Privacy Notice

This Privacy Notice for Jack Vance Inc. dba Bella Vacations (we, us, or our) describes how and why we may access, collect, store, use, and share (process) your personal information when you use our services (Services), including when you visit our website at bellavacations.com, engage with us about luxury travel planning, or contact us in any other way.

Bella Vacations is a luxury travel design company specialising in bespoke journeys and curated experiences tailored to your preferences. To deliver our services, we collect information necessary for trip planning, booking, and keeping you informed throughout your journey.

Questions or concerns? Reading this notice will help you understand your rights and choices. If you do not agree with our practices, please do not use our Services. For any question, write to us at chadd@bellavacations.com.

Summary of Key Points

This summary covers the essentials. Full detail follows in the sections below.

What personal information do we process? We process information you provide when you contact us about travel, including your name, contact details, travel preferences, and payment information. We also collect device and usage information automatically when you visit our Services.

Do we process sensitive personal information? Where necessary and with your consent, yes. Financial information for processing payments, passport details for travel arrangements, and similar.

Do we collect information from third parties? Occasionally, from public databases, marketing partners, and similar sources, to improve the relevance of what we send you.

How do we process your information? To deliver our Services, communicate with you, ensure security, prevent fraud, and comply with law. We process information only when we have a valid legal reason.

With whom do we share it? Only with trusted service providers (payment processors, accommodation partners, transport providers, analytics tools) and only as needed to fulfil your travel plans.

How do we keep it safe? Through reasonable technical and organisational measures. No system is perfectly secure, but we work to protect what you share with us.

What are your rights? Depending on where you live, you may have rights to access, correct, or delete the information we hold about you, and to withdraw consent. Details below.

Table of Contents

1. What information do we collect

Personal information you disclose to us

In short: We collect personal information that you provide to us voluntarily.

We collect personal information that you voluntarily provide when you contact us about travel planning, participate in activities on the Services, or otherwise communicate with us. The personal information we collect may include:

• Names
• Email addresses
• Phone numbers
• Mailing and billing addresses
• Job titles
• Contact preferences
• Authentication data
• Debit and credit card numbers

Sensitive information

Where necessary and with your consent or as otherwise permitted by applicable law, we process the following categories of sensitive information: financial data, passport numbers, and similar information required to arrange international travel.

Payment data

We collect data necessary to process payments, such as the payment instrument number and security code. All payment data is handled and stored by Stripe. Their privacy notice is available at stripe.com/legal/privacy-center and stripe.com/au/privacy.

All personal information you provide to us must be true, complete, and accurate, and you should notify us of any changes to it.

Information automatically collected

In short: Some information, such as your IP address and browser or device characteristics, is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate our Services. This information does not reveal your specific identity but may include device and usage information such as IP address, browser type, operating system, language preferences, referring URLs, country, location, and how and when you use our Services. This is primarily used to maintain the security and operation of our Services, and for internal analytics and reporting.

Like many businesses, we also collect information through cookies and similar technologies (see Section 6). The information we collect includes:

• Log and Usage Data. Service-related, diagnostic, and performance information our servers automatically collect.
• Device Data. Information about your computer, phone, or other device used to access the Services.
• Location Data. Information about your device location, which can be either precise or imprecise depending on your settings.

Google API

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Information collected from other sources

In short: We may collect limited data from public databases, marketing partners, and other outside sources.

To enhance our ability to provide relevant offers and services to you, we may obtain information from other sources such as public databases, joint marketing partners, affiliate programs, and data providers. This may include mailing addresses, job titles, email addresses, phone numbers, IP addresses, social media profiles, and similar information used for targeted communication and event promotion.

2. How do we process your information

In short: We process your information to provide, improve, and administer our Services, communicate with you, ensure security, prevent fraud, and comply with law. We may also process information for other purposes with your consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services:

• To deliver and facilitate delivery of services. We may process your information to provide you with the requested travel planning, booking, and concierge services.
• To respond to inquiries and offer support. We may process your information to respond to your questions and resolve any issues with the requested service.
• To send administrative information. Details about our products and services, changes to terms and policies, and similar communications.
• To fulfil and manage your bookings. Including payments, changes, and refunds processed through the Services.
• To enable communication between us. Including any user-to-user features.
• To request feedback. To contact you about your experience with our Services.
• To send marketing and promotional communications. Only in accordance with your marketing preferences. You can opt out at any time.
• To deliver targeted advertising. Content and advertising tailored to your interests, location, and similar.
• To protect our Services. Including fraud monitoring and prevention.
• To identify usage trends. Understanding how our Services are used so we can improve them.
• To measure marketing effectiveness. Understanding which campaigns are most relevant to you.
• To save or protect vital interests. When necessary to prevent harm to an individual.

