Privacy Policy — Schedualy

1. Who We Are

Schedualy is operated by Schedualy Inc., a company based in Quebec, Canada. Schedualy provides a subscription-based AI calendar assistant available at schedualy.com.

This Privacy Policy applies to all services offered through schedualy.com and its associated products, including the Telegram bot integration. If you have any questions, contact us at support@schedualy.com.

2. Data We Collect

2.1 Account data

When you create an account we collect your email address and a password, which is hashed and never stored in plain text. A unique user ID is generated for your account.

2.2 Preferences and settings

We store your preferences to personalise the assistant experience: timezone, language, default event duration, week start day, workday hours, and agenda digest configuration (enabled status, preferred delivery time).

2.3 Calendar integration (Google Calendar & Outlook)

When you connect Google Calendar or Outlook we receive an OAuth refresh token, which is encrypted at rest using AES-256-GCM before being stored. We also store your connected calendar ID and connection status. Calendar events are not stored locally — all reads and writes happen via live API calls (Google Calendar API or Microsoft Graph) at the time of your request.

2.4 Conversation history

Every message you send to the assistant and every reply it generates is stored, along with the channel it came from (in-app or Telegram) and a timestamp. This history is used to provide multi-turn conversation context and is visible to you on the Conversations page.

2.5 Reminders

When you set a reminder we store the associated calendar event ID, a snapshot of the event title and start time at creation, the calculated fire time, and the delivery status (pending, sent, cancelled, or failed).

2.6 Telegram account linking

If you choose to link your Telegram account we store your Telegram chat ID and display name. Single-use linking codes are stored temporarily with a 15-minute expiry and are automatically deleted after use.

2.7 Billing data

We store your Stripe customer ID, subscription ID, plan name, subscription status, and current billing period end date. Raw payment card data never reaches our servers — all card information is tokenized by Stripe before being transmitted.

2.8 Technical deduplication data

To prevent duplicate processing of Telegram messages we log Telegram update IDs. These contain no user content and are used solely for idempotency.

2.9 Cookies and session data

We use a session cookie (httpOnly, Secure, SameSite=Lax) to keep you signed in. During Google or Microsoft OAuth flows we use a short-lived state nonce cookie (httpOnly, Secure, 10-minute expiry) to prevent CSRF attacks. Both cookies are deleted when they expire or when you sign out.

2.10 Data we do not collect

Schedualy does not use analytics services, advertising trackers, or third-party pixels of any kind. We do not collect device fingerprints, IP addresses for tracking purposes, or behavioural data beyond what is necessary to deliver the service.

3. How We Use Your Data

To operate the calendar assistant — reading, creating, updating, and deleting events in your connected calendar (Google Calendar or Outlook) on your instruction
To send reminders and daily agenda digests at the times you configure
To process your subscription and manage billing through Stripe
To authenticate your account and maintain your session
To deliver messages and reminders via Telegram when you have linked your account
To send transactional emails (email confirmation, password reset) via Resend
To generate AI-assisted replies to your messages using OpenAI
To provide you with the conversation history displayed on your dashboard

We do not use your data for advertising, profiling for third parties, or any purpose beyond delivering and improving the service described above.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area, our processing is based on the following grounds under the General Data Protection Regulation:

Performance of a contract (Art. 6(1)(b)): Processing your account data, settings, calendar integration, conversations, reminders, and billing is necessary to provide the service you subscribed to.
Legitimate interests (Art. 6(1)(f)): We process deduplication logs and security data to prevent fraud, protect service integrity, and ensure accurate delivery of messages.
Consent (Art. 6(1)(a)): Linking your Telegram account and granting Google Calendar or Outlook access are explicit, freely given consent actions. You may withdraw consent at any time via Integrations.
Legal obligation (Art. 6(1)(c)): We retain billing records as required by applicable tax and accounting law.

5. Third-Party Services

We share data with the following third-party service providers only to the extent necessary to operate Schedualy:

Supabase

Provides our database and authentication infrastructure. All tables are protected by Row-Level Security. Data is stored in the region selected at project creation.

Google Calendar API & Microsoft Graph

Receives calendar read/write requests on your behalf, authorised by the OAuth scope you grant. See Section 6 for our Google Limited Use commitment.

