1. Information We Collect
We collect information to provide, maintain, and improve the Schedulify scheduling experience. The categories of information we collect include:
1.1 Information You Provide Directly
- Account information: First name, last name, email address, and password provided during account registration. Accounts are authenticated through Amazon Cognito, which stores passwords only in hashed form; we never store your plaintext password.
- Calendar and task data: Events, tasks, subtasks, scheduling preferences, time estimates, priorities, categories, due dates, and other content you create within the Service.
- AI chat interactions: Text-based prompts and messages you send to the AI scheduling assistant.
- Bug reports: Titles, descriptions, severity ratings, reproduction steps, expected behavior, and actual behavior you submit through the in-app bug reporting system.
- Payment information: Billing details (name, email, payment card information) provided during purchase. Payment card data is collected and processed directly by Stripe, Inc. and is never stored on our servers.
- Communications: Information you provide when contacting us for support, feedback, or other inquiries.
1.2 Information Collected Automatically
- Session data: JSON Web Tokens (JWTs) for session management, which contain your user ID, email, role, and billing status. Sessions expire after 24 hours.
- Analytics events: Usage interactions, event types, session identifiers, timestamps, and interaction properties used to improve the Service.
- Local storage data: The Service stores calendar events, tasks, AI chat messages, UI preferences (theme, calendar view, date selection, holiday region), and other operational data in your browser's local storage for offline access and performance. This data does not leave your device except when it is synchronized with our servers.
- Audit logs: Administrative actions performed within the Service, including action type, target, old/new values, result status, and timestamps.
- Server logs: Standard server-side logging of requests, errors, and system events for debugging and security monitoring.
1.3 Information from Third Parties
- Stripe: Payment confirmation details, subscription status, customer ID, invoice information, and billing event data received via Stripe webhooks.
- Amazon Cognito: User pool attributes (sub/user ID, email, given name, family name, custom role, group memberships) received during authentication.
2. How We Use Your Information
We use your information for the following purposes:
2.1 Service Delivery
- To create and manage your account, including authentication, authorization, and role-based access control.
- To provide, operate, and maintain the scheduling, task management, and calendar features.
- To process your requests through the AI assistant, including routing to local inference engines (Ollama/Phi-3), AWS Bedrock (Amazon Nova, Claude), or OpenAI based on request complexity.
- To generate smart scheduling recommendations, conflict detection, and time optimization suggestions.
- To synchronize your data between your browser's local storage and our cloud database.
- To manage token usage and enforce plan-based usage limits.
2.2 Billing and Transactions
- To process payments, manage subscriptions, handle preorders, and administer refunds through Stripe.
- To track billing status, subscription renewals, and Founder Edition access.
- To send transactional communications related to your purchases and subscription status.
2.3 Communication
- To send you important service updates, security alerts, and account notifications.
- To send pre-launch updates, product announcements, and beta access notifications (if you signed up for the waitlist).
- To respond to your support requests, bug reports, and inquiries.
2.4 Improvement and Analytics
- To analyze usage patterns and improve the Service's features, performance, and user experience.
- To improve our AI models and scheduling algorithms using de-identified, aggregated interaction data.
- To detect, prevent, and address technical issues, abuse, and security threats.
- To conduct internal research and development.
2.5 Legal and Compliance
- To comply with legal obligations, enforce our Terms and Conditions, and protect our rights.
- To maintain audit logs for administrative accountability and regulatory compliance.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, we process your personal data based on the following legal grounds:
- Contractual necessity (Article 6(1)(b)): Processing necessary to perform our contract with you, including account management, service delivery, AI processing, and billing.
- Legitimate interests (Article 6(1)(f)): Processing for our legitimate interests in improving the Service, ensuring security, preventing fraud, and conducting analytics, provided these interests are not overridden by your fundamental rights.
- Consent (Article 6(1)(a)): Processing based on your explicit consent, such as receiving marketing communications or participating in beta programs. You may withdraw consent at any time.
- Legal obligation (Article 6(1)(c)): Processing necessary to comply with applicable laws, regulations, or legal processes.
4. AI Data Processing
Schedulify uses artificial intelligence extensively. This section describes how your data is processed in connection with our AI features:
- AI routing: The Service uses a router pattern that classifies your request and routes it to the appropriate AI backend. Simple requests are handled by local pattern matching (chrono-node for date/time parsing). Complex or ambiguous requests are sent to cloud AI providers.
- AWS Bedrock: Prompts may be sent to Amazon Bedrock for processing by foundation models (e.g., Amazon Nova, Claude). AWS Bedrock processes data in accordance with AWS Service Terms. AWS does not use your prompts to train their base models.
- OpenAI: Certain requests may be processed by OpenAI's API. OpenAI processes data in accordance with their Terms of Use and Privacy Policy. API usage data is not used by OpenAI to train their models.
- Local AI (Ollama/Phi-3): Some AI processing occurs locally on our servers using self-hosted models. This data does not leave our infrastructure.
- Data minimization: We strive to send only the minimum necessary context (your current prompt, relevant calendar context) to AI providers. We do not send your full account history or personal details unless directly relevant to your query.
- No automated decision-making with legal effects: Our AI features provide scheduling suggestions only. No automated processing produces legal effects or similarly significant effects on you. You always retain full control over your schedule.
5. Data Storage and Security
5.1 Where Your Data is Stored
- Cloud database: Account profiles, events, tasks, subtasks, bug reports, billing records, analytics events, audit logs, and feature flags are stored in Amazon DynamoDB with encryption at rest enabled.
- Authentication: Account credentials (email, hashed password, user attributes) are managed by Amazon Cognito User Pools.
- Browser local storage: Calendar events, tasks, AI chat messages, dismissed recommendations, UI preferences, and theme settings are cached in your browser's local storage (browsers typically cap this at about 5 MB per site).
- Stripe: Payment card details and billing information are stored and processed by Stripe in accordance with PCI DSS Level 1 compliance standards.
5.2 Data Transfer
Your data may be transferred to and processed in countries other than your country of residence, including Canada and the United States (where AWS regions and third-party services operate). We ensure appropriate safeguards are in place for international data transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- The AWS Data Processing Addendum, which includes Standard Contractual Clauses.
- Compliance with the EU-US Data Privacy Framework where applicable.
5.3 Security Measures
We implement industry-standard security measures to protect your data:
- Encryption in transit using TLS/HTTPS for all communications.
- Encryption at rest for data stored in DynamoDB and Cognito.
- HMAC-SHA256 secret hash verification (the Cognito SECRET_HASH) on authentication requests, which proves to Cognito that the request comes from our registered app client.
- JWT-based session management with 24-hour expiration and periodic re-hydration.
- AWS IAM role-based access controls with least-privilege principles.
- Stripe webhook signature verification (HMAC-SHA256 over the timestamped raw request body) so that forged payment events are rejected before they are processed.
- Idempotency keys on critical billing operations, so that a retried request does not create a duplicate charge or subscription change.
- Rate limiting and input validation on API endpoints.
Despite these measures, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security and are not responsible for breaches caused by factors beyond our reasonable control.
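The two HMAC-SHA256 checks listed above, worked through as an added example. This is not Schedulify's code; it reproduces the publicly documented schemes that Amazon Cognito (SECRET_HASH = Base64(HMAC-SHA256(client secret, username + client ID))) and Stripe (HMAC-SHA256 over "timestamp.raw body", carried in the Stripe-Signature header) specify, plus a small dedupe of delivered webhook events by event ID, which is one way to make a webhook handler idempotent across Stripe's retries (it is distinct from the Idempotency-Key sent on outbound Stripe API calls). The client ID, client secret, signing secret, and the webhook payload are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder credentials for illustration only (assumption, not real values).
COGNITO_CLIENT_ID = "1h57kf5cpq17m0eml12EXAMPLE"
COGNITO_CLIENT_SECRET = "example-app-client-secret-do-not-use"
STRIPE_WEBHOOK_SECRET = "whsec_example_signing_secret"


def cognito_secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Cognito SECRET_HASH: Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).

    Sent with InitiateAuth / SignUp / ConfirmSignUp so Cognito can confirm the caller
    holds the app client secret. The user's password is never an input to this value.
    """
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def stripe_sign(payload: bytes, secret: str, timestamp: int) -> str:
    """Build a Stripe-Signature header value the way Stripe does (here only to produce test input)."""
    signed_payload = f"{timestamp}.".encode("utf-8") + payload
    sig = hmac.new(secret.encode("utf-8"), signed_payload, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={sig}"


def verify_stripe_signature(payload: bytes, header: str, secret: str,
                            now: Optional[int] = None, tolerance: int = 300) -> bool:
    """Verify a Stripe webhook delivery.

    Recomputes HMAC-SHA256 over "<t>.<raw body>" (the body must be the exact bytes
    received, not re-serialized JSON), compares it in constant time against every v1
    signature in the header, and rejects timestamps outside the tolerance window so a
    captured delivery cannot be replayed later.
    """
    now = int(time.time()) if now is None else now
    fields = {}
    v1_sigs = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "v1":
            v1_sigs.append(value)
        else:
            fields[key] = value
    try:
        ts = int(fields["t"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > tolerance:
        return False  # stale or badly skewed: treat as a replay
    expected = hmac.new(secret.encode("utf-8"),
                        f"{ts}.".encode("utf-8") + payload, hashlib.sha256).hexdigest()
    return any(hmac.compare_digest(expected.encode("ascii"), s.encode("utf-8"))
               for s in v1_sigs)


def handle_stripe_webhook(payload: bytes, header: str, secret: str,
                          processed: set, now: Optional[int] = None) -> str:
    """Verify first, then process each Stripe event ID at most once.

    `processed` stands in for a persistent store of handled event IDs (assumption);
    Stripe retries deliveries, so the same event can arrive more than once.
    """
    if not verify_stripe_signature(payload, header, secret, now=now):
        return "rejected"
    event_id = json.loads(payload).get("id")
    if not event_id:
        return "rejected"
    if event_id in processed:
        return "duplicate"
    processed.add(event_id)
    return "processed"


if __name__ == "__main__":
    print(cognito_secret_hash("alice@example.com", COGNITO_CLIENT_ID, COGNITO_CLIENT_SECRET))
    body = b'{"id":"evt_test_001","type":"invoice.paid"}'  # constructed sample event
    ts = int(time.time())
    hdr = stripe_sign(body, STRIPE_WEBHOOK_SECRET, ts)
    seen = set()
    print(handle_stripe_webhook(body, hdr, STRIPE_WEBHOOK_SECRET, seen, now=ts))  # processed
    print(handle_stripe_webhook(body, hdr, STRIPE_WEBHOOK_SECRET, seen, now=ts))  # duplicate
```

Two details matter in practice: the Stripe check must run over the raw request bytes before any JSON parsing or framework body rewriting, and the comparison must be constant-time (hmac.compare_digest), since a plain string comparison leaks timing information about the expected signature.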
6. Data Sharing and Third-Party Services
We do not sell, rent, or trade your personal data to third parties. We share your information only in the following limited circumstances:
6.1 Service Providers (Data Processors)
We use the following trusted third-party service providers to deliver the Service:
- Amazon Web Services (AWS): Cloud infrastructure, database hosting (DynamoDB), authentication (Cognito), AI processing (Bedrock), email notifications (SES — planned), SMS notifications (SNS — planned), and Lambda functions for marketing signup processing.
- Stripe, Inc.: Payment processing, subscription management, invoice generation, and billing webhooks. Stripe is PCI DSS Level 1 compliant.
- OpenAI: AI language model processing for complex scheduling requests. Subject to OpenAI's API data usage policies.
- Vercel (or equivalent hosting): Application hosting and edge deployment for the Next.js frontend.
These providers have access to your information only to perform specific tasks on our behalf and are contractually obligated not to disclose or use it for any other purpose. Each provider maintains its own privacy policy and data processing agreements.
6.2 Legal Requirements
We may disclose your information if required to do so by law or in response to:
- Valid legal process (subpoenas, court orders, government requests).
- Enforcement of our Terms and Conditions.
- Protection of our rights, property, or safety, or that of our users or the public.
- Detection, prevention, or investigation of fraud, security issues, or illegal activities.
6.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.
6.4 Shared Calendar Events
If you share calendar events with other users, the event details (title, start/end times, description) will be shared with the specified recipients via email or SMS notifications. You are responsible for ensuring you have appropriate consent before sharing events that contain third-party information.
7. Cookies and Local Storage Technologies
7.1 Cookies
We use strictly necessary cookies to maintain your authentication session and ensure the security of the Service. These cookies are essential for the Service to function and cannot be disabled. We do not use advertising, tracking, or third-party marketing cookies.
- Session cookies: Used by Next-Auth to maintain your authenticated session. These contain a signed JWT and expire after 24 hours.
- CSRF tokens: Used to prevent cross-site request forgery attacks.
7.2 Local Storage
The Service uses browser local storage extensively for performance and offline access. The following data keys are stored locally:
- Calendar events, tasks, and AI chat messages (for offline access and sync).
- UI preferences: theme selection, calendar view mode, selected date, sidebar view, and holiday region.
- Dismissed recommendation IDs (to avoid showing previously dismissed suggestions).
Local storage data remains on your device and is not transmitted to our servers except during synchronization. You can clear local storage through your browser settings at any time, though this may temporarily reset your UI preferences and cached data.
8. Data Retention
We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy:
- Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
- Calendar events, tasks, and subtasks: Retained for the duration of your account. Locally cached events older than the configured retention period are automatically evicted from browser storage.
- AI chat messages: Stored locally in your browser. Server-side AI interaction logs are retained for up to 90 days for service improvement, then purged or anonymized.
- Bug reports: Retained indefinitely for product improvement purposes, unless you request deletion.
- Billing and payment records: Retained for a minimum of 7 years as required by Canadian tax and financial regulations.
- Analytics events: Retained for up to 24 months, then aggregated and anonymized or deleted.
- Audit logs: Retained for up to 24 months for security and compliance, then archived or deleted.
- Stripe webhook events: Retained for processing integrity and dispute resolution. Completed events are retained for up to 12 months.
- Marketing/waitlist signups: Retained until you unsubscribe or request deletion.
After account deletion, backup copies of your data may persist in encrypted backups for up to 90 days before being permanently purged.
9. Your Data Rights
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:
9.1 Rights Under GDPR (EEA, UK, Switzerland)
- Right of access (Article 15): Request a copy of the personal data we hold about you.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure / "Right to be forgotten" (Article 17): Request deletion of your personal data, subject to legal retention requirements.
- Right to restriction of processing (Article 18): Request that we limit how we process your data in certain circumstances.
- Right to data portability (Article 20): Request a copy of your data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): Object to processing based on legitimate interests, including profiling.
- Right to withdraw consent (Article 7(3)): Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
- Right to lodge a complaint: File a complaint with your local Data Protection Authority (DPA).
9.2 Rights Under CCPA/CPRA (California Residents)
- Right to know: Request disclosure of what personal information we collect, use, disclose, and sell.
- Right to delete: Request deletion of personal information we have collected.
- Right to opt-out of sale: We do not sell your personal information. No opt-out is necessary.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
- Right to correct: Request correction of inaccurate personal information.
- Right to limit use of sensitive personal information: Request limitations on how we use sensitive categories of information.
9.3 Rights Under PIPEDA (Canada)
- Right of access: Request access to your personal information held by us.
- Right to challenge accuracy: Request correction of personal information that is inaccurate or incomplete.
- Right to withdraw consent: Withdraw consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions.
- Right to complaint: File a complaint with the Office of the Privacy Commissioner of Canada.
9.4 How to Exercise Your Rights
To exercise any of the above rights, please contact us using the contact information provided at the end of this policy. We will respond to verified requests within the timeframes required by applicable law (one month under the GDPR, extendable for complex requests; 45 days under the CCPA).
We may need to verify your identity before processing your request. If we cannot verify your identity, we may ask for additional information or deny the request to protect your data security.
You may also delete your account directly through the Service, which triggers an automatic cascading deletion of all associated data (events, tasks, subtasks, analytics).
10. Children's Privacy
Protecting the privacy of children is extremely important to us. Our Service is not directed to children under the age of 13 (or 16 in the EEA, unless a lower age is permitted by applicable national law).
- We do not knowingly collect personal information from children under 13 years of age.
- If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately.
- Upon verification, we will promptly delete such information from our servers and all third-party services.
- Users between 13 and 18 (or the age of majority in their jurisdiction) may use the Service only with verified parental or guardian consent.
We comply with the Children's Online Privacy Protection Act (COPPA), the GDPR provisions on children's consent (Article 8), and equivalent protections in other jurisdictions.
11. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Since there is no industry standard for how to respond to DNT signals, we do not currently respond to DNT signals. However, we do not engage in cross-site tracking, and we do not use third-party advertising or marketing tracking cookies.
12. Email and Marketing Communications
- Transactional emails: We will send you essential service-related emails (e.g., email verification, password resets, billing confirmations, security alerts). You cannot opt out of these while you maintain an account.
- Marketing emails: If you signed up for the beta waitlist or opted in to product updates, you may receive launch updates and occasional product announcements. You can unsubscribe from marketing communications at any time by using the unsubscribe link in any marketing email or by contacting us.
- Marketing signup processing: Waitlist and marketing signups may be processed through an AWS Lambda function that stores your email and name in a separate DynamoDB table for notification purposes.
We comply with Canada's Anti-Spam Legislation (CASL), the CAN-SPAM Act, and the ePrivacy Directive requirements for electronic communications.
13. Automated Decision-Making and Profiling
The Service uses automated processing to provide scheduling recommendations, conflict detection, and AI-assisted planning. However:
- No automated decision-making produces legal effects or similarly significant effects concerning you.
- All AI suggestions are presented as recommendations. You retain full control over accepting, modifying, or rejecting any suggestion.
- We do not engage in profiling for the purposes of advertising, credit scoring, employment decisions, or any other purpose with legal or similarly significant effects.
- Role-based access control and billing status are determined by your subscription tier, not by automated profiling of your behavior.
If you believe you have been subject to a decision based solely on automated processing that produces legal effects concerning you, you have the right to obtain human intervention, express your point of view, and contest the decision. Please contact us to exercise this right.
14. California Privacy Disclosures
If you are a California resident, the following additional disclosures apply under the CCPA/CPRA:
- Categories of personal information collected: Identifiers (name, email), commercial information (purchase history, billing), internet activity (usage analytics, session data), and inferences drawn from the above.
- Business purpose for collection: Providing and improving the Service, processing payments, customer support, analytics, and security.
- Categories of sources: Directly from you, automatically through use of the Service, and from third-party service providers (Stripe, Cognito).
- Sale or sharing of personal information: We do not sell or share (as defined by the CCPA/CPRA) your personal information with third parties for cross-context behavioral advertising.
- Sensitive personal information: We collect account login credentials (email and password). We do not collect Social Security numbers, driver's license numbers, financial account numbers (Stripe handles payment data directly), precise geolocation, racial/ethnic origin, health data, or biometric data.
- Retention: See Section 8 (Data Retention) for details on how long we retain each category of information.
To exercise your California privacy rights, please see Section 9.2 above or contact us using the information provided at the end of this policy.
15. International Users
The Service is operated from Canada using AWS cloud infrastructure. If you are accessing the Service from outside Canada, please be aware that your data may be transferred to, stored, and processed in Canada, the United States, or other countries where our service providers maintain facilities.
By using the Service, you consent to the transfer of your information to countries that may have different data protection laws than your country of residence. We ensure appropriate safeguards are in place for such transfers as described in Section 5.2.
If you are located in the EEA, the UK, or Switzerland and have a complaint about our data practices, you have the right to lodge a complaint with your local Data Protection Authority.
16. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the appropriate supervisory authority within 72 hours of becoming aware of the breach, as required by the GDPR (Article 33).
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34).
- Comply with breach notification requirements under PIPEDA, CCPA, and other applicable legislation.
- Document the breach, its effects, and the remedial actions taken.
17. Third-Party Links and Services
The Service may contain links to third-party websites, services, or resources. We are not responsible for the privacy practices or content of these third-party services. We encourage you to read the privacy policies of every website and service you visit. Our inclusion of a link does not imply endorsement of the linked site.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes:
- We will update the "Last updated" date at the top of this page.
- For material changes, we will provide notice via email to the address associated with your account and/or through an in-app notification at least 30 days before the changes take effect.
- Continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
19. Data Protection Inquiries
For all privacy-related questions, concerns, data access requests, or complaints, please contact us through one of the following channels:
- In-app: Use the bug reporting / support feature within the Schedulify application.
- Email: Contact our privacy team at the email address provided within the application.
We aim to respond to all privacy inquiries within 10 business days, and to fulfill verified data rights requests within 30 days (or as required by applicable law).
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction:
- Canada: Office of the Privacy Commissioner of Canada (OPC)
- European Union: Your local Data Protection Authority (DPA)
- United Kingdom: Information Commissioner's Office (ICO)
- California: California Attorney General's Office