Privacy Policy
Last updated
1. Introduction
This Privacy Policy explains how Schedars (“we”, “us”, “our”) collects, uses, and protects personal data when you visit schedars.com or engage us as a service provider.
We act as a data controller for personal data we collect through this website (visitors, contact form submissions, prospective clients), and as a data processor when we process personal data on behalf of our clients during paid engagements (governed by a separate Data Processing Agreement — see /legal/dpa).
This policy is written to comply with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA / CPRA). If you reside in another jurisdiction with stronger protections (Brazil’s LGPD, Canada’s PIPEDA, the UK GDPR), we apply those protections by default.
Have a question we don’t answer here? Email privacy@schedars.com and we’ll respond within 30 days as required by law (typically much faster).
2. Who we are
Schedars is a software development studio. Our website is operated from the European Union and we serve clients globally, including in the United States.
To deter automated scraping, our mailing address and registration details are provided on request to privacy@schedars.com.
3. Personal data we collect
Visitors to schedars.com
When you browse the site without contacting us, we collect:
- Aggregated, privacy-respecting analytics via Vercel Web Analytics (no cookies, no fingerprinting, no personal identifiers — only counts of page views by URL, country, device class, referrer)
- Server logs held by Vercel for up to 30 days (IP address, request URL, user agent) for security and abuse prevention
- Theme preference (light/dark) stored in your browser’s localStorage — never transmitted to our servers
When you contact us
When you fill out the contact form, send us an email, or message us on Telegram, we collect:
- The information you choose to share (name, email, company, project description)
- The date and channel of contact
We use this only to reply to your inquiry and to evaluate a potential engagement. We do not enrich it with third-party data, sell it, or use it for marketing campaigns you didn’t opt into.
When you become a client
If we sign an engagement, we collect contractual data necessary to deliver and bill the project: company name, billing address, VAT/tax ID, signatory contact, payment details handled by Stripe (we do not store full credit card numbers — Stripe does, in their PCI-DSS compliant environment).
4. Why we collect it (legal basis)
Under GDPR, every collection has a legal basis:
| Activity | Legal basis |
|---|---|
| Replying to your inquiry | Pre-contractual measures (Art. 6(1)(b)) |
| Delivering and billing a project | Performance of contract (Art. 6(1)(b)) |
| Aggregated, anonymous analytics | Legitimate interest (Art. 6(1)(f)) — improving the site |
| Server logs for security | Legitimate interest (Art. 6(1)(f)) — preventing abuse |
| Sending newsletters (if you subscribe) | Consent (Art. 6(1)(a)) — withdrawable at any time |
5. How long we keep it
| Data | Retention |
|---|---|
| Contact form submissions | 24 months from last contact, then deleted |
| Closed engagements | 7 years from project end (legal/tax obligation) |
| Active engagements | Duration of contract + 7 years (legal/tax) |
| Server logs | Up to 30 days |
| Analytics aggregates | Indefinite (no personal data) |
| Newsletter subscriptions | Until you unsubscribe |
6. Third-party processors we use
We share personal data only with vetted processors necessary to deliver our services:
- Vercel Inc. (United States) — hosting, edge CDN, web analytics — bound by Vercel’s DPA + EU SCCs
- Cloudflare Inc. (United States) — DNS, edge security, CMS subdomain — DPA + SCCs
- Hetzner Online GmbH (Germany) — VPS hosting our CMS infrastructure — EU-only data residency
- Stripe Inc. (United States, EU subsidiary in Ireland) — payments — Stripe’s DPA + SCCs
- Email transactional provider (Resend or Postmark, United States) — DPA + SCCs
- AI providers (Anthropic, OpenAI — United States) — only if explicitly disclosed in an engagement and the client signs an AI-data addendum
All US-based processors are covered by the EU-US Data Privacy Framework (or equivalent SCCs where DPF doesn’t apply).
We never sell personal data — to anyone, ever, regardless of jurisdiction.
7. Your rights
Under GDPR (EU/EEA/UK residents)
You have the right to:
- Access (Art. 15) — get a copy of your data
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — request deletion (the “right to be forgotten”)
- Restriction (Art. 18) — limit how we use your data
- Portability (Art. 20) — receive your data in a portable format
- Object (Art. 21) — to processing based on legitimate interest or direct marketing
- Withdraw consent at any time, where consent is the legal basis
- Lodge a complaint with your supervisory authority
Under CCPA / CPRA (California residents)
You have the right to:
- Know what personal information we collect, use, and disclose
- Delete personal information we hold about you
- Correct inaccurate personal information
- Opt out of sale or sharing (we don’t sell or share — but you can confirm this)
- Limit use of sensitive personal information (we don’t collect sensitive PI)
- Non-discrimination — exercising your rights doesn’t change the service we provide
To exercise any right, email privacy@schedars.com with the subject line “Privacy Request — [your right]”. We will reply within 30 days (GDPR) or 45 days (CCPA).
For visitors who haven’t given us identifying data, we don’t require verification — but for clients with active engagements, we may need to verify identity to prevent fraud.
8. Cookies
This site uses minimal cookies. We do not run advertising trackers, social media pixels, or session replay tools without explicit consent.
See our Cookies Policy for details.
9. Children’s privacy
This site is not directed at children under 16 (or 13 in the United States). We do not knowingly collect personal data from children. If you believe we have, email privacy@schedars.com and we will delete it.
10. International transfers
Personal data we collect may be transferred to and processed in the United States or other countries outside your jurisdiction. We ensure adequate protection through:
- The EU-US Data Privacy Framework for processors certified under it
- Standard Contractual Clauses (SCCs) for processors outside DPF
- Supplementary technical measures (encryption in transit and at rest) where SCCs require them
11. Security
We implement reasonable technical and organizational measures: encryption in transit (TLS 1.2+), encryption at rest where supported, access controls (least privilege), regular dependency scanning, and an OWASP Top 10 review on every project we ship.
No system is fully secure. If a breach affecting your personal data occurs, we will notify you and the relevant supervisory authority within 72 hours of discovery, as required by GDPR.
12. Changes to this policy
We may update this policy as our practices evolve or as the law changes. The “Last updated” date at the top reflects the latest version. We will email you about material changes if we have your email and the change affects you.
Old versions are kept on request to privacy@schedars.com.
13. Contact
For any privacy question, request, or complaint:
- Email: privacy@schedars.com
- Data Protection Officer: We are not legally required to appoint a DPO under GDPR Art. 37 given our size, but the email above reaches the responsible person.
This document is provided for informational purposes and represents Schedars’ current data practices. It is not legal advice for any other party. If you operate in a regulated industry (healthcare, finance, etc.), we recommend a separate engagement-specific data agreement.
Have a question?
For privacy / data protection: privacy@schedars.com.
For legal / contract: legal@schedars.com.
For everything else: contact us.