Schematic Privacy Policy

Schematic Inc. ("Schematic," "we," "us") prioritizes data privacy. We never sell your data. This policy explains how we collect, use, and protect information about visitors to our website, prospective customers, and authorized users of the Schematic product.

Effective Date: 2026-04-20
Last Updated: 2026-04-20

1. What This Policy Covers

This policy covers Service Data — information about visitors, prospective customers, and authorized users of Schematic's product. It does not cover Customer Data, which is the data our customers submit into Schematic for processing on their behalf. Customer Data is governed by our Data Processing Addendum, under which Schematic acts as a processor on the customer's instructions.

If you are an end user of a product that uses Schematic, your data is controlled by that product's operator (our customer), not by Schematic. Direct your privacy requests to them.

2. Information We Collect

Identity and account information When you sign up or interact with us, we collect your name, email address, company name, and the password or single sign-on credential you use to access the product.

Billing information Paid customers provide billing details. Credit card information is handled by our payment processor and never reaches Schematic's servers.

Product usage and telemetry We collect information about how you use the Schematic dashboard, APIs, and SDKs — including which pages you visit, which features you interact with, which API endpoints you call, and when.

Session replays We record dashboard sessions to diagnose issues and improve usability. Customer Data and sensitive input fields are masked and excluded from these recordings.

Diagnostic data We collect browser type, operating system, device identifiers, IP address, and error and performance information to operate and improve the product.

Website activity We collect browsing data, including your browser and operating system versions, your IP address, which web pages you visited, and how long they took to load. For signed-in users, analytics data ties to your account.

Cookies and similar technologies We use cookies for preferences, authentication, A/B testing, and analytics. You can adjust cookie settings in your browser. We describe cookie usage further in Section 10.

Advertising We run contextual ads on Google, Reddit, and LinkedIn. We do not sell personal information and we do not engage in cross-context behavioral advertising as defined by California law.

Voluntary correspondence We retain support emails, survey responses, and other voluntary communications for reference and product improvement.

We do not intentionally collect sensitive categories of personal information (such as health, racial, religious, biometric, or precise-geolocation data) as part of Service Data.

3. How We Use Information

We use Service Data to:

  • Operate, maintain, secure, and improve the Schematic product.
  • Authenticate users and manage accounts.
  • Understand how customers use the product, including generating activation and engagement signals used by our sales and customer success teams.
  • Provide customer support and respond to your requests.
  • Communicate with you about product updates, new features, and relevant educational content.
  • Detect, prevent, and respond to fraud, abuse, and security incidents.
  • Comply with our legal obligations.

No Schematic employee looks at Customer Data except for limited purposes with your express permission or as required to resolve a specific support request.

4. Legal Bases (GDPR and UK GDPR)

Where we process personal data of users in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases:

  • Performance of a contract — to provide the Services you or your employer have subscribed to.
  • Legitimate interests — to operate and improve the product, keep it secure, and generate internal business insights and sales signals.
  • Consent — for certain marketing communications, cookie categories, and optional surveys. You may withdraw consent at any time.
  • Legal obligation — to comply with applicable law.

5. Who We Share Information With

We share information only with parties that are contractually obligated to protect it. Categories of recipients:

RecipientPurpose
Infrastructure providers (Amazon Web Services)Hosting and storage.
Authentication (Clerk)User account management and sign-in.
Observability (Datadog)Logging, monitoring, and diagnostics.
Payments (Stripe)Payment processing and billing-data handling.
Product analytics and telemetry (Segment)Routing and analyzing product usage data.
Session replay (Fullstory)Recording dashboard sessions, with Customer Data and sensitive fields excluded.
Call recording and intelligence (Fathom)Recording and transcribing sales and customer calls to improve our services and support.
Customer operations and ticketing (Linear)Tracking customer support requests, product feedback, and internal operational workflows.
Status page and incident communications (Atlassian Statuspage)Publishing service status updates and notifying subscribers of incidents and maintenance.
Revenue analytics, sales, and marketing (Reo.dev, HubSpot, Mailchimp)Generating activation and engagement signals, managing customer communications, sending marketing and transactional emails, and supporting sales and marketing outreach.
Advertising partners (Google, Reddit, LinkedIn)Running contextual ads and measuring ad performance. We do not sell personal information or share it for cross-context behavioral advertising.

A current list of subprocessors for Customer Data is available at https://schematichq.com/subprocessors.

