Privacy Policy

Bastion - Privacy Notice

Welcome to Bastion Platforms US, LLC website (https://bastion.com/) (the "Site"). We are called "we", "us", "our", or "Bastion" in this Privacy Notice (the "Notice").

Bastion provides web 3.0 infrastructure services, including enabling creating and purchasing non-fungible tokens (“NFTs”) (our "services") to organizations (our “Customers”).

This Notice explains how we use information about you if:

• you visit and browse our Site.
• you contact us.
• you sign up for newsletters or other marketing from us.
• you work for one of our Customers.

Under UK and EU data protection law, Bastion is the data controller. 

If you use our Customer’s services: 

• that Customer is usually the data controller. Please contact the Customer for their privacy notice. 
• Bastion is a separate data controller for limited ways we manage your Bastion wallet and work to improve our services, which we explain here. 

We collect:

Account information (user ID).

Bastion wallet information (public wallet address, private key).

We use this to:

• carry out NFT and other digital asset actions connected to your Bastion wallet
• enable private key recovery.

Our legal reason for this is:

We do this to comply with our legal obligations, in our legitimate interest (in complying with our agreement with the Customer that is providing services to you), or with your consent. 

We collect:

Account information and Bastion wallet information.

Usage information including technical, browsing and location information (as explained below, under 'If you visit and use our Site').

Communications information (as explained below, under 'If you contact or engage with us') including your feedback about Bastion.

We use this to:

• understand how you use our Site and services, and analyze and improve our Site and services (including our marketing).
• share aggregated and anonymized analytics and insights. 
• keep our Site and services secure, including taking steps to detect and prevent fraud.

Our legal reason for this is:

We do this in our legitimate interest (where we consider these are not overridden by your rights) or, where required, with your consent. 

We will keep this information for as long as necessary (usually the length of the agreement with the Customer and for six years after the agreement ends). 

Please also read: Who do we share your information with?, Where do we store your information?, and What rights do you have?

What information do we collect and how do we use it?

Here we explain what personal information we collect about you, how we use it, and the relevant legal reason (called a 'lawful basis') for each way that we use it. 

If you'd like to learn more about the legal reasons we can use personal information, we explain these in the "What do each of these legal reasons mean?" section below.

If you visit and use our Site

We collect:

Technical information - Technical information may include: Internet Protocol (IP) address, login information, browser type and version, browser plug-in types and versions, device IDs, social login ID/email address, time zone setting, operating system and platform, hardware version, device settings (e.g. language and time zone), file & software names and types (associated with your device and/or the Services), battery & signal strength, information relating to your mobile operator or Internet Service Provider (ISP).

Browsing information - Information about your Site visit may include: the full Uniform Resource Locators (URL), clickstream to, through and from our Site (including date and time), pages and services you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), demographic information (including age and gender), traceable campaign links (e.g. in emails, or via tracking URLs) or other information from analytics, advertising or search engine providers, methods used to browse away from the page.

Location data (only if you opt-in) - Location data includes coordinates (latitude/longitude) of your location, country or region (based on your full or partial IP address), and/or Google Analytics information. We may combine this with your Identifier for Advertisers (IFA) or ID for Vendors (IDFV) code for your Apple device or the Android ID for your Android device or a similar device ID, so we can recognize your mobile browser or device when you return to the Site.

We only collect location data if you give us permission (via our website cookie banner). You can change this permission by changing your cookie, browser or device settings (as applicable).

We use this to:

• understand how individuals use our Site and services, and how we can improve.
• ensure content on our Site is presented effectively for you and for your device.
• provide you with information and services you request from us or we think you may be interested in.
• provide location services (if you ask or permit us to), so we can deliver content or other services that are dependent on knowing where you are, like checking for fraudulent transfers and transactions.
• if you visit our website and opt-in to cookies, we may display Bastion ads to you on other websites

Our legal reason for this is:

We do this in our legitimate interests (where we consider these are not overridden by your rights) or, where required, with your consent  (e.g. to non-strictly necessary cookies).

