Skip to main content
Scheduly

Privacy Policy

Last updated: 22 April 2026

1. Company Information

Scheduly is operated by PT Komodo Liveaboard Dwipantara, registered in Indonesia. For any privacy-related inquiries, contact us at admin@scheduly.id.

2. Legal Basis

This Privacy Policy is governed by Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi (UU PDP — Indonesia's Personal Data Protection Law). As a data controller and processor operating in Indonesia, we comply with all obligations under UU PDP, including lawful processing, purpose limitation, data minimization, accuracy, storage limitation, and data subject rights.

We process your personal data based on one or more of the following legal grounds as defined in Article 20 of UU PDP:

  • Consent: you have given explicit consent for the processing (e.g. signing up, submitting a guest form)
  • Contractual necessity: processing is necessary to perform our service agreement with you
  • Legitimate interest: processing is necessary for security, fraud prevention, and service improvement
  • Legal obligation: processing is required by applicable Indonesian law

3. Data Protection Officer

We have appointed a Data Protection Officer (DPO) as required by UU PDP. For any questions about how your data is processed, to exercise your data rights, or to file a complaint, contact our DPO:

  • Role: Data Protection Officer
  • Email: dpo@scheduly.id
  • Organization: PT Komodo Liveaboard Dwipantara

4. Data We Collect

We collect the following data when you use Scheduly:

  • Account data: name, email address, Google profile information (when you sign in with Google)
  • Operator data: business name, vessel details, cabin configurations, pricing, schedules
  • Booking data: guest names, contact information, booking status, payment references
  • Guest form data: passport details, nationality, dietary preferences, flight information (collected via shareable guest forms)
  • Usage data: login times, device information, and IP addresses (for security purposes)

5. Data Storage & Security

Your data is stored on secure cloud servers in Singapore. All data is encrypted both when stored and when transmitted. Sensitive personal data (passport numbers, phone numbers, email addresses, bank details) is encrypted at the application layer using AES-256 before being written to the database. Your data is completely separated from other operators — no one else can access your information.

6. Data Ownership

You retain full ownership of all data you input into Scheduly, including booking records, guest information, crew data, and schedule configurations. Scheduly acts as a data processor, not a data owner. You may export or request deletion of your data at any time by contacting admin@scheduly.id.

7. How We Use Your Data

  • To provide and maintain the Scheduly service
  • To process bookings and manage availability
  • To send notifications (booking confirmations, reminders) via channels you configure
  • To generate reports and analytics within your operator dashboard
  • To improve service reliability and performance

8. Third-Party Data Processors

Your data is never sold, shared, or disclosed to third parties for marketing or advertising purposes. We share limited data with the following third-party processors, each bound by data processing agreements:

  • Supabase, Inc. (Singapore region) — database hosting, authentication, and file storage
  • Vercel, Inc. (US/Global CDN) — application hosting and serverless compute
  • Cloudflare, Inc. — CDN, DDoS protection, DNS, and object storage (R2)
  • PT Xendit Teknologi Indonesia — payment processing (transaction amount, customer name, payment reference only)
  • Telegram Messenger Inc. — reminder delivery via Telegram Bot API (first name, event title, time, location only)
  • Meta Platforms, Inc. — reminder delivery via WhatsApp Cloud API (first name, event title, time, location only)
  • PostHog, Inc. — anonymized product analytics (no PII transmitted)
  • Resend, Inc. — transactional email delivery (email address, notification content)
  • Google LLC — OAuth authentication (email, display name) and file import (Google Drive API)
  • Sentry (Functional Software, Inc.) — error monitoring (no PII transmitted)

Each processor receives only the minimum data necessary for its function. We do not transfer personal data to any processor without ensuring adequate protection measures are in place, consistent with Article 56 of UU PDP on cross-border data transfers.

9. Data Access by Scheduly Staff

Scheduly staff may access your data only for technical support when explicitly requested by you, or for system maintenance and security purposes. All access is logged and auditable.

