Privacy policy
Effective: April 30, 2026
1. Who we are
ScheduleHQ ("we", "us") is a free shift-scheduling web application. We are the data controller for the personal information you provide while using the service. You can reach us at [email protected].
2. What we collect
Account information
- Name and email address (required at signup)
- A bcrypt-hashed copy of your password — we never see or store the plaintext
- Phone number and payment-profile string (optional, only if you add them)
Workspace content you create or are added to
- Workspace names, logos, schedules, shifts, day notes
- Announcements, reports, resource pages, swap requests
- Personal calendar reminders (tied only to your account)
- Hourly pay rate, if a manager sets it for you
Technical data
- Standard server logs from our hosting provider — IP, user agent, request paths
- Session token (a random string in an HTTP-only cookie)
- Your theme and accent preferences
We do not run third-party analytics, advertising trackers, fingerprinting, or cross-site tracking pixels.
3. How we use it
- To provide the scheduling service: showing your schedule, sending invites and verification emails, computing earnings, etc.
- To keep your account secure (rate limits, audit logs, abuse detection)
- To communicate with you about your account when something material changes
We do not sell your personal information. We do not share it for advertising.
4. Third-party processors
To operate the service, your data passes through these vendors:
- Vercel (United States) — application hosting and serverless functions. Vercel privacy
- Neon (United States) — managed PostgreSQL database where your workspace data lives. Neon privacy
- Resend or Gmail SMTP — transactional email delivery (verification, invites, announcements). Used only when configured by the workspace owner.
These vendors only process data necessary to deliver their part of the service and are bound by their own privacy commitments.
5. International users
Our infrastructure is hosted in the United States. By using ScheduleHQ you consent to your information being transferred to and processed in the U.S. We rely on standard contractual clauses with our vendors where relevant.
6. Your rights
Depending on where you live (EU/UK GDPR, California CCPA, etc.) you have the right to:
- Access a copy of your personal information
- Correct inaccurate information (most fields are editable in Settings)
- Delete your account — Settings → Danger zone → Delete account
- Port your data to another service — email us and we'll export it
- Opt out of any non-essential communication (we don't send marketing email today)
- Lodge a complaint with your local data protection authority
Email [email protected] with your request. We'll respond within 30 days.
7. Data retention
- Your account, workspace memberships, and authored content stay until you delete them or your account.
- Deleted accounts are removed from the live database immediately. Backup copies expire on our database provider's schedule (typically within 30 days).
- Server logs are kept for up to 90 days for security and abuse investigation.
- If you're removed from a workspace, your historical records (e.g. shifts you worked) may remain visible to that workspace's managers — they're part of that business's operating history.
8. Security
- HTTPS-only connections in production (HSTS preload via Vercel)
- Passwords hashed with bcrypt (cost factor 10)
- Session tokens stored in HTTP-only, SameSite=Lax cookies and rotated on every login
- Database connections require TLS
No system is perfectly secure. If you discover a vulnerability, please email [email protected] before disclosing publicly.
9. Children
ScheduleHQ is not intended for users under 16 (or under 13 in the U.S.). We do not knowingly collect data from children. If you believe a child has signed up, contact us and we'll delete the account.
10. Changes to this policy
We'll update the effective date above when we make changes. Material changes will be announced in-app or by email.
11. Contact
Questions, requests, or complaints: [email protected].