Last updated May 26, 2026

Privacy, by design.
Not by accident.

We built Schedsy with privacy as a foundation, not a feature. This page explains what data we collect, how we protect it, and the rights you have over it — in plain language.

SOC 2 Type II
GDPR Compliant
HIPAA Ready
CCPA Aligned

Section 01

Introduction & Roles

Welcome to Schedsy. We provide an AI-powered appointment booking widget for service businesses. This Privacy Policy outlines how we collect, use, and protect information across our platform.

Schedsy

Data Processor

We process data on behalf of the businesses using our widget.

You / Business

Data Controller

Businesses integrating Schedsy decide what data is collected and why.

Section 02

What we collect

We collect only what's necessary to deliver our service. Here's a complete inventory.

Required

Account & Authentication

Name, email address, and secure authentication tokens used to access your dashboard.

Encrypted

Business Knowledge Data

Information you provide to train your AI receptionist via our RAG infrastructure — pricing, FAQs, services.

OAuth Only

Calendar Access

OAuth-authorized calendar access to read availability and write events. We never read personal events.

Processor

End-User Booking Data

Names, contact details, and appointment preferences submitted by visitors through your widget.

Section 03

AI & sub-processors

We work with carefully vetted partners to deliver the platform. Each maintains strict security and compliance standards.

Supabase · Database & Authentication

SOC 2 Type II — Row Level Security enforced

Lemon Squeezy · Payment Processing

PCI-DSS Level 1 — Merchant of Record

OpenAI · AI Inference

Zero-retention API — no model training

Zero-Retention AI Policy

Enforced

Data transmitted through our AI is used strictly for immediate inference. Your business data and end-user conversations are never used to train or fine-tune public foundation models.

Section 04

Security & retention

Every byte of your data is encrypted, monitored, and isolated. Here's our defense in depth.

In Transit

TLS 1.3 encryption on every connection. Zero exceptions.

At Rest

AES-256 encryption with isolated tenant databases.

Retention

Data kept only as long as needed. Deleted on request.

Section 05

Your legal rights

Depending on your jurisdiction (GDPR, CCPA, and similar frameworks), you have meaningful rights over your data. We honor all of them.

Right to Access

Request a copy of all personal data we hold about you.

Right to Rectification

Correct any inaccurate or incomplete data instantly.

Right to Erasure

Request permanent deletion of your data — the "Right to be Forgotten".

Right to Revoke

Disconnect OAuth calendar access at any time from your dashboard.

Section 06 · Contact

Questions about your data?

For privacy inquiries, data deletion requests, or to exercise any of your rights — reach out anytime. We respond within 48 hours.

support@schedsy.app