Privacy Policy
Effective Date: March 8, 2026 | Last Updated: March 8, 2026
1. Introduction
Skedron LLC ("Skedron," "we," "us," or "our") operates the Skedron scheduling platform, including the website at app.skedron.com, the Skedron mobile application, and related services (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our Service.
Skedron is a business-to-business ("B2B") software platform that helps massage therapy, spa, and wellness businesses manage their scheduling, client communications, and operations. We serve two categories of individuals:
- Business Users — staff, administrators, and owners of businesses that subscribe to Skedron.
- End Clients — individuals who book appointments with businesses that use Skedron.
By using the Service, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, please do not use the Service.
This Privacy Policy should be read together with our Terms of Service and Data Processing Agreement.
2. Our Role: Controller and Processor
Skedron acts in two capacities with respect to personal information:
- Data Controller — for Business User account information (email, authentication credentials, organization membership) and platform operational data (analytics, error logs, usage metrics). We determine the purposes and means of processing this data.
- Data Processor / Service Provider — for End Client data (names, phone numbers, email addresses, booking details, SMS conversations) that businesses enter into or collect through the Service. The subscribing business is the data controller for this information and determines how and why it is collected. We process it on their behalf solely to provide the Service. For purposes of the California Consumer Privacy Act ("CCPA"), Skedron acts as a "service provider" with respect to End Client data.
If you are an End Client with questions about how a specific business uses your data, please contact that business directly. If you wish to exercise data rights regarding information held by a business using Skedron, we will assist the business in fulfilling your request.
3. Information We Collect
3.1 Business User Information (Controller)
- Account information: email address, first and last name (from Google OAuth, if used), organization membership, and role.
- Authentication data: magic link login codes (temporary, auto-expire after 5 minutes), JWT session tokens, Google OAuth tokens (not stored).
- Device information: Apple Push Notification service (APNs) device tokens for mobile push notifications.
- Usage data: pages visited, features used, click patterns, error reports, performance metrics, and session information collected via analytics and error tracking tools. This may include session replays that capture your interactions with the Service interface (see Section 6).
- Biometric authentication preferences: whether Face ID or Touch ID is enabled in the mobile app. We do not store biometric data — authentication is handled entirely by the device operating system.
3.2 End Client Information (Processor)
The following data is entered by businesses using Skedron and processed on their behalf:
- Contact information: client name, phone number, and email address (optional).
- Booking information: services booked, appointment date and time, duration, price, confirmation code, booking status (confirmed, cancelled, completed, no-show), and booking source.
- Communication records: two-way SMS message content between the business and client, message timestamps, and delivery status.
- Automated notifications: booking confirmations, reminders, and cancellation notices sent via SMS, including delivery status.
3.3 Information We Do Not Collect
- We do not collect payment card numbers, bank account information, or other financial data from End Clients. Skedron does not process payments between businesses and their clients.
- We do not require or request health or medical information. While our Service is used by massage and wellness businesses, the Service is not designed to store protected health information (PHI) as defined by HIPAA. If a business voluntarily enters health-related information into free-text fields (such as appointment notes or SMS messages), that business is solely responsible for compliance with applicable health privacy laws. Skedron disclaims any responsibility for such data and does not provide HIPAA-compliant storage.
- We do not collect biometric data. Face ID and Touch ID authentication is handled entirely by the device operating system; Skedron only stores a boolean preference indicating whether the feature is enabled.
- We do not knowingly collect information from anyone under the age of 18. See Section 12.
4. Legal Basis for Processing
We process personal information on the following legal bases:
- Contract performance: processing Business User account data is necessary to provide the Service under our Terms of Service.
- Legitimate interests: we process usage data and error reports to maintain, secure, and improve the Service. We balance our interests against your rights and freedoms and do not use this data for profiling or automated decision-making.
- Consent: where required by law, we obtain your consent before processing.
- Legal obligation: we may process data to comply with applicable laws, regulations, or legal process.
