Privacy Policy

ScheduleCTRL Global Privacy Policy

Effective date: 13 October 2025

ScheduleCTRL Ltd is committed to protecting the privacy of our customers, their end users, and visitors to our websites and mobile apps. This policy explains how we handle personal data in compliance with the UK GDPR, EU GDPR, Data Protection Act 2018, and applicable US privacy laws.

1. Introduction

ScheduleCTRL Ltd ("ScheduleCTRL", "we", "us", or "our") operates the ScheduleCTRL platform, including schedulectrl.com, app.schedulectrl.com, tenant subdomains (for example tenant-name.schedulectrl.com), other domains that we control under schedulectrl.com, and our iOS and Android mobile applications. This Privacy Policy describes how we collect, use, disclose, and safeguard personal data when you interact with any of the Services and explains your rights under applicable privacy laws in the United Kingdom, the European Economic Area (EEA), the United States, and any other jurisdictions where we provide the Services.

2. Who We Are

ScheduleCTRL Ltd is the data controller responsible for personal data processed through the Services, except where we act as a data processor on behalf of a customer (a Controller Customer). Our registered details are:

  • Company name: ScheduleCTRL Ltd
  • Registered address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
  • Company number: 16694366 (registered in England and Wales)
  • Data protection contact: admin@schedulectrl.com

3. Scope of This Privacy Policy

This policy covers personal data processed when you:

  • Visit schedulectrl.com or any subdomain we operate
  • Create an account or sign in to app.schedulectrl.com
  • Access a tenant subdomain of the ScheduleCTRL platform
  • Use our iOS or Android mobile applications
  • Interact with our communications, marketing content, or customer support
  • Integrate ScheduleCTRL with third-party tools and services

4. Personal Data We Collect

We collect personal data from multiple sources. The specific data depends on how you interact with the Services and the features you use:

  • Account Data: name, job title, business name, email address, phone number, password (hashed), timezone, preferred language, and user role permissions.
  • Tenant Configuration: tenant names, subdomain addresses, industry category, company branding, custom forms, and settings.
  • Booking & Scheduling Data: customer contact details, service addresses, appointment history, job notes, checklists, photos, signatures, and messages submitted through the Services.
  • Team Member Data: staff names, working hours, availability preferences, GPS location snapshots (for features like route tracking and time logs), and performance metrics, where enabled by the tenant.
  • Financial Data: billing contact details, subscription plan, payment method tokens, invoicing information, and transaction history collected via our payment processors (e.g. Stripe).
  • Support & Communications: records of support tickets, chat transcripts, email correspondence, recorded calls (where permitted), and feedback forms.
  • Marketing & Website Interactions: IP address, device identifiers, browser type, referral URLs, pages visited, actions taken, marketing preferences, and email engagement data.
  • Integration Data: API keys, configuration settings, and the data transferred to or from third-party integrations at your direction (e.g. QuickBooks, Zapier, Twilio).
  • Mobile App Data: device identifiers, push notification tokens, crash diagnostics, app usage analytics, and optional access to device features such as camera, photo gallery, and location services.

5. How We Use Personal Data

We use personal data for the following purposes and legal bases:

  • Service Delivery: to create and manage accounts, authenticate users, provide scheduling, CRM, invoicing, communications, and analytics features (performance of a contract).
  • Platform Operations: to operate, maintain, and improve the Services, including troubleshooting, performance monitoring, and security (legitimate interests / performance of a contract).
  • Customer Support: to respond to enquiries, resolve technical issues, and provide training (performance of a contract / legitimate interests).
  • Billing & Subscription Management: to process payments, manage free trials, handle chargebacks, and send invoices via our payment processors (performance of a contract / legal obligations).
  • Communications & Marketing: to send product updates, newsletters, surveys, event invitations, and promotional offers, in accordance with your communication preferences (consent / legitimate interests / compliance with PECR and CAN-SPAM).
  • Security & Fraud Prevention: to detect and prevent fraudulent, abusive, or unauthorised use of the Services (legitimate interests / legal obligations).
  • Legal Compliance: to comply with applicable laws, regulatory requirements, court orders, and requests from government authorities (legal obligations).
  • Analytics & Product Development: to analyse usage trends, measure feature adoption, and develop new products and services (legitimate interests).
  • Testimonials & Case Studies: to publish customer success stories and testimonials with your consent.

6. Lawful Bases (UK & EEA)

Where the UK GDPR or EU GDPR applies, we rely on the following lawful bases for processing personal data:

  • Consent (Article 6(1)(a)) for optional marketing communications, analytics cookies, and data-sharing activities that require explicit agreement.
  • Contract (Article 6(1)(b)) to deliver the Services you request and to perform our obligations to customers and end users.
  • Legal obligations (Article 6(1)(c)) to comply with tax, anti-money laundering, and regulatory requirements.
  • Legitimate interests (Article 6(1)(f)) to operate and improve our business, maintain security, and prevent misuse of the platform.

