Privacy Policy
Last updated: May 28, 2026
1. Who We Are
EquaSched is operated by Timur Kharenkov, an Irish sole trader (a Delaware LLC successor entity is being formed). We provide B2B workforce scheduling software for medical clinics in the United States. Subscription payments are processed by Paddle.com Market Ltd. as merchant of record.
General contact: hello@equasched.com
Privacy / data subject requests: hello@equasched.com (subject line: "Privacy Request")
Marketing unsubscribe: one-click link in any marketing email (automated; not routed through support queues)
Notice at Collection (US Residents)
At the point of account registration we collect, for the purposes described in Section 3, the following categories of personal information:
- Identifiers: name, business email address, IP address.
- Commercial information: subscription tier, billing history.
- Professional / employment information: job title you provide for your administrator account; staff data the clinic chooses to enter (names, work emails, roles, qualifications, shift assignments).
- Internet activity: session logs, error logs, feature usage.
- Sensitive personal information (CPRA): account login credentials (email + hashed password) used only for authentication.
Retention by category: account identifiers and credentials — while your account is active, then deleted from active systems within 90 days after closure (backups within an additional 90 days); billing records — up to 7 years; security and audit logs — 12 months. Full details in Section 5. We do not sell personal information for money. We may "share" identifiers and internet activity with Google Analytics 4 only after you affirmatively accept our cookie consent banner (see Section 10). For full California rights, see Section 6.B (California). For Washington residents, see Section 6.D. For Texas, Colorado, Connecticut, and Virginia, see Section 6.E.
2. What Data We Collect
A. Account Data (from clinic administrator)
Clinic name, administrator name, work email address, password (hashed), billing contact information.
B. Staff Data (entered by clinic administrator)
Staff member names, work email addresses, job roles (RN, MD, NP, etc.), shift assignments, qualifications, and scheduling preferences. This data relates to clinic employees only — never to patients.
C. Payment Data
Subscription plan, billing email, last 4 digits of payment card, and transaction history. Full payment card data is processed by Paddle (our merchant of record) and is not stored by EquaSched.
D. Usage and Technical Data
IP address, browser type, device identifiers, session logs, error logs, and feature usage data collected automatically when you use the platform. Google Analytics 4 collects pseudonymous usage data (pages viewed, session duration, device type, approximate location at city level) only after you accept analytics cookies (see Section 10).
E. Communications
Emails sent and received in connection with your account, support requests, and (where you have consented) marketing communications.
F. Sensitive Personal Information (CPRA)
Account login credentials (email + hashed password) qualify as "sensitive personal information" under CPRA. We use this information only to authenticate users and secure the Service and do not use or disclose it for any purpose that would trigger the "right to limit" under Cal. Civ. Code §1798.121.
Important: No Patient Health Information (PHI) or Consumer Health Data
EquaSched is designed exclusively for staff workforce scheduling. We do not collect, process, or store Protected Health Information (PHI) as defined by HIPAA (45 C.F.R. § 160.103), and Customers agree not to input any patient identifiers, medical records, diagnoses, or health information into EquaSched (see Terms §4). We also do not intentionally collect "consumer health data" as defined by US state laws, including Washington's My Health My Data Act (RCW 19.373), Nevada SB 370, or similar statutes. EquaSched is not a HIPAA Business Associate unless a separate written Business Associate Agreement has been executed.
Operational enforcement (zero human review): We operate an automated pattern-detection system that blocks inputs containing prohibited PHI patterns (such as MRN-style identifiers, SSNs, or named patient + procedure combinations) at the time of submission. We log only the pattern category and a cryptographic hash of the rejected content — never the content itself. EquaSched personnel do not review detected content. Where prohibited data is nonetheless found in storage, we quarantine it for 14 days (allowing the clinic administrator to extract or remediate) and then permanently delete it. This automated control is a reasonable assistance measure, not a guarantee that prohibited data will never transit the Service.
3. How We Use Your Data
- Service delivery: Account provisioning, schedule generation, staff notifications via email.
- Billing: Processing subscription payments, sending invoices and receipts.
- Security: Fraud prevention, authentication, access control, automated PHI-pattern blocking.
- Support: Responding to customer inquiries and bug reports.
- Product improvement: Analyzing aggregated, non-identifiable usage patterns to improve features.
- Legal compliance: Complying with applicable laws and regulations.
