Privacy Policy

1. Overview

Shedu processes three categories of data:

1. Contractor Data (our direct customers)
2. End-User Lead Data (customers of contractors)
3. Website Visitor Data (visitors to shedu.io)

Shedu does not sell personal data.

2. Data We Collect

2.1 Data Collected from Contractors (Our Customers)

When a contractor signs up for Shedu, we collect and store:

Business & Account Information:

• Business name
• Owner name
• Email address
• Phone number
• Google Ads Customer ID (10-digit account number)
• Billing information (when applicable)

Google Integrations:

• Google Calendar OAuth tokens (encrypted at rest)
• Google Ads API OAuth tokens (encrypted at rest)

Operational Configuration Data:

• Crew information (names, roles, working hours, service areas)
• Geographic configuration (ZIP codes, service boundaries)
• Scheduling preferences (booking horizon, ad lead times, quiet hours)
• Dashboard authentication credentials (email-based sign-in, session cookies)
• Webhook keys for third-party integrations

This information is necessary to configure and operate the Contractor’s Shedu account.

2.2 Data Collected from Contractor’s Customers (End-User Leads)

When a consumer interacts with a contractor’s Google Ad or booking workflow, Shedu may process:

• Name
• Phone number
• Email address (if provided)
• Street address or ZIP code
• SMS conversation history (full message logs between the automated bot and the lead)
• Appointment details (date, time, assigned crew, status)
• Job value (when reported by contractor)
• Lead source attribution (Google Ads, referral, etc.)
• SMS opt-in/opt-out status

This data is collected and processed on behalf of the Contractor. The Contractor owns this data.

2.3 Data Collected from Website Visitors (shedu.io)

If you visit our website, we may collect:

Analytics Data (if enabled):

• IP address
• Browser type
• Device information
• Pages visited
• Referral source

Booking Widget Submissions:

• Name, email, phone, business type, crew count, ZIP codes

This data is used for demo scheduling and marketing performance tracking.

3. How We Use Data

3.1 Contractor Data

We use Contractor data to configure and operate Shedu accounts, manage Google Ads campaigns, sync Google Calendar availability, apply geographic coverage adjustments, send automated daily summary reports, and provide dashboard analytics.

3.2 End-User Lead Data

We process lead data on behalf of Contractors to send automated SMS messages for scheduling, confirm appointments, send reminders and follow-up messages, send review requests, and record appointment outcomes. We do not use end-user lead data for our own marketing purposes.

3.3 Website Data

We use website visitor data to improve website performance, track demo conversions, analyze traffic sources, and improve user experience.

4. How Data Is Stored and Secured

Infrastructure:

• Database: PostgreSQL hosted on Neon (encrypted at rest)
• Application Hosting: Vercel (US-based serverless infrastructure)
• SMS Provider: Twilio
• Google Integrations: Google Ads API and Google Calendar API

Encryption:

• Google OAuth tokens encrypted using AES-256 before storage
• Data encrypted in transit using HTTPS (TLS)
• Database encryption at rest via Neon

Access Controls:

• Restricted production access
• Role-based access internally
• Unique dashboard authentication tokens per contractor

5. SMS Compliance (TCPA)

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes at any time. Mobile numbers and SMS opt-in consent data are used exclusively for service delivery and appointment-related communications.

We do not sell, rent, or share your mobile information with third parties or affiliates for marketing or promotional purposes. Your mobile number and consent data are only used to send you messages related to your service request, such as appointment confirmations, reminders, and follow-ups.

We may share your information with service providers (such as Twilio for SMS delivery) strictly for the purpose of delivering the requested service. These providers are not permitted to use your information for marketing or promotional purposes.

You may opt out of receiving SMS messages at any time by replying STOP. For help, reply HELP.

6. Data Sharing

Shedu does not sell personal data.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes at any time. SMS opt-in data and consent records are never included in webhook exports and are not accessible to Contractor-configured integrations.

We share data only as necessary to provide the Service:

With Service Providers:

• Google (Ads API, Calendar API)
• Twilio (SMS delivery)
• Vercel (application hosting)
• Neon (database hosting)

Shedu’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

California Residents (CCPA):

We do not sell your personal information or the personal information of your leads and customers as defined by the California Consumer Privacy Act (CCPA). If you are a California resident and wish to request disclosure or deletion of your data, contact us at support@shedu.io.

With Contractor-Specified Integrations:

If a Contractor configures outbound webhooks, lead and booking data may be sent to Zapier, Make, CRM systems, accounting platforms, or the Contractor’s custom endpoints. We are not responsible for how Contractors or third-party tools handle exported data.

7. Data Ownership

• Contractor customer data belongs to the Contractor.
• Shedu acts as a data processor for lead data.
• Contractors may export their data at any time.
• Upon cancellation, data can be exported and deleted upon request.

8. Data Retention

• Active Accounts: Data is retained for the duration of the subscription.
• Canceled Accounts: Data is retained for 30 days after cancellation, then permanently deleted. To receive an export, you must request it before this window closes.
• SMS Logs: Retained for 12 months for compliance and dispute resolution.
• Event and Audit Logs: Retained for 12 months.

9. Contractor Rights

Contractors may request export of all account data, request deletion of their account, update account information, and disable integrations. Submit requests to: support@shedu.io

10. End-User (Lead) Rights

End-user leads may opt out of SMS by replying STOP, or request deletion of their data by contacting the Contractor directly or Shedu at support@shedu.io. We will coordinate with the Contractor to fulfill deletion requests.

11. California Privacy Rights (CCPA)

If you are a California resident, you may request disclosure of data collected, request deletion of your data, and opt out of the sale of personal data. Shedu does not sell personal data. Submit requests to: support@shedu.io

12. International Users (GDPR)

Shedu is based in the United States and designed primarily for North American contractors. If you are located in the European Union or are subject to the General Data Protection Regulation (GDPR), please contact us at support@shedu.io before using the Service to ensure appropriate data processing agreements are in place. We follow data minimization and security best practices and will update this policy if GDPR obligations become applicable.

13. SOC 2 Status

Shedu is an early-stage company and is not currently SOC 2 certified. We implement reasonable administrative, technical, and physical safeguards appropriate to our size and stage.

14. Children’s Privacy

Shedu is not intended for individuals under 18. We do not knowingly collect data from children.

15. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Material updates will be communicated via email notice (if applicable) or website notification. Continued use of the Service after updates constitutes acceptance.

16. Contact Information

By using Shedu, you acknowledge that you have read and understood this Privacy Policy.