Privacy Policy

Last updated July 17, 2025

This Privacy Notice for bastinelli creations llc (doing business as bastinelli knives) ("we," "us," or "our"), describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

- Visit our website at https://bastinelliknives.com/ or any website of ours that links to this Privacy Notice
- Engage with us in other related ways, including any sales, marketing, or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at bastinelliknives@gmail.com.

SUMMARY OF KEY POINTS

This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use. Learn more about personal information you disclose to us.

Do we process any sensitive personal information? Some of the information may be considered "special" or "sensitive" in certain jurisdictions, for example your racial or ethnic origins, sexual orientation, and religious beliefs. We do not process sensitive personal information.

Do we collect any information from third parties? We do not collect any information from third parties.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so. Learn more about how we process your information.

In what situations and with which parties do we share personal information? We may share information in specific situations and with specific third parties. Learn more about when and with whom we share your personal information.

How do we keep your information safe? We have adequate organizational and technical processes and procedures in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Learn more about how we keep your information safe.

What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information. Learn more about your privacy rights.

How do you exercise your rights? The easiest way to exercise your rights is by submitting a data subject access request, or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.

Want to learn more about what we do with any information we collect? Review the Privacy Notice in full.

TABLE OF CONTENTS

1. WHAT INFORMATION DO WE COLLECT?
2. HOW DO WE PROCESS YOUR INFORMATION?
3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?
4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?
7. HOW LONG DO WE KEEP YOUR INFORMATION?
8. HOW DO WE KEEP YOUR INFORMATION SAFE?
9. DO WE COLLECT INFORMATION FROM MINORS?
10. WHAT ARE YOUR PRIVACY RIGHTS?
11. CONTROLS FOR DO-NOT-TRACK FEATURES
12. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
13. DO WE MAKE UPDATES TO THIS NOTICE?
14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

- names
- phone numbers
- email addresses
- mailing addresses
- billing addresses

Sensitive Information. We do not process sensitive information.

Payment Data. We may collect data necessary to process your payment if you choose to make purchases, such as your payment instrument number, and the security code associated with your payment instrument. We don't store your payment information.

Social Media Login Data. We may provide you with the option to register with us using your existing social media account details, like your Facebook, X, or other social media account. If you choose to register in this way, we will collect certain profile information about you from the social media provider, as described in the section called "HOW DO WE HANDLE YOUR SOCIAL LOGINS?" below.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We process the personal information for the following purposes listed below. We may also process your information for other purposes only with your prior explicit consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

- To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, as well as keep your account in working order.
- To deliver and facilitate delivery of services to the user. We may process your information to provide you with the requested service.
- To respond to user inquiries/offer support to users. We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
- To send administrative information to you. We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information.
- To fulfill and manage your orders. We may process your information to fulfill and manage your orders, payments, returns, and exchanges made through the Services.
- To request feedback. We may process your information when necessary to request feedback and to contact you about your use of our Services.
- To send you marketing and promotional communications. We may process the personal information you send to us for our marketing purposes, if this is in accordance with your marketing preferences. You can opt out of our marketing emails at any time. For more information, see "WHAT ARE YOUR PRIVACY RIGHTS?" below.
- To save or protect an individual's vital interest. We may process your information when necessary to save or protect an individual's vital interest, such as to prevent harm.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.

If you are located in the EU or UK, this section applies to you.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:

- Consent. We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time. Learn more about withdrawing your consent.
- Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
- Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information for some of the purposes described in order to:
  - Send users information about special offers and discounts on our products and services
  - Understand how our users use our products and services so we can improve user experience
- Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
- Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

If you are located in Canada, this section applies to you.

We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time.

In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including, for example:

- If collection is clearly in the interests of an individual and consent cannot be obtained in a timely way
- For investigations and fraud detection and prevention
- For business transactions provided certain conditions are met
- If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim
- For identifying injured, ill, or deceased persons and communicating with next of kin
- If we have reasonable grounds to believe an individual has been, is, or may be victim of financial abuse
- If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province
- If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records
- If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced
- If the collection is solely for journalistic, artistic, or literary purposes
- If the information is publicly available and is specified by the regulations
- We may disclose de-identified information for approved research or statistics projects, subject to ethics oversight and confidentiality commitments

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We may share information in specific situations described in this section and/or with the following third parties.

We may need to share your personal information in the following situations:

- Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
- When we use Google Maps Platform APIs. We may share your information with certain Google Maps Platform APIs (e.g., Google Maps API, Places API). Google Maps uses GPS, Wi-Fi, and cell towers to estimate your location. GPS is accurate to about 20 meters, while Wi-Fi and cell towers help improve accuracy when GPS signals are weak, like indoors. This data helps Google Maps provide directions, but it is not always perfectly precise.

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We may use cookies and other tracking technologies to collect and store your information.

We may use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.

We also permit third parties and service providers to use online tracking technologies on our Services for analytics and advertising, including to help manage and display advertisements, to tailor advertisements to your interests, or to send abandoned shopping cart reminders (depending on your communication preferences). The third parties and service providers use their technology to provide advertising about products and services tailored to your interests which may appear either on our Services or on other websites.

To the extent these online tracking technologies are deemed to be a "sale"/"sharing" (which includes targeted advertising, as defined under the applicable laws) under applicable US state laws, you can opt out of these online tracking technologies by submitting a request as described below under section "DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?"

Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice.

6. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.

Our Services offer you the ability to register and log in using your third-party social media account details (like your Facebook or X logins). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, email address, friends list, and profile picture, as well as other information you choose to make public on such a social media platform.

We will use the information we receive only for the purposes that are described in this Privacy Notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information, and how you can set your privacy preferences on their sites and apps.

7. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this notice will require us to keep your personal information for longer than the period of time in which users have an account with us.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

8. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

9. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect data from or market to children under 18 years of age or the equivalent age as specified by law in your jurisdiction.

We do not knowingly collect, solicit data from, or market to children under 18 years of age or the equivalent age as specified by law in your jurisdiction, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 or the equivalent age as specified by law in your jurisdiction or that you are the parent or guardian of such a minor and consent to such minor dependent's use of the Services. If we learn that personal information from users less than 18 years of age or the equivalent age as specified by law in your jurisdiction has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18 or the equivalent age as specified by law in your jurisdiction, please contact us at bastinelliknives@gmail.com.

10. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: Depending on your state of residence in the US or in some regions, such as the European Economic Area (EEA), United Kingdom (UK), Switzerland, and Canada, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time, depending on your country, province, or state of residence.

In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information, (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; (iv) if applicable, to data portability; and (v) not to be subject to automated decision-making. If a decision that produces legal or similarly significant effects is made solely by automated means, we will inform you, explain the main factors, and offer a simple way to request human review. In certain circumstances, you may also have the right to object to the processing of your personal information. You can make such a request by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.

We will consider and act upon any request in accordance with applicable data protection laws.

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or UK data protection authority.

If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.

However, please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Opting out of marketing and promotional communications: You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, or by contacting us using the details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below. You will then be removed from the marketing lists. However, we may still communicate with you, for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.

Account Information

If you would at any time like to review or change the information in your account or terminate your account, you can:

- Log in to your account settings and update your user account.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

Cookies and similar technologies: Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services.

If you have questions or comments about your privacy rights, you may email us at bastinelliknives@gmail.com.

11. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice.

California law requires us to let you know how we respond to web browser DNT signals. Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.

12. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the personal information we maintain about you and how we have processed it, correct inaccuracies, get a copy of, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. More information is provided below.

Categories of Personal Information We Collect

The table below shows the categories of personal information we have collected in the past twelve (12) months. The table includes illustrative examples of each category and does not reflect the personal information we collect from you. For a comprehensive inventory of all personal information we process, please refer to the section "WHAT INFORMATION DO WE COLLECT?"

Category | Examples | Collected
A. Identifiers | Contact details, such as real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, and account name | YES
B. Personal information as defined in the California Customer Records statute | Name, contact information, education, employment, employment history, and financial information | YES
C. Protected classification characteristics under state or federal law | Gender, age, date of birth, race and ethnicity, national origin, marital status, and other demographic data | NO
D. Commercial information | Transaction information, purchase history, financial details, and payment information | NO
E. Biometric information | Fingerprints and voiceprints | NO
F. Internet or other similar network activity | Browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisements | NO
G. Geolocation data | Device location | NO
H. Audio, electronic, sensory, or similar information | Images and audio, video or call recordings created in connection with our business activity | NO
I. Professional or employment-related information | Business contact details in order to provide you our Services at a business level or job title, work history, and professional qualifications if you apply for a job with us | NO
J. Education Information | Student records and directory information | NO
K. Inferences drawn from collected personal information | Inferences drawn from any of the collected personal information listed above to create a profile or summary about, for example, an individual's preferences and characteristics | NO
L. Sensitive personal Information | | NO

We may also collect other personal information outside of these categories

through instances where you interact with us in person, online, or by phone

or mail in the context of:

Receiving help through our customer support channels;

Participation in customer surveys or contests; and

Facilitation in the delivery of our Services and to respond to your

inquiries.

We will use and retain the collected personal information as needed to

provide the Services or for:

Category A - As long as the user has an account with us

Category B - As long as the user has an account with us

Category H - As long as the user has an account with us

Sources of Personal Information

Learn more about the sources of personal information we collect in "WHAT

INFORMATION DO WE COLLECT?"

How We Use and Share Personal Information

Learn more about how we use your personal information in the section,

"HOW DO WE PROCESS YOUR INFORMATION?"

Will your information be shared with anyone else?

We may disclose your personal information with our service providers

pursuant to a written contract between us and each service provider. Learn

more about how we disclose personal information to in the section, "WHEN

AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?"

We may use your personal information for our own business purposes,

such as for undertaking internal research for technological development

and demonstration. This is not considered to be "selling" of your personal

information.

We have not disclosed, sold, or shared any personal information to third

parties for a business or commercial purpose in the preceding twelve (12)

months. We will not sell or share personal information in the future

belonging to website visitors, users, and other consumers.

Your Rights

You have rights under certain US state data protection laws. However,

these rights are not absolute, and in certain cases, we may decline your

request as permitted by law. These rights include:

Right to know whether or not we are processing your personal data

Right to access your personal data

Right to correct inaccuracies in your personal data

Right to request the deletion of your personal data

Right to obtain a copy of the personal data you previously shared

with us

Right to non-discrimination for exercising your rights

Right to opt out of the processing of your personal data if it is used

for targeted advertising (or sharing as defined under California’s

privacy law), the sale of personal data, or profiling in furtherance of

decisions that produce legal or similarly significant effects

("profiling")

Depending upon the state where you live, you may also have the following

rights:

Right to access the categories of personal data being processed (as

permitted by applicable law, including the privacy law in Minnesota)

Right to obtain a list of the categories of third parties to which we

have disclosed personal data (as permitted by applicable law,

including the privacy law in California, Delaware, and Maryland)

Right to obtain a list of specific third parties to which we have

disclosed personal data (as permitted by applicable law, including

the privacy law in Minnesota and Oregon)

Right to review, understand, question, and correct how personal data

has been profiled (as permitted by applicable law, including the

privacy law in Minnesota)

Right to limit use and disclosure of sensitive personal data (as

permitted by applicable law, including the privacy law in California)

Right to opt out of the collection of sensitive data and personal data

collected through the operation of a voice or facial recognition

feature (as permitted by applicable law, including the privacy law in

Florida)

How to Exercise Your Rights

To exercise these rights, you can contact us by submitting a data subject

access request, by emailing us at bastinelliknives@gmail.com, or by

referring to the contact details at the bottom of this document.

Under certain US state data protection laws, you can designate an

authorized agent to make a request on your behalf. We may deny a

request from an authorized agent that does not submit proof that they have

been validly authorized to act on your behalf in accordance with applicable

laws.

Request Verification

Upon receiving your request, we will need to verify your identity to determine you are the same person about whom we have the information in our system. We will only use personal information provided in your request to verify your identity or authority to make the request. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes.

If you submit the request through an authorized agent, we may need to collect additional information to verify your identity before processing your request, and the agent will need to provide written and signed permission from you to submit such a request on your behalf.

Appeals

Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing us at bastinelliknives@gmail.com. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If your appeal is denied, you may submit a complaint to your state attorney general.

California "Shine The Light" Law

California Civil Code Section 1798.83, also known as the "Shine The Light" law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us by using the contact details provided in the section "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?"

13. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

14. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may email us at bastinelliknives@gmail.com or contact us by post at:

bastinelli creations llc
109 Hangar Road
Kissimmee, FL 34741
United States

15. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country or state of residence in the US, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law. To request to review, update, or delete your personal information, please fill out and submit a data subject access request.

SECURITY PRIVACY

Bastinelli Creations llc

Information Security Policy for SAQ A
PCI DSS Compliance

About this Document
This document contains the Bastinelli Creations LLC information security policies. Detailed standards and processes that support this policy are described in associated standards and procedures documentation. This document is for internal use only and is not to be distributed.

Table 1 - Revision History

Version   Date            Author   Description of Change
1.0                                Security Policy Created
1.2       November 2010            Security Policy Updates
2.0       April 2011      GWG      Update for PCI DSS v2.0
2.1       March 2012      TF       Update Doc references for NTP processes in Sect. 10
2.2       March 2012      ME       Formatting Updates
3.0       June 2014       JJB      Update for PCI DSS v3.0
3.1       July 2015       JDB      Update for PCI DSS v3.1 and format standardization
3.2       July 2016       MRS      Update for PCI DSS v3.2
4.0       July 2022       MAH      Update for PCI DSS v4.0


Contents

About this Document
Table 1 - Revision History
Contents
Introduction
Purpose / Scope
Security Policy Ownership and Responsibilities
Additional Process and Standards Documents Referenced by this Security Policy
Table 2 – Security Process and Standards Documents Referenced by Policy
2       Secure Configurations are applied to all system components
2.2     System components are configured and managed securely
Protect Stored Cardholder Data
3.1     Processes and mechanisms for protecting stored account data are defined and understood
3.2     Storage of account data is kept to a minimum
6       Development and Maintenance of Secure Systems and Software
6.3     Security Vulnerabilities are Identified and Addressed
6.4     Protection of Public-Facing Web Applications Against Attacks
8       Identify and Authenticate Access to System Components
8.2     User Identification and Related Accounts for Users and Administrators are Strictly Managed throughout an Account’s Lifecycle
8.3     Authentication for Users and Administrators
9       Restrict Physical Access to Cardholder Data
9.4     Securely Store, Access, Distribute, and Destroy Media with Cardholder Data
11      Regularly Test Security Systems and Processes
11.3    Vulnerability Assessment Scans
11.6    Change Detection on Payment Pages
Maintain an Information Security Policy
12      Support Information Security with Organizational Policies and Programs
12.8    Policies for Working with Third Party Service Providers (TPSPs)
12.10   Incident Response Plan Policies
Appendix A – Management Roles and Responsibilities
Assignment of Management Roles and Responsibilities for Security
Table A1 - Management Security Responsibilities
Appendix B – Agreement to Comply
Agreement to Comply with Information Security Policies

Introduction
To safeguard Bastinelli Creations LLC's information technology resources and to protect the confidentiality of data, adequate security measures must be taken. This Information Security Policy reflects Bastinelli Creations LLC's commitment to comply with required standards governing the security of sensitive and confidential information.

Bastinelli Creations LLC can minimize inappropriate exposure of confidential or sensitive information, loss of data, and inappropriate use of computer networks and systems by complying with reasonable standards (such as the Payment Card Industry Data Security Standard), attending to the proper design and control of information systems, and applying sanctions when violations of this security policy occur.

Security is the responsibility of everyone who uses Bastinelli Creations LLC's information technology resources: employees, contractors, business partners, and agents of Bastinelli Creations LLC. Each should become familiar with this policy's provisions and the importance of adhering to it when using Bastinelli Creations LLC's computers, networks, data, and other information resources. Each is responsible for reporting any suspected breaches of its terms. As such, all information technology resource users are expected to adhere to all policies and procedures mandated by the <Name of the Information Technology Organization at the entity>.

Purpose / Scope 
The primary purpose of this security policy is to establish rules to ensure the protection of confidential or sensitive information and of Bastinelli Creations LLC's information technology resources. The policy assigns responsibility and provides guidelines to protect Bastinelli Creations LLC's systems and data against misuse or loss.

This security policy applies to all users of computer systems, centrally managed computer systems, or computers that are authorized to connect to Bastinelli Creations LLC's data network. It may also apply to users of information services operated or administered by Bastinelli Creations LLC (depending on access to sensitive data, etc.). Individuals working for institutions affiliated with Bastinelli Creations LLC are subject to these same definitions and rules when they are using Bastinelli Creations LLC's information technology resources.

This security policy applies to all aspects of information technology resource security including, but not limited to, accidental or unauthorized destruction, disclosure, or modification of hardware, software, networks, or data.

This security policy has been written to specifically address the security of credit card data used by Bastinelli Creations LLC.

Credit card data stored, processed, or transmitted under Bastinelli Creations LLC's Merchant ID must be protected, and security controls must conform to the Payment Card Industry Data Security Standard (PCI DSS).

Cardholder data within this document is defined as the full Primary Account Number (PAN), which may also appear in conjunction with Cardholder Name, Service Code, or Expiration Date. Sensitive Authentication Data within this document is defined as the card validation code (CVC, CVV2, CID, CAV2, and CVC2), the credit card PIN, and any form of magnetic stripe data from the card (Track 1, Track 2). Account Data within this document is defined as any combination of Cardholder Data and Sensitive Authentication Data.

Security Policy Ownership and Responsibilities 
The manager is the assigned custodian of this Security Policy. It is the responsibility of the custodian to publish and disseminate these policies to all relevant Bastinelli Creations LLC system users (including vendors, contractors, and business partners). In addition, the custodian must see that the security policy addresses and complies with all standards Bastinelli Creations LLC is required to follow (such as the PCI DSS). This policy document will also be reviewed at least annually by the custodian (and any relevant data owners) and updated as needed to reflect changes to business objectives or the risk environment.

Questions or comments about this policy should be directed to the custodian listed above.


Additional Process and Standards Documents Referenced by this Security Policy
This policy document defines the Bastinelli Creations LLC security policies relating to the protection of sensitive data and particularly credit card data.  Details on Bastinelli Creations LLC standards and procedures in place to allow these policies to be followed are contained in other documents referenced by this policy.  Table 2 lists other documents that accompany this security policy document, which help define Bastinelli Creations LLC data security best practices.

Table 2 – Security Process and Standards Documents Referenced by Policy

Document Name                                      Location or Custodian
System Hardening and Configuration Standards       manager
Full Data Retention and Storage Procedures         manager
Vulnerability Discovery and Risk Ranking Process   manager
Operating Procedures                               manager
Service Provider Compliance Validation Process     manager
Incident Response Plan                             manager

2          Secure Configurations are applied to all system components
2.2       System components are configured and managed securely
In order to ensure system components are configured consistently and securely and reduce the opportunities available to an attacker, Bastinelli Creations LLC securely configures and manages system components as follows:

●      Configuration standards[1] shall be developed, implemented, and maintained to:

○      Cover all system components.

○      Address all known security vulnerabilities.

○      Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.

○      Be updated as new vulnerability issues are identified, as defined in PCI DSS Requirement 6.3.1.

○      Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment. (PCI DSS Requirement 2.2.1)

●      When a vendor default account is used, its default password shall be changed in accordance with PCI DSS Requirement 8.3.6.

●      When a vendor default account is not used, the account shall be removed or disabled. (PCI DSS Requirement 2.2.2)

Protect Stored Cardholder Data
3.1       Processes and mechanisms for protecting stored account data are defined and understood
Bastinelli Creations LLC ensures that documented processes and mechanisms for protecting stored account data are defined and understood, as follows:

●      All security policies and operational procedures that are identified in this section shall be documented, kept up to date, in use, and known to all affected parties. (PCI DSS Requirement 3.1.1)

●      Roles and responsibilities for performing activities in this section shall be documented, assigned, and understood.[2] 

3.2        Storage of account data is kept to a minimum
To ensure that sensitive data is securely destroyed or deleted as soon as it is no longer needed, Bastinelli Creations LLC maintains a formal data retention policy that identifies what data needs to be retained, for how long, and where that data resides, as follows:

●      Account data storage shall be kept to a minimum through implementation of data retention and disposal policies, procedures, and processes[3] that include at least the following:

○      Coverage for all locations of stored account data.

○      Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization.

○      Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements.

○      Specific retention requirements for stored account data that defines length of retention period and includes a documented business justification.

○      Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy.

○      A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable. (PCI DSS Requirement 3.2.1)

 

6          Development and Maintenance of Secure Systems and Software
All system components must have appropriate software patches applied to protect against the exploitation and compromise of account data by malicious individuals and malicious software.

Software patches must be evaluated and tested sufficiently to determine that they do not conflict with existing security configurations. For bespoke and custom software, numerous vulnerabilities can be avoided by applying software lifecycle (SLC) processes and secure coding techniques.

6.3       Security Vulnerabilities are Identified and Addressed.
●      Bastinelli Creations LLC will identify and manage security vulnerabilities as follows: (PCI DSS Requirement 6.3.1)

○      New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).

○      Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.

○      Risk rankings identify, at a minimum, all vulnerabilities considered to be high-risk or critical to the environment.

○      Vulnerabilities in bespoke and custom software, and in third-party software (for example, operating systems and databases), are covered.

●      All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: (PCI DSS Requirement 6.3.3)

○      Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.

○      All other applicable security patches/updates are installed within an appropriate time frame as determined by Bastinelli Creations LLC (for example, within three months of release).

6.4       Protection of Public-Facing Web Applications Against Attacks
●      All payment page scripts that are loaded and executed in the consumer's browser are managed as follows: (PCI DSS Requirement 6.4.3)

○      A method is implemented to confirm that each script is authorized.

○      A method is implemented to assure the integrity of each script.

○      An inventory of all scripts is maintained, with written justification as to why each is necessary.

8          Identify and Authenticate Access to System Components
It is critical to assign a unique identification (ID) to each person with access to critical systems or software. This ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Detailed authentication procedures should be developed and documented to meet the following policies.

8.2       User Identification and Related Accounts for Users and Administrators are Strictly Managed throughout an Account’s Lifecycle
●      Assign all users a unique ID before granting access to system components or cardholder data. (PCI DSS Requirement 8.2.1)

●      Only use group, shared, or generic accounts, or other shared authentication credentials, when necessary, on an exception basis and manage as follows: (PCI DSS Requirement 8.2.2)

o   Account use is prevented unless needed for an exceptional circumstance.

o   Use is limited to the time needed for the exceptional circumstance.

o   Business justification for use is documented.

o   Use is explicitly approved by management.

o   Individual user identity is confirmed before access to an account is granted.

o   Every action taken is attributable to an individual user.

●      Immediately revoke access for terminated users. (PCI DSS Requirement 8.2.5)

8.3       Authentication for Users and Administrators
●      All user access to system components for users and administrators is authenticated via at least one of the following authentication factors: (PCI DSS Requirement 8.3.1)

o   Something you know, like a password or passphrase.

o   Something you have, like a token device or smart card.

o   Something you are, like a biometric element.

●      When passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user as follows: (PCI DSS Requirement 8.3.5)

o   Set to a unique value for first-time use and upon reset.

o   Forced to be changed immediately after the first use.

●      When passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they must meet the following minimum level of complexity: (PCI DSS Requirement 8.3.6)

o   A minimum length of 12 characters (or if the system does not support 12 characters, a minimum length of 8 characters).

o   Contain both numeric and alphabetic characters.

●      Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases they have used. (PCI DSS Requirement 8.3.7)

●      When passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation), then either: (PCI DSS Requirement 8.3.9)

o   Passwords/passphrases are changed at least once every 90 days, OR

o   The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.

●      Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used: (PCI DSS Requirement 8.3.11)

o   Factors are assigned to an individual user and not shared among multiple users.

o   Physical and/or logical controls ensure only the intended account can use that factor to gain access.
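The 8.3.6 composition rules and the 8.3.7 reuse rule above are easy to state but are often implemented by comparing the new value against plaintext history, which is exactly the data a policy should never keep. The following is an added example, not Bastinelli Creations' own tooling: it stores only salted PBKDF2 digests of previous passwords, re-derives the candidate with each stored salt, compares in constant time, and only looks back the four entries the policy names. The `min_length` parameter covers the "8 characters where the system does not support 12" carve-out. All names, the iteration count, and the sample history are assumptions for illustration.

```python
"""Password/passphrase checks for PCI DSS Requirements 8.3.6 (length and
composition) and 8.3.7 (no reuse of the last four). Added example with
constructed data; not Bastinelli Creations' own tooling."""
import hashlib
import hmac
import os

MIN_LENGTH = 12          # 8.3.6: 12 characters, or 8 where the system cannot support 12
HISTORY_DEPTH = 4        # 8.3.7: a new value may not match any of the last four
PBKDF2_ROUNDS = 100_000  # kept low for the example; use a higher count or a memory-hard KDF in production


def policy_violations(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the 8.3.6 rules the candidate password breaks (empty list = compliant)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 digest; history stores (salt, digest), never plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history(password: str, history: list) -> bool:
    """True if the candidate equals any of the last HISTORY_DEPTH stored passwords.

    history is ordered most recent first; each entry is (salt, digest) from hash_password.
    The candidate is re-derived with each entry's own salt and compared in constant time.
    """
    for salt, digest in history[:HISTORY_DEPTH]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def validate_new_password(password: str, history: list, min_length: int = MIN_LENGTH) -> list:
    """Combined 8.3.6 + 8.3.7 check; returns the list of violations (empty = accept)."""
    problems = policy_violations(password, min_length)
    if matches_history(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed history: five previous values, most recent first (hypothetical data).
    history = [hash_password(f"OldPassw0rd-{i}") for i in range(5)]
    for candidate in ("OldPassw0rd-0", "OldPassw0rd-4", "short1", "NewPassphrase-2025"):
        print(candidate, validate_new_password(candidate, history) or "accepted")
```

Because the history holds only (salt, digest) pairs, a leak of the history table does not expose old passwords, and the fifth-most-recent value is deliberately accepted again, which is what "last four" means in practice.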

9          Restrict Physical Access to Cardholder Data
Any physical access to locations that house cardholder data provide the opportunity for individuals to access data and to remove hardcopies and should be appropriately restricted. Detailed physical security procedures should be developed and documented to meet the following policies.

 

9.4       Securely Store, Access, Distribute, and Destroy Media with Cardholder Data
●      Bastinelli Creations LLC will define specific procedures[4] to physically secure all media containing cardholder data, including but not limited to paper receipts and paper reports. (PCI DSS Requirement 9.4.1)

●      Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility and review the security of storage locations at least once every 12 months. (PCI DSS Requirement 9.4.1.1)

●      Classify all media with cardholder data in accordance with the sensitivity of the data. (PCI DSS Requirement 9.4.2)

●      Maintain strict control over the external distribution of media with cardholder data, including the following: (PCI DSS Requirement 9.4.3)

o   Media sent outside the facility is logged.

o   Media is sent by secured courier or another delivery method that can be accurately tracked.

o   Media transfer logs show management approval and tracking information, and are retained.

●      Management approves all media with cardholder data that is moved from a secured area, including when media is distributed to individuals. (PCI DSS Requirement 9.4.4)

●      Destroy hard-copy materials containing cardholder data when they are no longer needed for business or legal reasons, as follows: (PCI DSS Requirement 9.4.6)

o   Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.

o   Materials are stored in secure storage containers prior to destruction.

11       Regularly Test Security Systems and Processes
Vulnerabilities are continually being introduced by new software and discovered in current software. System components, processes, and bespoke and custom software must be tested frequently to ensure security controls continue to reflect a changing environment. Detailed testing procedures[5] should be developed and documented to meet the following policies.

11.3     Vulnerability Assessment Scans
●      External vulnerability scans must be performed as follows: (PCI DSS Requirement 11.3.2)

o   At least once every three months, by an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC).

o   After any significant change to the cardholder data environment (for example, changes to firewall rules or upgrades to products within the environment), either by an ASV or by qualified personnel. (PCI DSS Requirement 11.3.2.1)

o   Against all external IP addresses that could be used to gain access to the cardholder data environment.

o   Any vulnerability scored 4.0 or higher by the CVSS must be resolved, with rescans performed as needed, until a passing scan is achieved as defined in the ASV Program Guide.

●      Results of each quarterly external vulnerability scan, and of any rescans, must be documented and retained for review. (PCI DSS Requirement 11.3.2)

11.6     Change Detection on Payment Pages
●      Deploy a change-detection mechanism to alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the HTTP headers and the contents of payment pages as received by the consumer browser.  This mechanism is configured to evaluate the received HTTP header and payment page at least once every seven days or periodically at a defined frequency that is the result of targeted risk analysis which is performed according to all elements specified in Requirement 12.3.1. (PCI DSS Requirement 11.6.1) 
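Requirement 6.4.3 (script authorization, integrity and inventory) and Requirement 11.6.1 (change detection on the headers and content the consumer browser receives) are the two controls in this policy that can be checked mechanically. The following is an added example, not Bastinelli Creations' own tooling: it keeps a script inventory keyed by URL with a Subresource Integrity (SRI) hash and written justification, parses a payment page for external `<script>` tags and reports anything unauthorized, missing an `integrity` attribute, or carrying a hash that differs from the inventory, and separately compares a baseline snapshot of security-relevant response headers and page content against a later observation. The page, headers, script body and hostnames are constructed for the example; nothing here is a real site or a real incident.

```python
"""Payment-page script inventory check (PCI DSS 6.4.3) and change detection
(PCI DSS 11.6.1). Added example; hypothetical URLs and constructed inputs."""
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384-<base64>) for a script body."""
    digest = hashlib.sha384(content).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class _ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append((a["src"], a.get("integrity")))


def check_scripts(html: str, inventory: dict) -> list:
    """6.4.3: every script must be in the inventory and carry the expected SRI hash."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        entry = inventory.get(src)
        if entry is None:
            findings.append(f"unauthorized script: {src}")
        elif integrity is None:
            findings.append(f"missing integrity attribute: {src}")
        elif integrity != entry["sri"]:
            findings.append(f"integrity mismatch: {src}")
    return findings


# Headers whose change on a payment page is treated as a potential indicator of compromise.
WATCHED_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")


def snapshot(headers: dict, body: str) -> dict:
    """Baseline record of what the consumer browser receives: watched headers + content hash."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {
        "headers": {h: lowered.get(h) for h in WATCHED_HEADERS},
        "body_sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
    }


def detect_changes(baseline: dict, observed: dict) -> list:
    """11.6.1: report header and content changes relative to the baseline snapshot."""
    findings = []
    for name, expected in baseline["headers"].items():
        actual = observed["headers"].get(name)
        if actual != expected:
            findings.append(f"header changed: {name}: {expected!r} -> {actual!r}")
    if baseline["body_sha256"] != observed["body_sha256"]:
        findings.append("payment page content changed")
    return findings


# --- constructed sample data (hypothetical hosts, not real files) ---
CHECKOUT_JS = b"// constructed checkout script\nconsole.log('checkout');\n"
CHECKOUT_URL = "https://checkout.example.invalid/checkout.js"
INVENTORY = {
    CHECKOUT_URL: {"sri": sri_hash(CHECKOUT_JS), "justification": "tokenizes card data"},
}
BASELINE_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://checkout.example.invalid",
    "Strict-Transport-Security": "max-age=31536000",
}
CLEAN_PAGE = (
    '<html><body><script src="{src}" integrity="{sri}" crossorigin="anonymous"></script>'
    "</body></html>"
).format(src=CHECKOUT_URL, sri=INVENTORY[CHECKOUT_URL]["sri"])
# Observation with an extra, uninventoried script injected and the CSP header gone.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<script src="https://cdn.example.invalid/analytics.js"></script></body>'
)
TAMPERED_HEADERS = {"Strict-Transport-Security": "max-age=31536000"}


def run_checks() -> dict:
    baseline = snapshot(BASELINE_HEADERS, CLEAN_PAGE)
    observed = snapshot(TAMPERED_HEADERS, TAMPERED_PAGE)
    return {
        "clean_scripts": check_scripts(CLEAN_PAGE, INVENTORY),
        "tampered_scripts": check_scripts(TAMPERED_PAGE, INVENTORY),
        "changes": detect_changes(baseline, observed),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings or "OK")
```

Run against a page fetched the way a consumer browser would fetch it (same host, same headers), on the schedule the policy sets; the script check and the snapshot comparison answer different questions (is each script one we approved, and has anything changed since last time), so keep both findings lists.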

Maintain an Information Security Policy
Without strong security policies and procedures, many of the layers of security controls become ineffective at preventing a data breach. Unless consistent policy and practices are adopted and followed at all times, security controls break down through inattention and poor maintenance. The following policies address maintaining the Bastinelli Creations LLC security policies described in this document.

12       Support Information Security with Organizational Policies and Programs
A strong security policy sets the security tone for Bastinelli Creations LLC and informs employees and vendors what is expected of them. All employees and vendors should be aware of the sensitivity of data and their responsibilities for protecting it. 

            

12.8     Policies for Working with Third Party Service Providers (TPSPs)
●      Due diligence must be performed before engaging any new service provider, and current service providers that store, process, or transmit cardholder data on Bastinelli Creations LLC's behalf, or that could otherwise affect the security of cardholder data, must be monitored. Such service providers are in scope of this policy.

●      Bastinelli Creations LLC shall maintain a documented list[6] of all applicable service providers in use and the services they provide. (PCI DSS Requirement 12.8.1)

●      A written agreement with all applicable service providers is required and must include an acknowledgement of the service providers’ responsibility for securing all cardholder data they receive from or on behalf of Bastinelli Creations LLC, or to the extent that they could affect the security of a cardholder data environment (PCI DSS Requirement 12.8.2).  In addition, the service provider must agree to provide compliance validation evidence on an annual basis. (PCI DSS Requirement 12.8.4).  Prior to engaging with an applicable service provider, a thorough due diligence process[7] should be followed. (PCI DSS Requirement 12.8.3)

●      Bastinelli Creations LLC shall review the PCI DSS attestation of compliance form(s) of its third-party service providers and confirm that each is PCI DSS compliant for the services being used by the merchant. (PCI DSS Requirement 12.8.4)

●      Bastinelli Creations LLC shall maintain a list[8] of which PCI DSS requirements are managed by each service provider, which are managed by Bastinelli Creations LLC, and any that are shared between the service provider and Bastinelli Creations LLC. (PCI DSS Requirement 12.8.5)

12.10   Incident Response Plan Policies
Incidents or suspected incidents regarding the security of the Cardholder Data Environment or cardholder data itself must be handled quickly and in a controlled, coordinated and specific manner.  An incident response plan (IRP) must be developed and followed in the event of a breach or suspected breach.  The following policies specifically address the Bastinelli Creations LLC IRP[9]:

●      Bastinelli Creations LLC must maintain a documented IRP and be prepared to respond immediately to a suspected or confirmed security incident. (PCI DSS Requirement 12.10.1)

●      The IRP must clearly define roles and responsibilities for response team members. (PCI DSS Requirement 12.10.1)

●      The IRP must define contact/communication strategies to be used in the event of a compromise including notification of payment brands.  (PCI DSS Requirement 12.10.1)

●      The IRP must define specific incident response procedures to be followed for different types of incidents.  (PCI DSS Requirement 12.10.1)

●      The IRP must document business recovery and continuity procedures.  (PCI DSS Requirement 12.10.1)

●      The IRP must detail all data backup processes.  (PCI DSS Requirement 12.10.1)

●      The IRP must contain an analysis of all legal requirements for reporting compromises of cardholder data (for example, California Senate Bill 1386, codified at California Civil Code Section 1798.82, which requires notification of affected consumers in the event of an actual or suspected compromise of California residents' data).  (PCI DSS Requirement 12.10.1)

●      The IRP must address coverage and responses for all critical system components.  (PCI DSS Requirement 12.10.1)

●      The IRP must include or reference the specific incident response procedures from the payment brands.  (PCI DSS Requirement 12.10.1)


Appendix A – Management Roles and Responsibilities
Assignment of Management Roles and Responsibilities for Security
The following table records the assignment of management roles for the security processes described in this security policy.

Table A1 - Management Security Responsibilities

Name of Role, Group, or Department   Date Assigned   Description of Responsibility
MANAGEMENT                           January 2020    Establish, document, and distribute security policies
MANAGEMENT                           January 2020    Monitor, analyze, and distribute security alerts and information
MANAGEMENT                           January 2020    Establish, document, and distribute security incident response and escalation policies
MANAGEMENT                           January 2020    Administration of user accounts on systems in the cardholder data environment
MANAGEMENT                           January 2020    Monitor and control all access to cardholder data

Appendix B – Agreement to Comply
Agreement to Comply with Information Security Policies 
All employees working with cardholder data must submit a signed paper copy of this form.  Bastinelli Creations LLC management will not accept modifications to the terms and conditions of this agreement.

 

Bastien COVES 

_________________________________________

Employee’s Printed Name

Management

_________________________________________

Employee’s Department

______4077854050____________________________________

Employee’s Telephone Number

______109 HANGAR ROAD, KISSIMMEE, FL 34741____________________________________

Employee’s Physical Address and Mail Location 

I, the user, agree to take all reasonable precautions to assure that Bastinelli Creations LLC internal information, or information that has been entrusted to Bastinelli Creations LLC by third parties, such as customers, will not be disclosed to unauthorized persons. At the end of my employment or contract with Bastinelli Creations LLC, I agree to return to Bastinelli Creations LLC all information to which I have had access as a result of my position with Bastinelli Creations LLC. I understand that I am not authorized to use this information for my own purposes, nor am I at liberty to provide this information to third parties without the express written consent of the internal Bastinelli Creations LLC manager who is the designated information owner.

I have access to a copy of the Bastinelli Creations LLC Information Security Policies Manual, I have read and understand the manual, and I understand how it affects my job. As a condition of continued employment at Bastinelli Creations LLC, I agree to abide by the policies and other requirements found in that manual. I understand that non-compliance will be cause for disciplinary action up to and including system privilege revocation, dismissal from Bastinelli Creations LLC, and perhaps criminal and/or civil penalties.

I agree to choose a difficult-to-guess password as described in the Bastinelli Creations LLC Information Security Policies Manual, I agree not to share this password with any other person, and I agree not to write this password down unless it has been transformed in an unrecognizable way.

I also agree to promptly report all violations or suspected violations of information security policies to the director of the Information Security department or identified responsible team.

_____________________________ _____________

Employee’s Signature


 
[1] System Hardening Standards
[2] PCI Security Roles and Responsibilities Matrix
[3] Data Retention Policy
[4] See the Physical Security Procedures document.
[5] See the Operating Procedures document.
[6]
[7] See the Service Provider Compliance Validation Process document.
[8] See the Service Provider Compliance Validation Process document.
[9] See the Incident Response Plan document.