1. Privacy Policy Last updated: [Month Day, Year]

Bella Puglia Tours LLC (“Bella Puglia Tours,” “we,” “our,” “us”) respects your privacy. This Privacy Policy explains what personal information we collect, how we use it, how we share it, and your rights. It applies to our website, communications, and travel services.

Who We Are and Contact

• Controller: Bella Puglia Tours LLC

• Address: [Insert business address]

• Email: privacy@bellapugliatours.com

• Phone: [Insert phone]

• EU/UK representative (if applicable): [Insert rep company/name, address, email]

• Data Protection Officer (if appointed): [Insert or “Not applicable”]

Information We Collect

• You provide: name, email, phone, address, company (for groups), travel dates, preferences, passport names, dietary needs, accessibility/mobility considerations, special occasions, communications, feedback/testimonials.

• Payment data: processed by PCI-DSS compliant providers (e.g., Stripe/PayPal). We do not store full card numbers.

• Automatically collected: IP address, device/browser type, pages viewed, time on site, referring URLs, approximate location, cookie identifiers.

• From third parties: social/ad platforms, analytics partners, travel partners (hotels, drivers, guides), referrers.

How We Use Information

• Service delivery: design itineraries; coordinate with suppliers; manage bookings, payments, support.

• Personalization: dining, accessibility, celebrations, preferences.

• Communication: proposals, confirmations, updates, operational alerts, surveys.

• Marketing: newsletters, offers, retargeting (with consent where required).

• Security/compliance: fraud prevention, legal and tax obligations.

• Analytics/improvement: site performance, service optimization.

Legal Bases (GDPR/UK GDPR)

• Contract: to provide requested services.

• Legitimate interests: improve services, secure systems, limited marketing to existing clients.

• Consent: marketing to non-clients; cookies requiring consent; processing sensitive data (e.g., allergies) to protect vital interests and deliver requested accommodations.

• Legal obligation: tax, accounting, regulatory requirements.

Sensitive Information (Health/Dietary)

• Processed only when necessary and with your consent; shared strictly on a need-to-know basis with relevant suppliers.

How We Share Information

• Processors: payment providers, CRM/itinerary tools, email/SMS, analytics/ads, e-signature, cloud hosting—bound by contracts and confidentiality.

• Independent partners (controllers): accommodations, transport, guides, chefs, wineries, venues—only what’s necessary to deliver your services.

• Legal/business: to comply with law, protect rights/safety, or in M&A transactions.

• We do not sell personal information.

International Transfers

• We operate in the US and work with partners in Italy and elsewhere. For EEA/UK data, we use Standard Contractual Clauses and require appropriate safeguards.

Data Retention

• Client/booking records: up to 7 years after your trip, then deleted or anonymized.

• Marketing contacts: until you unsubscribe or 24 months of inactivity.

• Cookie/analytics data: per vendor defaults or until you delete cookies.

Your Choices and Rights

• Unsubscribe via email footer or contact us.

• Manage cookies via our Cookie Banner and browser settings.

• Subject to law, you may request access, correction, deletion, restriction, portability, or object to processing; withdraw consent at any time.

• How to exercise rights: privacy@bellapugliatours.com (we may verify identity).

• EU/UK: contact your data protection authority. California: see CCPA notice.

Security

• Encryption in transit/at rest, role-based access, MFA, least-privilege, vendor due diligence. No method is 100% secure; we continually improve.

Children’s Privacy

• Not directed to children under 16. We do not knowingly collect data from children under 16 without parental consent. Contact us to remove such data.

California Privacy Notice (CCPA/CPRA)

• Categories: identifiers, customer records, commercial data, internet activity, geolocation (approx), inferences, sensitive information (dietary/health with consent).

• Purposes and sharing: as above; processors and partners only. We do not sell personal information. We may “share” for cross-context behavioral ads; opt out via Cookie Banner or email.

• Rights: know/access, delete, correct, opt-out of sale/sharing, limit use of sensitive information, non-discrimination. Submit requests at privacy@bellapugliatours.com.

Third-Party Links

• External sites are governed by their own policies.

Changes

• We may update this Policy; the latest version will be posted with an updated date. Material changes will be highlighted on-site or emailed when appropriate.

