Schedulr Privacy Policy
Version: 5.0 (privacy_schedulr_2026_06_v5)
Effective Date: June 28, 2026
Last Updated: June 28, 2026
1. Who We Are
This Privacy Policy describes how Holicow LLC ("Holicow," "we," "us," or "our"), a Washington limited liability company, handles personal data in connection with Schedulr, an online appointment scheduling service at schedulr.biz and related web applications (collectively, the "Service").
Contact: [email protected] | Privacy Policy
Postal address:
Holicow LLC Attn: Privacy 1164 Palmer Loop Chewelah, Washington 99109 United States
2. The Two Roles in Schedulr (Please Read First)
Schedulr lets a business (organization) manage appointments, staff, locations, and customer bookings. Because of this structure, there are two different data-protection relationships, and which one applies determines who is responsible for what:
Your own account. For the personal data of the person who holds a Schedulr login (name, email, password) and uses the admin dashboard, Holicow is the data controller. This Policy governs that processing.
Booking data in your organization. For the personal data an organization collects about its customers, staff, and appointments ("booking data"), the organization owner is the data controller and Holicow is a data processor that stores and processes that data on the organization's instructions. The organization decides what to collect, why, and on what lawful basis; Holicow provides the platform.
In plain terms: Holicow is responsible for the Service and your account. The organization owner is responsible for the customers and staff they choose to schedule and for having a lawful basis to process their data. Organization owners who are subject to the GDPR should also read our Data Processing Addendum, which forms the Article 28 contract between the organization (controller) and Holicow (processor).
3. Who This Policy Applies To
- Organization owners and staff — must be 18 years of age or older to create or administer an organization.
- Customers — people who book appointments through an organization's public scheduling pages. Their booking data is collected and controlled by the organization; Holicow processes it on the organization's behalf.
- Data subjects — people whose personal data appears in bookings or staff records who may never log into Schedulr. Their data is controlled by the organization.
The Service is offered internationally. Depending on where you live, the GDPR (EU/UK), the California Consumer Privacy Act ("CCPA"), and other regional privacy laws may apply.
4. Information We Collect
4.1 Information You Provide (Account)
- Account information: name, email address, phone number, password (stored as a one-way hash).
- Organization profile: business name, timezone, contact email, locations, services, staff, and availability you configure.
- Support communications: if you contact us, we keep a record of the correspondence.
4.2 Booking Data (Controlled by the Organization)
When an organization uses Schedulr, it collects and stores data about customers and appointments. Depending on the organization's configuration and what customers enter at booking, this can include names, email addresses, phone numbers, appointment notes, and any custom fields the organization enables. Holicow stores and processes this data as a processor on the organization's instructions; the organization determines what is collected and why.
4.3 Information Collected Automatically
- Device and browser information: browser type, operating system, locale, time zone.
- Identifiers: session identifiers and authentication tokens.
- Usage information: IP address, request timestamps, application logs, error reports, and security audit records (including legal document acceptance metadata).
4.4 Information from Payment Processing (Platform Billing)
We do not collect or store full payment-card numbers, CVCs, or bank-account details for platform subscriptions. Subscription fees are processed by Paddle.com Market Limited ("Paddle"), which acts as merchant of record. From Paddle we receive subscription identifiers, plan and price information, billing period start/end dates, renewal/cancellation status, and limited billing metadata. We do not receive your full card number.
Future tenant payment features. If and when Schedulr offers optional features for organizations to accept payments from their own customers through a third-party payment provider, those payments will be processed under separate terms. That processing is distinct from platform billing through Paddle.
5. How We Use Information
For account and platform data (where Holicow is the controller), we use information to:
- operate, maintain, secure, and provide the Service;
- authenticate you and manage your sessions;
- send transactional communications (account verification, billing notices, Terms-update notices, security alerts);
- process platform subscriptions through Paddle;
- prevent and investigate fraud, abuse, or violations of our Terms of Service;
- comply with legal obligations and respond to lawful requests;
- improve and develop features, using aggregated or anonymized analytics where reasonably possible.