- Processor instructions: End Client data is processed on behalf of the subscribing business under the terms of our Data Processing Agreement.
5. How We Use Information
5.1 Business User Information
- To provide and maintain the Service, including authentication and access control.
- To send push notifications about booking activity and messages.
- To monitor and improve Service performance, reliability, and security.
- To diagnose and fix technical issues via error tracking.
- To understand usage patterns and improve the user experience via analytics.
- To communicate with you about Service updates, security alerts, and support.
5.2 End Client Information
- To provide scheduling and booking functionality on behalf of the subscribing business.
- To send appointment confirmations, reminders, and cancellation notices via SMS on behalf of the business.
- To facilitate two-way SMS communication between the business and client.
- To generate usage reports for the subscribing business.
5.3 Automated Decision-Making
Skedron uses automated scheduling algorithms to suggest optimal appointment times based on staff availability, room availability, and scheduling rules configured by the business. These algorithms do not make decisions based on personal characteristics of End Clients. No decisions with legal or similarly significant effects are made solely by automated means.
6. Third-Party Service Providers
We share personal information with the following categories of service providers, solely to operate the Service:
- Cloud hosting: Google Cloud Platform (GCP) — hosts our application infrastructure and database in the United States.
- SMS communications: Telnyx — delivers SMS messages between businesses and their clients. Telnyx receives client phone numbers and message content.
- Transactional email: Postmark — sends login codes and system emails to Business Users. Postmark receives Business User email addresses.
- Error tracking: Sentry — collects error reports, performance data, and session replays to help us diagnose and fix issues. Session replays capture user interface interactions (clicks, navigation, form interactions) but are configured to mask personally identifiable information. Sentry does not receive End Client data (PII transmission is disabled in our configuration).
- Payment processing: Our third-party payment processor (currently Stripe) processes subscription payments from businesses to Skedron. The payment processor receives business billing information but does not receive End Client information.
- Authentication: Google OAuth — used optionally by Business Users to sign in. Google receives confirmation that a user authenticated but does not receive Skedron usage data.
- Push notifications: Apple Push Notification service (APNs) — delivers push notifications to Business Users on iOS devices. Apple receives device tokens.
We do not sell, rent, or trade personal information to third parties for their marketing purposes. We do not share personal information with data brokers. We do not share personal information for cross-context behavioral advertising.
7. Legal Disclosures
We may disclose personal information if we believe in good faith that disclosure is necessary to:
- Comply with a legal obligation, subpoena, court order, or other legal process.
- Protect and defend the rights, property, or safety of Skedron, our users, or the public.
- Prevent fraud or other illegal activity.
- Enforce our Terms of Service or other agreements.
- Report suspected illegal activity — including suspected human trafficking, exploitation, or fraud — to appropriate law enforcement agencies, even absent a subpoena or other legal process.
Where legally permitted, we will notify the affected Business User before disclosing their data or Customer Data in response to legal process. For End Client data, we will notify the subscribing business (the data controller) so they can respond or challenge the request. We may withhold notification where disclosure is prohibited by law or court order, or where notification could compromise a law enforcement investigation.
We may also preserve data beyond our normal retention periods when required by a litigation hold, preservation order, or law enforcement request. See Section 9 (Data Retention) for details.
8. Cookies and Tracking Technologies
Skedron uses the following technologies:
- Authentication tokens: We store a JSON Web Token (JWT) in your browser's local storage to maintain your login session. This is essential for the Service to function and cannot be disabled.
- Session replay: Sentry may record your interactions with the Service interface (clicks, navigation, scrolling) to help us reproduce and fix bugs. Session replays are configured to mask form inputs and sensitive data. Replays are retained for a limited period and accessible only to Skedron engineering staff.
We do not use advertising cookies or cross-site tracking technologies. Business Users who do not wish to be included in session replays may contact us at privacy@skedron.com to opt out.
