal our decision by emailing us at
bastinelliknives@gmail.com. We will inform you in writing of any action
taken or not taken in response to the appeal, including a written
explanation of the reasons for the decisions. If your appeal is denied, you
may submit a complaint to your state attorney general.
California "Shine The Light" Law
California Civil Code Section 1798.83, also known as the "Shine The Light"
law, permits our users who are California residents to request and obtain
from us, once a year and free of charge, information about categories of
personal information (if any) we disclosed to third parties for direct
marketing purposes and the names and addresses of all third parties with
which we shared personal information in the immediately preceding
calendar year. If you are a California resident and would like to make such
a request, please submit your request in writing to us by using the contact
details provided in the section "HOW CAN YOU CONTACT US ABOUT
THIS NOTICE?"
13. DO WE MAKE UPDATES TO THIS NOTICE?
In Short: Yes, we will update this notice as necessary to stay compliant
with relevant laws.
We may update this Privacy Notice from time to time. The updated version
will be indicated by an updated "Revised" date at the top of this Privacy
Notice. If we make material changes to this Privacy Notice, we may notify
you either by prominently posting a notice of such changes or by directly
sending you a notification. We encourage you to review this Privacy Notice
frequently to be informed of how we are protecting your information.
14. HOW CAN YOU CONTACT US ABOUT THIS
NOTICE?
If you have questions or comments about this notice, you may email us at
bastinelliknives@gmail.com or contact us by post at:
bastinelli creations llc
109 Hangar road
Kissimmee, FL 34741
United States
15. HOW CAN YOU REVIEW, UPDATE, OR DELETE
THE DATA WE COLLECT FROM YOU?
Based on the applicable laws of your country or state of residence in the
US, you may have the right to request access to the personal information
we collect from you, details about how we have processed it, correct
inaccuracies, or delete your personal information. You may also have the
right to withdraw your consent to our processing of your personal
information. These rights may be limited in some circumstances by
applicable law. To request to review, update, or delete your personal
information, please fill out and submit a data subject access request.
SECURITY PRIVACY
Bastinelli Creations llc
Information Security Policy for SAQ A
PCI DSS Compliance
About this Document
This document contains the Bastinelli Creations LLC information security policies. Detailed standards and processes that support this policy are described in associated standards and procedures documentation. This document is for internal use only and is not to be distributed.
Table 1 - Revision History
Version | Date | Author | Description of Change
1.0 | | | Security Policy Created
1.2 | November 2010 | | Security Policy Updates
2.0 | April 2011 | GWG | Update for PCI DSS v2.0
2.1 | March 2012 | TF | Update Doc references for NTP processes in Sect. 10
2.2 | March 2012 | ME | Formatting Updates
3.0 | June 2014 | JJB | Update for PCI DSS v3.0
3.1 | July 2015 | JDB | Update for PCI DSS v3.1 and format standardization
3.2 | July 2016 | MRS | Update for PCI DSS v3.2
4.0 | July 2022 | MAH | Update for PCI DSS v4.0
Contents
About this Document
Table 1 - Revision History
Introduction
Purpose / Scope
Security Policy Ownership and Responsibilities
Additional Process and Standards Documents Referenced by this Security Policy
Table 2 – Security Process and Standards Documents Referenced by Policy
2 Secure Configurations are applied to all system components
2.2 System components are configured and managed securely
Protect Stored Cardholder Data
3.1 Processes and mechanisms for protecting stored account data are defined and understood
3.2 Storage of account data is kept to a minimum
6 Development and Maintenance of Secure Systems and Software
6.3 Security Vulnerabilities are Identified and Addressed
6.4 Protection of Public-Facing Web Applications Against Attacks
8 Identify and Authenticate Access to System Components
8.2 User Identification and Related Accounts for Users and Administrators are Strictly Managed throughout an Account's Lifecycle
8.3 Authentication for Users and Administrators
9 Restrict Physical Access to Cardholder Data
9.4 Securely Store, Access, Distribute, and Destroy Media with Cardholder Data
11 Regularly Test Security Systems and Processes
11.3 Vulnerability Assessment Scans
11.6 Change Detection on Payment Pages
Maintain an Information Security Policy
12 Support Information Security with Organizational Policies and Programs
12.8 Policies for Working with Third Party Service Providers (TPSPs)
12.10 Incident Response Plan Policies
Appendix A – Management Roles and Responsibilities
Assignment of Management Roles and Responsibilities for Security
Table A1 - Management Security Responsibilities
Appendix B – Agreement to Comply
Agreement to Comply with Information Security Policies
Introduction
To safeguard Bastinelli Creations LLC's information technology resources and to protect the confidentiality of data, adequate security measures must be taken. This Information Security Policy reflects Bastinelli Creations LLC's commitment to comply with required standards governing the security of sensitive and confidential information.
Bastinelli Creations LLC can minimize inappropriate exposures of confidential or sensitive information, loss of data and inappropriate use of computer networks and systems by complying with reasonable standards (such as Payment Card Industry Data Security Standard), attending to the proper design and control of information systems, and applying sanctions when violations of this security policy occur.
Security is the responsibility of everyone who uses Bastinelli Creations LLC's information technology resources. It is the responsibility of employees, contractors, business partners, and agents of Bastinelli Creations LLC. Each should become familiar with this policy's provisions and the importance of adhering to it when using Bastinelli Creations LLC's computers, networks, data and other information resources. Each is responsible for reporting any suspected breaches of its terms. As such, all information technology resource users are expected to adhere to all policies and procedures mandated by the <Name of the Information Technology Organization at the entity>.
Purpose / Scope
The primary purpose of this security policy is to establish rules to ensure the protection of confidential or sensitive information and to ensure protection of Bastinelli Creations LLC's information technology resources. The policy assigns responsibility and provides guidelines to protect Bastinelli Creations LLC's systems and data against misuse or loss.
This security policy applies to all users of computer systems, centrally managed computer systems, or computers that are authorized to connect to Bastinelli Creations LLC's data network. It may apply to users of information services operated or administered by Bastinelli Creations LLC (depending on access to sensitive data, etc.). Individuals working for institutions affiliated with Bastinelli Creations LLC are subject to these same definitions and rules when they are using Bastinelli Creations LLC's information technology resources.
This security policy applies to all aspects of information technology resource security including, but not limited to, accidental or unauthorized destruction, disclosure or modification of hardware, software, networks or data.
This security policy has been written to specifically address the security of Credit Card Data used by Bastinelli Creations LLC.
Credit card data stored, processed or transmitted under Bastinelli Creations LLC's Merchant ID must be protected, and security controls must conform to the Payment Card Industry Data Security Standard (PCI DSS).
Cardholder data within this document is defined as the full Primary Account Number (PAN), which may also appear in conjunction with Cardholder Name, Service Code, or Expiration Date. Sensitive Authentication Data within this document is defined as the card validation code (CVC, CVV2, CID, CAV2 and CVC2), the credit card PIN, and any form of magnetic stripe data from the card (Track 1, Track 2). Account Data within this document is defined as any combination of Cardholder Data and Sensitive Authentication Data.
Security Policy Ownership and Responsibilities
The manager is the assigned custodian of this Security Policy. It is the responsibility of the custodian of this security policy to publish and disseminate these policies to all relevant Bastinelli Creations LLC system users (including vendors, contractors, and business partners). In addition, the custodian must see that the security policy addresses and complies with all standards Bastinelli Creations LLC is required to follow (such as the PCI DSS). This policy document will also be reviewed at least annually by the custodian (and any relevant data owners) and updated as needed to reflect changes to business objectives or the risk environment.
Questions or comments about this policy should be directed to the custodian listed above.
Additional Process and Standards Documents Referenced by this Security Policy
This policy document defines the Bastinelli Creations LLC security policies relating to the protection of sensitive data and particularly credit card data. Details on Bastinelli Creations LLC standards and procedures in place to allow these policies to be followed are contained in other documents referenced by this policy. Table 2 lists other documents that accompany this security policy document, which help define Bastinelli Creations LLC data security best practices.
Table 2 – Security Process and Standards Documents Referenced by Policy
Document Name
Location or Custodian
System Hardening and Configuration Standards
manager
Full Data Retention and Storage Procedures
manager
Vulnerability Discovery and Risk Ranking Process
manager
Operating Procedures
manager
Service Provider Compliance Validation Process
manager
Incident Response Plan
manager
2 Secure Configurations are applied to all system components
2.2 System components are configured and managed securely
In order to ensure system components are configured consistently and securely and reduce the opportunities available to an attacker, Bastinelli Creations LLC securely configures and manages system components as follows:
● Configuration standards[1] shall be developed, implemented, and maintained to:
○ Cover all system components.
○ Address all known security vulnerabilities.
○ Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.
○ Be updated as new vulnerability issues are identified, as defined in PCI DSS Requirement 6.3.1.
○ Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment. (PCI DSS Requirement 2.2.1)
● When a vendor default account(s) is used, the default password should be changed per PCI DSS Requirement 8.3.6.
● If a vendor default account(s) is not used, the account should be removed or disabled. (PCI DSS Requirement 2.2.2)
Protect Stored Cardholder Data
3.1 Processes and mechanisms for protecting stored account data are defined and understood
Bastinelli Creations LLC ensures that documented processes and mechanisms for protecting stored account data are defined and understood, as follows:
● All security policies and operational procedures that are identified in this section shall be documented, kept up to date, in use, and known to all affected parties. (PCI DSS Requirement 3.1.1)
● Roles and responsibilities for performing activities in this section shall be documented, assigned, and understood.[2]
3.2 Storage of account data is kept to a minimum
To ensure that sensitive data is securely destroyed or deleted as soon as it is no longer needed, Bastinelli Creations LLC maintains a formal data retention policy that identifies what data needs to be retained, for how long, and where that data resides, as follows:
● Account data storage shall be kept to a minimum through implementation of data retention and disposal policies, procedures, and processes[3] that include at least the following:
○ Coverage for all locations of stored account data.
○ Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization.
○ Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements.
○ Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification.
○ Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy.
○ A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable. (PCI DSS Requirement 3.2.1)
6 Development and Maintenance of Secure Systems and Software
All system components must have appropriate software patches to protect against the exploitation and compromise of account data by malicious individuals and malicious software.
Appropriate software patches must be evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For bespoke and custom software, numerous vulnerabilities can be avoided by applying software life cycle (SLC) processes and secure coding techniques.
6.3 Security Vulnerabilities are Identified and Addressed.
● Bastinelli Creations LLC identifies and manages security vulnerabilities as follows: (PCI DSS Requirement 6.3.1)
○ New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).
○ Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
○ Risk rankings identify, at a minimum, all vulnerabilities considered to be high-risk or critical to the environment.
○ Vulnerabilities in bespoke and custom software and in third-party software (for example, operating systems and databases) are covered.
● All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: (PCI DSS Requirement 6.3.3)
○ Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
○ All other applicable security patches/updates are installed within an appropriate time frame as determined by Bastinelli Creations LLC (for example, within three months of release).
6.4 Protection of Public-Facing Web Applications Against Attacks
● All payment page scripts that are loaded and executed in the consumer's browser are managed as follows: (PCI DSS Requirement 6.4.3)
○ A method is implemented to confirm that each script is authorized.
○ A method is implemented to assure the integrity of each script.
○ An inventory of all scripts is maintained with written justification as to why each is necessary.
8 Identify and Authenticate Access to System Components
It is critical to assign a unique identification (ID) to each person with access to critical systems or software. This ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Detailed authentication procedures should be developed and documented to meet the following policies.
8.2 User Identification and Related Accounts for Users and Administrators are Strictly Managed throughout an Account’s Lifecycle
● Assign all users a unique ID before granting access to system components or cardholder data. (PCI DSS Requirement 8.2.1)
● Only use group, shared, or generic accounts, or other shared authentication credentials, when necessary, on an exception basis, and manage them as follows: (PCI DSS Requirement 8.2.2)
○ Account use is prevented unless needed for an exceptional circumstance.
○ Use is limited to the time needed for the exceptional circumstance.
○ Business justification for use is documented.
○ Use is explicitly approved by management.
○ Individual user identity is confirmed before access to an account is granted.
○ Every action taken is attributable to an individual user.
● Immediately revoke access for terminated users. (PCI DSS Requirement 8.2.5)
8.3 Authentication for Users and Administrators
● All user access to system components for users and administrators is authenticated via at least one of the following authentication factors: (PCI DSS Requirement 8.3.1)
○ Something you know, like a password or passphrase.
○ Something you have, like a token device or smart card.
○ Something you are, like a biometric element.
● When passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user as follows: (PCI DSS Requirement 8.3.5)
○ Set to a unique value for first-time use and upon reset.
○ Forced to be changed immediately after the first use.
● When passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they must meet the following minimum level of complexity: (PCI DSS Requirement 8.3.6)
○ A minimum length of 12 characters (or, if the system does not support 12 characters, a minimum length of 8 characters).
○ Contain both numeric and alphabetic characters.
● Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases they have used. (PCI DSS Requirement 8.3.7)
● When passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation), then either: (PCI DSS Requirement 8.3.9)
○ Passwords/passphrases are changed at least once every 90 days, OR
○ The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.
● Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used: (PCI DSS Requirement 8.3.11)
○ Factors are assigned to an individual user and not shared among multiple users.
○ Physical and/or logical controls ensure only the intended user can use that factor to gain access.
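The password controls above (Requirements 8.3.5 through 8.3.9) are easy to state and easy to get subtly wrong, in particular the "last four" rule, which only works if the history is kept as salted hashes rather than plaintext. The following is an added example, not part of the Bastinelli Creations LLC policy and not code from any vendor product. The system_max_length field, the PBKDF2 iteration count and the DEMO_NOW timestamp are assumptions made for the example.

```python
"""Password/passphrase controls for PCI DSS Requirements 8.3.5 through 8.3.9.

Added example; not part of the Bastinelli Creations LLC policy or of any
vendor product. History is kept as salted PBKDF2 digests so a reused
password can be rejected without the old passwords ever being stored in clear.
"""
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

HISTORY_DEPTH = 4                     # 8.3.7: may not match any of the last four
PREFERRED_MIN_LENGTH = 12             # 8.3.6
FALLBACK_MIN_LENGTH = 8               # 8.3.6: only where the system cannot accept 12
ROTATION_PERIOD = timedelta(days=90)  # 8.3.9, option 1 (single-factor password access)
PBKDF2_ITERATIONS = 100_000           # assumption: raise to what the login path tolerates
DEMO_NOW = datetime(2025, 7, 17, tzinfo=timezone.utc)  # constructed timestamp for the walkthrough


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def complexity_errors(candidate: str, min_length: int) -> list:
    """8.3.6 checks only; returns every reason for rejection (empty list = acceptable)."""
    errors = []
    if len(candidate) < min_length:
        errors.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in candidate):
        errors.append("no alphabetic character")
    if not any(c.isdigit() for c in candidate):
        errors.append("no numeric character")
    return errors


@dataclass
class Account:
    user_id: str
    system_max_length: int = 64          # assumption: longest value the target system accepts
    must_change: bool = True             # 8.3.5: set on issue/reset, cleared by the user's own change
    last_changed: Optional[datetime] = None
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest last

    def min_length(self) -> int:
        if self.system_max_length >= PREFERRED_MIN_LENGTH:
            return PREFERRED_MIN_LENGTH
        return FALLBACK_MIN_LENGTH

    def policy_errors(self, candidate: str) -> list:
        """8.3.6 complexity plus the 8.3.7 history check against the last four digests."""
        errors = complexity_errors(candidate, self.min_length())
        recent = self.history[-HISTORY_DEPTH:]
        if any(secrets.compare_digest(_digest(candidate, salt), old) for salt, old in recent):
            errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        return errors

    def _store(self, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.last_changed = now

    def change_password(self, candidate: str, now: Optional[datetime] = None) -> list:
        """User-initiated change: rejected on any policy error, otherwise clears the forced-change flag."""
        errors = self.policy_errors(candidate)
        if not errors:
            self._store(candidate, now or datetime.now(timezone.utc))
            self.must_change = False
        return errors

    def issue_temporary_password(self, now: Optional[datetime] = None) -> str:
        """Admin issue or reset (8.3.5): a fresh unique value that must be changed at first use."""
        while True:
            tmp = secrets.token_urlsafe(12)  # 16 URL-safe chars; retry until it satisfies the policy
            if not self.policy_errors(tmp):
                break
        self._store(tmp, now or datetime.now(timezone.utc))
        self.must_change = True
        return tmp

    def rotation_due(self, now: datetime) -> bool:
        """8.3.9, option 1: a single-factor password older than 90 days must be changed."""
        return self.last_changed is None or now - self.last_changed >= ROTATION_PERIOD


if __name__ == "__main__":
    acct = Account("alice")
    print(acct.change_password("Winter2025pass", DEMO_NOW))      # [] -> accepted
    print(acct.change_password("Winter2025pass", DEMO_NOW))      # rejected: in history
    print(acct.rotation_due(DEMO_NOW + ROTATION_PERIOD))        # True
```

Two points worth noticing: the history comparison re-derives the candidate's digest with each stored salt (four PBKDF2 runs per attempt, which is why the iteration count is a tuning decision), and a temporary password issued by an administrator is itself written to the history, so the user cannot "change" it to the same value at first login.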
9 Restrict Physical Access to Cardholder Data
Any physical access to locations that house cardholder data provides an opportunity for individuals to access data and remove hard copies, and must be appropriately restricted. Detailed physical security procedures should be developed and documented to meet the following policies.
9.4 Securely Store, Access, Distribute, and Destroy Media with Cardholder Data
● Bastinelli Creations LLC will define specific procedures[4] to physically secure all media, including but not limited to paper receipts and paper reports. (PCI DSS Requirement 9.4.1)
● Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility and review the security of storage locations at least once every 12 months. (PCI DSS Requirement 9.4.1.1)
● Classify all media with cardholder data in accordance with the sensitivity of the data. (PCI DSS Requirement 9.4.2)
● Maintain strict control over the external distribution of media with cardholder data, including the following: (PCI DSS Requirement 9.4.3)
○ Media sent outside the facility is logged.
○ Media is sent by secured courier or another delivery method that can be accurately tracked.
○ Media transfer logs show management approval and tracking information, and are retained.
● Management approves all media with cardholder data that is moved from a secured area, including when media is distributed to individuals. (PCI DSS Requirement 9.4.4)
● Destroy hard-copy materials containing cardholder data when they are no longer needed for business or legal reasons, as follows: (PCI DSS Requirement 9.4.6)
○ Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.
○ Materials are stored in secure storage containers prior to destruction.
11 Regularly Test Security Systems and Processes
Vulnerabilities are continually being introduced by new software and discovered in current software. System components, processes, and bespoke and custom software must be tested frequently to ensure security controls continue to reflect a changing environment. Detailed testing procedures[5] should be developed and documented to meet the following policies.
11.3 Vulnerability Assessment Scans
● External vulnerability assessment scans must be performed at least every three months and after any significant change in the cardholder data environment (e.g., changes in firewall rules or upgrades to products within the environment). (PCI DSS Requirement 11.3)
● External vulnerability scans must: (PCI DSS Requirement 11.3.2)
○ Be performed at least once every three months, and after any significant change.
○ Be performed by an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC), or by qualified personnel if the scan is performed after a significant change.
○ Contain no vulnerabilities scored 4.0 or higher by the CVSS.
○ Run on all external IP addresses that could be used to gain access to the cardholder data environment.
● Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan. (PCI DSS Requirement 11.3.2)
● Results of each quarter's internal and external vulnerability assessments are documented and retained for review. (PCI DSS Requirement 11.3)
11.6 Change Detection on Payment Pages
● Deploy a change-detection mechanism to alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser. This mechanism is configured to evaluate the received HTTP header and payment page at least once every seven days or periodically at a defined frequency that is the result of targeted risk analysis which is performed according to all elements specified in Requirement 12.3.1. (PCI DSS Requirement 11.6.1)
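Requirement 6.4.3 (script authorization, integrity and inventory, section 6.4 above) and Requirement 11.6.1 (change detection on the page as the consumer's browser receives it) are usually satisfied by the same job: fetch the checkout page from outside the environment, list the scripts it would execute, compare them and the security-relevant response headers against an approved baseline, and alert on any difference. The block below is an added example, not code from the Bastinelli Creations LLC policy or from any payment provider: the page, headers, inventory, hostnames (all under the reserved .test domain) and hashes are constructed for the example, and the set of headers monitored is an assumption.

```python
"""Payment-page script authorization and integrity (PCI DSS 6.4.3) and
header/content change detection (PCI DSS 11.6.1), run against a page as the
consumer browser receives it.

Added example; not code from the Bastinelli Creations LLC policy or from any
payment provider. The page, headers, inventory and hashes below are constructed
for this example. A real deployment fetches the checkout page from outside the
environment on the 11.6.1 schedule and keeps the baseline in tamper-evident storage.
"""
import base64
import hashlib
from html.parser import HTMLParser

MONITORED_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")  # assumption


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Subresource Integrity value ('<alg>-<base64 digest>') for a script body."""
    return f"{algorithm}-{base64.b64encode(hashlib.new(algorithm, content).digest()).decode()}"


class _ScriptCollector(HTMLParser):
    """Records every <script> the browser would execute: src + integrity, or the inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._open = {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def collect_scripts(html: str) -> list:
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def script_identity(script: dict) -> str:
    """Stable name for a script: URL plus pinned hash, or a hash of the inline body."""
    if script["src"]:
        return f"{script['src']} [{script['integrity'] or 'no integrity'}]"
    return "inline:" + sri_hash(script["inline"].strip().encode())


def audit_scripts(html: str, inventory: dict) -> list:
    """6.4.3: every script must be in the inventory, integrity-pinned, and justified in writing."""
    findings, seen = [], set()
    for s in collect_scripts(html):
        key = s["src"] or script_identity(s)
        entry = inventory.get(key)
        if entry is None:
            findings.append(f"unauthorized {'external' if s['src'] else 'inline'} script: {key}")
            continue
        seen.add(key)
        if s["src"] and not s["integrity"]:
            findings.append(f"missing integrity attribute: {key}")
        elif s["src"] and s["integrity"] != entry["sri"]:
            findings.append(f"integrity mismatch: {key}")
        if not entry.get("justification"):
            findings.append(f"no written justification: {key}")
    findings += [f"inventory entry not present on page: {k}" for k in sorted(inventory.keys() - seen)]
    return findings


def snapshot(headers: dict, html: str) -> dict:
    """What 11.6.1 compares between evaluations: security headers and the executed script set."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {"headers": {h: lowered.get(h) for h in MONITORED_HEADERS},
            "scripts": sorted(script_identity(s) for s in collect_scripts(html))}


def detect_changes(baseline: dict, current: dict) -> list:
    """Alerts for any monitored header that changed and any script added or removed."""
    alerts = [f"header changed: {h}: {v!r} -> {current['headers'].get(h)!r}"
              for h, v in baseline["headers"].items() if current["headers"].get(h) != v]
    before, after = set(baseline["scripts"]), set(current["scripts"])
    alerts += [f"script added: {s}" for s in sorted(after - before)]
    alerts += [f"script removed: {s}" for s in sorted(before - after)]
    return alerts


# --- constructed sample data (not a real processor, page or skimmer) ---
PSP_SRC = "https://js.example-psp.test/v3/checkout.js"
PSP_SRI = sri_hash(b"/* constructed stand-in for the processor's checkout.js */")
INLINE_INIT = 'window.checkoutConfig = {"currency": "USD"};'
INVENTORY = {
    PSP_SRC: {"sri": PSP_SRI, "justification": "Hosted payment fields from the payment processor"},
    "inline:" + sri_hash(INLINE_INIT.encode()): {"justification": "Passes checkout options to the processor widget"},
}
BASELINE_HEADERS = {"Content-Security-Policy": "script-src 'self' https://js.example-psp.test",
                    "Strict-Transport-Security": "max-age=31536000"}
BASELINE_HTML = (f'<html><head><script src="{PSP_SRC}" integrity="{PSP_SRI}" crossorigin="anonymous"></script>'
                 f'<script>{INLINE_INIT}</script></head><body><form id="payment"></form></body></html>')
# Tampered copy: a third-party script injected into <head> and the CSP header dropped.
TAMPERED_HTML = BASELINE_HTML.replace("</head>", '<script src="https://cdn.example-skimmer.test/a.js"></script></head>')
TAMPERED_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}
```

The audit and the change detector deliberately key on the script set rather than on a hash of the whole response body: a body hash changes with every cart total or session token, so it would alert weekly for reasons unrelated to tampering, while a new script URL, a dropped integrity attribute or a loosened Content-Security-Policy header is exactly the signal a skimmer injection produces.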
Maintain an Information Security Policy
Without strong security policies and procedures, many of the layers of security controls become ineffective at preventing data breach. Unless consistent policy and practices are adopted and followed at all times, security controls break down due to inattention and poor maintenance. The following documentation policies address maintaining the Bastinelli Creations LLC security policies described in this document.
12 Support Information Security with Organizational Policies and Programs
A strong security policy sets the security tone for Bastinelli Creations LLC and informs employees and vendors what is expected of them. All employees and vendors should be aware of the sensitivity of data and their responsibilities for protecting it.
12.8 Policies for Working with Third Party Service Providers (TPSPs)
● To conform to industry best practices, due diligence must be performed before engaging new service providers, and current service providers that store, process, or transmit cardholder data on Bastinelli Creations LLC's behalf must be monitored. Service providers that could affect the security of cardholder data are also in scope of this policy.
● Bastinelli Creations LLC shall maintain a documented list[6] of all applicable service providers in use and the services they provide. (PCI DSS Requirement 12.8.1)
● A written agreement with all applicable service providers is required and must include an acknowledgement of the service providers’ responsibility for securing all cardholder data they receive from or on behalf of Bastinelli Creations LLC, or to the extent that they could affect the security of a cardholder data environment (PCI DSS Requirement 12.8.2). In addition, the service provider must agree to provide compliance validation evidence on an annual basis. (PCI DSS Requirement 12.8.4). Prior to engaging with an applicable service provider, a thorough due diligence process[7] should be followed. (PCI DSS Requirement 12.8.3)
● Bastinelli Creations LLC shall review the PCI DSS attestation of compliance form(s) for its third-party service providers and confirm that the third-party service providers are PCI DSS compliant for the services being used by the merchant. (PCI DSS Requirement 12.8.4)
● Bastinelli Creations LLC shall maintain a list[8] of which PCI DSS requirements are managed by each service provider, which are managed by Bastinelli Creations LLC, and any that are shared between the service provider and Bastinelli Creations LLC. (PCI DSS Requirement 12.8.5)
12.10 Incident Response Plan Policies
Incidents or suspected incidents regarding the security of the Cardholder Data Environment or cardholder data itself must be handled quickly and in a controlled, coordinated and specific manner. An incident response plan (IRP) must be developed and followed in the event of a breach or suspected breach. The following policies specifically address the Bastinelli Creations LLC IRP[9]:
● Bastinelli Creations LLC must maintain a documented IRP and be prepared to respond immediately to a system breach. (PCI DSS Requirement 12.10)
● The IRP must clearly define roles and responsibilities for response team members. (PCI DSS Requirement 12.10.1)
● The IRP must define contact/communication strategies to be used in the event of a compromise including notification of payment brands. (PCI DSS Requirement 12.10.1)
● The IRP must define specific incident response procedures to be followed for different types of incidents. (PCI DSS Requirement 12.10.1)
● The IRP must document business recovery and continuity procedures. (PCI DSS Requirement 12.10.1)
● The IRP must detail all data backup processes. (PCI DSS Requirement 12.10.1)
● The IRP must contain an analysis of all legal requirements for reporting compromises of cardholder data (for example, California Bill 1386 which requires notification of affected consumers in the event of an actual or suspected compromise of California residents’ data). (PCI DSS Requirement 12.10.1)
● The IRP must address coverage and responses for all critical system components. (PCI DSS Requirement 12.10.1)
● The IRP must include or reference the specific incident response procedures from the payment brands. (PCI DSS Requirement 12.10.1)
Appendix A – Management Roles and Responsibilities
Assignment of Management Roles and Responsibilities for Security
As required by policy in Section 12.5 of this security policy, the following table contains the assignment of management roles for security processes.
Table A1 - Management Security Responsibilities
Name of Role, Group, or Department | Date Assigned | Description of Responsibility
MANAGEMENT | January 2020 | Establish, document, and distribute security policies
MANAGEMENT | January 2020 | Monitor, analyze, and distribute security alerts and information
MANAGEMENT | January 2020 | Establish, document, and distribute security incident response and escalation policies
MANAGEMENT | January 2020 | Administration of user accounts on systems in the cardholder data environment
MANAGEMENT | January 2020 | Monitor and control all access to cardholder data
Appendix B – Agreement to Comply
Agreement to Comply with Information Security Policies
All employees working with cardholder data must submit a signed paper copy of this form. Bastinelli Creations LLC management will not accept modifications to the terms and conditions of this agreement.
Bastien COVES
_________________________________________
Employee’s Printed Name
Management
_________________________________________
Employee’s Department
______4077854050____________________________________
Employee’s Telephone Number
______109 HANGAR ROAD, KISSIMMEE, FL 34741____________________________________
Employee’s Physical Address and Mail Location
I, the user, agree to take all reasonable precautions to assure that Bastinelli Creations LLC internal information, or information that has been entrusted to Bastinelli Creations LLC by third parties, such as customers, will not be disclosed to unauthorized persons. At the end of my employment or contract with Bastinelli Creations LLC , I agree to return Bastinelli Creations LLC all information to which I have had access as a result of my position with Bastinelli Creations LLC .I understand that I am not authorized to use this information for my own purposes, nor am I at liberty to provide this information to third parties without the express written consent of the internal Bastinelli Creations LLC manager who is the designated information owner.
I have access to a copy of the Bastinelli Creations LLC Information Security Policies Manual, I have read and understand the manual, and I understand how it affects my job. As a condition of continued employment at Bastinelli Creations LLC, I agree to abide by the policies and other requirements found in that manual. I understand that non-compliance will be cause for disciplinary action up to and including system privilege revocation, dismissal from Bastinelli Creations LLC, and perhaps criminal and/or civil penalties.
I agree to choose a difficult-to-guess password as described in the Bastinelli Creations LLC Information Security Policies Manual, I agree not to share this password with any other person, and I agree not to write this password down unless it has been transformed in an unrecognizable way.
I also agree to promptly report all violations or suspected violations of information security policies to the director of the Information Security department or identified responsible team.
_____________________________ _____________
Employee’s Signature
[1] System Hardening Standards
[2] PCI Security Roles and Responsibilities Matrix
[3] Data Retention Policy
[4] See the Physical Security Procedures document.
[5] See the Operating Procedures document.
[6]
[7] See the Service Provider Compliance Validation Process document.
[8] See the Service Provider Compliance Validation Process document.
[9] See the Incident Response Plan document.