Stripe

Handles payment processing and subscription management. Your email and a user reference are shared with Stripe at checkout. Card data is tokenized by Stripe.js in your browser and never transmitted to our servers.

OpenAI

Processes the text of your conversations to generate the assistant's replies. Message content is transmitted to OpenAI's API per their privacy policy.

Telegram Bot API

Used to deliver messages and reminders to users who have opted in by linking their Telegram account. Your Telegram chat ID is transmitted with each message sent.

Resend

Delivers transactional emails (email confirmation, password reset) using our custom domain. Only your email address and the email content are transmitted.

Vercel

Hosts and serves the Schedualy application. Vercel may log request metadata (IP, user agent) for security and operational purposes per their privacy policy.

6. Google API Limited Use Disclosure

Schedualy's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

Calendar data obtained from Google APIs is used exclusively to perform the calendar management features you request within the Schedualy service.
Calendar data is not used for serving advertisements or for any advertising-related purpose.
Calendar data is not transferred to third parties except as necessary to provide the service (e.g., displaying event details in the assistant response).
Calendar data is not used to build user profiles, sold, or used for purposes unrelated to improving your experience with Schedualy.
Humans at Schedualy do not read your calendar data unless you explicitly share it with us for support purposes or as required by law.

7. Data Retention

Data type	Retention
Account, settings, conversations, reminders	Life of account; deleted within 30 days of account deletion request
Google Calendar or Outlook refresh token	Until you disconnect the calendar or the token is revoked
Billing records	7 years as required by Quebec tax and accounting law
Telegram linking codes	15 minutes (auto-expired)
Google OAuth state nonce cookie	10 minutes (auto-expired)
Telegram deduplication log	Retained indefinitely for idempotency; contains no personal content

8. Your Rights

Depending on your location you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate or incomplete data.
Deletion: Request deletion of your account and associated personal data, subject to legal retention obligations.
Portability: Receive your personal data in a structured, machine-readable format.
Withdrawal of consent: Disconnect Google Calendar or Outlook, or unlink Telegram at any time via Integrations without affecting the lawfulness of prior processing.
Restriction and objection: Request that we restrict or stop processing your data in certain circumstances.

These rights apply to EU/EEA residents under the GDPR and to Quebec residents under Quebec's Law 25 (Act respecting the protection of personal information in the private sector). To exercise any of these rights, email support@schedualy.com. We will respond within 30 days.

9. Cookies

Schedualy uses only strictly necessary cookies. We do not use advertising cookies, analytics cookies, or any third-party tracking cookies, and therefore no cookie consent banner is required.

Cookie	Purpose	Expiry
sb-session	Authentication session (httpOnly, Secure, SameSite=Lax)	Session / logout
google_oauth_state	CSRF protection during Google OAuth flow (httpOnly, Secure)	10 minutes

10. Data Security

We implement technical and organisational measures to protect your personal data:

All data is transmitted over HTTPS/TLS.
Your Google Calendar and Outlook refresh tokens are encrypted at rest using AES-256-GCM.
Passwords are hashed using bcrypt via Supabase Auth and are never stored in plain text.
Row-Level Security is enforced on all database tables so users can only access their own data.
Payment card data is tokenized by Stripe.js in your browser — raw card numbers never reach our infrastructure.
Webhook payloads from Stripe and Telegram are verified using cryptographic signatures before processing.

No security measure is perfect. If you discover a potential vulnerability, please report it to support@schedualy.com.

11. Children's Privacy

Schedualy is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has registered an account, please contact us at support@schedualy.com and we will promptly delete the account.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or by a notice within the application at least 14 days before the new policy takes effect. The effective date at the top of this page reflects the version currently in force. Continued use of Schedualy after the effective date constitutes acceptance of the updated policy.

13. Governing Law

This Privacy Policy is governed by the laws of the Province of Quebec, Canada, including Quebec's Act respecting the protection of personal information in the private sector (Law 25) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) where applicable.

If you are located in the European Economic Area, the GDPR rights described in Section 8 apply to you in addition to the above. You also have the right to lodge a complaint with your local data protection authority.

14. Contact

For any questions, requests, or concerns regarding this Privacy Policy or the handling of your personal data, please contact:

Schedualy Inc.

Quebec, Canada

support@schedualy.com

We will respond to all privacy-related inquiries within 30 days.