9. Data Retention
- Business User accounts: retained for the duration of the business subscription. Upon subscription termination, Business User account data is retained for up to 90 days (to allow for data export and account recovery), after which it is permanently deleted.
- End Client data: retained indefinitely until deleted by the subscribing business through the Service, or until the business's subscription terminates. Upon subscription termination, all associated data is deleted within 90 days.
- Authentication codes: magic link login codes expire and are invalidated after 5 minutes.
- SMS records: message content and delivery records are retained for the duration of the business subscription for communication history and compliance purposes.
- Error logs and session replays: retained according to the retention policies of our service providers (Sentry: 90 days).
- Legal hold override: notwithstanding the retention periods above, we may retain any data for longer periods when required by applicable law, legal process, litigation hold, law enforcement preservation request, or regulatory investigation. We will resume normal deletion once the legal obligation expires.
10. Data Security
We implement industry-standard security measures to protect personal information:
- All data is encrypted in transit using TLS 1.2 or higher.
- Data at rest is encrypted using Google Cloud Platform's default encryption.
- Database access is restricted to application services with no public internet exposure.
- Authentication uses short-lived JWTs with automatic expiration and 30-day maximum session limits.
- The mobile application supports biometric authentication (Face ID / Touch ID) as an additional security layer.
- API endpoints use idempotency keys to prevent duplicate operations.
- SMS communications are sent via A2P 10DLC registered numbers in compliance with carrier requirements.
While we strive to protect your personal information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
11. Your Rights and Choices
11.1 All Users
You have the right to:
- Access — request a copy of the personal information we hold about you.
- Correction — request that we correct inaccurate personal information.
- Deletion — request that we delete your personal information, subject to legal retention requirements.
- Portability — request your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
To exercise any of these rights, contact us at privacy@skedron.com. We will verify your identity and respond within 30 days. If we need additional time, we will notify you of the extension and the reasons for it.
11.2 California Residents (CCPA/CPRA)
While Skedron currently falls below the thresholds that trigger obligations under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA"), we voluntarily extend the following rights to California residents as a matter of current policy. These voluntary commitments are not contractual obligations and may be modified or withdrawn at any time by updating this Privacy Policy:
- Right to know — you may request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
- Right to delete — you may request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, detecting security incidents, complying with legal obligations).
- Right to opt out of sale or sharing — we do not sell or share personal information as defined by the CCPA. Because no sale or sharing occurs, a "Do Not Sell or Share My Personal Information" link is not required on our website.
- Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.
- Right to correct — you may request correction of inaccurate personal information.
- Right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by the CCPA.
To submit a verifiable consumer request, email privacy@skedron.com with the subject line "California Privacy Request." We will verify your identity before processing the request. You may designate an authorized agent to make a request on your behalf. We will respond within 45 days and may extend this period by an additional 45 days with notice. If we deny your request in whole or in part, you may appeal by contacting us at the same email address within 30 days of receiving our response.
11.3 End Clients
If you are an End Client whose information is held by a business using Skedron, please contact that business directly to exercise your data rights. The business is the data controller for your information. If the business directs us to delete or modify your data, we will do so promptly. Skedron cannot independently verify End Client identities and therefore cannot respond to End Client requests without direction from the subscribing business.
12. Children's Privacy
The Service is intended for users who are at least 18 years old. We do not knowingly collect personal information from anyone under the age of 18. If we learn that we have collected personal information from a person under 18, we will delete that information promptly. If you believe a minor has provided us with personal information, please contact us at privacy@skedron.com.
13. International Data Transfers
Skedron operates exclusively in the United States. All data is stored and processed within the United States using Google Cloud Platform infrastructure. We do not intentionally transfer personal information to other countries. If you access the Service from outside the United States, you acknowledge that your information will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, notify Business Users via email or in-app notification at least 30 days before the changes take effect. Your continued use of the Service after the effective date of the revised Privacy Policy constitutes acceptance of the changes.
15. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, please contact us:
- Email: privacy@skedron.com
- Entity: Skedron LLC
- Country: United States