1. What This Policy Covers
This policy covers Service Data — information about visitors, prospective customers, and authorized users of Schematic's product. It does not cover Customer Data, which is the data our customers submit into Schematic for processing on their behalf. Customer Data is governed by our Data Processing Addendum, under which Schematic acts as a processor on the customer's instructions.
If you are an end user of a product that uses Schematic, your data is controlled by that product's operator (our customer), not by Schematic. Direct your privacy requests to them.
2. Information We Collect
Identity and account information When you sign up or interact with us, we collect your name, email address, company name, and the password or single sign-on credential you use to access the product.
Billing information Paid customers provide billing details. Credit card information is handled by our payment processor and never reaches Schematic's servers.
Product usage and telemetry We collect information about how you use the Schematic dashboard, APIs, and SDKs — including which pages you visit, which features you interact with, which API endpoints you call, and when.
Session replays We record dashboard sessions to diagnose issues and improve usability. Customer Data and sensitive input fields are masked and excluded from these recordings.
Diagnostic data We collect browser type, operating system, device identifiers, IP address, and error and performance information to operate and improve the product.
Website activity We collect browsing data, including your browser and operating system versions, your IP address, which web pages you visited, and how long they took to load. For signed-in users, analytics data ties to your account.
Cookies and similar technologies We use cookies for authentication, personalization, A/B testing, analytics, and marketing. For visitors in the European Economic Area, United Kingdom, and Switzerland, only strictly necessary cookies are set automatically; all other categories load only after you consent through our cookie banner. You can review or change your choices at any time using the "Cookie Settings" link in our website footer. We describe cookie usage further in Section 10.
Advertising We run contextual ads on Google, Reddit, and LinkedIn. We do not sell personal information and we do not engage in cross-context behavioral advertising as defined by California law.
Voluntary correspondence We retain support emails, survey responses, and other voluntary communications for reference and product improvement.
We do not intentionally collect sensitive categories of personal information (such as health, racial, religious, biometric, or precise-geolocation data) as part of Service Data.
3. How We Use Information
We use Service Data to:
- Operate, maintain, secure, and improve the Schematic product.
- Authenticate users and manage accounts.
- Understand how customers use the product, including generating activation and engagement signals used by our sales and customer success teams.
- Provide customer support and respond to your requests.
- Communicate with you about product updates, new features, and relevant educational content.
- Detect, prevent, and respond to fraud, abuse, and security incidents.
- Comply with our legal obligations.
No Schematic employee looks at Customer Data except for limited purposes with your express permission or as required to resolve a specific support request.
4. Legal Bases (GDPR and UK GDPR)
Where we process personal data of users in the European Economic Area, United Kingdom, or Switzerland, we rely on the following legal bases:
- Performance of a contract — to provide the Services you or your employer have subscribed to.
- Legitimate interests — to operate and improve the product, keep it secure, and generate internal business insights and sales signals.
- Consent — for certain marketing communications, cookie categories, and optional surveys. You may withdraw consent at any time.
- Legal obligation — to comply with applicable law.
5. Who We Share Information With
We share information only with parties that are contractually obligated to protect it. Categories of recipients:
| Recipient | Purpose |
|---|---|
| Infrastructure providers (Amazon Web Services) | Hosting and storage. |
| Authentication (Clerk) | User account management and sign-in. |
| Observability (Datadog) | Logging, monitoring, and diagnostics. |
| Payments (Stripe) | Payment processing and billing-data handling. |
| Product analytics and telemetry (Segment) | Routing and analyzing product usage data. |
| Session replay (Fullstory) | Recording dashboard sessions, with Customer Data and sensitive fields excluded. |
| Call recording and intelligence (Fathom) | Recording and transcribing sales and customer calls to improve our services and support. |
| Customer operations and ticketing (Linear) | Tracking customer support requests, product feedback, and internal operational workflows. |
| Status page and incident communications (Atlassian Statuspage) | Publishing service status updates and notifying subscribers of incidents and maintenance. |
| Revenue analytics, sales, and marketing (Reo.dev, HubSpot, Mailchimp) | Generating activation and engagement signals, managing customer communications, sending marketing and transactional emails, and supporting sales and marketing outreach. |
| Advertising partners (Google, Reddit, LinkedIn) | Running contextual ads and measuring ad performance. We do not sell personal information or share it for cross-context behavioral advertising. |
A current list of subprocessors for Customer Data is available at https://schematichq.com/subprocessors.
We may also disclose information to:
- Professional advisors (accountants, lawyers, auditors) under confidentiality obligations.
- Acquirers or successors in connection with a merger, acquisition, financing, or sale of all or part of our business.
- Government and law-enforcement authorities when compelled by legal process, as described in Section 11.
We do not sell personal information and we do not share personal information with third parties for cross-context behavioral advertising.
Aggregated or de-identified data, which cannot be used to identify any individual, may be used for any lawful purpose.
6. International Data Transfers
Schematic is based in the United States and our production infrastructure runs in the United States (AWS, us-east-1).
If you access the Services from outside the United States, your information will be transferred to and processed in the United States and other jurisdictions in which our subprocessors operate. For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum and equivalent Swiss mechanisms. A copy of the relevant clauses is available on request.
7. How Long We Keep Information
We retain Service Data for as long as your account is active and for as long afterward as necessary to meet our legal, accounting, regulatory, and operational obligations. Session recordings and short-lived telemetry are retained for shorter periods, typically 30 to 90 days.