3. What legal bases do we rely on

In short: We only process your personal information when we believe it is necessary and we have a valid legal reason under applicable law.

If you are located in the EU or UK

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases on which we process your personal information. We may rely on the following:

• Consent. Where you have given us permission to use your personal information for a specific purpose. You can withdraw consent at any time.
• Performance of a Contract. Where we need to fulfil our contractual obligations to you, including providing our Services.
• Legitimate Interests. Where it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your rights and freedoms. For example: sending information about special offers, displaying relevant advertising, analysing how our Services are used, supporting marketing, diagnosing problems or preventing fraud, and understanding how to improve user experience.
• Legal Obligations. Where required to comply with our legal obligations, such as cooperating with a law enforcement body or regulatory agency.
• Vital Interests. Where necessary to protect your vital interests or those of a third party.

If you are located in Canada

We may process your information where you have given express or implied consent. You may withdraw your consent at any time. In exceptional cases, applicable law may permit us to process information without consent, including: where collection is clearly in your interest and consent cannot be obtained in time; for fraud detection and investigations; for business transactions meeting certain conditions; for insurance claim assessment; for identifying injured, ill, or deceased persons; where there are reasonable grounds to believe an individual may be a victim of financial abuse; for breach investigations; under subpoena or court order; for employment-related collection consistent with the purpose; for journalistic, artistic, or literary purposes; or where the information is publicly available as specified by the regulations.

4. When and with whom do we share information

In short: We may share information in specific situations and with specific categories of third parties, as outlined below.

Vendors, Consultants, and Other Service Providers. We share data with third parties who perform services for us or on our behalf and require access to do that work. We have contracts in place designed to safeguard your personal information. They cannot use it for anything other than the work we have asked of them, and they do not share it with any organisation apart from us.

The categories of third parties we may share personal information with are:

• Sales and marketing tools
• Testing tools
• Social networks
• Website hosting providers
• Ad networks
• Affiliate marketing programs
• AI platforms
• Cloud computing services
• Communication and collaboration tools
• Data analytics services
• Data storage providers
• Finance and accounting tools
• Government entities (where required by law)
• Order fulfilment service providers
• Payment processors
• Performance monitoring tools
• Product engineering and design tools
• Retargeting platforms

We may also share your personal information in the following situations:

• Business Transfers. In connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition.
• Google Maps Platform APIs. Where you make location-specific requests. By using our website and its map features, you agree to be bound by Google’s Terms of Service. We may store location information in your device cache; you may revoke consent by contacting us.
• Business Partners. To offer you certain products, services, or promotions related to luxury travel.

5. Our stance on third-party websites

In short: We are not responsible for the safety of information you share with third-party sites we may link to but are not affiliated with.

The Services may link to third-party websites, online services, or applications, and may include advertisements from third parties not affiliated with us. We make no guarantee regarding any such third parties, and we will not be liable for any loss or damage caused by their websites, services, or applications. The inclusion of a link does not imply our endorsement. Any data collected by third parties is not covered by this Privacy Notice. We recommend reviewing the privacy policies of any third party before sharing information with them.

6. Cookies and tracking technologies

In short: We may use cookies and similar tracking technologies to collect and store information.

We may use cookies and similar tracking technologies (web beacons, pixels) to gather information when you interact with our Services. Some help us maintain security, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.

We also permit third parties and service providers to use online tracking technologies for analytics and advertising, including managing and displaying advertisements, tailoring them to your interests, and sending abandoned cart reminders.

Google Analytics

We may share your information with Google Analytics to track and analyse the use of the Services. To opt out of being tracked by Google Analytics, visit tools.google.com/dlpage/gaoptout. You can opt out of Google Analytics Advertising Features through Ads Settings. Other opt-out options: optout.networkadvertising.org and networkadvertising.org/mobile-choice. For Google’s privacy practices, see Google Privacy and Terms.

