Legal Information

Privacy Policy

Effective Date: March 24, 2021
Last Updated: March 24, 2021

This EU/UK Privacy Notice explains how Vera Bradley Designs, Inc. (“Vera Bradley”) processes personal data that may be subject to the General Data Protection Regulation (“GDPR”). With respect to the personal data processing activities described in this Notice, Vera Bradley (“we,” “our,” “us”) acts as the data controller (the entity that determines the purposes and means of the data processing). This Notice also describes your rights and choices relevant to our processing of your personal data.

You may contact us for additional information about our data practices using the contact information at the bottom of this Notice.

PERSONAL DATA COLLECTION

Data You Provide to Us

Vera Bradley may collect personal data directly from you, for example, when you create an account on our website, make a purchase, use our contact form, or otherwise communicate directly with us. This personal data may include your name, billing address, shipping address, email address, phone number, and other purchasing information.

Automatically Collected Data

Vera Bradley uses various tools and technologies, such as cookies, web beacons, and web server logs, to collect data automatically when you visit our website or use our online services. This data may include IP addresses, device identifiers, referring URLs, time and length of visits, and pages viewed. For additional information regarding our use of these online tools and technologies, including your ability to opt out, please see our online privacy policy.

PERSONAL DATA PROCESSING

We may process your personal data to:

  • Communicate with you, transact with you, service your account, process your orders, and provide customer service
  • Provide you with information regarding our products and services
  • Facilitate, monitor, manage, analyze, and improve our services
  • Conduct research and analysis
  • Prevent and address fraud or other unlawful activity, breaches of our policies or terms, and threats or harm
  • Ensure the security and integrity of the personal data we process
  • Comply with applicable legal requirements

These personal data processing activities are carried out pursuant to the following legal bases:

  • The processing is necessary for us to provide you with the services and products you request, including pursuant to a contract we have with you or to respond to your inquiries regarding those services and products.
  • We have a legitimate interest in processing your personal data. For example, we have a legitimate interest in processing personal data for the following purposes:
    • Analyzing and improving safety and security, including by implementing and enhancing security measures
    • Maintaining and improving our products and services
    • Providing you with certain tailored communications, including developing and promoting our business
  • We have a legal obligation to process your personal data, such as to comply with applicable laws and other government regulations or to comply with a court order, binding law enforcement request, or other legal processes.
  • We have obtained your consent with respect to the processing of your personal data. When you consent to such processing, you can withdraw your consent at any time.

DISCLOSURE OF PERSONAL DATA

We may share personal data in the following ways:

  • Certain personal data may be shared (subject to contractual obligations) with our vendors and other service providers who perform necessary functions to facilitate our operations. For example, we may use third parties for cloud hosting services and document storage, and to help us provide customer support.
  • In some circumstances, we must share your personal data to comply with a legal obligation. For example, we may disclose your personal data to respond to a court order or other legal process, to establish or exercise our legal rights, to protect and defend our or others’ rights or property, or to prevent fraud or abuse.
    • Please note that in certain situations we may be obligated to disclose personal data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements in the United States or another country.
  • With our affiliates or business partners as reasonably necessary or desirable, such as to help provide services to you or analyze and improve our website.
  • In the event of a business transaction, including negotiations of such a transaction (for example, the sale, reorganization, assignment, liquidation, merger, or other transfer of all or a portion of Vera Bradley’s business to another business entity).

INTERNATIONAL DATA TRANSFER

Under certain circumstances, personal data may be transferred to Vera Bradley in the United States or another country for processing. Please be aware that the data protection laws and regulations that apply to your personal data in other countries may differ from the laws in the EU and the UK.

Appropriate legal mechanisms and safeguards are applied to personal data transfers in accordance with applicable law. For further information about how your personal data is transferred out of the EU, please contact us by email at internationalcare@verabradley.com or by phone at +1-888-855-8372.

SECURITY

Vera Bradley employs physical, electronic, and organizational safeguards to protect the confidentiality and security of personal data we maintain.

Although we use reasonable measures to help protect your personal data, including against unauthorized use or disclosure, we cannot guarantee the security of information provided over the Internet or stored in our databases. For example, encryption of certain personal data submitted through our website, including credit card numbers, helps prevent unauthorized access to such data as it is transmitted over the Internet. Nevertheless, transmission via the Internet and online digital storage are not completely secure, so we cannot guarantee the security of your personal data.

DATA RETENTION

We will store your personal data for no longer than is necessary for the performance of our obligations or to achieve the purposes for which the information was collected, or as may be permitted under applicable law. To determine the appropriate retention period, we will consider the amount, nature, and sensitivity of the data; the potential risk of harm from unauthorized use or disclosure of the data; the purposes for which we process the data and whether we can achieve those purposes through other means; and the applicable legal requirements. Unless otherwise required by applicable law, at the end of the retention period we will remove personal data from our systems and records or take appropriate steps to anonymize it properly.

YOUR RIGHTS AND CHOICES

EU and UK data subjects have certain rights with respect to their personal data. Subject to certain conditions, you may make the following types of requests:

  • Access. You may request that we provide you with information about our processing of your personal data and give you access to your personal data.
  • Correction. You may request that we update or correct personal data about you that is inaccurate or incomplete.
  • Deletion. You may request that we delete your personal data.
  • Objection. You may object to our reliance on our legitimate interests as the basis for processing of your personal data.
  • Restriction. You may request that we restrict the processing of your personal data.
  • Transfer. You may request that we transfer a machine-readable copy of personal data you have given us to you or to a third party of your choice.

You also may request at any time that we stop sending you direct marketing communications. We may continue to send you communications related to your transactions with Vera Bradley and other non-marketing communications.

You can submit these requests by clicking here, by email to internationalcare@verabradley.com, or by phone at +1-888-855-8372. We will respond to your request within a reasonable timeframe. We may request specific information from you to help us confirm your identity prior to processing your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions.

You also have the right to lodge a complaint with your data protection supervisory authority. You can find information about your data protection regulator here.

UPDATES TO THIS NOTICE

This Privacy Notice may be revised from time to time as we add new features and services, as laws change, and as industry privacy and security best practices evolve. We display an effective date on the policy in the upper right corner of this Notice so that it will be easier for you to know when there have been material changes. Your continued interaction with Vera Bradley following the posting of changes to the Notice will mean that you accept those changes.

CONTACT US

If you have questions about this Notice or about exercising your data protection rights under the GDPR, please contact us by email to internationalcare@verabradley.com or by phone at +1-888-855-8372.

To contact our GDPR Representative, you may write to:

Osano International Compliance Services Limited
ATTN: M7J8
25/28 North Wall Quay
Dublin 1, DO1 H104
Ireland