Privacy Policy

1. Introduction

Xaiotech Pty Ltd ABN 63 821 547 002 trading as Schediq (“Schediq,” “we,” “us,” or “our”) operates the Schediq appointment scheduling and booking management platform (the “Service”).

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use the Service, visit our websites, or interact with us. It applies to all users of the Service, including business owners (“Workspace Owners”), their staff members, and the clients who book appointments through the platform (“Booking Clients”).

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use the Service.

2. Information We Collect

2.1 Information you provide directly

• Account information: When you create a Schediq account, we collect your name, email address, password (hashed), business name, timezone, and industry type.
• Business profile: Business name, address, phone number, logo, service descriptions, pricing, and availability schedules.
• Booking information: When Booking Clients make appointments, we collect their name, email address, phone number, and any additional information collected through intake forms configured by the Workspace Owner.
• Payment information: Credit card details and billing addresses are collected and processed directly by Stripe, Inc. We do not store complete payment card numbers on our servers. We receive only a tokenised reference and last four digits for display purposes.
• Communications: When you contact our support team, submit feedback, or communicate through the Service, we collect the content of those communications.

2.2 Information collected automatically

• Usage data: Pages visited, features used, actions taken, booking patterns, and performance metrics.
• Device information: Browser type and version, operating system, device type, screen resolution, and language preferences.
• Log data: IP addresses, access times, referring URLs, and error logs for security and debugging purposes.
• Cookies and similar technologies: We use essential cookies for authentication, session management, and security. See Section 7 for details.

2.3 Information from third parties

• Social sign-in: If you sign in using Google or Microsoft, we receive your name, email address, and profile picture from the identity provider.
• Calendar integrations: If you connect Google Calendar or other calendar services, we access calendar event data to check availability and prevent double-bookings.
• Payment provider: Stripe provides us with transaction status, payment confirmation, and dispute information.

3. How We Use Your Information

We use personal information for the following purposes:

1. Providing the Service: Processing bookings, managing schedules, sending confirmations and reminders, processing payments, and enabling communication between Workspace Owners and Booking Clients.
2. Account management: Creating and managing your account, authenticating your identity, and providing customer support.
3. Service improvement: Analysing usage patterns to improve features, fix bugs, optimise performance, and develop new functionality.
4. Communication: Sending transactional emails (booking confirmations, reminders, receipts), service announcements, and security alerts. We do not send marketing emails without your explicit consent.
5. Security and fraud prevention: Detecting, preventing, and responding to security incidents, fraud, abuse, and violations of our Terms of Service.
6. Legal compliance: Complying with applicable laws, regulations, legal processes, and government requests.
7. Analytics and reporting: Providing Workspace Owners with aggregated analytics about their booking activity and business performance.

4. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share information only in the following circumstances:

4.1 Between Workspace Owners and Booking Clients

When a Booking Client makes an appointment, their contact information and booking details are shared with the relevant Workspace Owner and their authorised staff. This is necessary to provide the scheduling service.

4.2 Service providers

We use trusted third-party service providers to operate the Service:

• Supabase (Supabase, Inc.): Database hosting and authentication services. Data is stored in Australian data centres where available.
• Stripe (Stripe, Inc.): Payment processing. Subject to Stripe’s Privacy Policy.
• Vercel (Vercel, Inc.): Application hosting and content delivery.
• Resend (Resend, Inc.): Transactional email delivery.

Each provider processes data only as instructed by us and is contractually bound to protect your information.

4.3 Legal requirements

We may disclose information if required by law, subpoena, court order, or government regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

4.4 Business transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and your options regarding your information.

5. Data Security

We implement industry-standard security measures to protect your information:

• All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
• Passwords are hashed using bcrypt and never stored in plain text.
• Database access is protected by row-level security policies, ensuring users can only access their own data.
• API endpoints require authenticated sessions with JWT tokens.
• We conduct regular security reviews and monitoring.
• Access to production systems is restricted to authorised personnel with multi-factor authentication.

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. If you become aware of a security vulnerability, please report it to security@schediq.io.

6. Data Retention

We retain your personal information as follows:

• Account data: Retained while your account is active and for 30 days after account closure to allow for reactivation.
• Booking records: Retained for the duration of the Workspace Owner’s account, plus 7 years for financial and legal compliance purposes.
• Payment records: Retained as required by applicable tax and financial regulations (typically 7 years).
• Usage logs: Retained for up to 90 days for debugging and security purposes, then anonymised or deleted.
• Support communications: Retained for 2 years to provide context for ongoing support relationships.

You may request earlier deletion of your data subject to our legal retention obligations. See Section 8 for details on your rights.

7. Cookies and Tracking Technologies

7.1 Essential cookies

We use essential cookies that are strictly necessary for the Service to function. These include authentication session cookies, CSRF protection tokens, and user preference cookies. These cannot be disabled.

7.2 Analytics

We may use privacy-respecting analytics to understand how the Service is used. We do not use third-party advertising cookies, cross-site tracking, or fingerprinting technologies.

7.3 Booking page tracking

Public booking pages use a first-party visitor identifier cookie to provide attribution analytics to Workspace Owners (such as how clients found their booking page). This cookie does not track users across other websites.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

8.1 All users

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information, subject to our legal retention obligations.
• Data portability: Export your data through the Service’s export features or by contacting support.
• Withdraw consent: Where processing is based on consent, you may withdraw consent at any time.

8.2 Australian Privacy Act

If you are an Australian resident, you have rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You may lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.

8.3 GDPR (European Economic Area)

If you are in the EEA, you have additional rights under the General Data Protection Regulation, including the right to restriction of processing, the right to object to processing, and the right to lodge a complaint with a supervisory authority. Our legal basis for processing is contractual necessity (to provide the Service), legitimate interest (to improve and secure the Service), and consent (where applicable).

8.4 Exercising your rights

To exercise any of these rights, contact us at privacy@schediq.io. We will respond within 30 days. We may ask you to verify your identity before processing your request.

9. International Data Transfers

Schediq is operated from Australia. Your information may be processed in countries other than your own, including Australia and the United States (where our service providers are located). We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where required.

10. Data Processing for Workspace Owners

When Workspace Owners use Schediq to manage their client bookings, they act as the data controller for their client data, and Schediq acts as a data processor. Workspace Owners are responsible for:

• Ensuring they have a lawful basis to collect and process their clients’ personal information through the Service.
• Providing appropriate privacy notices to their clients.
• Responding to data subject requests from their clients regarding data held in their Schediq workspace.
• Configuring appropriate data collection through intake forms and booking settings.

11. Children’s Privacy

The Service is not directed at children under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@schediq.io and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. The “Last updated” date at the top of this policy indicates when it was last revised.

Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Privacy inquiries: privacy@schediq.io
• General support: support@schediq.io
• Security issues: security@schediq.io
• Xaiotech Pty Ltd, Perth, Western Australia, Australia