If you contact or engage with us

We collect:

Contact information including basic contact information you choose to provide, for example:

• first and last name 
• work email address and phone number(s)
• company role/title 
• company name and address.
• sector / industry.

Communications information including your correspondence with us, for example if you get in touch with us to report a problem with our Site. This includes:

• emails
• texts & other digital messaging
• phone, audio or video calls
• any in-person conversations you have with us.

Event information, including registration, attendance and any accessibility requirements and dietary preferences.

We use this to:

• contact you if you have asked us to do so, including to respond to your queries, troubleshoot problems, and help with any issues you may have with our Services.
• provide you with information you might request about our Services.
• provide and administer in-person or virtual events for potential or current customers, including product demos.
• provide you with technical and other service updates (for example, if we update any Terms of Service).

Our legal reason for this is:

We do this in our legitimate interests (where we consider these are not overridden by your rights).

We may also do this to take steps to enter into any contract with you or to fulfill our obligations under any contract with you (including our Terms of Service with you).

Where required, we do this with your consent.

If you sign up for updates or other marketing from Bastion

We collect:

Contact information (as explained above).

Marketing preferences about what information you would or would not like to receive from us, and if you have opted out of any direct marketing.

We use this to:

• send you our newsletter, updates and other marketing material.
• send you surveys, campaigns or other occasional activities.
• ask you for feedback, including through surveys and other marketing research.

We may send these via emails or text, depending on your preferences.

Our legal reason for this is:

Where required, we do this with your consent. In certain circumstances, we may do this in our legitimate interests (where we consider these are not overridden by your rights).

You can opt-out of further marketing at any time by selecting the "unsubscribe" link at the end of our marketing emails.

If you contact or engage with us

We collect:

Contact information (as explained above).

Communications information including your correspondence with us, for example if you ask us questions about our services (including digital asset and key management; wallet and ledger management; risk and compliance, or analytics) or our agreement with the Customer you work for, or if you provide us with feedback. This includes:

• emails
• texts & other digital messaging
• phone, audio or video calls
• in-person conversations you have with us.

Compliance information including government identifiers, passports or other identification documents, dates of birth, beneficial ownership data, and due diligence data. 

We use this to:

• carry out and comply with our agreement with the Customer, including for any trial periods.
• administer and manage our product offering tiers and fees, invoicing and billing.
• administer and manage our relationship with the Customer, including communicating with you about administrative, legal and business matters.
• to comply with our legal obligations, including carrying out required checks on new customers, and to prevent money laundering or fraud.

Our legal reason for this is:

We do this in our legitimate interests (where we consider these are not overridden by your rights) in complying with Bastion’s agreement with the Customer you work for. 

If you apply to work for Bastion  

We collect:

Contact information (as explained above).

ID information including citizenship, nationality, passport or government ID, national insurance or identity number.

‍Communications (as explained above) and including information collected during any application, interview and assessment process.

‍Resume/CV information including education and work experience, skills and languages, professional qualifications, honors and awards, and references.

‍Background check information including criminal offense and other information obtained through background checks. 

We use this to:

• administer and process your application, assess your eligibility for a role and communicate with you about your application.
• conduct background checks and right to work or visa and immigration checks, where relevant and appropriate to the role you are applying for.
• comply with our legal obligations and employment-related requirements, including under income tax and national insurance requirements, and employment and immigration laws.

Our legal reason for this is:

We do this in our legitimate interests (where we consider these are not overridden by your rights) or, where required, we do this with your consent.

We may also do this to take steps to enter into any contract with you or to fulfill our obligations under any contract with you.

For certain sensitive data, we do this where necessary to carry out our obligations and to exercise Bastion or your specific rights in the field of employment and social security and social protection law; where necessary for reasons of substantial public interest; or, where required, with your explicit consent. 

Managing our business 

We may also need to process any of your personal information:

• in our legitimate interest in establishing, bringing or defending legal claims
• to comply with our legal obligations.