For booking data (where Holicow is the processor), we process information only to provide the Service to the organization and on the organization's documented instructions, and as described in the Data Processing Addendum.
Phone numbers you provide may be used for account security and transactional SMS or messaging when those features are enabled and you opt in.
6. Lawful Bases (GDPR)
Where the GDPR applies, we rely on the following bases for account and platform data:
- Contract (Art. 6(1)(b)) — to create and operate your account and provide the Service you sign up for, and to process platform subscriptions.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent fraud and abuse, and maintain operational logs.
- Legal obligation (Art. 6(1)(c)) — to retain certain records and respond to lawful requests.
- Consent (Art. 6(1)(a)) — for optional features such as marketing communications (if offered) or SMS where consent is required.
For booking data, the organization owner (as controller) is responsible for establishing the lawful basis for collecting and processing each data subject's information. Holicow processes that data on the organization's behalf.
7. How We Share Information
7.1 Within an Organization
Booking data is visible to the organization's authorized owners and staff according to roles and product permissions. Customers who book appointments submit information to the organization through Schedulr's scheduling pages.
7.2 With Sub-Processors
We share data only with service providers ("sub-processors") necessary to operate the Service, under written agreements that restrict their use of the data to providing services to us. As of the Last Updated date, these include:
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Paddle.com Market Limited | Platform subscription billing (merchant of record) | United States / global |
| Laravel Holdings, Inc. | Application hosting and database (Laravel Cloud) | United States |
| Amazon Web Services, Inc. (Amazon SES) | Transactional email delivery | United States |
| Twilio Inc. (if SMS enabled) | SMS verification and transactional messages | United States / global |
The current sub-processor list is maintained in the Data Processing Addendum. We will update it as our providers change.
7.3 For Legal and Safety Reasons
We may disclose information if required by law, subpoena, or court order; to protect the rights, property, or safety of Holicow, our users, data subjects, or others; or to investigate fraud, security, or technical issues. We maintain a zero-tolerance policy for child sexual abuse material and will report it to NCMEC and law enforcement.
7.4 In a Business Transaction
If Holicow is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to this Policy and applicable law.
7.5 We Do Not Sell Your Information
We do not sell personal information for monetary consideration and do not engage in cross-context behavioral advertising.
8. International Data Transfers
The Service is hosted in the United States (Laravel Cloud). If you are located in the EEA, the UK, or elsewhere outside the United States, your personal data will be transferred to and processed in the United States. Where required, such transfers are made under appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum, which are incorporated into our agreements with sub-processors and into the Data Processing Addendum between organization owners and Holicow.
9. Data Retention
We keep personal data only as long as necessary for the purposes described above, then delete or anonymize it. The periods below are our standard retention rules:
| Category | Retention period |
|---|---|
| Active account data | For as long as your account is open. |
| Deleted accounts | Identifying fields deleted or anonymized within 30 days of account deletion, except records under legal hold and the audit/billing records below. |
| Booking data — on organization erasure request | Processed per organization instructions; deleted or anonymized when the organization deletes records or closes the account, subject to export and churn windows below. |
| Booking data — on non-payment / lapsed subscription | Retained for up to 90 days after platform access ends to allow export; then permanently deleted through automated purge. |
| Consent & Terms-acceptance audit records | Retained for the life of the account plus 6 years as the legal record of consent. Incidental metadata in these records (IP address, user-agent) may be scrubbed after 24 months while proof of acceptance is preserved. |
| Support communications | 24 months after the matter is resolved. |
| Server, application & security logs | 90 days, then deleted or anonymized. |
| Backups | Encrypted, on a rolling 35-day cycle; deletions of live data propagate as backups expire. |
| Billing & transaction records | Retained for 7 years to meet tax and accounting obligations (limited billing metadata only — Paddle is the merchant of record). |
Where a longer period is required by law, or data is needed to establish, exercise, or defend legal claims, we retain it for that period and then delete it.