We may also disclose information to:

  • Professional advisors (accountants, lawyers, auditors) under confidentiality obligations.
  • Acquirers or successors in connection with a merger, acquisition, financing, or sale of all or part of our business.
  • Government and law-enforcement authorities when compelled by legal process, as described in Section 11.

We do not sell personal information and we do not share personal information with third parties for cross-context behavioral advertising.

Aggregated or de-identified data, which cannot be used to identify any individual, may be used for any lawful purpose.

6. International Data Transfers

Schematic is based in the United States and our production infrastructure runs in the United States (AWS, us-east-1).

If you access the Services from outside the United States, your information will be transferred to and processed in the United States and other jurisdictions in which our subprocessors operate. For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum and equivalent Swiss mechanisms. A copy of the relevant clauses is available on request.

7. How Long We Keep Information

We retain Service Data for as long as your account is active and for as long afterward as necessary to meet our legal, accounting, regulatory, and operational obligations. Session recordings and short-lived telemetry are retained for shorter periods, typically 30 to 90 days.

When Customer Data is deleted (either on request or on account termination), it is purged from our production systems within the timeframes described in our Data Processing Addendum.

8. How We Protect Information

Schematic maintains a SOC 2 Type II information security program with continuous monitoring. We encrypt data in transit and at rest, restrict access on a least-privilege basis, require multi-factor authentication for production access, and commission periodic third-party penetration testing. Our security practices are summarized at https://docs.schematichq.com/security.

No method of transmission over the internet or method of electronic storage is 100% secure. In the event of a security incident affecting your personal data, we will notify you in accordance with applicable law.

9. Your Rights

Depending on where you live, you may have the following rights:

  • Right to know what personal information we collect and how we use it.
  • Right of access to the personal information we hold about you.
  • Right to correction of inaccurate personal information.
  • Right to erasure of your personal information, subject to legal limitations.
  • Right to restrict or object to processing, including profiling for sales and marketing purposes.
  • Right to data portability to receive and transfer your personal information.
  • Right against solely automated decisions with legal or similarly significant effects.
  • Right to non-discrimination for exercising your privacy rights.
  • Right to withdraw consent where we rely on consent.
  • Right to lodge a complaint with a supervisory authority.

Many of these rights can be exercised directly through your account settings. To make a request, email privacy@schematichq.com or write to us at the address in Section 14. We will respond within the timelines required by applicable law.

California Residents

California residents have the rights described above under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. We do not sell or share your personal information as those terms are defined by California law, and we have not done so in the preceding 12 months. Under California's "Shine the Light" law, we do not disclose personal information to third parties for their own direct marketing purposes.

Other US State Residents

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have similar rights under their respective statutes. Contact us at privacy@schematichq.com to exercise them.

10. Cookies and Tracking

We use the following categories of cookies and similar technologies:

  • Strictly necessary — required to operate the Services (authentication, security, load balancing).
  • Preferences — remember your settings.
  • Analytics — help us understand product usage (Segment, Reo.dev).
  • Session replay — record dashboard sessions for debugging and usability (Fullstory).
  • Advertising — measure the effectiveness of our contextual ads (Google, Reddit, LinkedIn).

You can manage cookies through your browser settings. We honor Global Privacy Control (GPC) signals as a valid opt-out of "sharing" under California law.

11. Legal Requests

Schematic is a US-based company with infrastructure located in the United States. Our policy is to not respond to government requests for user data unless we are compelled by legal process. We must comply with valid US warrants, subpoenas, and court orders. Where permitted by law, we will notify affected users before disclosure.

12. Automated Decision-Making

We do not use solely automated decision-making that produces legal or similarly significant effects on individuals. Our analytics and revenue-signal processing are used to inform, not replace, decisions made by our employees.

13. Children

The Schematic product is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@schematichq.com and we will delete it.

14. Contact

Questions about this policy or about how we handle your personal information can be directed to:

  • Email: privacy@schematichq.com (privacy matters) or support@schematichq.com (general support).
  • Mail: Schematic Inc., 1012 Hawthorn Ave, Boulder, CO 80304, United States.

Our EU Representative under Article 27 GDPR: [EU REPRESENTATIVE — TBD]. Our UK Representative under Article 27 UK GDPR: [UK REPRESENTATIVE — TBD].

15. Changes to This Policy

We update this policy as our practices and applicable laws change. The "Last Updated" date at the top of this page reflects the most recent revision. Material changes will be communicated through the product or by email where appropriate.

© 2026 Schematic Inc.