We do not make any automated decisions about you which have a legal or other significant effect on you.

Who do we share your information with?

We may share your personal information with:

• our group companies. 
• our service providers, who only process your personal information on our behalf, as necessary to perform their support functions, and follow our instructions and data protection law. Service providers help us with website and data hosting, communication distribution, marketing lists management, customer service, market research, consultants, IT support and other services.
• our auditors, legal advisers and other professional advisers.
• potential investors, donors or financial backers, or in the context of any potential restructuring, sale, purchase or merger.
• any person to whom disclosure is necessary for us to protect our rights, property, or safety, our clients, or other third parties, and to enforce our rights under this Notice or under any agreement with you. This includes exchanging information with other companies and organizations for the purposes of detecting and preventing fraud and cyber-crime or other crime.
• if required to do so by court order or if we are under a duty to disclose your information to comply with (and/or where we believe we are under a duty to comply with) any legal obligation. This includes exchanging information with law enforcement agencies, regulators, or other similar government bodies.

Where do we store your information?

Bastion is based in the United States, and provides its services internationally. We may transfer your personal information outside the UK or outside of the EEA:

• to store it.
• to provide our services to you.
• to support our operations and management.
• where we are legally required to do so.

We will put legal protections in place to safeguard personal data transfers in compliance with data protection laws. These legal protections may include approved standard contractual clauses or adequacy decisions – for more information, please contact us at dataprivacy@bastion.com. 

How do we protect your information?

Information security is critical to Bastion. Our website uses secure end-to-end encryption to protect your information. All connections into our platform are secured using industry standard security and encryption.

All data we capture is stored in secured databases and data storage systems with strict access limitations. All data access requests are logged and monitored in accordance with any threat detection policies.

Bastion maintains an information security program designed to reasonably identify, respond to and mitigate risks to data. We deploy physical and logical security controls and conduct regular assessment and testing of such controls. 

Unfortunately, the transmission of information via the internet is not completely secure. We do our best to protect your personal information, but we cannot guarantee the security of your data transmitted to us, any transmission is at your own risk. Once we have received your information, we use strict procedures and security features to try to prevent unauthorized access.

Other websites

We may sometimes link to other websites. We are not responsible or liable for these websites, any content on them, or their policies and notices. A link does not mean we endorse the views of the linked website. We have no control over the availability of any of these websites.

How long do we keep your information for?

We will usually keep personal information:

• for as long as necessary for the original reasons we collected it, and
• for up to six years after that to identify any issues and resolve any legal proceedings.

We may keep your personal information for a longer period:

• in the event of a complaint,
• if we reasonably believe there is a prospect of legal proceedings,
• if we are aware of pending or ongoing legal proceedings, or
• in some circumstances, if applicable law says we must.

If you opt in to marketing from us, we will keep your relevant personal information for as long as you are receiving marketing. If you later decide to opt out (or object to any other use of your personal information), we may keep a record of your opt-out or objection so we can respect your preferences and demonstrate our compliance.

Anonymized data

We may anonymize your personal data to create anonymized data (like aggregated statistics). You cannot be identified from anonymized data, and it cannot be reverse engineered to re-identify individuals. This kind of data is no longer personal data.

We may keep and use this anonymized data to help us provide, develop and improve our Services, including to:

• better understand how people use Bastion and our services,
• develop useful insights and improvements to Bastion and our services, and
• to create whitepapers or other informational content, and to provide potential or current Customers with insight into our services.

Updating this Privacy Notice

This Notice was last updated September 17, 2023.

We may update this Notice from time to time, and will post any changes on this page.

If we make any substantial changes, we will notify you.

How can you contact us?

If you have any questions about this privacy notice or feedback for us, please contact us at dataprivacy@bastion.com or (888) 608-4151.

‍

UK / EEA

What do each of these legal reasons mean?

We must have a relevant legal reason (also called a 'lawful basis') for each way in which we use your personal information.

