Privacy Policy

Last updated: 15 May 2026

1. Who We Are

Skemaka ApS (“Skemaka”, “we”, “us”) operates the Skemaka staff-scheduling platform. We are registered in Denmark and act as the data controller for the personal data described in this policy. For data you enter about your employees, you are the controller and we act as your processor — see Section 6.

Questions about this policy or your data can be directed to privacy@skemaka.com.

2. Data We Collect

We collect the following categories of personal data:

  • Account data — your name, email address, and profile picture, obtained from Google when you sign in via Google OAuth.
  • Organisation data — your business name and the settings you configure (store hours, currency, shift templates).
  • Employee data — names, email addresses, phone numbers, job roles, hourly wages, contracted hours, and schedules that you enter for the people you manage.
  • Usage data — pages visited, actions taken, and timestamps, collected to improve the Service and diagnose issues.
  • Billing data — payment method details and billing address, collected and stored by Stripe on our behalf. We never store full card numbers.

3. How We Use Your Data

We use the data we collect to:

  • Provide, maintain, and improve the Service.
  • Authenticate you and keep your account secure.
  • Process subscription payments and send receipts.
  • Send transactional emails (schedule invites, availability requests, account notices).
  • Respond to support requests.
  • Comply with legal obligations.

We do not sell your personal data or use it to serve third-party advertising.

4. Legal Bases for Processing (GDPR)

Where the GDPR applies, we rely on the following legal bases:

  • Contract — processing necessary to provide the Service you signed up for (account management, scheduling, billing).
  • Legitimate interests — usage analytics and security monitoring, where our interests do not override your rights.
  • Legal obligation — retaining billing records as required by tax law.
  • Consent — where we have asked for and received your consent, such as for optional marketing communications.

5. Third-Party Services

We share data with the following sub-processors to operate the Service:

  • Google — authentication via Google OAuth. Google’s Privacy Policy applies to data processed by Google.
  • Neon — PostgreSQL database hosting. Data is stored in the EU (eu-central-1, Frankfurt). Neon is GDPR-compliant and processes data under a DPA.
  • Stripe — payment processing. Stripe is PCI DSS Level 1 certified and GDPR-compliant. See Stripe’s Privacy Policy.
  • Vercel — application hosting and edge delivery. Data in transit passes through Vercel’s infrastructure.

A complete, current list of our sub-processors — including Twilio (SMS), Resend (email), and Upstash (rate limiting) — is maintained at skemaka.com/subprocessors. We require all sub-processors to maintain appropriate security measures and process data only as instructed.

6. Employee Data — Controller vs. Processor

When you add employee records to Skemaka, you are the data controller for that personal data and you are responsible for having a lawful basis to process it (e.g. employment contract, legitimate interest). Skemaka acts as a data processor, handling that data solely to provide the scheduling features you have requested.

A Data Processing Agreement (DPA) governing this relationship is available on request at privacy@skemaka.com.

7. Data Retention

We retain your account and organisation data for as long as your account is active and for up to 90 days after deletion, to allow recovery if you change your mind. Billing records are retained for 5 years to comply with Danish bookkeeping law.

When you delete your account, we permanently delete all associated personal data (schedules, employees, settings) within 90 days, except where retention is required by law.

8. Data Security

All data is encrypted in transit (TLS 1.2+) and at rest. Access to production systems is restricted to authorised personnel. We use JWT-based authentication with short-lived tokens and conduct periodic security reviews.

In the event of a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours where required by law.

9. Cookies

We use a single session cookie to keep you signed in. We do not use tracking, analytics, or advertising cookies. No cookie banner is shown because we only set cookies that are strictly necessary to operate the Service.

10. Your Rights

Under the GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data (“right to be forgotten”).
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction — ask us to pause processing while a dispute is resolved.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email privacy@skemaka.com. We will respond within 30 days. You also have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at datatilsynet.dk.

11. International Transfers

Your data is stored in the EU (Frankfurt). Some sub-processors may transfer data outside the EEA; where they do, we ensure appropriate safeguards are in place (e.g. EU Standard Contractual Clauses or an adequacy decision).

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or in-app notice at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

13. Contact

Skemaka ApS
Copenhagen, Denmark
privacy@skemaka.com