1. Introduction
Welcome to SchedBlitz. We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our appointment booking platform.
This policy applies to all users of our platform, including business owners, staff members, and clients booking appointments.
2. Data Controller Information
Company Name: SchedBlitz
Contact Email: privacy@schedblitz.com
For questions about data protection or to exercise your rights, please contact us at the email address above.
3. Personal Data We Collect
We collect the following categories of personal data:
User Account Data
- Email address
- Full name
- Password (stored only as a cryptographic hash)
- Account preferences and settings
Business Information
- Business name and category
- Business subdomain
- Operating hours and contact details
- Booking policies and settings
- Business branding (logo, colors, custom content)
Staff Profile Data
- Name, email, and phone number
- Profile image
- Service specializations
- Availability schedules
- Time-off requests
Appointment Data
- Client name, email, and phone number
- Appointment date, time, and service details
- Appointment status and notes
- Cancellation and rescheduling history
Payment Information
- Transaction data (amount, status, method)
- Stripe payment credentials (encrypted)
- Payment history and records
Technical Data
- IP addresses (used for rate limiting and security)
- Session data and authentication tokens
- Browser and device information
- Usage analytics and error logs
4. Purposes of Processing
We process your personal data for the following purposes:
- Account Creation and Authentication: To create and manage your user account, verify your identity, and provide secure access to the platform.
- Service Provision: To enable appointment booking, scheduling, calendar management, and other platform features.
- Payment Processing: To process payments for appointments and subscriptions via Stripe.
- Email and SMS Notifications: To send appointment confirmations, reminders, cancellation notices, and other transactional communications.
- Business Analytics: To provide business owners with insights into appointments, revenue, and customer trends.
- Service Improvement: To analyze platform usage, identify issues, and improve our services.
- Legal Compliance: To maintain tax records, comply with financial reporting requirements, and fulfill other legal obligations.
- Security and Fraud Prevention: To protect against unauthorized access, detect fraudulent activity, and ensure platform security.
5. Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide our services under the Terms of Service you agreed to.
- Consent: For marketing communications and optional features, where you have provided explicit consent.
- Legal Obligation: To comply with tax laws, financial reporting requirements, and other legal duties.
- Legitimate Interests: For fraud prevention, service improvement, and business analytics, where our interests are balanced against your privacy rights.
6. Data Retention Periods
We retain personal data for the following periods:
- User Accounts: Retained until account deletion is requested or after 3 years of account inactivity.
- Appointment Records: Retained for 7 years, with personal identifiers anonymized after appointment completion.
- Payment Records: Retained for 7 years to comply with tax and financial record-keeping requirements.
- Email Verification Tokens: Automatically deleted after 24 hours.
- Password Reset Tokens: Automatically deleted after 1 hour.
- Audit Logs: Retained for 3-7 years depending on compliance requirements.
After the retention period expires, personal data is either permanently deleted or anonymized such that it can no longer be attributed to you.
7. Third-Party Data Processors
We use the following third-party services to provide our platform. All processors are GDPR-compliant and have appropriate data protection safeguards in place:
- Neon: PostgreSQL database hosting services.
- BetterAuth: Authentication services.
- Vercel Blob: File storage services.
- Stripe: Payment processing for appointments and subscriptions.
- Resend: Transactional email delivery for appointment notifications.
- SMS Works: SMS notifications for appointment reminders.
- Upstash: Rate limiting services (processes IP addresses only).
These processors only access personal data necessary to perform their specific functions and are contractually obligated to protect your data.
8. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right to Access: You can export all your personal data via the account settings page. This provides a complete JSON file of all data we hold about you.
- Right to Rectification: You can update your personal information at any time through your account settings.
- Right to Erasure ("Right to be Forgotten"): You can delete your account via account settings. This permanently removes your personal data, subject to legal retention requirements.
- Right to Data Portability: You can download your data in a machine-readable JSON format.
- Right to Object: You can object to certain types of processing by managing your consent preferences in account settings.
- Right to Restrict Processing: You can contact us to request restrictions on how we process your data.
- Right to Withdraw Consent: You can toggle consent switches in your account settings at any time.
- Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.
To exercise any of these rights, visit your account settings or contact us at privacy@schedblitz.com.
9. Data Security
We implement robust security measures to protect your personal data:
- Encryption: Data is encrypted in transit using TLS/SSL and at rest in our databases.
- Password Security: Passwords are hashed using bcrypt before storage. We never store plain-text passwords.
- Payment Credentials: Stripe payment credentials are encrypted using AES-256-GCM before storage.
- Access Controls: Strict authentication and authorization controls limit access to personal data.
- Regular Audits: We conduct regular security audits and vulnerability assessments.
While we implement industry-standard security practices, no system is completely secure. We encourage you to use strong, unique passwords and enable additional security features where available.
10. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. When we transfer data internationally:
- We store data in EU/UK regions where possible to minimize international transfers.
- We use standard contractual clauses approved by the European Commission with third-party processors.
- We ensure adequate safeguards are in place to protect your data in accordance with GDPR requirements.
11. Cookies and Tracking
Our use of cookies is minimal and focused on essential functionality:
- Session Cookies: We use session cookies for authentication and to maintain your logged-in state.
- No Third-Party Advertising: We do not use third-party advertising cookies or tracking pixels.
- Essential Only: All cookies we use are essential for the platform to function properly.
12. Children's Privacy
Our service is not intended for users under the age of 16. We do not knowingly collect personal information from children under 16. If you are under 16, you must have parental or guardian consent to use our platform.
If we become aware that we have collected personal data from a child under 16 without proper consent, we will take steps to delete that information.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes:
- We will update the version number and last updated date at the top of this page.
- We will notify you via email if the changes materially affect your rights.
- Your continued use of the platform after changes are posted constitutes acceptance of the updated policy.
We recommend reviewing this policy periodically to stay informed about how we protect your data.
14. Contact Us
If you have questions about this Privacy Policy or how we handle your personal data, please contact us at privacy@schedblitz.com.
We are committed to resolving any concerns you may have about your privacy and data protection.