Contact

• Email: privacy@bellapugliatours.com

• Address: [Insert business address]

1. Cookie Policy Last updated: [Month Day, Year]

This Cookie Policy explains how Bella Puglia Tours uses cookies and similar technologies on our website.

What Are Cookies?

• Small files placed on your device to enable site functionality, analytics, personalization, and advertising.

Types of Cookies We Use

• Essential: enable basic functions like page navigation, security, and form submission. These cannot be switched off.

• Analytics/Performance: help us understand site usage to improve performance.

• Functionality: remember choices (language, region).

• Advertising/Targeting: deliver relevant ads and measure effectiveness.

Your Choices

• Use our Cookie Banner to accept/reject non-essential cookies.

• Adjust browser settings to block/clear cookies. Blocking some cookies may impact site functionality.

• Opt out of interest-based ads via platform settings and:

  • https://optout.aboutads.info

  • https://youradchoices.com

  • https://youronlinechoices.eu

Cookie Table (example template – update with your actual vendors)

• Essential

  • Cookie: __cf_bm (Cloudflare) — Purpose: bot management — Duration: 30 mins

  • Cookie: session_id (Site) — Purpose: maintain session — Duration: session

• Analytics

  • Cookie: _ga (Google Analytics) — Purpose: analytics — Duration: 2 years

  • Cookie: _gid (Google Analytics) — Purpose: analytics — Duration: 24 hours

• Advertising

  • Cookie: _fbp (Meta) — Purpose: ad targeting/measurement — Duration: 3 months

  • Cookie: IDE (Google Ads) — Purpose: ad delivery — Duration: 13 months (EU), 24 months (elsewhere)

Other Technologies

• Pixels, SDKs, and local storage used for analytics and advertising.

Updates

• We may revise this Cookie Policy; see “Last updated” date.

Contact

• privacy@bellapugliatours.com

1. Data Processing Addendum (Controller–Processor) Last updated: [Month Day, Year]

This Data Processing Addendum (“DPA”) forms part of any agreement between Bella Puglia Tours LLC (“Controller”) and the undersigned vendor (“Processor”) that processes Personal Data on Controller’s behalf.

1. Definitions

• “Personal Data,” “Processing,” “Controller,” “Processor,” “Data Subject,” and “Supervisory Authority” have meanings under GDPR/UK GDPR.

• “Applicable Data Protection Laws” means GDPR/UK GDPR, CCPA/CPRA (to the extent applicable), and other relevant laws.

1. Scope

• Processor will process Personal Data solely to provide the services described in the underlying agreement and this DPA, following Controller’s documented instructions.

1. Controller Responsibilities

• Controller ensures it has a lawful basis and provides required notices to Data Subjects.

1. Processor Obligations

• Process only on documented instructions from Controller.

• Confidentiality: ensure personnel confidentiality and limit access to those who need it.

• Security: implement appropriate technical/organizational measures (encryption, access controls, MFA, backups, secure development).

• Subprocessors: not engage any subprocessor without prior written authorization from Controller; maintain a current list; impose equivalent obligations; remain fully liable.

• Data Subject Requests: assist Controller in responding to access, correction, deletion, restriction, portability, and objection requests.

• Incident Response: notify Controller without undue delay (no later than 48 hours) after becoming aware of a Personal Data Breach; provide details and remediation steps.

• Assistance: assist with DPIAs and consultations with authorities where required.

• Deletion/Return: upon termination, delete or return Personal Data (at Controller’s choice) and delete existing copies, unless storage is required by law.

• Audits: make available information necessary to demonstrate compliance and allow audits by Controller or its auditor (with reasonable notice, confidentiality, and frequency limits).

1. International Transfers

• For EEA/UK Personal Data, Processor will use appropriate safeguards (e.g., EU/UK Standard Contractual Clauses). Where SCCs apply, they are incorporated by reference and completed as follows:

  • Module 2 (Controller to Processor).

  • Governing law: [Ireland/Netherlands] for EU; [England & Wales] for UK.

  • Annexes describe data categories and security measures.

1. Data Details (Annex I)

• Categories: client contact data, booking details, travel preferences, dietary/accessibility info (limited), communications.