10. Data Retention

When you delete data, it is kept in a recoverable state for 90 days in case you need it back, then permanently removed. Your account data is kept for as long as your subscription is active. After you close your account, your data is retained for 30 days (during which you can request an export), then permanently deleted after 90 days.

11. Your Rights

Under UU PDP (Articles 5–13), you have the following rights regarding your personal data:

  • Access: Request a copy of all data we hold about you
  • Correction: Update or correct inaccurate data
  • Deletion: Request deletion of your personal data
  • Export / Portability: Request your data in a structured, machine-readable format
  • Restriction: Request that we limit processing of your data in certain circumstances
  • Objection: Object to processing based on legitimate interest
  • Consent withdrawal: Withdraw consent at any time, without affecting the lawfulness of prior processing

To exercise any of these rights, email dpo@scheduly.id. We will respond within 3 x 24 hours as required by UU PDP.

12. Cookies

We use essential cookies only: authentication session cookies and a consent verification cookie. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

13. Data Breach Notification

In the event of a data breach that affects your personal data, we will notify you and the relevant authority within 3 x 24 hours of becoming aware of the breach, as required by Article 46 of UU PDP. Notification will include the nature of the breach, the categories of data affected, the estimated number of data subjects impacted, and the steps we are taking to mitigate and resolve it.

14. Children's Data

Scheduly is not intended for use by children under the age of 17. We do not knowingly collect personal data from children under 17 without verifiable parental or guardian consent.

If an operator collects guest data that includes minors (e.g. family bookings), the operator as the data controller is responsible for obtaining appropriate parental or guardian consent before submitting that data to Scheduly.

If we become aware that we have collected personal data from a child under 17 without proper consent, we will delete such data within 3 x 24 hours. If you believe we have inadvertently collected a child's data, contact us at dpo@scheduly.id.

15. Personal Calendar Users

Scheduly Personal is our free personal calendar for individuals — not businesses. If you use the personal calendar (sign up via the “Personal” option on our homepage), the following applies in addition to the sections above.

15.1 Data We Collect for Personal Users

  • Account: name, email, Google profile (via Google Sign-In)
  • Contact channels: WhatsApp number and/or Telegram chat ID (only one is required, both are optional)
  • Events: title, date and time, notes, location, categories, reminder settings, recurrence rules, done/pending status
  • Reminder audit log: which channel each reminder was sent to, whether delivery succeeded or failed, error messages from the delivery provider, and the timestamp
  • Timezone: used to fire reminders at the correct local time

15.2 Third Parties We Send Your Data To

To deliver reminders, we send the minimum necessary content to the messaging provider you have connected:

  • Telegram (Telegram Messenger Inc.): we send your first name, event title, event time, and location (if you set one) to your Telegram chat via the official Bot API. Telegram's own privacy policy applies to anything Telegram stores.
  • WhatsApp (Meta Platforms, Inc.): used if you enter a WhatsApp number. We send your first name, event title, event time, and location (if set) via the official WhatsApp Cloud API. Meta's privacy policy applies.

We do not send your notes, categories, email, or any other personal data to these providers. You can disconnect either channel at any time in Settings.

15.3 Location Data

If you add a location to an event, the text you type is stored as-is and rendered as a link to Google Maps. We do not access your device's GPS or location services, and we do not share your location with Google unless you tap the link yourself.

15.4 Data Retention for Personal Events

Deleted events are soft-deleted (moved to a Deleted tab) and can be restored by you at any time. Soft-deleted events are permanently removed 90 days after deletion. Reminder audit logs are kept for 90 days then automatically purged. If you delete your Scheduly Personal account, all events, categories, and logs are removed within 30 days.

15.5 Deleting Your Personal Account

To delete your personal account and all associated data, email dpo@scheduly.id from the email address on the account. We will confirm within 3 x 24 hours and complete deletion within 30 days.

16. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be communicated via the consent flow on your next login. Continued use of Scheduly after changes constitutes acceptance.

PT Komodo Liveaboard Dwipantara

Terms of Service