Compliance & Privacy

Last updated: May 28, 2026

EquaSched is built for US medical clinics. This page summarizes our legal, privacy, and data protection commitments so your compliance team can review them in one place.

FTC Consumer Protection

Click-to-Cancel (self-service)

Cancel your subscription at any time in Settings → Billing without calling support or waiting in a chat queue. No friction, no dark patterns.

Pre-charge reminder email (FTC Negative Option Rule)

We send you an email reminder before your 7-day trial converts to a paid subscription, with the exact charge amount, date, and a direct cancel link. Required by the 2024 FTC Click-to-Cancel rule — and we comply.

Auto-renewal disclosure at signup

A separate required checkbox at signup discloses the exact plan price, billing frequency, and cancellation terms before you can create an account. No buried fine print.

US State Privacy Laws

Global Privacy Control (GPC) honored

Our backend reads the Sec-GPC: 1 signal and responds with Sec-GPC-Acknowledged: 1. Required under CPRA §1798.135(b) for California residents; we honor it for all users.

Do Not Sell or Share My Personal Information

We do not sell or share personal information with third parties for cross-context behavioral advertising. Submit a Do Not Sell request →

Notice at Collection (CPRA §1798.100)

We disclose the categories of personal information collected and their retention periods at the point of collection during signup — not buried in a linked policy.

US State Privacy Addendum

Our DPA includes a US State Privacy Addendum covering CPRA (California), CPA (Colorado), CTDPA (Connecticut), VCDPA (Virginia), TDPSA (Texas), OCPA (Oregon), Washington MHMDA, and other applicable state laws.

Cookie consent with conditional analytics

Google Analytics (GA4) loads only after you explicitly accept cookies. You can change your choice at any time using the Cookie Settings link in every page footer.

CAN-SPAM Act compliance

Every marketing email includes a one-click unsubscribe link (RFC 8058 List-Unsubscribe-Post) and our physical mailing address. Unsubscribe requests are processed within 10 business days.

Healthcare-Specific Protections

PHI prohibition enforced at the API level

Our Terms of Service explicitly prohibit entering Protected Health Information (PHI) — including patient names with diagnoses, MRNs, SSNs, DOBs, and ICD-10 codes — into the system. This prohibition is backed by automated DLP pattern detection on all text inputs.

HIPAA Business Associate Agreement (Enterprise plan)

Enterprise plan customers who require a BAA for compliance purposes may request one. EquaSched is designed as a workforce scheduling tool (staff data only) and does not store patient data by design.

Washington MHMDA & Texas HB 300

We do not process reproductive health data or mental health data for consumer-facing purposes. Staff scheduling data is operational, not clinical.

Data Processing & Contracts

Data Processing Addendum (DPA)

A full DPA is available to all customers — not just EU customers. It covers sub-processors, data subject rights assistance, breach notification (72 hours), audit rights, and international transfer mechanisms. Read the DPA →

Arbitration & class action waiver

Disputes are resolved through binding arbitration (AAA Commercial Rules). Both parties waive the right to participate in class action lawsuits. See Terms §13.

Vendor DPAs signed

We have executed DPAs with all sub-processors that handle personal data: Paddle (payments), Supabase (database), Resend (email), Cloudflare (CDN/DNS), and Hostinger (VPS). Vendor DPA documentation is available on request.

Security

SOC 2 Type II — audit in progress

EquaSched is preparing for SOC 2 Type II certification. Report expected Q2 2027. Our database infrastructure (Supabase) is SOC 2 Type II certified. See our Security page for details.

Row-Level Security (RLS)

All database access enforces row-level security — clinic staff can only access their own clinic's data. This is enforced at the database level, not only in the application layer.

Rate limiting & bot protection

All endpoints are rate-limited. Signup is protected by Cloudflare Turnstile (privacy-preserving CAPTCHA). Authentication uses JWT with short-lived tokens.

Breach notification SLA: 72 hours

In the event of a personal data breach affecting your clinic's data, we will notify you within 72 hours of becoming aware of the incident.

Questions or requests

For data subject requests, DPA inquiries, BAA requests, or security questionnaires, contact us at hello@equasched.com. We respond within 2 business days.