Privacy Policy

Last updated: May 10, 2026

This Privacy Policy describes how SynchronIA SAS ("we", "us", or "the Company") collects, uses, and protects your personal data when you use Skedul (the "Service"), accessible at skedul.ai and related subdomains.

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the French Data Protection Act (Loi n°78-17 du 6 janvier 1978, "Loi Informatique et Libertés"), and applicable French and European data protection legislation.

1. Data Controller


Company	SynchronIA SAS
Registered office	Bureau 326, 78 Avenue des Champs-Élysées, 75008 Paris, France
SIRET	988 493 243 00014
Contact	[email protected]

2. Data We Collect

2.1 Account data (collected at sign-up)

Name and email address — provided by Google OAuth (scopes: email, profile). Used to identify your account and greet you by name.

2.2 Data you create within the Service

Tasks, events, goals, vectors, milestones, habits, lists, and associated metadata
Morning plans, end-of-day check-ins, mood ratings
Schedule preferences (timezone, working hours, language)

2.3 Voice data

When you use the voice assistant, your audio is streamed in real-time to the Google Gemini API for processing. We do not store audio recordings on our servers. Google may retain API call logs for up to 30 days for abuse monitoring and service improvement, in accordance with Google's API Terms of Service.

2.4 Google Calendar data (optional)

If you choose to connect Google Calendar in Settings, we request the https://www.googleapis.com/auth/calendar.readonly scope. This allows us to read your calendar events so they appear alongside your Skedul events. We do not create, modify, or delete events in your Google Calendar.
Your Google OAuth tokens are encrypted at rest using AES-256-GCM and stored in our database. They are used solely to read your calendar events for display within Skedul.
You can disconnect Google Calendar at any time from Settings, which deletes your stored tokens.

2.5 Payment data

Payments are processed by Stripe, Inc.. We do not store your credit card number. Stripe provides us with a customer identifier, subscription status, and billing history.

2.6 Technical data

Push notification subscription endpoints (for morning/evening reminders, if you enable notifications)
We do not use advertising pixels or third-party cookies.

2.7 Anonymous analytics

We use Umami, a privacy-focused, cookieless analytics tool, to collect anonymous, aggregate usage data on both the marketing website and within the application. This includes page views, button click events (e.g., which call-to-action was clicked), sign-up funnel progression (e.g., whether a user completed registration steps), referrer URLs, and UTM campaign parameters (e.g., utm_source, utm_medium, utm_campaign).
Umami does not collect personal data, does not use cookies, and does not track individual users across sessions or websites. No IP addresses are stored. All data is aggregated and cannot be used to identify individual visitors.
This data helps us understand how visitors discover the website, which features drive sign-ups, and where users drop off during registration.

3. Purposes and Legal Basis

Purpose	Legal basis (GDPR Art. 6)
Provide and operate the Service	Performance of contract (Art. 6(1)(b))
Authenticate your identity via Google OAuth	Performance of contract
Synchronize events with Google Calendar	Consent (Art. 6(1)(a)) — you opt in from Settings
Process payments via Stripe	Performance of contract
Send push notification reminders	Consent — you opt in from Settings
Improve the Service (aggregate, anonymized usage patterns)	Legitimate interest (Art. 6(1)(f))
Collect anonymous analytics and conversion funnel metrics (Umami)	Legitimate interest (Art. 6(1)(f))

4. Data Sharing

We do not sell your personal data to any third party.

Your data is shared only with the following service providers (sub-processors), strictly for operating the Service:

Sub-processor	Purpose	Location
Supabase (Supabase Inc.)	Authentication, database	EU (Stockholm)
OVHcloud (OVH SAS)	Server hosting	France (Gravelines)
Google LLC (Gemini API)	Voice assistant AI processing	EU/US
Google LLC (Calendar API)	Calendar synchronization (if connected)	EU/US
Stripe, Inc.	Payment processing	EU/US
Umami (Umami Software, Inc.)	Anonymous website analytics	EU/US

Where data is transferred outside the EU/EEA (Google, Stripe), these providers operate under the EU-U.S. Data Privacy Framework or Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of data protection.

5. Data Retention

Account and user-created data: retained for the duration of your account. Deleted within 30 days of account deletion request.
Google OAuth tokens: deleted immediately when you disconnect Google Calendar, or upon account deletion.
Voice data: not stored by us. Google may retain API logs for up to 30 days.
Payment data: retained by Stripe in accordance with their retention policy and applicable tax/accounting obligations.

6. Your Rights

Under the GDPR and French data protection law, you have the following rights:

Right of access (Art. 15) — obtain a copy of your personal data
Right to rectification (Art. 16) — correct inaccurate data
Right to erasure (Art. 17) — request deletion of your data
Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
Right to restrict processing (Art. 18)
Right to object (Art. 21) — object to processing based on legitimate interest
Right to withdraw consent (Art. 7(3)) — for consent-based processing (e.g., Google Calendar sync, notifications)

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority: www.cnil.fr.

7. Security

We implement appropriate technical and organizational measures to protect your data, including:

Encryption in transit (TLS/HTTPS) for all communications
Encryption at rest (AES-256-GCM) for sensitive data such as Google OAuth tokens
Access restricted to authorized personnel only
Database hosted in the European Union

8. Cookies

We use only strictly necessary cookies for authentication (Supabase session cookies). We do not use advertising or tracking cookies. Our analytics tool (Umami) is entirely cookieless and does not store any data on your device. No cookie consent banner is required under the CNIL guidelines on cookies and trackers (Délibération n°2020-091) as we use only strictly necessary cookies and cookieless analytics.

9. Children

The Service is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For material changes, we will notify you via the Service.

11. Contact

For any questions regarding this Privacy Policy or your personal data:

SynchronIA SAS Bureau 326, 78 Avenue des Champs-Élysées 75008 Paris, France [email protected]