Privacy Policy

Effective Date/Last Modified: March 20, 2025

1. Introduction

Bastazo, Inc., an Arkansas corporation (“Company”, “we”, “us” or “our”), respects your privacy and is committed to protecting it through our compliance with this privacy policy (“Policy”).

This policy describes the types of information we may collect from you or that you may provide when you visit the website https://www.bastazo.com (our “Website”) and/or enter into a relationship with the Company for the provision of the Company’s operational technology security services, or any of our related services (collectively, our “Services”), and our practices for collecting, using, maintaining, protecting, and disclosing that information. This Policy has been crafted to align with international data protection standards and to address the complexities inherent in securing industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) environments.

By using the Website, or by providing personally identifiable information to us, you expressly consent to the collection and use of the information as described in this Policy. The purpose of this Policy is to provide you with clear and understandable information about our privacy practices.

2. Information We Collect

In the course of providing our Services, we may collect, receive, and process various categories of personal and technical data, including but not limited to the following:

  • Contact and identity information: full name, job title, employer, business address, professional email address, and telephone number.
  • Account and credential information: usernames, passwords, authentication tokens, and associated metadata required for access to our platforms and Services.
  • Technical and network data: Internet Protocol (“IP”) addresses, device identifiers, MAC addresses, system logs, session data, usage metrics, geolocation data, and related metadata collected during system interactions.
  • Client-supplied data: documentation and digital files voluntarily uploaded by clients, including network diagrams, security configurations, software inventories, vulnerability reports, and system architecture schematics.
  • Third-party data sources: information obtained through authorized integrations with external platforms and services, subject to your prior consent.

When you visit our Website, we may collect the following types of information through automated means or user-submitted forms:

  • Usage data: browser type, operating system, pages visited, time spent on pages, and clickstream data.
  • Device and technical information: IP address, device identifiers, and geolocation data.
  • Cookies and tracking technologies: we use or may use “cookies”, web beacons, and similar technologies to enhance user experience and analyze website traffic. Users can manage cookie preferences via their browser settings or through a cookie consent tool provided on our website.
  • Contact forms and submissions: information voluntarily submitted, such as name, email address, company name, and message content.

We may use both session cookies and persistent cookies to better understand how you interact with our Website and our Services, to monitor aggregate usage by our users and web traffic routing on our Website, and to improve our Website and Services. Authorized third parties may also place their own cookies on our Website and may collect personal information. For more information about how we use cookies and the cookies you are consenting to use by visiting our website, review our Cookie Policy attached as Exhibit A to this Policy.

3. Methods of Data Collection

Data is collected through multiple channels to ensure accuracy and completeness:

  • Direct collection: information provided directly by clients through onboarding, contractual engagements, and ongoing service interactions.
  • Automated collection: deployment of proprietary and third-party tools that facilitate real-time data collection during security assessments, monitoring, and analytics.
  • Third-party integrations: data collected via integration with external systems, applications, and data feeds, as explicitly authorized by our clients.
  • Website collection: data collected automatically through your interaction with our Website.

4. Use of Information

The information we collect is processed for purposes including, but not limited to, the following:

  • Service provision: to deliver, manage, and optimize our OT security services, including risk assessment, threat intelligence, incident response, and remediation planning.
  • Analytics and service improvement: to analyze trends, measure performance, and enhance the quality and effectiveness of our offerings.
  • Regulatory compliance: to comply with applicable legal obligations, regulatory requirements, industry standards (e.g., NIST SP 800-82, ISO/IEC 27001), and contractual commitments.
  • Marketing and business development: to inform clients and prospective clients of our services, industry developments, and promotional activities, in accordance with relevant data protection laws.
  • Website data uses:
    • To operate, maintain, and improve our Website and Services.
    • To respond to inquiries submitted through our contact forms.
    • To analyze website traffic and usage patterns for performance optimization.
    • To comply with legal obligations and enforce website terms of use.
    • To provide marketing communications, subject to user consent where required by law.

