Privacy Policy
Effective date: April 7, 2026 | Last updated: April 7, 2026
Your privacy is very important to us. This Privacy Policy explains how Bella Skin Institute (“we,” “us,” “our,” or “Company”) collects, uses, shares, and protects your personal information when you use the Bella Rewards Loyalty App (“App”).
Policy Overview
This Policy describes:
Who we are
What personal data we collect
How and why we use it
Who we share it with
Your rights and choices
How we protect your information
By downloading, accessing, or using the App, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our practices, please do not use the App.
Who We Are
Bella Skin Institute is the owner and operator of the Bella Rewards Loyalty App.
Corporate Address:
Bella Skin Institute
23622 Calabasas Rd #339
Calabasas, CA 91302
United States
Data Controller Designation: For applicable privacy laws, including the GDPR and CCPA, Bella Skin Institute is the Data Controller of your personal information.
Privacy Contacts
For General Privacy Inquiries:
Scope of This Policy
This Privacy Policy applies to:
Users of the Bella Rewards Loyalty App (iOS and Android)
Current, former, and prospective customers
Loyalty program members
Promotional and rewards program participants
This Policy applies regardless of whether you interact with us:
Through the App
Via email
Via SMS text messaging
Through social media
In person at our facilities
What Information We Collect
We collect information only when necessary to operate, maintain, and improve the App and loyalty program in compliance with applicable law.
1. Information You Provide Directly
When you create an account or use the App, we may collect:
Required Information:
Full name
Email address
Account login credentials
Optional Information (for enhanced rewards):
Phone number (to enable SMS notifications)
Date of birth
Marketing preferences
Loyalty Program Data:
Loyalty points balance
Rewards activity history
Redemption history
Offer and promotion engagement
2. Automatically Collected Information
When you use the App, we may automatically collect:
Device Information:
Device type (iPhone, Android)
Operating system and version
Unique device identifiers (IDFA, Android ID)
Device IP address
Device settings (language, timezone)
App Usage Data
3. Cookies and Tracking Technologies
We use the following tracking technologies:
Essential Technologies (no consent required):
Session cookies (for authentication and security)
Functional cookies (to remember your preferences)
Security tokens (to prevent fraud)
Analytics Technologies (explicit consent required):
Analytics cookies (to measure App usage)
Performance pixels (to track feature adoption)
SDKs and tracking pixels (to improve personalization)
You can manage permissions through your device settings.
4. Third-Party Login Data
Apple Sign-In
When you choose to sign in with Apple, we may receive:
Your name
Your email address
We do NOT:
Use Apple Sign-In data for advertising or marketing
Share Apple Sign-In data with third parties
Access additional Apple account information beyond what is required for authentication
Google Sign-In
When you choose to sign in with Google, we may receive:
Your name
Your email address
Basic profile information (photo, public profile)
We do NOT:
Use Google Sign-In data for advertising or marketing
Share Google Sign-In data with third parties
Access additional Google account information beyond what is required
Calendar Integration
Apple Calendar Access
The Bella Rewards App can connect to your Apple Calendar. With your permission, you can link your Apple account to enable this feature.
With your explicit permission, we may:
View calendar events relevant to the App's functionality
Create, update, or display calendar events related to App features
Calendar data we access:
Event titles
Event dates and times
Event descriptions (only if required for functionality)
We do NOT:
Access Apple Calendar data without your explicit permission
Use Apple Calendar data for advertising or marketing
Share Apple Calendar data with third parties
Store calendar data on our servers (processed in-app only)
Use calendar data to create user profiles or analytics
Calendar data retention: Calendar data is not stored by Bella Skin Institute. It is accessed directly from your device in real time. When you revoke calendar access, no further access is permitted.
Revoking Access: You can revoke Apple Calendar access at any time through:
Settings > Bella Rewards App > Calendar
Bella Rewards App > Profile > Apple Calendar
Google Calendar Access
The Bella Rewards App can connect to your Google Calendar. With your permission, you can link your Google account to enable this feature.
