This policy explains what data 365 Scheduler collects, how it is used, and your rights. We are committed to protecting your privacy and handling your data responsibly.
Plain English summary: We collect only what we need to run the service. We never sell your data. Your calendar data stays in your Microsoft 365 account — we only read it to display it on your room screen. You can request deletion of your account at any time.
365 Scheduler ("we", "us", "our") is a room display and booking management service operated by 365 Scheduler Ltd. Our service is accessible at 365scheduler.com and 365scheduler.co.uk.
For data protection enquiries, contact us at: support@365scheduler.com
| Data | Why we collect it | Retention |
|---|---|---|
| Email address | Account login and communication | Until account deleted |
| Phone number | SMS verification at registration only | Not stored after verification |
| Organisation name | To group your screens and team | Until account deleted |
When you connect a Microsoft 365 room mailbox, we access calendar events to display them on your room screen. This includes:
We do not store calendar events. They are fetched in real time from Microsoft Graph API and displayed directly. Nothing is written to our database.
To operate your room displays we store:
When you start a paid subscription, we pass your account email address and organisation name to Stripe, our payment processor, to create a Stripe customer record. Stripe handles your payment card information directly — we never see, store, or transmit your card details, CVV, or full card number. Card data is entered into Stripe-hosted Checkout / Customer Portal pages, which return only a non-sensitive Stripe customer ID to our system. We store that ID against your organisation so we can look up your subscription status and invoices.
What we hold on our side: Stripe customer ID, subscription status (active / trialing / past_due / cancelled), plan (monthly / annual), and period start/end dates received via webhook.
We use Cloudflare Web Analytics on the public marketing site for aggregated, anonymous visitor counts and country-level statistics. It is cookieless, sets no identifiers in your browser, and collects no personal data. No data is shared with advertising networks. We do not use Google Analytics, tracking pixels, or advertising cookies.
Our service connects to Microsoft 365 via the Microsoft Graph API using application permissions. This requires a one-time admin consent from your Microsoft 365 administrator.
The permissions we request:
Calendars.ReadWrite — to read meeting schedules and create room bookingsYour Microsoft credentials (passwords, personal tokens) are never accessed or stored by 365 Scheduler. Authentication uses Azure Active Directory application credentials stored securely server-side.
The 365 Scheduler Android app is a kiosk-mode WebView application designed to run on dedicated tablet hardware mounted outside meeting rooms.
The Android app itself collects no personal data, no analytics, no telemetry, and no advertising identifiers. It contains no third-party SDKs other than Android system libraries.
This data never leaves the device and can be cleared by tapping the "Reset pairing" option three times in the app, or by uninstalling the app.
The app makes HTTPS network requests to:
365scheduler.com — to fetch the room display, send heartbeat status, and exchange pairing codesapi.qrserver.com — to fetch a QR code image during the initial pairing flowThe standard server access logs (IP address, timestamp, requested URL) apply to these requests as described in section 2.
The app does not request access to contacts, location, camera, microphone, storage, or any other sensitive permissions.
We do not use your data for advertising, profiling, or any purpose other than operating the service.
We do not sell, rent, or share your personal data with third parties for commercial purposes.
We use the following trusted sub-processors to operate the service:
| Provider | Purpose | Location |
|---|---|---|
| Google Firebase | Authentication, database, hosting | EU (europe-west1) |
| Microsoft Azure | Calendar API access | EU |
| Stripe | Subscription billing and payment processing (PCI-DSS Level 1 compliant) | EU/US |
| SendGrid / SMTP | Transactional email (invites, alerts) | EU/US |
Stripe processes payment card information under their own privacy policy: stripe.com/privacy. We do not have access to your card number, CVV, or full card details at any time.
We take security seriously. Measures we have in place:
Under UK GDPR you have the right to:
To exercise any of these rights, email support@365scheduler.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have mishandled your data.
You can request deletion of your account and all associated data at any time:
When you delete your account, we remove: your account record, your organisation, all screens, all member invites, billing records (after legally-required retention period), and all configuration data. Calendar data accessed via Microsoft Graph is not stored on our servers, so there is nothing to delete on our side — it remains in your Microsoft 365 tenant under your control.
For the Android app specifically, all locally-stored data can be cleared by uninstalling the app or by tapping "Reset pairing" three times in the app.
We use only essential cookies required to operate the service (authentication session). We do not use tracking or advertising cookies. We use Cloudflare Web Analytics for aggregated, anonymous visitor statistics on our marketing site, which is cookieless and does not set any identifiers in your browser. No cookie consent banner is required as we only use strictly necessary cookies.
| Data type | Retention period |
|---|---|
| Account data | Until account is deleted |
| Screen configuration | Until screen is deleted by admin |
| Calendar events | Not stored — fetched live only |
| Invite tokens | 48 hours (or until used) |
| Phone numbers | Not stored after verification |
| Stripe customer ID & subscription metadata | Until account is deleted; invoices retained by Stripe according to their policy |
| Payment card details | Never stored by us; held by Stripe under PCI-DSS |
| Billing / invoice records | 7 years after end of subscription (UK tax law) |
365 Scheduler is a business service not directed at children. We do not knowingly collect data from anyone under 18 years of age.
We may update this privacy policy from time to time. We will notify account holders by email of any significant changes. The date at the top of this page indicates when it was last updated.
If you have any questions about this privacy policy or how we handle your data, please contact us at support@365scheduler.com. We aim to respond within 2 business days.