Lawful bases include: 

• consent, 
• a contract with you,
• specified legitimate interests, and
• compliance with our legal obligations.

Consent

We use your personal information to send you promotional information if you have consented (where required by law). We may also send direct marketing without consent, where permitted by law (see 'legitimate interests', below).

We also rely on consent for some of our Site cookies. Please read our Cookie Notice.

Contract

We use your personal information if it is necessary to perform a contract you have with us (for example, our Site Terms of Service), or if you have asked us to take specific steps before entering that contract. 

We may send you service updates based on your contract with us (for example, to let you know if we make any significant changes to this Notice or any terms).

Legitimate interests

We may use your personal information if it is necessary for our legitimate interests or the legitimate interests of a third party, as long as those interests are not outweighed by your rights and interests.

Our legitimate interests include:

Administering, improving and expanding our Services

• Providing our Site, and identifying and resolving technical bugs.
• Getting your feedback and reviews.
• Gathering information and developing insights about how to use Bastion, including aggregating individuals' data.
• Developing and improving Bastion and our services.
• Implementing and improving our security measures, including detecting and preventing fraud and cyber-crime or other crime.
• Growing our organization and informing our promotional strategy.
• Assessing your suitability for employment/engagement with Bastion.
• Conducting internal and external analysis and reporting. 
• Conducting internal investigations, for example if a whistleblowing report is made. 
• Protecting the rights and interests of Bastion, our employees, applicants and others.

Marketing & advertising

• Marketing and promoting Bastion to an organization you work for or provide services to.
• Measuring or understanding the effectiveness of marketing we serve to you and others and delivering relevant marketing to you (including when you visit other websites).

Fulfilling agreements with our Customers and other organizations 

• Complying with any agreement we may have with an organization you work for or provide services to.
• Enforcing or applying our terms or other agreements with you or with an organization you work for or provide services to.
• Establishing, exercising or defending legal claims, whether in court, administrative or other proceedings. 

If you would like further information about any of our legitimate interests, please contact us at dataprivacy@bastion.com. 

Legal obligation

We may need to process any of  your personal information to comply with our legal obligations, including under applicable law, and/or any court orders. This may include compliance with know-your-client and anti-money laundering rules.

What rights do you have over your personal information?

If you are in the UK or the EU/EEA, in certain circumstances, you have the following rights:

• to be provided with a copy of your personal information,
• to ask us to correct or delete your personal information,
• to request that we restrict how we use your personal information (for example, while we investigate your concerns about the accuracy of data, or lawfulness of a certain use),
• to object to the further use of your personal information, including the right to object to marketing from us,
• to request that your provided personal data be moved to a third party, and
• where you have consented, to withdraw consent.

If you would like to exercise any of these rights in relation to the personal information we hold about you, you can contact us at dataprivacy@bastion.com. 

If you have any concerns, you have the right to lodge a complaint with a data protection supervisory authority:

• The Information Commissioner's Office (ICO) is the supervisory authority in the UK. You can visit their website here. 

If you are in the EU, you can find your local data protection authority here.

USA

If you are a resident of California, USA, the following section also applies to you:

CA Personal Information

Consistent with the "What Information Do We Collect” section above, we collect certain categories and specific pieces of information about individuals that are considered "Personal Information" in California ("CA Personal Information"). Specifically, we may collect the following types of CA Personal Information:

• Identifiers: name, title, organization, address, email address, phone number, date of birth, age, gender, and government identifiers; 
• ‍Internet or other electronic network activity information: internet protocol (IP) address, your login data, browser type and version, device IDs, time zone setting and location, browser plug-in types and versions, operating system and platform, pages and services you viewed or searched for, page response times, download errors, length of visits to certain pages, and page interaction information (such as scrolling, clicks, and mouse-overs);
• Audio, electronic, visual or similar information: phone, audio, or video calls, texts and other digital messaging, emails, and any in-person conversations you have with us. 
• ‍Geolocation data: IP address.

