Schedlo

Privacy Policy

Last updated: 11th December 2025

1. Introduction

This Privacy Policy explains how Schedlo ("we", "us", "our") collects, uses, stores, and protects personal data in compliance with the UK GDPR.

We operate as a sole trader in the United Kingdom.

2. What Data We Collect

2.1 Business Users

  • Name
  • Email
  • Phone number
  • Business address
  • Worker details (names, emails, phone numbers)
  • Booking and appointment information
  • Payment amounts
  • User agent and device information

2.2 Client/Customer Data

Provided when booking through a business:

  • Name
  • Email
  • Phone number
  • Appointment details
  • Feedback (anonymous)

2.3 Automatically Collected Data

  • IP address
  • Device/browser information
  • User agent
  • Service logs

We currently do not use cookies or analytics tracking.

3. How We Use the Data

We process data to:

  • Enable bookings and business management
  • Provide dashboards to workers and admins
  • Process subscription payments (via Stripe)
  • Send essential service emails (via Resend)
  • Improve security, debugging, and performance
  • Comply with legal obligations

We do not use personal data for marketing.

4. Lawful Bases for Processing

Under UK GDPR, we rely on:

  • Contract — processing needed to deliver the Service.
  • Legitimate Interests — security, logging, analytics, improvements.
  • Legal Obligation — financial/transaction data required by law.

5. Data Retention

  • Client personal data (name, email, phone) is deleted after one week from the appointment being completed, unless required longer by law.
  • Business account and booking metadata is kept while the subscription is active.
  • We may retain minimal information if required for legal, tax, or anti-fraud reasons.

6. Sharing Data with Third Parties

We only share data with service providers essential to delivering Schedlo:

  • Supabase — authentication, database, storage
  • AWS — hosting and infrastructure
  • Stripe — subscription payments
  • Resend — essential emails

These partners process data on our behalf under secure agreements.

We do not sell or rent personal data to any third parties.

7. International Transfers

All core services are hosted in UK regions where possible. Some service providers (e.g., Stripe) may process data internationally under approved safeguards such as Standard Contractual Clauses.

8. Security Measures

We take security seriously and use:

  • Role-based access controls
  • Database row-level security
  • Rate limiting and IP protection
  • Encrypted storage (where applicable)
  • Encrypted communication (HTTPS/TLS)

No system is 100% secure, but we follow industry best practices.

9. Client and Business Rights

You have the right to:

  • Access your data
  • Correct inaccurate data
  • Request deletion (where applicable)
  • Object to processing
  • Restrict processing
  • Port your data

Requests can be made via: ryan.lee.kai.la@schedlo.org

10. Business Responsibility

Businesses using Schedlo are controllers of their clients' booking data. Schedlo is the processor. Businesses must comply with data protection laws when handling customer data.

11. Age Restrictions

There are currently no age restrictions for client bookings. Businesses remain responsible for complying with laws around under-18 customers.

12. Changes to This Policy

We may update this Privacy Policy periodically. We will notify businesses of material changes by email or through the dashboard.

13. Contact

For privacy concerns or data requests: ryan.lee.kai.la@schedlo.org