With your explicit consent, we may:
View calendar events relevant to the App's functionality (such as points expiry dates)
Create, update, or display calendar events within the App
Retrieve event information to sync reminders
Google Calendar data we access:
Event titles
Event dates and times
Event descriptions (if required for functionality)
We do NOT:
Access Google Calendar data without your explicit permission
Use Google Calendar data for advertising or marketing
Share Google Calendar data with third parties
Use Google Calendar data for purposes unrelated to the App's core functionality
Store calendar data on our servers long-term (processed in-app only)
Compliance with Google APIs: Our use of information received from Google APIs complies fully with the Google API Services User Data Policy, including all Limited Use requirements.
Revoking Access: You may revoke Google Calendar access at any time via:
myaccount.google.com > Apps with account access > Bella Rewards > Remove access
Bella Rewards App > Profile > Google Calendar
Outlook Calendar Access (Microsoft)
The Bella Rewards App can connect to your Outlook Calendar. With your permission, you can link your Outlook account to enable this feature.
With your explicit permission, we may:
View calendar events relevant to App functionality
Create, update, or display points expiry calendar events
Outlook Calendar data we access:
Event titles
Event dates and times
Event descriptions (if required)
We do NOT:
Access Outlook Calendar without authorization
Use Outlook Calendar data for advertising
Share Outlook Calendar data with third parties
Use Outlook Calendar data beyond core App functionality
Store calendar data on our servers
Revoking Access: You can revoke access at any time through:
myaccount.microsoft.com > Privacy dashboard > Connected apps and experiences
Bella Rewards App > Profile > Outlook Calendar
How We Use Your Information
We use your information for the following purposes only:
Primary Purposes
Create and manage your Bella Rewards account
Authenticate your identity and secure your account
Track loyalty points, rewards, and redemptions
Process reward redemptions and deliver rewards
Communicate with you about rewards, offers, and promotions
Transactional Purposes
Send service-related notifications (order confirmations, points updates, redemption status)
Provide customer support and respond to inquiries
Process requests and complaints
App Improvement
Improve App functionality and user experience
Analyze usage patterns
Diagnose technical issues and errors
Monitor App performance and security
Legal and Compliance
Prevent fraud, misuse, and unauthorized access
Comply with legal obligations and court orders
Resolve disputes and enforce agreements
Maintain records for accounting and tax purposes
Security and Safety
Detect and prevent fraudulent transactions
Protect against unauthorized access and attacks
Maintain audit trails for compliance purposes
IMPORTANT: We do NOT sell your personal information to third parties for any reason, including marketing.
SMS Notifications and Communications
SMS Opt-In Process
The Bella Rewards App may send SMS (text message) notifications only to users who voluntarily opt in.
SMS notifications are limited to:
Points Expiry Notifications: Informing users when loyalty points are about to expire
Birthday Reward Notifications: Notifying users of available birthday rewards
SMS is disabled by default. You must actively opt in by:
- Providing your mobile phone number during onboarding or in the Profile section
- Explicitly enabling the SMS toggle in your account settings
- Confirming your consent to the following language:
“By enabling SMS notifications, I agree to receive text messages from Bella Skin Institute about points expiry and birthday rewards. Message and data rates apply according to my mobile carrier's plan. I understand that I can opt out at any time by replying STOP to any message or by disabling SMS notifications in my account settings.”
SMS Opt-Out Process
You can opt out of SMS notifications at any time by:
Disabling SMS in the App settings under Profile > Notifications > SMS
Replying STOP to any SMS message you receive from us. You will receive a one-time confirmation, and no further messages will be sent.
Your mobile carrier's standard message and data rates will apply.
Mobile Number Privacy and Data Handling
Bella Skin Institute STRICTLY PROTECTS your mobile phone number:
We do NOT:
Share, sell, rent, or disclose your phone number to third parties, affiliates, or partners
Use your phone number for marketing, advertising, or promotional campaigns beyond points expiry and birthday rewards
Share your phone number with marketing partners or analytics providers
Share your phone number with third-party SMS service providers (except as technically necessary for Twilio to deliver messages on our behalf)
Use your phone number for purposes other than those explicitly stated in this policy
Your phone number is used exclusively for:
Sending SMS notifications as described above
Delivering service-related communications directly to you
Providing customer support
Data Retention for SMS
Retention Timeline:
Mobile phone numbers are retained while you maintain an active account and have SMS enabled
If you opt out of SMS or close your account, the phone number is retained for 90 days only to ensure the opt-out is properly processed
After 90 days, the phone number is securely deleted from our systems
Deletion Process: Phone numbers are deleted using secure data destruction methods that render them unrecoverable.