Certain CA Personal Information that we collect about you may be considered Sensitive Personal Information within the meaning of California Privacy Law, including: geolocation information (only with your permission, in order to provide location services) and government identifiers (to manage our Customer relationships). 

We only use and disclose Sensitive Personal Information as necessary in connection with the performance of services and the provision of goods, compliance with federal, state, or local laws, and as otherwise permitted by CA Privacy Law.

Sources. We collect certain categories of CA Personal Information either directly from you or from other third parties as described in the "What Information Do We Collect" section above. The categories of third parties from whom we collect CA Personal Information include:

• Third-party partners (e.g., IT service providers, analytics service providers);
• Business partners;
• Commercial clients;
• Public sources; and 
• Publications. 

Purposes of use

We may use CA Personal Information for:

Business purposes, including:

• improving our Site and Services;
• operating our Site; 
• providing you with information and services you request from us or we think you may be interested in;
• providing you with location services (only if you ask or allow us to);
• carrying out and complying with our agreement with the Customer;
• administering and managing our product offering tiers and fees, invoicing and billing; and
• complying with our legal obligations, including carrying out required checks on new customers, and to prevent money laundering or fraud.

‍Commercial purposes, including:

• marketing communications (including direct marketing); 
• customer service;
• providing you with special offers and other information we believe will be of interest to you; and
• inviting you to participate in surveys and provide feedback to us.

Disclosures of CA Personal Information. 

We may disclose the categories of CA Personal Information described above for the business purposes described above to:

• our group companies;
• third party service providers that perform data processing activities on our behalf, subject to appropriate privacy and security obligations;
• government and other authorities as required by law; 
• potential purchasers and other parties in connection with the sale, purchase or merger of a business; and
• others to the extent necessary to comply with applicable law and as otherwise permitted under California Privacy Law.

We may disclose identifiers; internet or other electronic network activity information; audio, electronic, visual or similar information; geolocation data for the commercial purposes described above to:

• Third party service providers.

Retention of California Personal Information

We retain your CA Personal Information for as long as needed or permitted in light of the purpose(s) for which it was obtained. We will usually keep personal information:

• for as long as necessary for the original reasons we collected it, and
• for up to six years after that to identify any issues and resolve any legal proceedings.

We may keep your personal information for a longer period:

• in the event of a complaint,
• if we reasonably believe there is a prospect of legal proceedings,
• if we are aware of pending or ongoing legal proceedings, or
• in some circumstances, if applicable law says we must.

If you opt in to marketing from us, we will keep your relevant personal information for as long as you are receiving marketing. If you later decide to opt out (or object to any other use of your personal information), we may keep a record of your opt-out or objection so we can respect your preferences and demonstrate our compliance.

Your Rights

Subject to certain exceptions detailed in California Privacy Law, as a California resident, you have the right to request: 

• deletion of your CA Personal Information; 
• correction of inaccurate CA Personal Information; 
• the right to know / access the categories of CA Personal Information that we collect about you, including the specific pieces of CA Personal Information; 
• the categories of CA Personal Information disclosed for a business purpose; and
• information about the categories of CA Personal Information about you that we have shared (as such term is defined under CA Privacy Law) and the categories of third parties to whom the CA Personal Information was shared. 

Exercising Your Rights

If you are a California resident and wish to request the exercise of these rights as detailed above, please email dataprivacy@bastion.com or call us at (888) 608-4151.  We may apply any exceptions or other conditions available under law when responding to correction, deletion, or other requests. 

Do Not Track Signals

We do not currently respond to web browser “do not track” signals or other mechanisms that indicate your preference for not having information collected over time and across different web sites or digital apps following your visit to one of our Sites. We will not discriminate against you by offering you different pricing or products, or by providing you with a different level or quality of products, based solely upon this request.

Authorized Agents

To the extent that you elect to designate an authorized agent to make a request on your behalf, they must provide appropriate documentation including written signed permission from you, proof of your identity, and verification of their identity; or a valid, designated power of attorney as defined under the California Probate Code.