Automated decision-making. EquaSched uses automated scheduling algorithms to generate proposed shift assignments. These algorithms inform but do not finalize staffing decisions; the clinic administrator retains full authority to review, edit, override, or reject any algorithmically proposed schedule before publication. EquaSched does not engage in automated decision-making that produces legal or similarly significant effects on individuals without human review.
4. Who We Share Data With
We share data only with sub-processors / service providers necessary to deliver our service. Each is engaged under a written data-processing agreement and acts as a service provider / processor (not as an independent recipient for its own purposes):
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database and authentication | USA |
| Vercel Inc. | Frontend hosting and delivery (DPA pending on plan upgrade) | USA |
| Paddle.com Market Ltd. | Subscription payments, merchant of record, tax remittance | UK / USA |
| Resend Inc. | Transactional and (where applicable) marketing email | USA |
| Hostinger International Ltd. | Backend API hosting (VPS) | EU / UK |
| Cloudflare Inc. | Bot protection (Turnstile CAPTCHA on signup) | USA |
| Google LLC | Google Analytics 4 (only after analytics-cookie consent) | USA |
We do not sell personal information for money. We do not use cookies for cross-context behavioral advertising or social-media tracking. After analytics-cookie consent, GA4 processing may constitute "sharing" under California law; you can withdraw this consent at any time via the cookie banner or by enabling Global Privacy Control.
Controller / service-provider roles: For clinic staff scheduling data entered by a clinic administrator, the clinic is the data controller / business and EquaSched acts as service provider / processor on the clinic's behalf and instructions. For account registration, billing, security, product improvement, and marketing data, EquaSched is the independent controller / business. A Data Processing Addendum that incorporates both an EU/UK Annex and a US State Privacy Addendum (CPRA service-provider language for California and equivalent processor terms for Colorado, Connecticut, Virginia, Texas, Oregon, Tennessee, Indiana, Maryland, and other US states with comprehensive privacy laws as defined in the DPA Part B) is available at /dpa.
5. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this Policy or as required by applicable law. Retention periods by category:
- Account data (live): retained while the account is active; deleted from active systems within 90 days after account deletion or the close of the post-termination export window (whichever is later).
- Staff scheduling data (live): deleted on the same 90-day timeline as account data.
- Encrypted backups: rotated and overwritten within an additional 90 days following deletion from active systems.
- Billing, invoice, and tax records: retained for up to 7 years as required by tax/accounting law.
- Account and security audit logs: retained for 12 months.
- PHI-detection logs: retained for 12 months (pattern category + content hash only; never the content).
- Marketing opt-out / suppression list: retained indefinitely to honor your opt-out request.
You may request deletion of your data at any time by contacting hello@equasched.com, subject to the legal retention obligations above.
6. Your Privacy Rights
6.A General Rights
Depending on your location, you may have the following rights:
- Right to Know / Access: Request information about what personal data we hold about you.
- Right to Delete (Erasure): Request deletion of your personal data, subject to legal retention obligations.
- Right to Correct (Rectification): Request correction of inaccurate data.
- Right to Restrict Processing: Request that we limit how we use your data while a dispute is resolved.
- Right to Object: Object to processing based on legitimate interests or for direct marketing.
- Right to Data Portability: Request a copy of your data in a machine-readable format.
- Opt-out of Marketing: Unsubscribe from marketing emails at any time via the one-click link in any marketing email; opt-outs are processed automatically and are not subject to support ticket queues.
- Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
6.B California Residents (CCPA / CPRA) — Do Not Sell or Share
We do not sell personal information for money and we do not use personal information for cross-context behavioral advertising except as described for GA4 in Section 10 (which requires your prior cookie consent and can be withdrawn at any time). Categories of personal information we collect are listed in the Notice at Collection above. We do not knowingly sell or share personal information of consumers under 16 years of age.
California response time. We will confirm receipt within 10 business days and substantively respond within forty-five (45) days. We may extend once by an additional forty-five (45) days where reasonably necessary, with notice within the initial period (Cal. Civ. Code §1798.130(a)(2)).
Right to limit use of sensitive personal information. We collect login credentials (SPI) but use them only for authentication and security; we do not use SPI for any purpose that would trigger a CPRA "right to limit" obligation.