SMS and CCPA Compliance
For California Residents (CCPA):
Our use of your mobile phone number is NOT considered a "sale" of personal information under the CCPA
We do not monetize or transfer your phone number to third parties
SMS notifications are not marketing communications under CCPA
Email and Push Notifications
Marketing Communications
We may contact you via:
Push notifications
Opt-Out Options
You can opt out of marketing communications at any time by:
Clicking the unsubscribe link in any email
Adjusting App notification settings under Profile > Notifications
Email Marketing Compliance (CAN-SPAM)
All promotional emails we send include:
Clear identification that the message is promotional
Our valid physical mailing address
A clear, easy-to-use unsubscribe mechanism
Processing of unsubscribe requests within 10 business days
We do not use misleading subject lines, false headers, or deceptive content.
Who We Share Your Information With
We share your information only when necessary and with appropriate safeguards.
- Service Providers (hosting, analytics, messaging)
- Affiliates under common control
- Legal & Regulatory Authorities, when required by law
- Business Transfers (merger, acquisition, or sale of assets)
Data Processing Agreements
All third parties who access personal data are required to sign Data Processing Agreements (or Business Associate Agreements under HIPAA) that include:
Commitment to process data only as instructed
Implementation of appropriate security measures
Prohibition on further sharing
Compliance with GDPR, CCPA, and other applicable laws
Data Retention
We retain your personal data only as long as necessary to fulfill the purposes described in this policy, including to:
- Operate the loyalty program
- Meet legal, accounting, or regulatory requirements
- Resolve disputes
Data Deletion Process
When data is no longer needed, it is:
Securely deleted using methods that render it unrecoverable
Anonymized (removing identifiers so it cannot be linked to you)
Archived if required for legal compliance
Data Security
We take your security seriously and implement reasonable technical and organizational safeguards to protect your information.
Security Measures
Encryption
Secure servers
Access controls
Limitations
Important: No system is 100% secure. We cannot guarantee absolute protection against all threats. You are responsible for:
Maintaining the confidentiality of your login credentials
Using a strong, unique password
Enabling two-factor authentication if available
Using the App on secure networks only
Your Privacy Rights
GDPR Rights
You have the following rights under the GDPR:
1. Right to Access
You have the right to obtain a copy of the personal data we hold about you, including:
What personal data we process
How we use it
Who we share it with
How long we retain it
2. Right to Correction
You have the right to correct incomplete or inaccurate personal data.
How to exercise:
Update your profile directly in the App under Settings
3. Right to Erasure (“Right to be Forgotten”)
You have the right to request deletion of your personal data when:
You no longer consent to processing
The data is no longer necessary for our purposes
You object to processing on the basis of legitimate interest
The data was unlawfully processed
Exceptions: We may retain data when required by law (tax, accounting, fraud prevention).
4. Right to Restrict Processing
You have the right to restrict processing of your data when:
You dispute the accuracy of the data
Processing is unlawful
We no longer need the data
You object to processing
5. Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and have it transferred to another service provider.
This right applies only to:
The data you provided to us
Data we process based on your consent
Data necessary to fulfill our contract with you
6. Right to Object
You have the right to object to the processing of your data when we rely on legitimate interest as the legal basis, including objections to:
Direct marketing communications
Analytics and profiling
Other processing for our business interests
7. Right to Withdraw Consent
You have the right to withdraw your consent for any processing at any time. This does not affect the lawfulness of processing before withdrawal.
How to exercise:
Adjust settings in the App (SMS, notifications, calendar access)
8. Right to Lodge a Complaint
You have the right to lodge a complaint with your local Data Protection Authority if you believe we have violated your rights.
