Our Commitment to Privacy
Online Account Registration
You may want to register with buffyboots.com to make shopping faster and easier. As a registered customer, you only have to enter your billing and shipping addresses and account information once; they will be securely stored in our database for your future use. Using your username and password you may access your account online at any time to add, delete or modify information. If you are using a computer at a public place, we encourage you to log out at the end of your session. Your information may be stored with us, but it will not be accessible to anyone else from that computer.
The Information Collected By buffyboots.com
When you shop with buffyboots.com, we obtain information we need to complete your transaction. This may include your name, shipping address, billing address, telephone number, credit/debit card number with expiration date and your email address. Under no circumstances do we ever share, sell or rent your personal information with outside parties.
How We Use The Information Collected
We use this information to confirm your credit/debit card information and to contact you if we have questions regarding your order. Your billing information may also be used for future Buffy Boots print mailings such as Buffy Boots catalogs. You may request to be removed from our mailing list at any time.
We use this information to ship the order you have placed.
Credit/Debit Card Information.
We use this information to process your online order, and we may also need to provide this information to the company or companies who process our credit card transactions.
After you place an order with buffyboots.com, you will receive an email confirmation that we have received your order. You will receive this email only if you have provided us with your correct email address. We may also need to contact you via email if we have questions regarding your order. Your email information may also be used for future Buffy Boots email newsletters which will include unsubscribing instructions. We would like to reiterate that under no circumstances do we ever share, sell or rent your personal information with outside parties.
Cookies And Their Use
LIMITATION ON LIABILITY
In no event shall Buffy Boots, its subsidiaries or its suppliers be liable to you or any third party for any indirect, incidental, consequential, special, exemplary, or punitive damages arising out of the use of the product, including, without limitation, loss of value of the product or any third party products that are used in or with the product, property damage, or loss of use of the product or any third party products that are used in or with the product, even if Buffy Boots has been advised of the possibility of such damages. Buffy Boots has no liability for any damage or destruction to consumer electronics devices, other personal property that are in the products, or any loss of data contained in the foregoing devices. Notwithstanding any damages that you might incur for any reason whatsoever (including, without limitation, all damages referenced herein and all direct or general damages in contract, tort (including negligence) or otherwise), the entire liability of Buffy Boots and any of its suppliers shall be limited to the amount actually paid by you for the product. Some jurisdictions do not allow the limitation or exclusion of certain warranties and conditions, and/or the disclaimer of some types of damages, so some of the above might not apply to you.
CREDIT CARD SECURITY POLICIES
Buffy Boots shall maintain a security policy that addresses how the company will protect cardholder data. This policy must be reviewed at least annually, and must be updated as needed to reflect changes to business objectives or the risk environment.
Employees shall not use or otherwise employ employee-facing technologies to store, process or otherwise handle cardholder data. Employee-facing technologies include remote-access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), email, and internet usage.
The policies and procedures delineated will apply to all employees and contractors involved in the processing, or other handling of cardholder data.
Incident Response Policy
The security manager shall establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that an employee might recognize in their day-to-day activities include, but are not limited to:
• Theft, damage, or unauthorized access (e.g., papers missing from their desk, broken locks, missing log files, alert from a security guard, video evidence of a break-in or unscheduled/unauthorized physical entry)
• Fraud – Inaccurate information within databases, logs, files or paper records
Reporting an Incident
The security manager should be notified immediately of any suspected or real security incidents involving cardholder data:
• Contact the security manager to report any suspected or actual incidents. The Internal Audit’s phone number should be well known to all employees and should page someone during non-business hours.
• No one should communicate with anyone outside of their supervisor(s) or security manager about any details or generalities surrounding any suspected or actual incident. All communications with law enforcement or the public will be coordinated by the security manager.
• Document any information you know while waiting for the security manager to respond to the incident. If known, this must include date, time, and the nature of the incident. Any information you can provide will aid in responding in an appropriate manner.
Responses can include or proceed through the following stages: identification, severity classification, containment, eradication, recovery and root cause analysis resulting in improvement of security controls.
Contain, Eradicate, Recover and perform Root Cause Analysis
1. Notify applicable card associations.
Provide the compromised Visa accounts to Visa Fraud Control Group within ten (10) business days. For assistance, contact 1-(650)-432-2978. Account numbers must be securely sent to Visa as instructed by the Visa Fraud Control Group. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and ensure the confidentiality of entity and non-public information. See Visa’s “What to do if compromised” documentation for additional activities that must be performed.
Contact your merchant bank for specific details on what to do following a compromise.
Contact your relationship manager or call the support line at 1-(800)-347-3083 for further guidance.
2. Alert all necessary parties, including: Merchant bank, Local FBI Office, U.S. Secret Service (if Visa payment data is compromised), Local authorities (if appropriate)
3. Perform an analysis of legal requirements for reporting compromises in every state where clients were affected. The following source of information must be used: http://www.ncsl.org/programs/lis/cip/priv/breach.htm
4. Collect and protect information associated with the intrusion. In the event that forensic investigation is required the security manager will work with legal and management to identify appropriate forensic specialists.
5. Eliminate the intruder's means of access and any related vulnerabilities.
6. Research potential risks related to or damage caused by intrusion method used.
Root Cause Analysis and Lessons Learned
Not more than one week following the incident, members of security manager and all affected parties will meet to review the results of any investigation to determine the root cause of the compromise and evaluate the effectiveness of the Incident Response Plan. Review other security controls to determine their appropriateness for the current risks. Any identified areas in which the plan, policy or security control can be made more effective or efficient must be updated accordingly.
Buffy Boots shall implement and maintain a security awareness program with the intent of ensuring all employees that process, store, or are otherwise involved in handling cardholder data are aware of the importance of cardholder data security.
Buffy Boots will ensure employees receive security awareness training upon hire and at least annually. The security awareness program must provide multiple methods of educating employees, including posters, letters, memos, web-based training, meetings, or promotions.
Buffy Boots will implement policies and procedures to manage service providers. This process must include the following:
• Maintain a list of service providers
• Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of the cardholder data the service providers possess
• Implement a process to perform proper due diligence prior to engaging a service provider
• Monitor service providers’ PCI DSS compliance status
• Please Note: Orders containing multiple items, including items marked for pre-order, will ship only when all items are available for shipping. No partial shipments will be made.
• We process and ship orders Monday thru Friday 8am to 5pm Pacific Standard Time. Orders placed after 2pm PST may be processed the following business day. Most orders ship within 2 business days**
• All orders are subject to approval based on the billing information provided.
• All orders may be placed on hold for further security verifications if billing and shipping information is different and/or the order total exceeds $100 USD.
• In the event that an item is out of stock or unavailable, your order may not be shipped until a Customer Care Representative has contacted you for further instructions.
• If a customer order is returned to Buffy Boots due to incorrect shipping information, we will notify the customer that it has been returned by the shipping company and we will refund the customer the purchase price of the product. S&H charges are non-refundable.
• We are not responsible for any item loss during delivery or for the delivery time.
• Timely delivery is subject to the Terms of Service published by the carrier. Note that circumstances out of our control (like natural disasters, holiday delays, etc.) may produce shipping postponements.
• We ship to the 48 continental United States, Alaska, Hawaii, Puerto Rico, and Guam via The United States Postal Service (USPS).
• We ship to all APO, FPO, and DPO addresses via USPS.