Privacy Policy
1. Who we are
Bella is a software platform operated by SBPM LLC, a Louisiana limited liability company. We provide a salon operating system used by salon operators to run their businesses — AI voice receptionist, SMS automation, payroll, marketing, color formulation, and analytics.
This policy explains what data we handle, how we handle it, and what rights you have over it. It applies to bella.salon, app.bella.salon, api.bella.salon, and any other service we operate under the Bella brand.
2. What we collect
We collect three categories of data:
a. Customer (salon operator) data
When a salon signs up for Bella, we collect business name, owner name, email, phone, billing address, the locations they operate, and the integrations they connect (Zenoti, QuickBooks, Google Ads, Google Business Profile). Payment details are handled by our payment processor (Stripe) and we never see or store full card numbers.
b. End-guest data (data the salon brings into Bella)
Salons import their own guest lists into Bella to operate marketing, booking, and review workflows. This includes guest name, phone number, email address, visit history, and stylist preferences. Bella does not own this data. The salon is the data controller; Bella is a data processor acting on the salon’s instructions under our Data Processing Agreement.
c. Operational telemetry
Standard web logs (IP, user agent, request paths, timestamps), product usage events, audit logs of user actions, and error/crash reports. This is used to keep the service running, detect abuse, and debug issues.
d. Ad-attribution cookies
When you click a Google, Microsoft, or Meta advertisement linking to bella.salon or to a Bella-hosted salon, we set a first-party cookie named _bella_click (90 days, SameSite=Lax, Secure on HTTPS). The cookie contains: a random surrogate identifier (UUID), the timestamp of the click, and optionally a hashed reference to the salon you clicked. No personal information is stored in the cookie. A second cookie named _bella_sess holds a random session identifier to deduplicate repeat clicks within a 30-minute window. These cookies exist solely to measure which advertisements produced a booking; they are not used for cross-site tracking, are never shared with third parties, and are read only by Bella’s own attribution endpoints. You can clear them at any time via your browser settings. We comply with state-level opt-out signals (Global Privacy Control) where required.
3. How we use your data
- To deliver the service. Reading your guest data and writing back to your POS to run the workflows you enabled.
- To bill you. Processing subscription charges through Stripe and emailing receipts.
- To support you. Reading your account when you contact support, only with your permission and only as needed to resolve your ticket.
- To improve the platform. Aggregated, de-identified usage analytics. We never train AI models on your data or your guests’ data.
- To detect abuse. Rate limiting, fraud detection, and incident response.
We do not sell your data. We do not share it with advertisers. We do not use it to train external AI models. Your guest list is yours.
4. Subprocessors
Bella uses a small number of vetted subprocessors to deliver the service. Each is reviewed for security posture before onboarding and on an annual cadence thereafter. The authoritative current list, with purpose, data categories, and region for each subprocessor, is maintained at /policy/subprocessors.html. Material changes to that list are reflected there and, where contractually required, notified to affected tenants directly.
Bank account data via Plaid
When a tenant connects a bank or credit card account, Bella uses Plaid Inc. (plaid.com/legal) as the financial-data network. Plaid collects information from the financial institution on the tenant's behalf, including: account display names, account types, transaction history, and account balances. Plaid handles the connection to the bank directly; Bella never sees or stores the tenant's online banking username or password. Bella does not enable Plaid Auth (the product that exposes full account and routing numbers); routing numbers are not transmitted to Bella under the current product configuration.
What Bella does with the data Plaid returns:
- Stores transactions in the tenant's database for classification, reconciliation, and proposal of QuickBooks entries (only after the tenant approves each proposed entry).
- Stores Plaid access tokens encrypted at rest. Tokens are never logged or returned over the wire.
- Does not sell, share, or use Plaid-sourced financial data for advertising or for any purpose other than running the bookkeeping automation the tenant signed up for.
How to revoke: the tenant opens Settings → Integrations and clicks Disconnect on any connected bank link. Bella immediately stops syncing, cancels any pending proposed entries, and instructs Plaid to remove the access token. Bella commits to deleting the ingested Plaid transaction data from primary storage within 30 days of disconnect; the automated deletion path is being landed alongside the broader offboarding pipeline. Backups age out per the Data Retention & Disposal Policy. Past entries already posted to QuickBooks remain in the tenant's books and can be reversed only by the tenant or their accountant inside QuickBooks itself.
Plaid's own privacy practices are governed by their end-user privacy policy at plaid.com/legal/end-user-privacy-policy. By connecting a bank through Plaid, the tenant also accepts Plaid's terms.
5. Data ownership and deletion
Your data is yours. If you cancel, you can request a full export within 30 days at no charge. Exports include a CSV of every guest record, a JSON of every workflow configuration, and a PDF of every TCPA consent record we hold for your guests. After 30 days post-cancellation, operational and customer data is deleted from primary storage on the schedule in our Data Retention & Disposal Policy, subject to the exceptions documented there (audit and provenance records retained for regulatory traceability, financial source documents retained for tax recordkeeping, TCPA consent records, legal hold, and obligations imposed by applicable law). Backups age out per the backup retention schedule.
You can also request deletion of any individual guest record at any time via your dashboard or by emailing [email protected] — we honor it within 30 days, with confirmation.
6. Security
Data is encrypted in transit and at rest. Multi-tenant isolation is enforced through request-scope middleware on every authenticated route, plus database-trigger invariants on financial-write paths. Access is governed by role-based access controls, and audit logs are append-only. A SOC 2 readiness program is active, with a Type I readiness target within 12 months. Interim policy documentation and control evidence are available under NDA. See the Trust Center and Security Overview for full detail.
7. Your rights
Depending on where you live, you may have rights under GDPR, CCPA, or similar laws to access, correct, export, or delete your data. To exercise any of these, email [email protected] from the email address on your account. We respond within 30 days.
For end-guest data (data the salon brings to Bella), please contact the salon directly — they are the data controller. If they refer you to us, we will help facilitate.
8. How to reach us
SBPM LLC (operating Bella)
1597 Gause Blvd, Suite E
Slidell, LA 70458
Phone: (985) 542-1222
Privacy email: [email protected]
General contact: /contact