Effective Date: January 1, 2025 | Last Updated: November 4, 2025
Introduction
At Skardu ("we," "us," or "our"), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our demo reminder automation service (the "Service").
By using Skardu, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use the Service.
GDPR Compliance
All your data is stored on Supabase servers located in Ireland (European Union), making Skardu GDPR compliant by default.
- Your data never leaves the European Economic Area (EEA) for storage purposes
- We comply with all GDPR requirements for data protection and privacy
- You have full rights under GDPR to access, modify, or delete your data
- We implement strict security measures to protect your information
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Full name
- Email address
- Password (stored in encrypted/hashed form)
- Company or organization name (optional)
- Account preferences and settings
1.2 Calendar Data (Calendly Integration)
When you connect your Calendly account, we collect and process:
- Scheduled demo events and meeting details
- Event titles, descriptions, and locations
- Meeting dates, times, and durations
- Attendee names and email addresses
- Event status (scheduled, cancelled, rescheduled)
- Calendly OAuth access tokens (encrypted and stored securely in our database)
🔒 Security Note: Your Calendly OAuth access tokens are encrypted at rest using industry-standard AES-256 encryption and transmitted securely over HTTPS/TLS. We have read-only access to your Calendly events. We do not modify, create, or delete any events in your calendar.
1.3 Email Communication Data
To send reminder emails on your behalf, we collect and store:
- SMTP server credentials including server address, port, username, and password (encrypted and stored securely)
- Email templates you create
- Recipient email addresses from your calendar events
- Sent message logs and delivery status
- Email personalization data (merge variables like names, times, meeting details)
🔒 Security Note: Your SMTP credentials (including email passwords) are encrypted at rest using industry-standard AES-256 encryption and transmitted securely over HTTPS/TLS. We never log or display your email passwords in plain text.
SMTP Providers Supported: We work with any email provider that supports SMTP, including but not limited to Zoho, FastMail, Gmail, Outlook, ProtonMail, iCloud, Yahoo, SendGrid, Mailgun, Amazon SES, and custom SMTP servers.
1.4 SMS and Voice Communication Data (Twilio)
If you choose to use SMS or voice reminder features, we collect:
- Your Twilio account credentials including Account SID and Auth Token (encrypted and stored securely)
- Phone numbers from your calendar events
- SMS and voice message templates
- Communication logs and delivery status
🔒 Security Note: Your Twilio credentials (Account SID and Auth Token) are encrypted at rest using industry-standard AES-256 encryption and transmitted securely over HTTPS/TLS. We never log or display your Twilio Auth Token in plain text.
Important: You use your own Twilio account for SMS and voice services. Twilio bills you directly for these services. We do not handle or process payments for Twilio services.
1.5 Usage and Analytics Data
We automatically collect certain information about your use of the Service:
- Login times and access patterns
- Features used and frequency of use
- Template creation and modification activity
- Integration connection and disconnection events
- Reminder scheduling and sending statistics
- Browser type, device information, and IP address
- Pages viewed and time spent on different sections
1.6 Payment Information
All payment processing is handled entirely by Paddle, our payment processor. We do not collect, store, or have access to your payment card information.
Paddle collects and processes:
- Credit card or payment method details
- Billing addresses
- Tax identification numbers (if applicable)
- Transaction history
Paddle's privacy policy governs the collection and use of payment information. For more details, please review Paddle's Privacy Policy.
2. How We Use Your Information
We use the information we collect for the following purposes:
2.1 To Provide the Service
- Detect and identify scheduled demo events from your Calendly account
- Automatically schedule reminder messages based on your configured timing
- Send personalized email, SMS, and voice reminders to meeting attendees
- Populate message templates with attendee information and meeting details
- Track and report on reminder delivery and engagement
2.2 To Maintain and Improve the Service
- Monitor service performance and reliability
- Identify and fix technical issues
- Analyze usage patterns to improve features
- Develop new features and functionality
- Optimize user experience and interface
2.3 To Communicate With You
- Send account-related notifications and updates
- Respond to your inquiries and support requests
- Provide important service announcements
- Send marketing communications (with your consent, and you can opt out anytime)
2.4 For Security and Fraud Prevention
- Protect against unauthorized access and security threats
- Detect and prevent fraudulent or abusive activities
- Verify user identity and account ownership
- Enforce our Terms of Service and Acceptable Use Policy
2.5 For Legal Compliance
- Comply with applicable laws and regulations
- Respond to legal requests and court orders
- Establish, exercise, or defend legal claims
- Maintain records as required by law
3. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:
3.1 Contractual Necessity
Processing is necessary to perform our contract with you (providing the Service you signed up for).