How to opt out of sale / share (multiple methods). California residents may opt out at any time by: (i) clicking "Decline" on the cookie consent banner or revisiting Cookie Settings in the site footer to withdraw analytics-cookie consent; (ii) enabling the Global Privacy Control (GPC) browser signal — when GPC is detected by our cookie-consent layer or our backend middleware, GA4 is not loaded regardless of prior banner acceptance; or (iii) emailing hello@equasched.com with the subject "Do Not Sell or Share."
Authorized agent. You may designate an authorized agent to submit a request on your behalf. We may require written, signed permission from you and proof of the agent's identity, and we may require you to verify your own identity directly with us.
Appeal. If we deny your request, you may appeal by replying to our decision email within 30 days; we will review and respond within 45 days.
To exercise any California right, contact hello@equasched.com with the subject line "California Privacy Request."
6.C / 6.D Washington Residents — My Health My Data Act
EquaSched is workforce scheduling software for clinic employers and is not a consumer health app. We do not intentionally collect consumer health data as defined by RCW 19.373. To the extent any information we process is treated as consumer health data under Washington law, we collect it solely to provide scheduling services under contract with your employer/clinic, we do not sell consumer health data, we do not use geofencing around healthcare facilities, and we do not use such data for advertising. Washington residents may contact us at hello@equasched.com (subject: "Washington Health Data Request") to exercise rights available under RCW 19.373, including access, deletion, and withdrawal of consent. Similar limitations apply under Nevada SB 370 (consumer health data); we do not intentionally collect consumer health data and do not sell it.
6.E Other US State Residents (Colorado, Connecticut, Virginia, Texas, Oregon, Tennessee, Indiana, Maryland, and other states with comprehensive privacy laws)
Depending on your state of residence, you may have rights to access, correct, delete, obtain a portable copy, and opt out of (i) targeted advertising, (ii) sale of personal data, and (iii) profiling that produces legal or similarly significant effects. We do not engage in targeted advertising, do not sell personal data, and do not use staff scheduling for automated decision-making producing legal or similarly significant effects without human review. To exercise these rights, email hello@equasched.com with the subject line "[State] Privacy Request." Residents of other US states with comprehensive privacy laws (including but not limited to Oregon (OCPA), Tennessee (TIPA), Indiana (INCDPA), Maryland (MODPA), Delaware (DPDPA), Iowa (ICDPA), Montana (CDPA), Kentucky, Rhode Island, and similar) may exercise applicable rights via the same channel. EquaSched will extend equivalent processor / service-provider terms in the DPA to additional states upon written request or policy update. Texas residents are additionally informed that we do not sell "sensitive personal information" as defined by Tex. Bus. & Com. Code Ch. 541 and do not process reproductive health data for consumer-facing purposes.
6.F GDPR / UK GDPR Response Timing (EEA / UK Users)
For EEA / UK users, we will respond to verifiable requests within one (1) month of receipt, extendable by up to two (2) further months for complex or numerous requests, with notice within the initial month (GDPR Art. 12).
7. GDPR Lawful Basis (EEA and UK Users)
EquaSched is operated by an Irish sole trader and is therefore established in the EU. Under Article 3(1) GDPR, our processing of personal data is subject to the GDPR and the Irish Data Protection Act 2018. We rely on the following lawful bases when acting as a controller:
- Contract (Art. 6(1)(b)): processing account, billing, and authentication data to provide the Service.
- Legitimate interests (Art. 6(1)(f)): usage and technical data for platform security, abuse prevention, and product improvement.
- Legal obligation (Art. 6(1)(c)): retention of payment and transaction records for tax and accounting compliance.
- Consent (Art. 6(1)(a)): marketing communications and analytics cookies (GA4), where you have opted in. You may withdraw consent at any time.
For staff scheduling data processed on a clinic's behalf, the clinic is the controller and identifies the lawful basis (typically Art. 6(1)(b) employment contract, Art. 6(1)(f) legitimate interests, or Art. 6(1)(c) legal obligation). EquaSched processes such data only on the clinic's documented instructions, under the Data Processing Addendum at /dpa.
Our lead supervisory authority is the Irish Data Protection Commission (DPC), dataprotection.ie.
8. International Data Transfers
Some of our sub-processors are located in the United States. For personal data transferred from the EEA or UK to the United States, we rely on the European Commission's Standard Contractual Clauses (SCCs) under Article 46 GDPR (Module 2), together with the UK International Data Transfer Addendum (IDTA) for UK transfers. We supplement the SCCs with documented technical and organizational safeguards (encryption in transit and at rest, access controls, sub-processor due diligence). We will conduct a Transfer Impact Assessment (TIA) in accordance with EDPB Recommendations 01/2020 on the written request of any Controller and prior to commencing transfers of that Controller's EEA / UK personal data. You may request a copy of the applicable transfer mechanism and a TIA summary by emailing hello@equasched.com.
