Privacy Policy — 365 Scheduler

Plain English summary: We collect only what we need to run the service. We never sell your data. Your calendar data stays in your Microsoft 365 account — we only read it to display it on your room screen. You can request deletion of your account at any time.

1. Who We Are

365 Scheduler ("we", "us", "our") is a room display and booking management service operated by 365 Scheduler Ltd. Our service is accessible at 365scheduler.com and 365scheduler.co.uk.

For data protection enquiries, contact us at: support@365scheduler.com

2. What Data We Collect

Account data

Data	Why we collect it	Retention
Email address	Account login and communication	Until account deleted
Phone number	SMS verification at registration only	Not stored after verification
Organisation name	To group your screens and team	Until account deleted

Calendar data

When you connect a Microsoft 365 room mailbox, we access calendar events to display them on your room screen. This includes:

Meeting subject, start time, end time
Organiser name (first name only, displayed on screen)

We do not store calendar events. They are fetched in real time from Microsoft Graph API and displayed directly. Nothing is written to our database.

Screen configuration

To operate your room displays we store:

Room email address and Microsoft tenant ID
Display settings (room name, logo, colours, booking durations)
LED controller settings (if enabled)
Alert email addresses

Usage data

We do not use analytics, tracking pixels, or advertising cookies. We do not use Google Analytics or any third-party analytics service.

3. Microsoft 365 Integration

Our service connects to Microsoft 365 via the Microsoft Graph API using application permissions. This requires a one-time admin consent from your Microsoft 365 administrator.

The permissions we request:

Calendars.ReadWrite — to read meeting schedules and create room bookings

Your Microsoft credentials (passwords, personal tokens) are never accessed or stored by 365 Scheduler. Authentication uses Azure Active Directory application credentials stored securely server-side.

4. How We Use Your Data

To operate the room display service
To create and manage your account
To send service notifications (offline alerts, invite emails)
To respond to support requests

We do not use your data for advertising, profiling, or any purpose other than operating the service.

5. Data Sharing

We do not sell, rent, or share your personal data with third parties for commercial purposes.

We use the following trusted sub-processors to operate the service:

Provider	Purpose	Location
Google Firebase	Authentication, database, hosting	EU (europe-west1)
Microsoft Azure	Calendar API access	EU
SendGrid / SMTP	Transactional email (invites, alerts)	EU/US

6. Data Security

We take security seriously. Measures we have in place:

All data transmitted over HTTPS/TLS encryption
Azure credentials stored server-side only — never exposed to browsers
Firebase Authentication with brute-force protection
Phone SMS verification required for new account registration
Invite-only access — no public self-registration
Role-based access control — team members only see screens they are assigned
API endpoints protected with key-based authentication

7. Your Rights (UK GDPR)

Under UK GDPR you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — ask us to correct inaccurate data
Erasure — request deletion of your account and associated data
Portability — receive your data in a machine-readable format
Objection — object to processing of your data
Restriction — request we limit how we use your data

To exercise any of these rights, email support@365scheduler.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have mishandled your data.

8. Cookies

We use only essential cookies required to operate the service (authentication session). We do not use tracking, analytics, or advertising cookies. No cookie consent banner is required as we only use strictly necessary cookies.

9. Data Retention

Data type	Retention period
Account data	Until account is deleted
Screen configuration	Until screen is deleted by admin
Calendar events	Not stored — fetched live only
Invite tokens	48 hours (or until used)
Phone numbers	Not stored after verification

10. Children's Privacy

365 Scheduler is a business service not directed at children. We do not knowingly collect data from anyone under 18 years of age.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify account holders by email of any significant changes. The date at the top of this page indicates when it was last updated.

✉️

Privacy questions?

If you have any questions about this privacy policy or how we handle your data, please contact us at support@365scheduler.com. We aim to respond within 2 business days.