5. Disclosure of Information

We may disclose personal and technical information to the following categories of recipients:

  • Affiliates and subsidiaries: entities within our corporate group, subject to equivalent data protection obligations.
  • Service providers and sub-processors: third parties who provide technical support, hosting, analytics, or other services integral to our operations, pursuant to appropriate data processing agreements.
  • Regulatory authorities and legal requests: governmental agencies, regulatory bodies, or law enforcement pursuant to lawful requests, subpoenas, or legal mandates.
  • Corporate transactions: in connection with any merger, acquisition, asset sale, or other business reorganization, subject to appropriate confidentiality obligations.

6. Legal Basis for Processing (Where Applicable)

In jurisdictions subject to comprehensive data protection laws, including but not limited to the General Data Protection Regulation (EU and UK GDPR) and the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), we rely on the following lawful bases:

  • Contractual necessity: processing necessary for the performance of a contract to which the data subject is a party.
  • Legitimate interests: processing necessary for the purposes of our legitimate interests, provided such interests are not overridden by the data subject’s rights.
  • Legal obligations: processing required for compliance with a legal or regulatory obligation.
  • Consent: processing based on the data subject’s explicit consent, particularly for marketing and non-essential data collection.

7. International Data Transfers

We may transfer personal data to jurisdictions outside the European Economic Area (EEA), including the United States and the United Kingdom. Such transfers are conducted in compliance with applicable data protection laws and are safeguarded through mechanisms such as:

  • European Commission Standard Contractual Clauses (SCCs).
  • UK International Data Transfer Addendum.
  • Binding Corporate Rules (BCRs) or equivalent certifications.

8. Data Security

We endeavor to implement and maintain robust and comprehensive security measures designed to protect the confidentiality, integrity, and availability of data, including:

  • Encryption: use of advanced encryption standards (e.g., AES-256) for data at rest and TLS for data in transit.
  • Access controls: role-based access, multi-factor authentication (MFA), and least privilege principles.
  • Network security: deployment of firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and network segmentation.
  • Monitoring and logging: continuous monitoring, audit logging, and anomaly detection.
  • Security assessments: regular vulnerability scanning, penetration testing, and third-party security audits.

9. Data Retention and Disposal

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy, or as required by applicable laws, including but not limited to statutory retention periods under U.S. federal and state regulations, UK Data Protection Act 2018, and EU GDPR. Upon expiration of the retention period, we implement secure disposal methods, such as cryptographic erasure and secure file deletion, in accordance with NIST SP 800-88 (Guidelines for Media Sanitization).

10. Data Subject Rights

Subject to jurisdiction-specific laws, you may exercise the following rights regarding the collection and use of your data:

  • Right of access: obtain confirmation as to whether personal data is being processed and access to such data.
  • Right to rectification: request correction of inaccurate or incomplete data.
  • Right to erasure: request deletion of personal data where legally permissible.
  • Right to restrict processing: request limitation on data processing under certain conditions.
  • Right to data portability: receive personal data in a structured, commonly used, and machine-readable format.
  • Right to object: object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent: withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.

We provide an opt-out choice for most types of communication, such as updates from us regarding new services and product releases (if any). You may opt out from the use of your personal information for those non-required communications. Your opt-out choice may be exercised by clicking on the link provided in the emails you receive or by sending an unsubscribe request to support@bastazo.com.

Clients cannot opt out of certain communications that are necessary for the provision of our Services. For example, we may use your email address to confirm your opening of an account, to send you notice of payments, to send you information about changes to our products and services, to provide those products or services, and to send notices and other disclosures as required by law. We may also communicate by phone to resolve customer complaints or investigate suspicious transactions. 

11. State Privacy Rights

California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia provide (now or in the future) their state residents with rights to:

  • Confirm whether we process their personal information.
  • Access and delete certain personal information.
  • Correct inaccuracies in their personal information, taking into account the information's nature and processing purpose (excluding Iowa and Utah).
  • Data portability.
  • Opt out of personal data processing for:
    • targeted advertising (excluding Iowa);
    • sales; or 
    • profiling in furtherance of decisions that produce legal or similarly significant effects (excluding Iowa and Utah).
  • Either limit (opt out of) or require consent to process sensitive personal data.

