Features How It Works Pricing Demo Contact
← Back to Schedule365

Privacy Policy

Last updated: March 2026

Privacy Policy Terms of Service

1. Overview

Schedule365 ("we," "us," or "our") provides a multi-tenant scheduling platform that service businesses ("Tenants") use to manage appointments with their customers. This Privacy Policy explains how we collect, use, and protect information in connection with our platform.

There are two categories of people whose data we process: Tenant Administrators — businesses using our dashboard — and End Customers — people who submit appointment requests through a scheduling widget embedded on a Tenant's website.

2. Information We Collect from Tenant Administrators

When a business signs up for or uses Schedule365, we collect:

  • Business name, contact email address, and login credentials (passwords are stored as one-way bcrypt hashes and never in plaintext)
  • First and last name of dashboard users
  • Notification phone numbers and email addresses for appointment alerts
  • Two-factor authentication phone number, if two-factor authentication is enabled on an account (used only to deliver a one-time verification code via SMS)
  • Branding preferences (colors, logo)
  • Service configuration settings, including business address, hours, and timezone
  • API keys for widget integration
  • Third-party CRM credentials (API keys or OAuth tokens) when a CRM integration is enabled — stored encrypted at rest
  • Device trust records: a one-way cryptographic fingerprint derived from your browser's User-Agent and language headers, stored for up to 30 days to avoid repeated two-factor prompts on recognized devices. The fingerprint does not identify you personally and is automatically deleted after 30 days of inactivity

3. Information We Process on Behalf of Tenants (End Customer Data)

When end customers submit appointment requests through a Tenant's scheduling widget, we store that data on the Tenant's behalf. This includes:

  • Customer name, phone number, and email address
  • Service address (street, city, state, ZIP)
  • Appointment details — service type, date, time, and any description provided
  • Communication preferences (SMS opt-in status)

For this data, Schedule365 acts as a data processor and the Tenant acts as the data controller. Tenants are responsible for ensuring they have appropriate legal authority to collect and process their customers' personal information.

4. How We Use Information

Tenant Administrator data is used to:

  • Provide and maintain access to the scheduling platform
  • Send appointment notifications to the business
  • Authenticate users and secure accounts, including two-factor authentication and trusted device recognition
  • Populate business profile information via the Google Places API when a Tenant searches for their business during setup
  • Communicate about service updates or issues

End Customer data is used solely to:

  • Store and display appointment records in the Tenant's dashboard
  • Deliver appointment notifications on behalf of the Tenant
  • Enable CSV export for the Tenant's scheduling workflows
  • Sync to a third-party CRM platform (Housecall Pro, Jobber, Service Titan, or Dispatch) if the Tenant has enabled that integration

5. Third-Party Services

We use the following third-party services that may process personal data:

Twilio

Used to send WhatsApp and SMS appointment notifications to Tenant-configured phone numbers, to deliver optional SMS confirmations to end customers who opt in, and to send two-factor authentication codes to Tenant Administrator accounts. Phone numbers and relevant appointment details are transmitted to Twilio for this purpose.

Resend (Email Delivery)

Appointment confirmation and notification emails — both to Tenant-configured business addresses and to end customers — are delivered through Resend. Recipient email addresses and appointment details are transmitted to Resend for delivery. Two-factor authentication codes for Tenant Administrators may also be delivered via Resend.

Mapbox

When enabled by the Tenant, the scheduling widget uses Mapbox for address autocomplete. As an end customer types their street address, partial address text is sent to Mapbox's geocoding API. Mapbox's own privacy policy governs their use of that data.

Google Places API

When a Tenant Administrator searches for their business by name during platform setup, the search query is sent to the Google Places API to retrieve business details (address, phone, hours, location coordinates). This applies only to the admin dashboard setup flow, not to the customer-facing scheduling widget. Google's privacy policy governs their use of that data.

Housecall Pro

If a Tenant enables the Housecall Pro integration, end customer personal information — including name, email address, phone number, and service address — is transmitted to Housecall Pro each time a new appointment is created. This transfer is initiated by the Tenant and governed by the Tenant's agreement with Housecall Pro.

Jobber

If a Tenant enables the Jobber integration, end customer personal information — including name, email address, phone number, and service address — is transmitted to Jobber each time a new appointment is created. This transfer is initiated by the Tenant and governed by the Tenant's agreement with Jobber.

Service Titan

If a Tenant enables the Service Titan integration, end customer personal information — including name, email address, phone number, and full service address — is transmitted to Service Titan each time a new appointment is created. This transfer is initiated by the Tenant and governed by the Tenant's agreement with Service Titan.

Dispatch

If a Tenant enables the Dispatch integration, end customer personal information — including name, email address, phone number, and service address — is transmitted to Dispatch each time a new appointment is created. This transfer is initiated by the Tenant and governed by the Tenant's agreement with Dispatch.

Database & Hosting

All platform data is stored in a managed PostgreSQL database hosted by a cloud infrastructure provider. Data is encrypted in transit (HTTPS/TLS) and at rest.

6. Data Retention

  • Tenant account data is retained for the duration of the business relationship and deleted within 90 days of account closure upon written request.
  • Appointment records (end customer data) are retained for up to 2 years and then permanently deleted.
  • Two-factor authentication verification codes expire after 10 minutes and are purged automatically.
  • Trusted device records (browser fingerprints) expire and are deleted after 30 days of inactivity.
  • Authentication and security event logs are retained for 90 days.

7. Data Security

  • All data is transmitted over HTTPS/TLS encrypted connections
  • Passwords are hashed using bcrypt and never stored in plaintext
  • API keys are tenant-scoped — each tenant can only access their own data
  • JWT tokens expire after 7 days and are required for all dashboard access
  • Token versioning allows immediate invalidation of all active sessions (e.g., on password change)
  • Two-factor authentication is available for all Tenant Administrator accounts
  • Trusted device fingerprints are stored as one-way SHA-256 hashes and cannot be reversed to identify a specific device or user
  • Tenant data is isolated at the database level

8. Data Sharing and Sale

We do not sell personal information. We do not share personal data with third parties except as necessary to operate the platform (as described in Section 5) or as required by law. When a Tenant enables a CRM integration, data sharing with that CRM is directed by the Tenant and governed by the Tenant's own agreement with that provider.

9. Your Rights

Tenant Administrators may request access to, correction of, or deletion of their account data by contacting us. Depending on your location, you may have additional rights under applicable law (e.g., GDPR, CCPA).

End Customers seeking to access or delete their appointment records should contact the business (Tenant) they scheduled with directly, as that business is the data controller for their personal information. If your data was synced to a third-party CRM by that Tenant, you may also need to contact the Tenant to request deletion from that system.

10. California Residents (CCPA)

California residents have the right to know what personal information we collect, to request deletion of their personal information, and to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at hello@techscheduler.io.

11. SMS / Text Messages

SMS appointment updates sent through the platform require explicit opt-in from the end customer at the time of booking. Recipients may opt out at any time by replying STOP. Message and data rates may apply. Frequency varies.

12. Children's Privacy

Our platform is not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13.

13. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated to Tenant Administrators via email or an in-dashboard notice. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

14. Contact

For privacy-related questions, requests, or concerns, please reach us at hello@techscheduler.io.