When Customer Data is deleted (either on request or on account termination), it is purged from our production systems within the timeframes described in our Data Processing Addendum.
8. How We Protect Information
Schematic maintains a SOC 2 Type II information security program with continuous monitoring. We encrypt data in transit and at rest, restrict access on a least-privilege basis, require multi-factor authentication for production access, and commission periodic third-party penetration testing. Our security practices are summarized at https://docs.schematichq.com/security.
No method of transmission over the internet or method of electronic storage is 100% secure. In the event of a security incident affecting your personal data, we will notify you in accordance with applicable law.
9. Your Rights
Depending on where you live, you may have the following rights:
- Right to know what personal information we collect and how we use it.
- Right of access to the personal information we hold about you.
- Right to correction of inaccurate personal information.
- Right to erasure of your personal information, subject to legal limitations.
- Right to restrict or object to processing, including profiling for sales and marketing purposes.
- Right to data portability to receive and transfer your personal information.
- Right against solely automated decisions with legal or similarly significant effects.
- Right to non-discrimination for exercising your privacy rights.
- Right to withdraw consent where we rely on consent.
- Right to lodge a complaint with a supervisory authority.
Many of these rights can be exercised directly through your account settings. To make a request, email privacy@schematichq.com or write to us at the address in Section 14. We will respond within the timelines required by applicable law.
California Residents
California residents have the rights described above under the California Consumer Privacy Act, as amended by the California Privacy Rights Act. We do not sell or share your personal information as those terms are defined by California law, and we have not done so in the preceding 12 months. Under California's "Shine the Light" law, we do not disclose personal information to third parties for their own direct marketing purposes.
Other US State Residents
Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have similar rights under their respective statutes. Contact us at privacy@schematichq.com to exercise them.
10. Cookies and Tracking
We use cookies and similar technologies, grouped into the categories below.
- Strictly necessary — required to operate the Services, including authentication, security, and load balancing. This category also includes the cookies our consent manager uses to record your cookie choices (
osano_consentmanagerandosano_consentmanager_uuid). These are always active and do not require consent. - Personalization — remember your settings and preferences.
- Analytics — help us understand product and website usage, including session recordings used for debugging and usability (Segment, Reo.dev, Fullstory).
- Marketing — support marketing attribution, measure the effectiveness of our contextual ads, and tie activity to campaigns (HubSpot, LinkedIn, Google Tag Manager, and UTM attribution). When enabled, this category also covers our advertising partners (Google, Reddit, LinkedIn).
How we obtain and manage cookie consent
For visitors in the European Economic Area, United Kingdom, and Switzerland, we do not set personalization, analytics, or marketing cookies until you give consent. When you first visit our site, our consent banner lets you accept or decline each non-essential category. No non-essential cookie or tracking script runs before you have consented to its category.
You can review your choices, grant consent, or withdraw consent at any time through the "Cookie Settings" link in our website footer, which reopens the consent banner. Withdrawing consent stops future use of cookies in that category. We honor Global Privacy Control (GPC) signals as a valid opt-out of "sharing" under California law.
Cookies we use
| Category | Provider | Purpose |
|---|---|---|
| Strictly necessary | Schematic, Clerk | Authentication, security, and load balancing. |
| Strictly necessary | Osano | Store and recall your cookie consent choices. |
| Personalization | Schematic | Remember your settings and preferences. |
| Analytics | Segment | Route and analyze product and website usage. |
| Analytics | Reo.dev | Generate activation and engagement signals. |
| Analytics | Fullstory | Record dashboard sessions for debugging and usability. |
| Marketing | HubSpot | Marketing attribution and campaign measurement. |
| Marketing | Marketing attribution and ad measurement. | |
| Marketing | Google Tag Manager | Manage marketing and analytics tags. |
| Marketing | Schematic (UTM attribution) | Attribute visits to marketing campaigns. |
| Marketing | Google, Reddit, LinkedIn | Contextual advertising and ad measurement (when enabled). |
The current, itemized list of individual cookies, including their names and retention periods, is available in the "Cookie Settings" panel.
11. Legal Requests
Schematic is a US-based company with infrastructure located in the United States. Our policy is to not respond to government requests for user data unless we are compelled by legal process. We must comply with valid US warrants, subpoenas, and court orders. Where permitted by law, we will notify affected users before disclosure.
12. Automated Decision-Making
We do not use solely automated decision-making that produces legal or similarly significant effects on individuals. Our analytics and revenue-signal processing are used to inform, not replace, decisions made by our employees.
13. Children
The Schematic product is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@schematichq.com and we will delete it.
14. Contact
Questions about this policy or about how we handle your personal information can be directed to:
- Email:
privacy@schematichq.com(privacy matters) orsupport@schematichq.com(general support). - Mail: Schematic Inc., 1012 Hawthorn Ave, Boulder, CO 80304, United States.
Our EU Representative under Article 27 GDPR: [EU REPRESENTATIVE — TBD]. Our UK Representative under Article 27 UK GDPR: [UK REPRESENTATIVE — TBD].
15. Changes to This Policy
We update this policy as our practices and applicable laws change. The "Last Updated" date at the top of this page reflects the most recent revision. Material changes will be communicated through the product or by email where appropriate.
© 2026 Schematic Inc.