7. Cookies & Tracking Technologies

We use cookies, pixels, local storage, and similar tracking technologies to measure usage, remember preferences, and deliver targeted marketing. On the marketing website we obtain consent where required by law. You can manage your cookie preferences through our cookie banner, your browser settings, or opt-out tools provided by analytics providers (e.g. Google Analytics) and advertising networks (e.g. Meta Ads, LinkedIn Ads).

8. How We Share Personal Data

We may share personal data with:

  • Service providers and subprocessors: hosting providers (e.g. Vercel, Railway, Supabase), payment processors (e.g. Stripe), messaging platforms (e.g. Twilio, SendGrid), analytics tools (e.g. Mixpanel), customer support platforms (e.g. Intercom), and other vendors who support the delivery of the Services. These third parties agree to data protection obligations consistent with this policy.
  • Controller Customers: When you use the Services under a tenant account, the tenant (e.g. your employer or service provider) controls your personal data. We process data on their behalf and share relevant information with them as necessary to deliver the Services.
  • Professional advisors: auditors, accountants, lawyers, bankers, insurers, and consultants who assist us in operating our business.
  • Business transfers: in connection with a merger, acquisition, financing, or sale of assets, we may transfer personal data, subject to appropriate safeguards.
  • Legal and regulatory authorities: where required by law, regulation, or legal process, or to protect the rights, property, or safety of ScheduleCTRL, our users, or others.
  • With your consent: we may share data with third parties where you have explicitly instructed or authorised us to do so (e.g. third-party integrations, testimonials).

9. International Data Transfers

We operate globally and may transfer personal data to countries outside the UK or EEA, including the United States. When we transfer personal data internationally, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), EU Standard Contractual Clauses (SCCs), or other approved transfer mechanisms. Where applicable, we also conduct transfer risk assessments and implement additional safeguards (e.g. encryption, access controls).

10. Data Security

We use technical and organisational measures to protect personal data, including encryption in transit and at rest, role-based access controls, multi-factor authentication, network monitoring, regular vulnerability scanning, secure coding practices, and employee training. Despite these efforts, no security controls are infallible, and you acknowledge that transmissions over the internet carry inherent risks.

11. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes outlined in this policy, comply with legal obligations, resolve disputes, and enforce agreements. Specific retention periods depend on the type of data and our contractual commitments to Controller Customers. Customers can request deletion or export of their data through in-app tools or by contacting us. We may anonymise data for analytics and product development after it is no longer needed in identifiable form.

12. Your Rights

Depending on your location and applicable laws, you may have rights to:

  • Access: receive confirmation of whether we process your personal data and obtain a copy.
  • Rectification: correct inaccurate or incomplete personal data.
  • Deletion: request deletion of personal data (subject to legal exceptions).
  • Restriction: limit processing of personal data under certain circumstances.
  • Portability: receive personal data in a structured, commonly used format.
  • Objection: object to processing based on legitimate interests or direct marketing.
  • Withdraw consent: withdraw consent at any time for processing based on consent.
  • Non-discrimination: in the United States, you will not receive discriminatory treatment for exercising privacy rights.

13. How to Exercise Your Rights

To exercise your rights or make privacy-related enquiries, contact us at admin@schedulectrl.com. We may request verification of your identity before fulfilling your request. If we process your data on behalf of a Controller Customer, we will direct your request to that controller. You may also have the right to complain to your local data protection authority (e.g. the UK Information Commissioner’s Office or an EU Data Protection Authority).

14. Additional Information for United States Residents

Residents of certain US states (including California, Colorado, Connecticut, Utah, Virginia) may have additional rights such as rights to know, delete, correct, and opt-out of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. ScheduleCTRL does not sell personal data as defined under applicable state laws. To exercise state-specific rights, email admin@schedulectrl.com with your request and state of residence.

15. Children’s Privacy

The Services are not directed to individuals under the age of 16, and we do not knowingly collect personal data from children under 16. If we learn that we have collected such data without appropriate consent, we will delete it promptly.

17. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices, legal requirements, or technology. We will post the updated policy on schedulectrl.com and indicate the effective date. Material changes will be communicated via email or a prominent notice within the Services. Continued use of the Services after the effective date constitutes acceptance of the updated policy.

18. Contact Us

If you have questions, concerns, or feedback about this Privacy Policy or our privacy practices, please contact us:

  • Email: admin@schedulectrl.com
  • Postal address: ScheduleCTRL Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

Last updated: 13 October 2025

← Back to Home