7. How long we keep your information

In short: We keep your information only as long as necessary, unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this notice will require us to keep your personal information for longer than seven years.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it. If this is not possible (for example, because the information has been stored in backup archives), we will securely store it and isolate it from further processing until deletion is possible.

8. How we keep your information safe

In short: We aim to protect your personal information through a system of organisational and technical security measures.

We have implemented appropriate and reasonable technical and organisational security measures designed to protect any personal information we process. However, despite our safeguards, no electronic transmission over the Internet or information storage technology can be guaranteed to be one hundred per cent secure. While we will do our best to protect your personal information, transmission to and from our Services is at your own risk. You should only access the Services within a secure environment.

9. Information from minors

In short: We do not knowingly collect data from or market to children under eighteen years of age.

We do not knowingly collect, solicit data from, or market to children under eighteen, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least eighteen or that you are the parent or guardian of such a minor and consent to the minor’s use of the Services. If we learn that personal information from users less than eighteen years of age has been collected, we will deactivate the account and take reasonable measures to delete the data. If you become aware of any data we may have collected from a child under eighteen, please contact us at chadd@bellavacations.com.

10. Your privacy rights

In short: Depending on your state of residence in the US or in regions such as the European Economic Area (EEA), United Kingdom (UK), Switzerland, and Canada, you have rights that allow you greater access to and control over your personal information.

In some regions (such as the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may include: (i) the right to request access and obtain a copy of your personal information; (ii) the right to request rectification or erasure; (iii) the right to restrict processing; (iv) where applicable, the right to data portability; and (v) the right not to be subject to automated decision-making. You may also have the right to object to the processing of your personal information.

You can make such a request by contacting us using the details in Section 15 below. We will consider and act upon any request in accordance with applicable data protection laws.

If you are located in the EEA or UK and believe we are unlawfully processing your personal information, you have the right to complain to your Member State data protection authority or the UK data protection authority. If you are in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

Withdrawing your consent

If we are relying on your consent to process your personal information, you have the right to withdraw it at any time. This will not affect the lawfulness of processing before its withdrawal nor processing conducted on other lawful grounds.

Opting out of marketing

You can unsubscribe from our marketing communications at any time by clicking the unsubscribe link in our emails, replying STOP or UNSUBSCRIBE to SMS messages, or contacting us. You will be removed from marketing lists, though we may still send service-related messages necessary for the administration of your account.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Information sharing to subcontractors in support services, such as customer service, is permitted. All other use case categories exclude text messaging originator opt-in data and consent.

Cookies and similar technologies

Most web browsers are set to accept cookies by default. You can set your browser to remove or reject cookies, though this could affect certain features of our Services. You may also opt out of interest-based advertising by advertisers on our Services.

11. Controls for Do-Not-Track features

Most web browsers and some mobile operating systems include a Do-Not-Track (DNT) feature you can activate to signal your preference not to have data about your online browsing activities monitored. No uniform technology standard for recognising and implementing DNT signals has been finalised. As such, we do not currently respond to DNT browser signals. If a standard is adopted that we must follow in the future, we will inform you in a revised version of this Privacy Notice.

California law requires us to let you know how we respond to web browser DNT signals. Because there currently is no industry or legal standard for recognising or honouring DNT signals, we do not respond to them at this time.

12. United States residents and specific privacy rights

In short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have rights to access, correct, or delete personal information we hold about you, and to withdraw consent.

Categories of personal information we collect

We have collected the following categories of personal information in the past twelve months:

Category	Examples	Collected
A. Identifiers	Real name, postal address, phone, IP address, email, account name	Yes
B. California Customer Records statute information	Name, contact information, employment, financial information	Yes
C. Protected classification characteristics	Gender, age, date of birth, race, national origin, marital status	No
D. Commercial information	Transaction information, purchase history, payment information	Yes
E. Biometric information	Fingerprints and voiceprints	No
F. Internet activity	Browsing history, search history, interaction with our website	Yes
G. Geolocation data	Device location	Yes
H. Audio, electronic, sensory information	Images and audio created during our business activities	No
I. Professional or employment information	Business contact details for B2B Services	Yes
J. Education information	Student records and directory information	No
K. Inferences drawn from collected personal information	Profile or summary about an individual’s preferences and characteristics	Yes
L. Sensitive personal information	Citizenship status, debit and credit card numbers, drivers’ licenses, financial information, national origin, passport numbers, precise geolocation, and state ID card numbers	Yes

We only collect sensitive personal information as defined by applicable privacy laws or with your consent. We do not collect or process sensitive personal information to infer characteristics about you.