10. Your Privacy Rights
Subject to applicable law, you may have the right to access, correct, delete, restrict, or object to processing of your personal data, to data portability, and to withdraw consent. To exercise these rights:
- For your account data (Holicow as controller): contact [email protected] with the subject "Privacy Request." We will verify your identity using the email associated with your account and respond within the timeframes required by law (generally 30 days under the GDPR and 45 days under the CCPA).
- For booking data (organization as controller): direct your request to the organization that collected your data. As the processor, Holicow will assist the organization in responding.
Organization owners may export organization data in CSV format from the billing area while their account permits.
You will not be discriminated against for exercising any privacy right.
11. California Residents (CCPA/CPRA Notice)
This section applies to California residents under the California Consumer Privacy Act, as amended by the CPRA. We provide these rights to all California residents whether or not Holicow currently meets the CCPA's business thresholds — that is, we honor them voluntarily as a baseline.
Categories of personal information. In the past 12 months we have collected the categories in Section 4: identifiers (name, email, phone, account/session identifiers, IP address); customer records (contact details, appointment information where you or an organization provide them); commercial information (subscription/transaction metadata from Paddle); and internet/network activity (usage and log data). We collect these from you, your device, the organization you book with or work for, and Paddle for platform billing. We use them for the business purposes in Section 5 and disclose them only to the service providers in Section 7.
Sensitive personal information. As a controller, Holicow does not intentionally collect sensitive personal information beyond account log-in credentials, used solely to provide and secure the Service. However, booking data is configured and uploaded by organizations and may include sensitive information — for example health, disability, or other details in appointment notes — if the organization or customer chooses to provide it; for that data the organization is the controller and is responsible for it. We do not use or disclose sensitive personal information for purposes that would trigger the right to limit, and we do not "sell" or "share" it.
No sale or sharing. We do not sell personal information and do not share it for cross-context behavioral advertising, and we have not done so in the past 12 months. We do not knowingly sell or share the personal information of consumers under 16.
Retention. We retain each category of personal information only as long as necessary for the purposes it was collected, per the schedule in Section 9.
Your rights. You may request to know/access, delete, and correct your personal information, to opt out of any sale or sharing (none occurs), and to limit the use of sensitive personal information (not applicable as described above). We will not discriminate against you for exercising these rights.
How to exercise, and authorized agents. Submit a request to [email protected]. We will verify your identity using the email associated with your account before acting. You may use an authorized agent to submit a request on your behalf; we may require the agent to provide written, signed permission and may verify your identity directly. We respond within 45 days, extendable by a further 45 days with notice as permitted by law.
12. Children's and Minors' Privacy
Schedulr is not directed to children. Organization owners must be 18 or older. Organizations must not collect personal data about children under 13, and our Acceptable Use Policy prohibits it. We do not knowingly process the personal data of a child under 13. If you believe a child's data has been added to an organization, contact [email protected] (and, for booking data, the organization) and we will act to delete it.
Minors aged 13–17. Organizations may process personal data about individuals aged 13–17 only where the organization has a lawful basis and any required parent, guardian, school, or organizational authorization, and only for a legitimate scheduling purpose (such as a school, youth sports program, club, congregation, family, or community organization). As the controller of booking data, the organization is responsible for those authorizations and for limiting access, purpose, and the use of any sensitive data about a minor, as set out in Section 5 of the Terms of Service and the Data Processing Addendum. We do not use minor data for advertising, profiling, or any purpose unrelated to operating the scheduling service, and a minor (or their parent, guardian, or representative) may request access, correction, or deletion at any time via the organization or by contacting [email protected].
13. Security
We use commercially reasonable safeguards, including HTTPS/TLS for data in transit, one-way password hashing, access controls, and audit logging on our backend. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
14. Changes to This Policy
We may update this Policy from time to time. Material changes will be communicated through the Service, by email, or both, before they take effect. The "Last Updated" date reflects the most recent revision. Continued use after the effective date may require re-acceptance in the product.
15. Contact Us
For privacy questions or to exercise your rights:
Holicow LLC Attn: Privacy 1164 Palmer Loop Chewelah, Washington 99109 United States