Back to home

    Privacy Policy

    Last updated: March 2, 2026

    This Privacy Policy describes how Schedulab Ltd. ("Company", "we", "us", "our") collects, uses, and shares information about you when you use our shift scheduling platform ("Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.

    1. Information We Collect

    Account Information

    When you create an Account, we collect your name, email address, and password (hashed). If you sign in via Google OAuth, we collect your name, email, and profile picture from your Google account.

    Organization Information

    When you create or join an Organization, we collect the organization name, slug, and your role within it.

    Schedule & Operational Data

    We collect data you provide through the Service, including: shift schedules, worker assignments, scheduling rules and constraints, worker preferences and availability, team structures, and schedule versions.

    Usage Data

    We automatically collect information about how you interact with the Service, including pages visited, features used, actions taken, timestamps, device type, browser type, operating system, IP address, and referring URLs.

    Cookies & Local Storage

    We use essential cookies for authentication (session tokens), locale preferences, and theme preferences. We use local storage for offline functionality (preference submission queue). We do not use third-party tracking cookies or advertising cookies.

    Communications

    We collect information from communications you send to us, including support requests, feedback, and any content provided in those communications.

    2. How We Use Your Information

    • To provide, maintain, and improve the Service, including generating schedules, processing constraints, and managing assignments.
    • To create and manage your Account, authenticate your identity, and process your requests.
    • To communicate with you about the Service, including sending transactional emails (password resets, email verifications, invitations, schedule notifications).
    • To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
    • To comply with legal obligations, enforce our Terms of Service, and protect our rights and the rights of others.
    • To power AI-assisted features (schedule generation, constraint solving, natural language interface) using third-party AI services. Your scheduling data may be sent to AI service providers solely for processing your requests.
    • To understand usage patterns and improve the Service. We use aggregated and anonymized data for analytics purposes.
    • To provide customer support and respond to your inquiries.

    3. How We Share Your Information

    We do not sell your personal information. We share information only in the following circumstances:

    Within Your Organization

    Information you provide (name, email, preferences, availability) is visible to authorized members of your Organization (owners, managers) as necessary for scheduling operations.

    Service Providers

    We share information with third-party service providers who process data on our behalf:

    • Stripe — payment processing (billing information, subscription details)
    • Resend — transactional email delivery (email addresses, notification content)
    • Google — OAuth authentication (authentication tokens)
    • Anthropic — AI-assisted features (scheduling data sent for constraint solving and natural language processing)
    • Vercel — hosting and infrastructure (request logs, performance data)
    • Database hosting provider — data storage (all Service data, encrypted at rest)

    Legal Requirements

    We may disclose your information if required to do so by law, or if we believe in good faith that such action is necessary to: comply with a legal obligation or valid legal process; protect and defend our rights or property; prevent fraud or address security issues; or protect the personal safety of users or the public.

    Business Transfers

    In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

    With Your Consent

    We may share your information with third parties when you explicitly consent to or direct such sharing.

    4. Data Retention

    We retain your personal information for as long as your Account is active or as needed to provide the Service.

    Upon Account deletion, we delete or anonymize your personal data within 30 days, except:

    • Data required to be retained by law (e.g., billing records, tax information) — retained for the legally required period.
    • Data needed for ongoing disputes or legal proceedings — retained until resolution.
    • Anonymized audit logs — retained for up to 12 months for security analysis.
    • Encrypted backups — purged within 90 days of Account deletion.

    If you are a member of an Organization, your scheduling data (assignments, preferences) may persist within that Organization's data after you leave, as it is part of the Organization's operational records.

    5. Your Rights & Choices

    Depending on your location, you may have the following rights regarding your personal information:

    • Access — Request a copy of the personal information we hold about you.
    • Correction — Request that we correct inaccurate or incomplete information.
    • Deletion — Request that we delete your personal information (subject to legal retention requirements).
    • Data Portability — Request your data in a structured, commonly used, machine-readable format.
    • Objection — Object to the processing of your personal information in certain circumstances.
    • Restriction — Request that we restrict the processing of your personal information.
    • Withdraw Consent — Where processing is based on consent, you may withdraw consent at any time.

    To exercise any of these rights, please contact us at the email address provided below. We will respond to your request within 30 days.

    We will not discriminate against you for exercising your privacy rights.

    6. Security

    We implement appropriate technical and organizational security measures to protect your information, including:

    • Encryption of data in transit (TLS/HTTPS) and at rest.
    • Password hashing using industry-standard algorithms (bcrypt).
    • Role-based access controls and principle of least privilege.
    • Secure session management with automatic expiration (24-hour maximum session duration).
    • Rate limiting on authentication endpoints to prevent brute-force attacks.
    • Security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).
    • Audit logging of all data modifications.
    • Multi-tenant data isolation — Organization data is strictly separated.

    While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

    7. International Data Transfers

    Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. When we transfer data internationally, we implement appropriate safeguards to protect your information, including standard contractual clauses where applicable.

    8. Children's Privacy

    The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information promptly. If you believe we may have collected information from a child, please contact us.

    9. GDPR Compliance (European Users)

    Legal Basis for Processing

    • Contract — Processing necessary to perform the Service you requested.
    • Consent — Where you have given explicit consent (e.g., marketing communications).
    • Legitimate Interest — Processing necessary for our legitimate interests (e.g., fraud prevention, service improvement) that do not override your rights.
    • Legal Obligation — Processing necessary to comply with legal requirements.

    For GDPR-related inquiries, please contact us at the email address provided below.

    If you are in the European Economic Area, you have the right to lodge a complaint with your local supervisory authority.

    10. CCPA Compliance (California Users)

    We do not sell personal information as defined by the California Consumer Privacy Act (CCPA).

    California residents have the right to: know what personal information we collect and how it is used; request deletion of personal information; opt out of the sale of personal information (not applicable as we do not sell data); and not be discriminated against for exercising privacy rights.

    Under California's "Shine the Light" law, California residents may request information about the disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information for direct marketing.

    11. Changes to This Policy

    We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice (such as an email notification). Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

    12. Contact Us

    If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:

    Email: legal@schedulab.com

    We will respond to all privacy-related inquiries within 30 days.

    Schedulab - Shift Scheduling Platform