9. Security and Breach Notification
We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS 1.2+), encryption at rest for primary databases and backups, role-based access controls, and security monitoring, consistent with the reasonable safeguards standard under New York General Business Law §899-bb (SHIELD Act) and similar US state laws. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a confirmed data breach affecting personal information: (a) where EquaSched is your clinic's processor for staff scheduling data, we will notify your designated administrator without unreasonable delay and no later than 72 hours after confirmation, and will reasonably assist you with required notifications to affected staff and supervisory authorities; (b) where EquaSched is an independent controller (e.g., your administrator account data), we will notify affected individuals and supervisory authorities as required by applicable law, including applicable US state breach-notification laws.
10. Cookies, Analytics, and Tracking
EquaSched uses two categories of cookies and similar technologies:
- (a) Strictly necessary cookies — required for authentication (session cookies) and bot protection (Cloudflare Turnstile may set a short-lived security cookie and process your IP on signup forms). To remember your cookie-consent choice, we store a single flag in your browser's local storage; this is a strictly necessary technical mechanism and is not used for tracking. These are set without consent.
- (b) Analytics cookies — Google Analytics 4 (Measurement ID G-05Y4J423NX) collects pseudonymous usage data (pages viewed, session duration, device type, approximate location at city level) using cookies or similar device identifiers, only after you click "Accept" on our cookie consent banner. You may decline or withdraw consent at any time via the cookie banner. We enable IP-address truncation in GA4 settings and do not use GA4 for advertising, remarketing, or cross-context behavioral advertising. We treat the Global Privacy Control (GPC) signal as an opt-out of sale/share: when GPC is detected by our backend or our cookie-consent layer, GA4 is not loaded regardless of prior banner acceptance.
We do not use third-party advertising cookies, social-media tracking pixels, profiling for ad targeting, or other behavioral tracking beyond the GA4 usage described above.
11. Email Practices
(a) Operational and transactional emails. Schedule notifications, account, billing, support, and security emails are sent to implement the Service. They include our physical postal address (Section 14) in the footer but are not marketing messages and do not include promotional content beyond minimal Service branding or links to your account.
(b) Marketing emails (CAN-SPAM). Where we send marketing or promotional emails to US recipients, we comply with the CAN-SPAM Act (15 U.S.C. §7701): every marketing email (i) clearly identifies itself as a commercial message; (ii) includes our valid physical postal address; (iii) includes a clear and conspicuous one-click unsubscribe link, supported by RFC 8058 List-Unsubscribe and List-Unsubscribe-Post headers; and (iv) honors opt-outs within ten (10) business days (typically within minutes). Opt-out processing is automated and is not subject to support ticket queues.
(c) No marketing to uploaded staff addresses. We will not send marketing emails to clinic staff using addresses uploaded by Customer for scheduling purposes unless the staff member separately opts in directly with us.
(d) SMS / phone. EquaSched does not currently send SMS marketing messages. If we add SMS in the future, we will obtain prior express written consent as required by the Telephone Consumer Protection Act (TCPA, 47 U.S.C. §227) and update this Policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will post updates on this page and notify you of material changes by email at least 30 days before they take effect. Where a material change introduces new processing that requires your consent under applicable law, we will request fresh consent before that processing begins. For non-material updates, continued use of EquaSched after the effective date indicates acknowledgment of the updated policy.
13. Children
EquaSched is a B2B service intended solely for healthcare clinic administrators and their authorized staff. It is not directed to children, and we do not knowingly collect personal data from them. For US users, we comply with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §6501) and do not knowingly collect personal information from children under 13. For EEA / UK users, we do not knowingly collect personal data from children under 16. We do not knowingly sell or share personal information of consumers under 16 (CCPA / CPRA). If you believe a minor has provided us with personal data, contact hello@equasched.com and we will delete it promptly.
14. Contact
For privacy inquiries, data subject requests, authorized-agent submissions, or questions about this policy:
Email: hello@equasched.com
EquaSched / Timur Kharenkov
5 Keegans Flats, 20 North Parade, Gorey, Co Wexford, Y25VY73, Ireland