How we use and share personal information

We have not sold or shared any personal information to third parties for a business or commercial purpose in the preceding twelve months. We have disclosed personal information to the categories of third parties listed in Section 4 for business or commercial purposes in the preceding twelve months.

Your rights

You have rights under certain US state data protection laws. These rights are not absolute, and in certain cases we may decline your request as permitted by law. They include:

• Right to know whether we are processing your personal data
• Right to access your personal data
• Right to correct inaccuracies in your personal data
• Right to request deletion of your personal data
• Right to obtain a copy of the personal data you previously shared with us
• Right to non-discrimination for exercising your rights
• Right to opt out of processing your personal data for targeted advertising (or sharing as defined under California’s privacy law), the sale of personal data, or profiling that produces legal or similarly significant effects

Depending on your state, you may also have rights to access the categories of personal data being processed (Minnesota); to obtain a list of categories of third parties to whom we have disclosed personal data (California, Delaware, and Maryland); to obtain a list of specific third parties to whom we have disclosed personal data (Minnesota and Oregon); to review, understand, question, and correct how personal data has been profiled (Minnesota); to limit use and disclosure of sensitive personal data (California); and to opt out of the collection of sensitive data and personal data collected through voice or facial recognition features (Florida).

How to exercise your rights

To exercise these rights, contact us by emailing chadd@bellavacations.com or by submitting a data subject access request.

Under certain US state data protection laws, you can designate an authorised agent to make a request on your behalf. We may deny a request from an authorised agent that does not submit proof of valid authorisation.

Request verification

Upon receiving your request, we will need to verify your identity to ensure you are the same person about whom we have information. We will only use personal information provided in your request to verify your identity or authority to make the request. If we cannot verify your identity from information already on file, we may request additional information for verification and security purposes.

Appeals

Under certain US state data protection laws, if we decline to take action on your request, you may appeal our decision by emailing chadd@bellavacations.com. We will inform you in writing of any action taken or not taken, with a written explanation. If your appeal is denied, you may submit a complaint to your state attorney general.

California Shine The Light law

California Civil Code Section 1798.83, also known as the Shine The Light law, permits California residents to request and obtain from us, once a year and free of charge, information about categories of personal information disclosed to third parties for direct marketing purposes, and the names and addresses of those third parties. If you are a California resident and would like to make such a request, please write to us using the details in Section 15.

13. Other regions and specific privacy rights

In short: You may have additional rights based on the country you reside in.

Australia

We collect and process your personal information under the obligations and conditions set by Australia’s Privacy Act 1988. This Privacy Notice satisfies the notice requirements defined in the Privacy Act: what personal information we collect, from which sources, for which purposes, and other recipients of your personal information.

If you do not wish to provide the personal information necessary to fulfil the applicable purpose, this may affect our ability to provide our Services, in particular our ability to offer you the products and services you want and to respond to or help with your requests.

At any time, you have the right to request access to or correction of your personal information. You can make such a request by contacting us using the details in Section 16.

If you believe we are unlawfully processing your personal information, you have the right to complain about a breach of the Australian Privacy Principles to the Office of the Australian Information Commissioner.

14. Updates to this notice

In short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated date at the top of this Privacy Notice. If we make material changes, we may notify you either by prominently posting a notice on the site or by directly sending you a notification. We encourage you to review this Privacy Notice frequently.

15. How to contact us

If you have questions or comments about this notice, you may email us at chadd@bellavacations.com or write to us by post:

Jack Vance Inc. dba Bella Vacations
Pittsburgh, Pennsylvania
United States

16. Review, update, or delete your information

Based on the applicable laws of your country or state of residence, you may have the right to request access to the personal information we collect from you, details about how we have processed it, to correct inaccuracies, or to delete your personal information. You may also have the right to withdraw your consent to our processing.

These rights may be limited in some circumstances by applicable law. To request to review, update, or delete your personal information, please submit a data subject access request or email chadd@bellavacations.com.