The exact scope of these rights may vary by state. To exercise any of these rights or to appeal a decision regarding a consumer rights request, please contact support@bastazo.com. Requests to exercise these rights will be addressed in accordance with applicable legal requirements.

12. Children’s Data

Our business is not focused on, nor do we knowingly collect information from children under the age of 13. If a parent or guardian becomes aware that his or her child under 13 has provided us with personally identifiable information, he or she should contact us at support@bastazo.com. If we become aware that a child under 13 has provided us with personally identifiable information, we will remove that information.

13. Changes to this Policy

We reserve the right to amend or update this Policy at our discretion to reflect changes in legal obligations, technological advancements, or business practices. The latest version will be published on our Website, and the effective date of the most recent revision will be clearly indicated. We encourage periodic review of this Policy to stay informed.

14. Contact Us

For questions, concerns, or requests regarding this Policy or our data protection practices, please contact us at support@bastazo.com.

EXHIBIT A

COOKIE POLICY

By visiting our Website with your browser settings adjusted to accept cookies, you consent to our use of cookies as described in this policy.

What Are Cookies?

Cookies are small data files that are stored on your computer or other device when you visit a website. They allow the site to recognize your device on subsequent visits and remember your preferences.

Our Use of Cookies

We use cookies to allow our systems to recognize your device and collect website usage data. Cookies allow us to understand how our Website is used and to improve our Website and our Services. Some cookies may collect personal data in order to perform their intended functions. 

We may use both session cookies and persistent cookies to better understand how you interact with the Website. In addition, please be aware that other parties may also place their own cookies on the Website, and may collect or solicit personal information from you. A session cookie enables certain features of the website and is deleted from your computer when you disconnect from or leave the Website. A persistent cookie remains after you close your browser and may be used by your browser on subsequent visits to the Website.

We may match information we gather from cookies with other information you provide to us. We will only use such information as described in our Policy that is posted on our Website.

Cookie Type

Strictly necessary cookies

Anonymous cookies that allow visitors to navigate around our Website, use its features and access secure areas. The information gathered by these cookies may be used for security purposes, but is not used for marketing purposes. If the use of this type of cookie is not allowed, certain parts of our Website may not be used.

Analytics cookies

Anonymous cookies that help us improve our website by collecting information about how visitors use our Website. For example, we track what pages are visited the most often and what error messages are shown. Google Analytics cookies are an example of this type of cookie.

The information gathered by these cookies is not used for targeted marketing and is not distributed to third parties.

Functionality cookies

Functionality cookies that allow us to remember visitor choices and preferences. Based on this information, we can show you more relevant information. For example, we may gather country and language preferences.

If you do not allow the use of this type of cookie, it will prevent the use of certain parts of our Website and will prevent us from remembering your preferences.

Advertising cookies

With our permission, this type of cookie is placed on our Website by third parties such as advertising networks. These cookies are used to:

  • Show relevant and personalized advertisements;
  • Measure the effectiveness of an advertising campaign; or
  • Remember your visit and share data collected with third parties, such as advertisers. Often these cookies are linked to website functionality provided by the third party.

Social Media cookies

Social media cookies collect information about social media usage. We may partner with third parties to provide you with connections to certain social networks, such as Facebook, Twitter, and LinkedIn, and to provide you with additional features. These cookies may also provide to the third parties the information about your visit so that they can present you with advertisements for our Services which may be of interest to you and help us track the effectiveness of our marketing efforts.

How to Block or Restrict Cookies

If you do not want us to place cookies on your device you can modify your browser settings. The “Help” feature on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies. Additionally, you can disable or delete similar data used by browser add-ons, such as Flash cookies, by changing the add-on’s settings or visiting the website of the add-on’s manufacturer. Please note that you may not be able to use certain parts of our Website if you block cookies.