Last updated: 18 Feb, 2026
Privacy
Your privacy is very important to us. This Privacy Policy explains how Bella Skin Institute (“we”, “us”, or “our”) collects, uses, shares, and protects your personal information when you use the Bella Rewards Loyalty App (“App”).
This Policy describes:
- Who we are
- What personal data we collect
- How and why we use it
- Who we share it with
- Your rights and choices
Please read this Policy carefully. By downloading, accessing, or using the App, you agree to the collection and use of information in accordance with this Privacy Policy.
Who We Are
Bella Loyalty Rewards App is owned and operated by:
Bella Skin Institute
23622 Calabasas Rd #339,
Calabasas, CA 91302
United States
For the purposes of applicable privacy laws, including the GDPR and CCPA, Bella Skin Institute is the Data Controller of your personal information.
Scope of This Policy
This Privacy Policy applies to:
- Users of the Bella Rewards Loyalty App
- Current, former, and prospective customers
- Loyalty program members
- Promotional and rewards program participants
This Policy applies regardless of whether you interact with us online, through the App, via email, SMS, social media, or in person.
What Information We Collect
We only collect information that is necessary to operate and improve the App and loyalty program.
Information You Provide to Us
When you register or use the App, we may collect:
- Full name
- Email address
- Phone number
- Date of birth (if required for rewards eligibility)
- Account login credentials
- Loyalty points, rewards activity, and redemption history
- Marketing preferences
Automatically Collected Information
When you use the App, we may automatically collect:
- Device information (device type, operating system, unique device identifiers)
- IP address
- App usage data (pages viewed, features used, time spent)
- Log files and diagnostic data
Cookies & Tracking Technologies
We may use cookies, SDKs, pixels, and similar technologies to:
- Enable App functionality
- Track App performance
- Analyse user behaviour
- Improve rewards personalisation
You can manage permissions through your device settings.
How We Use Your Information
We use your information to:
- Create and manage your Bella rewards account
- Track points, rewards, and redemptions
- Communicate with you about rewards, offers, and promotions
- Send service-related notifications
- Improve App functionality and user experience
- Provide customer support
- Prevent fraud and misuse
- Comply with legal obligations
We do not sell your personal information.
Marketing Communications
We may contact you via:
- Push notifications
- SMS
You can opt out of marketing communications at any time by:
- Using the unsubscribe link in emails
- Adjusting App notification settings
- Contacting us directly
Transactional and service messages may still be sent.
Who We Share Your Information With
We may share your information only when necessary, including with:
- Service Providers (hosting, analytics, messaging)
- Marketing & Analytics Partners
- Affiliates under common control
- Legal & Regulatory Authorities, when required by law
- Business Transfers (merger, acquisition, or sale of assets)
All third parties are required to protect your data and use it only for specified purposes.
Social Media & Third-Party Platforms
If you interact with us via social media or connect your account using a third-party service:
- Those platforms operate independently
- Their privacy policies apply
- We are not responsible for their data practices
Data Retention
We retain your personal data only for as long as necessary to:
- Operate the loyalty program
- Meet legal, accounting, or regulatory requirements
- Resolve disputes
Data is securely deleted or anonymised when no longer needed.
Data Security
We take reasonable technical and organisational measures to protect your information, including:
- Encryption
- Secure servers
- Access controls
However, no system is 100% secure, and we cannot guarantee absolute security.
HIPAA & Protected Health Information (PHI)
Bella Skin Institute is a healthcare provider subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations.
Use and Disclosure of Protected Health Information
In the course of operating the Programme and providing healthcare services, Bella Skin Institute may collect, use, store, and disclose certain health-related information that constitutes “Protected Health Information” (“PHI”) as defined under HIPAA.
PHI will be used and disclosed only as permitted or required by HIPAA, including for purposes of:
- Treatment, payment, and healthcare operations
- Administration of the Bella Skin Institute Rewards Programme, where applicable
- Legal, regulatory, or compliance obligations
Rewards Programme Limitations
The Bella Skin Institute Rewards App is not intended to store full medical records. Participation in the Programme does not require users to submit detailed medical histories, diagnoses, or treatment plans through the App.
Loyalty points, rewards, promotions, or Programme participation do not influence medical judgment, clinical decision-making, or treatment recommendations.
Third-Party Service Providers
Bella Skin Institute may engage trusted third-party service providers (including technology or hosting providers) to support the operation of the App and Programme. Where such providers may have access to PHI, Bella Skin Institute will maintain appropriate Business Associate Agreements (BAAs) as required under HIPAA.