3.2 Legitimate Interests
Processing is necessary for our legitimate business interests, including:
- Improving and developing the Service
- Ensuring security and preventing fraud
- Analyzing service usage and performance
- Providing customer support
3.3 Consent
For marketing communications and certain optional features, we rely on your explicit consent. You can withdraw consent at any time.
3.4 Legal Obligations
Processing is necessary to comply with legal obligations, such as tax regulations, accounting requirements, and legal requests.
4. Third-Party Services and Data Sharing
We work with trusted third-party service providers to deliver our Service. We do NOT sell or rent your personal data to third parties.
4.1 Infrastructure and Hosting
Supabase (Database and Backend Services)
- Stores all application data, including account information, templates, and settings
- Servers located in Ireland (EU) - fully GDPR compliant
- Provides authentication and secure data storage
- Implements enterprise-grade security measures
Vercel (Application Hosting)
- Hosts the Skardu web application
- Provides content delivery and performance optimization
- Does not have access to your personal data or database
4.2 Calendar Integration
Calendly
- We connect to your Calendly account via OAuth to read scheduled events
- We access event details, attendee information, and meeting times
- Read-only access - we do not modify or delete your calendar events
- You can revoke access at any time through your Calendly settings or Skardu dashboard
4.3 Email Communication
SMTP Email Providers
- You connect your own email provider using SMTP credentials
- We use your credentials to send reminder emails on your behalf
- Emails are sent directly from your email account to maintain authenticity
- Supported providers include any SMTP-compatible service (Zoho, FastMail, Gmail, Outlook, custom servers, etc.)
- Your SMTP credentials (including passwords) are encrypted using AES-256 and stored securely
4.4 SMS and Voice Communication
Twilio
- You provide your own Twilio account credentials
- We use your Twilio account to send SMS and make voice calls on your behalf
- Your Twilio credentials are encrypted using AES-256 and stored securely
- All Twilio charges are billed directly to you by Twilio
- We do not process payments for Twilio services
- You can manage Twilio usage and billing directly through your Twilio account
4.5 Payment Processing
Paddle
- Handles all payment processing, including credit card transactions
- Manages global tax compliance (VAT, GST, sales tax)
- Processes refunds and payment disputes
- We never see or store your payment card information
- Paddle operates as a "Merchant of Record" for all transactions
5. Data Storage and Security
5.1 Data Location
All your data is stored on Supabase servers located in Ireland (European Union), ensuring GDPR compliance by default.
5.2 Security Measures
We implement industry-standard security measures to protect your data:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS 1.3
- Encryption at Rest: Sensitive data including passwords, API keys, OAuth tokens, SMTP credentials, and Twilio credentials are encrypted using AES-256 encryption
- Password Security: User passwords are hashed using industry-standard bcrypt algorithms with high cost factors
- OAuth Authentication: Calendar integration credentials use secure OAuth 2.0 tokens instead of passwords
- Credential Encryption: All integration credentials (Calendly OAuth tokens, SMTP passwords, Twilio Auth Tokens) are encrypted at rest and never logged or displayed in plain text
- Row Level Security (RLS): Database access is restricted based on user authentication, ensuring users can only access their own data
- Secure Token Management: API keys and OAuth tokens are encrypted, rotated regularly, and stored with restricted access
- Regular Security Updates: We keep all systems and dependencies up to date with the latest security patches
- Access Controls: Strict internal access controls limit who can access user data, with audit logging of all access
- Security Monitoring: Automated monitoring for suspicious activity, unauthorized access attempts, and security threats
5.3 Data Backup and Recovery
We maintain regular backups of your data to prevent loss in case of system failures. Backups are also stored securely in the EU and follow the same encryption and security standards as primary data storage.