• Data Subjects: clients, prospective clients, group participants.

• Duration: for the term of the agreement plus retention required by law.

• Processing: storage, transmission, organization, retrieval, disclosure to authorized recipients, deletion.

1. Security Measures (Annex II) – examples

• Encryption in transit/at rest; network segmentation; access control and MFA; logging/monitoring; vulnerability management; incident response plan; employee training; vendor risk management; regular backups and restoration testing.

1. Subprocessors (Annex III)

• List or link to current subprocessors (e.g., Stripe/PayPal, CRM, itinerary tool, email service, cloud hosting). Processor must maintain and notify of changes with an opportunity to object.

1. Priority

• If conflict arises, this DPA prevails over the underlying agreement with respect to data protection.

Signatures Controller: Bella Puglia Tours LLC Name/Title: [Insert] Date: [Insert] Processor: [Vendor legal name] Name/Title: [Insert] Date: [Insert]

1. Photo and Media Release Last updated: [Month Day, Year]

By participating in a Bella Puglia Tours experience, you may be photographed or filmed. This Release explains how we may use such content.

Grant of Rights

• You grant Bella Puglia Tours a worldwide, royalty-free, perpetual license to use, reproduce, display, distribute, edit, and create derivative works from photographs, video, and audio recordings featuring you (“Media”), for marketing and promotional purposes across websites, social media, advertising, PR, and print.

Consent and Opt-Out

• If you prefer not to appear in Media, notify your host or email privacy@bellapugliatours.com before or during your trip. We will use reasonable efforts to accommodate and avoid capturing identifiable images of you.

No Compensation

• You agree no compensation is due for such uses. This Release does not obligate us to use any Media.

Minor Participants

• For participants under 18, consent must be provided by a parent or legal guardian. We do not intentionally capture images of unaccompanied minors.

Privacy

• We will not identify you by full name without your additional consent.

Revocation

• You may revoke consent prospectively by emailing privacy@bellapugliatours.com; prior uses are unaffected.

Governing Law

• Commonwealth of Pennsylvania, USA; courts in Allegheny County have exclusive jurisdiction.

Signature (for contracts/events with formal consent) Participant Name: ____________________ Signature: ____________________ Date: _______ Parent/Guardian (if minor): ____________________

1. EU/UK Representative Appointment (Template) Last updated: [Month Day, Year]

Representative Appointment Bella Puglia Tours LLC (“Company”), a US-based entity without an establishment in the EEA/UK, appoints:

• EU Representative: [Company/Name, Address, Email]

• UK Representative: [Company/Name, Address, Email] to be its representative under Article 27 of the GDPR/UK GDPR for data subjects located in the EEA/UK.

Scope

• The Representative is authorized to be addressed by supervisory authorities and data subjects for issues related to processing of personal data and to maintain records of processing activities on behalf of the Company.

Responsibilities

• Maintain a record of processing activities (ROPA) provided by Company.

• Cooperate with supervisory authorities.

• Forward requests/complaints to Company without undue delay.

Term and Termination

• Effective on [Date] and continuing until terminated by either party with 30 days’ notice.

Accepted and agreed: Bella Puglia Tours LLC Name/Title: ____________________ Date: ______ EU Representative Name/Title: ____________________ Date: ______ UK Representative Name/Title: ____________________ Date: ______

1. Implementation Checklist

• Publish Privacy Policy and Cookie Policy; link in footer and all forms.

• Add Cookie Banner with granular controls (Accept All / Reject Non-Essential / Manage Preferences). Log consent.

• Update Google Analytics, Meta Pixel, and Ads settings to respect consent. Enable IP anonymization for GA where appropriate.

• Add “Do Not Sell/Share My Personal Information” link (CCPA) with an opt-out mechanism if using cross-context behavioral ads.

• Add data request form or simple instruction to email privacy@bellapugliatours.com.

• Update Terms & Conditions to link to the Privacy Policy and Cookie Policy.

• Vendor reviews: ensure contracts include DPAs (use the DPA above with your processors).

• If actively targeting EU/UK residents, appoint the EU/UK representative and list contact info in your Privacy Policy.