Security Safeguards
Bella Skin Institute implements reasonable administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of PHI in accordance with HIPAA Security Rule requirements. However, no system can be guaranteed to be 100% secure.
Participants are responsible for safeguarding their login credentials and using the App in a secure manner.
User Rights Under HIPAA
Where applicable, participants retain rights under HIPAA, including the right to:
- Request access to their PHI
- Request corrections to inaccurate PHI
- Request restrictions on certain uses or disclosures
- Receive an accounting of disclosures, as permitted by law
Requests related to PHI must be submitted directly to Bella Skin Institute using the contact information provided in the App or on the Website.
HIPAA Notices
Bella Skin Institute’s Notice of Privacy Practices governs how medical information may be used and disclosed, and how participants may access such information. In the event of a conflict between these Terms and the Notice of Privacy Practices, the Notice of Privacy Practices shall control.
International Data Transfers
Your data may be processed in countries outside your state or country of residence.
Where required, we ensure appropriate safeguards are in place in accordance with applicable law.
Your Privacy Rights
GDPR Privacy
Legal Basis for Processing Personal Data under GDPR
We may process Personal Data under the following conditions:
- Consent: You have given your consent for processing Personal Data for one or more specific purposes.
- Performance of a contract: Provision of Personal Data is necessary for the performance of an agreement with You and/or for any pre-contractual obligations thereof.
- Legal obligations: Processing Personal Data is necessary for compliance with a legal obligation to which the Company is subject.
- Vital interests: Processing Personal Data is necessary in order to protect your vital interests or those of another natural person.
- Public interests: Processing Personal Data is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Company.
- Legitimate interests: Processing Personal Data is necessary for the purposes of the legitimate interests pursued by the Company.
In any case, the Company will gladly help to clarify the specific legal basis that applies to the processing, and in particular, whether the provision of Personal Data is a statutory or contractual requirement, or a requirement necessary to enter into a contract.
Your Rights under the GDPR
The Company undertakes to respect the confidentiality of your Personal Data and to guarantee that you can exercise your rights.
You have the right under this Privacy Policy, and by law if you are within the EU, to:
- Request access to Your Personal Data. The right to access, update or delete the information we have on you. Whenever made possible, you can access, update or request deletion of Your Personal Data directly within your account settings section. If you are unable to perform these actions yourself, please contact us to assist you. This also enables you to receive a copy of the Personal Data we hold about you.
- Request correction of the Personal Data that we hold about you. You have the right to have any incomplete or inaccurate information that we hold about you corrected.
- Object to the processing of Your Personal Data. This right exists where we are relying on a legitimate interest as the legal basis for our processing, and there is something about your particular situation, which makes you want to object to our processing of Your Personal Data on this ground. You also have the right to object when we are processing Your Personal Data for direct marketing purposes.
- Request erasure of Your Personal Data. You have the right to ask Us to delete or remove Personal Data when there is no good reason for Us to continue processing it.
- Request the transfer of Your Personal Data. We will provide to You, or to a third-party You have chosen, Your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information which you initially provided consent for Us to use or where we used the information to perform a contract with you.
- Withdraw your consent. You have the right to withdraw your consent to the use of your Personal Data. If you withdraw your consent, we may not be able to provide you with access to certain specific functionalities of the Service.
Exercising of your GDPR Data Protection Rights
You may exercise your rights of access, rectification, cancellation and opposition by contacting Us. Please note that we may ask you to verify your identity before responding to such requests. If you make a request, we will try our best to respond to you as soon as possible.
You have the right to complain to a Data Protection Authority about our collection and use of Your Personal Data. For more information, if you are in the European Economic Area (EEA), please contact your local data protection authority in the EEA.
Under CCPA (California Residents)
You have the right to:
- Know what personal data we collect
- Request access or deletion
- Opt out of data “sales” (we do not sell data)
- Non-discrimination in exercising rights
Requests may require identity verification.
Children’s Privacy
The App is not intended for children under 13.
We do not knowingly collect personal data from children.
If we become aware of such collection, we will delete the data promptly.
Do Not Track (DNT)
The App does not respond to browser Do Not Track signals.
You may manage tracking preferences via device settings.
Updates to This Policy
We may update this Privacy Policy from time to time.
Changes will be posted in the App and/or on our website with an updated “Last Updated” date.
Continued use of the App means you accept the updated Policy.
Contact Us
If you have questions, requests, or complaints about this Privacy Policy or your personal data, contact us:
Bella Skin Institute
Website: https://www.bellaskininstitute.com/contact