5.4 Limitations
While we implement strong security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data. You are responsible for maintaining the security of your account credentials and should notify us immediately of any unauthorized access.
6. International Data Transfers
Primary Storage: All data is stored on Supabase servers in Ireland (EU), ensuring compliance with GDPR and other EU data protection regulations.
Third-Party Services: Some third-party services we integrate with may be based outside the EU:
- Calendly: US-based company, processes data according to their privacy policy and uses Standard Contractual Clauses (SCCs)
- Twilio: US-based company, processes SMS/voice data according to their privacy policy
- SMTP Providers: Location depends on your chosen email provider
- Paddle: Payment processor with global operations, complies with international payment standards
When data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions by the European Commission
- Third parties' compliance with GDPR requirements
7. Your Privacy Rights
7.1 Rights Under GDPR (EU/EEA Users)
If you are located in the European Union or European Economic Area, you have the following rights:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Rectification: Correct any inaccurate or incomplete personal data
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Object: Object to our processing of your data for certain purposes
- Right to Withdraw Consent: Withdraw consent at any time (where we rely on consent)
- Right to Lodge a Complaint: File a complaint with your local data protection authority
7.2 Rights Under CCPA and Other US State Laws
If you are a resident of California or other US states with privacy laws (Virginia, Colorado, Connecticut, Utah, etc.), you have the following rights:
- Right to Know: Request information about the personal data we collect, use, and share
- Right to Delete: Request deletion of your personal data
- Right to Opt-Out: Opt out of the "sale" or "sharing" of your personal data (note: we do not sell data)
- Right to Correct: Request correction of inaccurate personal data
- Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights
- Right to Limit Use of Sensitive Data: Limit use of sensitive personal information
7.3 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
- Email: support@skardu.io
- Through your account settings (for access, correction, and deletion)
We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
8. Data Retention
We retain your personal data for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy.
8.1 Active Account Data
- Account information, templates, and settings are retained while your account is active
- Integration credentials are retained until you disconnect the integration
- Usage and analytics data may be retained for up to 2 years
8.2 After Account Deletion
- Personal data is deleted within 30 days after account termination
- Backup copies may persist for an additional 90 days before permanent deletion
- Some data may be retained longer if required by law (e.g., financial records for tax purposes)
- Aggregated, anonymized data may be retained for analytics and service improvement
8.3 Email and Communication Logs
- Email delivery logs are retained for 12 months for analytics and troubleshooting
- SMS and voice communication logs follow the same retention period
- You can request earlier deletion of this data
8.4 Legal and Compliance Records
- Payment and billing records: Retained for 7 years (tax and accounting requirements)
- Legal agreements and consent records: Retained as required by applicable law
- Security and fraud prevention data: Retained for legitimate business interests
9. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience and collect information about how you use the Service.
9.1 Types of Cookies We Use
Essential Cookies (Required)
- Authentication and session management
- Security and fraud prevention
- Core functionality of the Service
- Cannot be disabled as they are necessary for the Service to function
Analytics Cookies (Optional)
- Track usage patterns and feature engagement
- Measure service performance
- Help us improve the user experience
- Can be disabled through browser settings or cookie preferences
Preference Cookies (Optional)
- Remember your settings and preferences
- Personalize your experience
- Can be disabled, but may affect functionality
9.2 Managing Cookies
You can control and manage cookies through:
- Browser settings (most browsers allow you to refuse or delete cookies)
- Our cookie preference center (if available)
- Third-party opt-out tools
Note that disabling certain cookies may affect the functionality of the Service.
10. Children's Privacy
The Service is not intended for use by individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children.
If we become aware that we have collected personal data from a child without proper consent, we will take steps to delete that information as quickly as possible.
If you believe we may have collected information from a child, please contact us immediately at support@skardu.io.
11. Your Responsibilities
As a user of Skardu, you have important responsibilities regarding the personal data of your email and SMS recipients.
