Privacy Policy

Schedula acts as a controller for direct manager signups, account-security data, billing, and product communications. For staff scheduling, ratings, swap workflows, and other data processed under tenant instructions, Schedula acts as a processor on behalf of the tenant (the operator who owns the account). Employment records ultimately remain under the tenant's control.

We process the following categories of personal data:

• Account identity — name, email, role, profile photo.
• Authentication data — hashed passwords, OAuth identifiers (Google/Apple), session tokens, login attempts, account-lockout events.
• Contact information — phone number, WhatsApp number, push notification tokens.
• Scheduling data — shift assignments, availability, time-off requests, swap history.
• Performance data — customer ratings, badges, levels, action plan items, burnout-risk signals.
• Technical metadata — IP address, user agent, device identifiers, audit log entries.
• Billing data — handled by Stripe; we receive only minimal billing identifiers.

We process personal data to: (a) operate the platform under our contract with the tenant; (b) authenticate and secure accounts; (c) generate compliant schedules; (d) deliver shift, swap, and burnout notifications; (e) provide customer support; (f) meet legal and regulatory obligations; (g) detect and prevent fraud or abuse; and (h) improve the service. We rely on contract, legal obligation, legitimate interest, or — where required — explicit consent as the lawful basis for each purpose.

Audit logs are retained for 365 days by default, configurable per tenant. Login attempts are retained for 90 days. Customer ratings are retained for 24 months. Active account data is retained for the lifetime of the account. After account deletion or tenant deletion, a 30-day grace window applies before irreversible erasure or anonymisation.

We share data only with the sub-processors listed on our Sub-processors page, each under a written DPA. We do not sell personal data. We may disclose data when required by law or when necessary to investigate fraud, abuse, or imminent harm.

Schedula is hosted in the EU. Some sub-processors operate outside the EU/EEA. Where transfers occur, we rely on Standard Contractual Clauses or an adequacy decision. Details are listed on the Sub-processors page.

Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, plus the right to withdraw consent and to lodge a complaint with your supervisory authority. See the GDPR Rights page for tooling and contact details.

We use Argon2 password hashing, JWT-based sessions, encrypted secrets, account lockout, audit logging, and rate limiting. Field-level encryption at rest is being rolled out per Phase 3 of our security roadmap.

We will notify account owners of material changes by email and via in-app notice at least 30 days before they take effect. Each version is identified by a version number and effective date displayed at the top of this page.

Questions, requests, or complaints can be sent to dpo@schedula.com. Postal address and supervisory-authority details will be added once finalised by counsel.