CCPA Rights (California Residents)
California law grants you the following rights:
1. Right to Know
You have the right to request and obtain information about:
The categories of personal information we collect
The purposes for collection and use
The categories of sources
The categories of third parties with whom we share data
2. Right to Delete
You have the right to request deletion of personal information we have collected, subject to exceptions:
Information necessary to provide services
Information required by law
Information needed to detect and prevent fraud
3. Right to Opt-Out of “Sales” or “Sharing”
Under CCPA, “sale” and “sharing” are broadly defined to include disclosure of personal information for behavioral advertising and cross-context marketing.
Important Disclosure: Bella Skin Institute does NOT sell or share your personal information for behavioral advertising or any commercial purpose. Therefore, this right does not apply.
If we begin selling or sharing data in the future, we will provide an opt-out mechanism.
4. Right to Non-Discrimination
You have the right not to be discriminated against for exercising your CCPA rights. We will not:
Deny you services or features
Charge different prices or rates
Provide different quality of service
Suggest that exercising rights will result in adverse treatment
5. Right to Correct Inaccurate Information
You have the right to correct inaccurate personal information.
How to exercise: Update your profile in the App
CCPA for Minors
If you are under 13, please ask your parent or guardian to read this Privacy Policy and contact us to manage your account.
Children's Privacy
The Bella Rewards App is not intended for children under 13 years old.
We do not knowingly collect personal information from children under 13.
If you believe we have collected information from a child under 13:
Contact us immediately.
We will delete such information promptly.
For users aged 13–18: If you are a minor, please ask your parent or guardian to review this policy and contact us with any questions.
Do Not Track (DNT)
The App does not respond to browser “Do Not Track” signals because:
The App is not a web browser
DNT signals are not applicable to mobile applications
You may manage tracking preferences via device settings.
HIPAA Compliance (Healthcare Data)
Important Clarification
Bella Skin Institute is a healthcare provider subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations.
The Bella Rewards App is NOT a healthcare platform and is not intended to store, process, or transmit Protected Health Information (PHI) or medical records.
What This App Does NOT Do
Does NOT collect medical diagnoses or treatment information
Does NOT store patient medical records
Does NOT process prescription information
Does NOT contain detailed medical histories
Does NOT transmit protected health information (PHI)
What This App DOES Do
Manages loyalty rewards and points
Tracks promotional offers
Sends reminders (non-medical in nature)
Stores optional contact information
If You Provide Health Information
If you voluntarily provide health-related information in the App (e.g., in customer support messages or comments):
We will treat such information as Protected Health Information (PHI) under HIPAA
We implement HIPAA-compliant safeguards, including:
Encryption of data in transit and at rest
Role-based access controls
Audit logs and monitoring
Secure deletion procedures
All service providers with access to PHI have signed Business Associate Agreements (BAAs) as required under HIPAA
PHI is used only for:
Treatment (providing healthcare services)
Payment (processing insurance or payment for services)
Healthcare Operations (administration, quality improvement, compliance)
HIPAA Rights
If you believe your health information has been mishandled, you have the right to:
- Access: Request access to your PHI
- Amendment: Request corrections to inaccurate PHI
- Restrictions: Request restrictions on certain uses or disclosures
- Accounting: Receive an accounting of disclosures of your PHI
- Complaint: File a complaint with Bella Skin Institute or the Department of Health & Human Services (HHS) Office for Civil Rights
HIPAA Notice of Privacy Practices
Bella Skin Institute's complete Notice of Privacy Practices governs how health information may be used and disclosed. This document is available:
In the App (Settings > Privacy)
In case of conflict: If there is a conflict between this Privacy Policy and the Notice of Privacy Practices, the Notice of Privacy Practices controls for health information matters.
Policy Updates and Changes
We may update this Privacy Policy from time to time to:
Reflect changes in our practices
Comply with new legal requirements
Improve clarity or accuracy
Respond to user feedback
Changes will be posted in the App and/or on our website with an updated “Last Updated” date.
Your continued use of the App after updates means you accept the updated policy.
Contact Us
If you have questions, requests, or complaints about this Privacy Policy or your personal data, contact us: