Privacy Policy

1. Introduction

This Privacy Policy describes how Schedly processes personal data when you use our website and service. DSG refers to the Swiss Federal Act on Data Protection (revDSG, in force since 1 September 2023) and applies to persons in Switzerland. GDPR refers to the EU General Data Protection Regulation and applies to persons in the European Union who use our service.

Schedly is a scheduling tool that helps you find shared free time across multiple iCalendar feeds. We take your privacy seriously and are committed to full transparency. In short: we do not store the contents of your calendar events.

2. Controller (Responsible Party)

The controller within the meaning of data protection law is:

3. Data We Process

• Account data - when you register, we store your e-mail address and a hashed password (PBKDF2 via ASP.NET Core Identity). Legal basis: Art. 6(1)(b) GDPR / Art. 31 DSG (contract performance).
• Profile data - you may optionally save a display name, a personal calendar URL, a profile picture, a branding logo, workday availability hours (start and end), available days of the week, and a UI language preference. These are stored in our database until you delete your account. Legal basis: Art. 6(1)(a) GDPR (consent / voluntary provision).
• ICS / Calendar URLs & event data - calendar feeds are fetched server-side in real time solely to compute available time slots. This includes your personal calendar URL and, when meeting rooms are selected, each room's calendar URL. The raw event data (titles, descriptions, attendees) is never written to our database. Calendar URLs and event contents are also never written to our application logs. Only the derived free/busy result is returned to your browser.
• Contact connections - if you use the Contacts feature, we store the contact relationship (both user IDs and status) to enable shared availability lookups. Legal basis: Art. 6(1)(b) GDPR / Art. 31 DSG.
• Meeting type data - if you create a Meeting Type, we store its title, description, duration, working-hours settings, remote-meeting flag, a unique booking token, and the list of invited user IDs and selected room IDs. This data remains in our database until you delete the meeting type or your account. Legal basis: Art. 6(1)(b) GDPR / Art. 31 DSG (contract performance).
• Booking-page visitor e-mail - when a visitor books a slot via a public booking link, they enter their e-mail address. That address is used solely to send the calendar invite and is never stored in our database; it is passed transiently to our SMTP relay and then discarded. Legal basis: Art. 6(1)(b) GDPR / Art. 31 DSG (contract performance - delivering the requested invite).
• Audit log - certain user actions are recorded for operational and security purposes: specifically, each availability search (recording the search parameters - duration, time window, number of calendars, slots found - but never calendar contents) and each calendar invite sent (recording participant count, meeting duration, and start time). These records are pseudonymous (stored against a user ID only) and are automatically purged after 12 months. Audit records are intentionally retained after account deletion to preserve audit integrity; they contain no calendar event contents and no contact details. You may request earlier deletion by contacting privacy@schedly.ch. Legal basis: Art. 6(1)(f) GDPR / Art. 31 DSG (legitimate interest - security & operation). privacy@schedly.ch.
• Server logs - standard web-server access logs (IP address, timestamp, requested URL, HTTP status) are retained for up to 7 days for security and debugging, then anonymised or deleted. Legal basis: Art. 6(1)(f) GDPR / Art. 31 DSG (legitimate interest - security & operation).

4. What We Do Not Do

• We do not sell, share, or rent your personal data to third parties for commercial purposes.
• We do not use tracking cookies, analytics SDKs, or advertising networks (e.g. Google Analytics, Meta Pixel).
• We do not store the contents of your calendar events - only computed free/busy availability is used and then discarded.
• We do not profile users or make automated decisions with legal or similarly significant effects (Art. 22 GDPR).

5. Cookies

Schedly uses only strictly necessary cookies. No consent banner is required for these:

• .AspNetCore.Antiforgery.* - a CSRF protection token required for form submissions. Contains no personal data; deleted when you close your browser.
• .AspNetCore.Identity.Application - an encrypted authentication session cookie set when you sign in. Deleted on sign-out or browser close.

We do not set any marketing, analytics, or third-party cookies. You can manage cookies in your browser settings, but disabling the above cookies will prevent you from signing in.

6. Third-Party Services

• SMTP / Transactional email - we use an SMTP provider to send account-related emails (email verification, password reset) and calendar invites. Calendar invites are sent in two scenarios: (1) when you send a meeting invite from the Results page - the e-mail addresses of all selected participants and any selected meeting room are passed to the SMTP relay; (2) when a visitor books a slot via a public booking link - the host's, invitees', and visitor's e-mail addresses are passed to the SMTP relay for delivery. In both cases, addresses are used solely for delivery and are not retained by us after sending. Legal basis: Art. 6(1)(b) GDPR / Art. 31 DSG (contract performance).
• Calendar providers - when computing availability, our server fetches the ICS URL you provide. This request originates from our server and is subject to the privacy policy of the respective calendar provider (e.g. Google Calendar, Apple iCloud).

Data is processed primarily in Switzerland. The Swiss Federal Council has determined that Switzerland provides an adequate level of data protection. Where processors operate outside Switzerland/EU, we ensure appropriate safeguards (e.g. EU Standard Contractual Clauses) are in place.

7. Data Security

8. Your Rights (DSG / GDPR)

Under Swiss data protection law (revDSG) and, where applicable, the EU GDPR, you have the following rights. To exercise any of them, contact us at privacy@schedly.ch. privacy@schedly.ch.

• Right of access Art. 8 DSG / Art. 15 GDPR
  You may request confirmation of whether we process personal data about you, and if so, obtain a copy of it.
• Right to rectification Art. 5 DSG / Art. 16 GDPR
  You may request that inaccurate personal data be corrected, or incomplete data completed. You can update most profile data directly on the Profile page.
• Right to erasure Art. 17 GDPR / Art. 5 DSG
  You may request deletion of your personal data where it is no longer necessary, consent has been withdrawn, or another ground under Art. 17 GDPR applies. You can delete your account directly from the Profile page, which removes your user record, profile data, calendar URL, profile picture, branding logo, and all contact connections. Pseudonymous audit-log entries are automatically purged after 12 months; you may request earlier deletion by contacting privacy@schedly.ch. privacy@schedly.ch.
• Right to restriction of processing Art. 18 GDPR
  EU persons may request that we restrict processing under certain conditions (e.g. while accuracy is contested).
• Right to data portability Art. 20 GDPR
  EU persons may request a machine-readable export of personal data you have provided to us, where processing is based on consent or contract and carried out by automated means.
• Right to object Art. 21 GDPR
  EU persons may object to processing based on legitimate interests (Art. 6(1)(e)/(f) GDPR). We do not engage in direct marketing, so this right is primarily relevant to audit-log retention.
• Right not to be subject to automated decisions Art. 22 GDPR
  We do not make solely automated decisions that produce legal or similarly significant effects on you.

9. Right to Lodge a Complaint

If you believe that the processing of your personal data violates applicable law, you have the right to lodge a complaint with a supervisory authority.

• Switzerland - Federal Data Protection and Information Commissioner (EDOB / FDPIC) (see Art. 15, 25, 27, 29 DSG.)
• EU residents - you may also contact the supervisory authority in your EU member state of habitual residence, place of work, or the place of the alleged infringement (Art. 77 GDPR).

10. Changes to This Policy

We may update this policy from time to time. The date at the top of this page reflects the most recent revision. We will notify registered users of material changes by email. Continued use of Schedly after changes are published constitutes acceptance of the revised policy.