Privacy Policy

Schedra (“we,” “our,” or “us”) provides scheduling, customer relationship, and team management software for service businesses (the “Service”). This Privacy Policy explains what information we collect, how we use it, and the choices you have about your data when you use schedra.ai or any related products.

By creating an account or using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service.

We collect the following categories of information:

2.1 Account information

• Email address and a hashed password
• Business name, phone number, and address (when provided)
• Account type and subscription status (managed via our payment processor)

2.2 Customer and booking data

• Information entered by you (the business operator) about your customers, including names, contact details, notes, and appointment history
• Information your end customers submit when booking appointments through your booking page (typically name, email, phone, and any custom fields you configure)
• Financial line items, pricing, and revenue records you record per job

2.3 Integration tokens

• When you connect Google Calendar, we store the OAuth access and refresh tokens issued by Google so we can read busy times and create calendar events on your behalf
• When you connect Stripe, we store a Stripe customer ID and subscription ID. We do not store payment card details — those are handled directly by Stripe

2.4 AI / LLM usage

• Conversation messages you send to our built-in AI assistant (powered by Anthropic Claude). We log token usage for billing and quota purposes
• We do not use your AI conversations to train any model. Anthropic's data handling for our API usage is described in their privacy policy

2.5 Technical data

• IP addresses (for rate limiting and abuse prevention)
• Browser session cookies (for authentication only)
• Standard server logs (request paths, status codes, timestamps)

We use the information we collect to:

• Provide and operate the Service, including authentication, scheduling, and notifications
• Send transactional emails (appointment confirmations, password resets, account verification, billing receipts)
• Sync events to your connected calendar when you enable that integration
• Process payments and manage your subscription
• Power AI features you explicitly invoke
• Detect and prevent abuse, spam, and security incidents
• Improve the Service through aggregate usage analytics (no personally identifying data is shared with third parties for analytics)

We do not sell personal information, and we do not share it with advertising networks.

We share information only with the service providers we need to operate the platform. Each is bound by an agreement that limits what they may do with your data.

• Resend — sends transactional and notification emails on our behalf
• Stripe — processes subscription payments
• Anthropic — provides the AI model that powers the AI assistant feature
• Google — only when you explicitly connect Google Calendar; we exchange events and read busy times via the Google Calendar API
• DigitalOcean — hosts our servers and stores application data (encrypted at rest)

We may also disclose information if required by law (subpoena, court order) or to protect the rights, property, or safety of Schedra, our users, or others.

Schedra's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Schedra:

• Requests the Google Calendar scope (https://www.googleapis.com/auth/calendar) to read busy times via the freebusy API and create, update, and delete calendar events on the user's primary calendar when a booking is made through Schedra
• Allows Limited Use of data to providing or improving user-facing features that are prominent from Schedra's user interface
• Allows transferring data to others only if necessary to provide or improve user-facing features that are prominent from Schedra's user interface, comply with applicable laws, or as part of a merger, acquisition, or sale of assets
• Prohibits use of Google user data for serving advertisements
• Prohibits allowing humans to read Google user data unless we have obtained the user's affirmative agreement to view specific messages or events, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for our internal operations when the data have been aggregated and anonymized

You can revoke Schedra's access to your Google account at any time through the disconnect button in Settings → Calendar, or via your Google Account permissions page. When you disconnect, Schedra immediately deletes the stored OAuth tokens. Calendar event IDs that we created on your behalf remain associated with the corresponding Schedra bookings for your records but cannot be used to access your Google account.

We retain account and customer data for as long as your account is active. When you delete your account, we delete or anonymize your data within 30 days, except where we are required to retain certain records (for example, billing records for tax purposes).

You may request deletion of specific records (such as a customer you no longer work with) at any time through the application interface or by contacting [email protected].

We protect your data with industry-standard measures: HTTPS for all network traffic, password hashing with bcrypt, OAuth tokens stored on encrypted volumes, isolated tenant database schemas, and rate limiting on authentication endpoints. No method of transmission or storage is perfectly secure, but we work hard to minimize risk.

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your data (subject to legal retention requirements)
• Export a copy of your data in a portable format
• Object to or restrict certain processing

Exercise these rights by emailing [email protected]. We will respond within 30 days.

Schedra is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us so we can delete it.

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy here and update the “Last updated” date. For significant changes, we will notify account holders by email.

Questions about this policy or your data?
Email: [email protected]