11.1 Data Controller Relationship
For the personal data of your demo attendees and email/SMS recipients:
- You are the Data Controller: You determine what data is collected and how it's used
- We are the Data Processor: We process data on your behalf according to your instructions
- You are responsible for complying with all applicable data protection laws
11.2 Consent and Compliance
You must ensure that:
- You have obtained proper consent from recipients before sending communications
- You maintain records of consent as required by law
- Your communications comply with all applicable laws (CAN-SPAM, TCPA, GDPR, etc.)
- You honor all opt-out and unsubscribe requests promptly
- You include required disclosures and unsubscribe mechanisms in your messages
- You do not send spam, unsolicited messages, or unauthorized communications
11.3 Account Security
You are responsible for:
- Maintaining the security of your account credentials
- Safeguarding API keys, OAuth tokens, and SMTP credentials
- Notifying us immediately of any unauthorized access or security breaches
- All activities that occur under your account
12. Data Breach Notification
In the event of a data breach that affects your personal information:
- We will notify affected users within 72 hours of becoming aware of the breach (as required by GDPR)
- We will notify relevant supervisory authorities as required by applicable law
- The notification will include:
  - Nature and scope of the breach
  - Types of data affected
  - Potential consequences
  - Measures taken to address the breach
  - Recommended actions for affected users
We maintain an incident response plan and conduct regular security assessments to minimize the risk of data breaches.
13. Do Not Track Signals
Some web browsers have a "Do Not Track" (DNT) feature that signals to websites you visit that you do not want your online activity tracked. Because there is not yet a common understanding of how to interpret DNT signals, our Service does not currently respond to DNT signals.
You can still control tracking through your browser's cookie settings and our cookie preferences.
14. Third-Party Links and Services
The Service may contain links to third-party websites, applications, or services that are not operated by us. This Privacy Policy does not apply to third-party services.
We recommend reviewing the privacy policies of any third-party services you interact with.
We are not responsible for the privacy practices of third-party services.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make changes, we will:
- Update the "Last Updated" date at the top of this page
- Post the new Privacy Policy on this page
- Notify you by email for material changes
We may also display an in-app notification for significant changes.
Continued use of the Service after changes become effective constitutes acceptance of the revised Privacy Policy. If you disagree with the changes, you should discontinue use of the Service and may request deletion of your account.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
16. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Privacy and Data Protection
Email: support@skardu.io
Website: https://skardu.io
For GDPR-related inquiries:
If you are located in the EU/EEA and wish to exercise your GDPR rights or have concerns about how we handle your data, you can contact us at support@skardu.io.
You also have the right to lodge a complaint with your local data protection authority if you believe we have not adequately addressed your concerns.
17. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Categories of Personal Information We Collect
- Identifiers (name, email, account ID)
- Commercial information (subscription history, payment records via Paddle)
- Internet activity (usage data, log data)
- Professional information (company name, role)
- Inferences (preferences, characteristics)
How We Use Personal Information
We use personal information for the business purposes described in Section 2 of this Privacy Policy.
Categories of Third Parties We Share With
- Service providers (Supabase, Vercel, Calendly, Paddle)
- Communication providers (your own SMTP and Twilio accounts)
We do NOT sell or share your personal information for cross-context behavioral advertising.
Your California Privacy Rights
- Right to know what personal information we collect, use, and disclose
- Right to request deletion of your personal information
- Right to correct inaccurate personal information
- Right to opt-out of the sale or sharing of your personal information (not applicable - we don't sell)
- Right to limit use of sensitive personal information
- Right to non-discrimination for exercising your rights
To exercise these rights, contact us at support@skardu.io. We will verify your identity and respond within 45 days.
Acknowledgment and Consent
By using Skardu, you acknowledge that you have read, understood, and agree to this Privacy Policy. You specifically acknowledge that:
- Your data is stored on servers in Ireland (EU) and is GDPR compliant
- Your Calendly OAuth tokens, SMTP passwords, and Twilio credentials are encrypted and stored securely
- You understand how we collect, use, and protect your personal information
- You are responsible for obtaining consent from recipients of your communications
- You must comply with all applicable data protection and communication laws
- You can exercise your privacy rights at any time by contacting us