Privacy Policy

Last updated: June 2025

What We Collect

Schedulite collects the minimum information necessary to provide appointment check-in and communication services:

Practice staff

Name, email address, and role. Used for authentication, access control, and audit logging.

Patients

First name, phone number, date of birth, and email (optional). Used for appointment identification, SMS notifications, and calendar invites. All fields are encrypted at rest.

Appointments

Date, time, duration, provider, and status. Used to power the check-in workflow and real-time notifications.

How We Protect It

Patient data (name, phone, DOB, email) is encrypted at rest using AES-256 via Lockbox

All data is transmitted over TLS 1.2+

Blind indexes allow lookups without decrypting entire datasets

Audit logs record every access to patient and appointment data

Session timeout after 15 minutes of inactivity

What We Never Do

We never sell patient data to anyone, for any reason

We never include diagnosis, insurance, or clinical information in SMS messages

We never share data with third parties except as required to deliver the service

Third-Party Services

Twilio

Sends and receives SMS messages. We transmit only first names and appointment times — never clinical data.

Stripe

Processes credit card payments for no-show fees. Card numbers are handled entirely by Stripe — we store only a token and last 4 digits.

Data Retention

Completed appointment data is retained for up to 7 years (configurable per practice) to comply with medical record retention requirements. Audit logs are never deleted. Practices can request full data deletion by contacting us.

Your Rights

You may request access to, correction of, or deletion of your data at any time by emailing privacy@schedulite.com.