Privacy Policy
Last updated: 23 June 2026
1. Introduction
This Privacy Policy explains how Sharp Hour Ltd ("Sharp Hour", "we", "us", or "our") collects, uses, stores, and protects personal data when you visit our website, create an account, or use the Sharp Hour calendar and appointment scheduling platform (the "Service").
We are committed to protecting your privacy and processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and — where applicable to individuals in the European Economic Area (EEA) — the EU General Data Protection Regulation (EU GDPR).
Please read this policy carefully. By using the Service, you acknowledge that you have read and understood this Privacy Policy. Where we rely on consent, you may withdraw it at any time as described in Section 12.
2. Data Controller
The data controller responsible for your personal data is:
- Sharp Hour Ltd
- Registered in England and Wales
- Registered office: Unit A, 82 James Carter Road, Mildenhall, Suffolk, IP28 7DE, United Kingdom
- Email: hello@sharphour.com
For data protection enquiries, please contact us using the details above. We have not appointed a Data Protection Officer as we are not required to do so under applicable law; however, we take data protection seriously and will respond to all enquiries promptly.
3. Scope of This Policy
This policy applies to:
- Visitors to our website at https://sharphour.com
- Registered users of the Sharp Hour Service (account holders)
- Individuals who book appointments through Sharp Hour booking pages ("Guests")
- Individuals who contact us via email, contact forms, or support channels
If you use Sharp Hour to schedule appointments with your own clients or contacts, you may act as an independent data controller in respect of their personal data. Section 14 explains your responsibilities in that role.
This policy does not apply to third-party websites, calendar providers, or services that may be linked from or integrated with the Service. Those parties process data under their own privacy policies.
4. Personal Data We Collect
"Personal data" means any information relating to an identified or identifiable natural person. We may collect the following categories of personal data:
4.1 Account and identity data
- Full name and display name
- Email address
- Password (stored in hashed form — we never store plain-text passwords)
- Profile photograph (if uploaded)
- Job title, company name, and timezone preferences
- Account settings and subscription plan details
4.2 Calendar and scheduling data
- Availability windows, working hours, and buffer settings
- Event types, meeting durations, and booking page customisations
- Appointment details (date, time, location, video conferencing links)
- Calendar sync tokens and metadata from connected calendars (Google Calendar, Microsoft Outlook, Apple iCloud)
- Names and contact details of Guests who book through your booking pages
- Responses to custom booking questions you configure
- Rescheduling, cancellation, and no-show records
4.3 Payment and billing data
- Billing name and address
- Subscription history, invoices, and transaction references
- Payment method type and last four digits (full card details are processed and stored by our payment providers — see Section 8)
- VAT or tax identification numbers where provided
4.4 Communications data
- Messages you send us via contact forms, email, or support tickets
- Automated booking confirmations, reminders, and notifications sent through the Service
- Marketing preferences and email open/click data (where applicable)
4.5 Technical and usage data
- IP address and approximate geographic location
- Browser type, operating system, and device identifiers
- Pages visited, features used, session duration, and clickstream data
- Log files, error reports, and performance diagnostics
- Cookie and similar technology data (see Section 11)
We do not intentionally collect special category data (such as health information, racial or ethnic origin, or biometric data). Please do not submit such data through the Service unless you have a lawful basis and appropriate safeguards in place.
5. How We Collect Personal Data
We collect personal data through:
- Direct interactions: when you register, update your profile, subscribe, or contact us
- Automated technologies: cookies, server logs, and analytics tools when you use our website or Service
- Third-party integrations: when you connect a calendar, video conferencing tool, or payment method
- Guests: when individuals book appointments through your booking pages
- Payment processors: transaction confirmations from Stripe, Mollie, or other processors we use
6. Lawful Bases for Processing
Under UK GDPR and EU GDPR, we must have a lawful basis to process your personal data. We rely on the following bases:
- Contract (Article 6(1)(b)): processing necessary to perform our contract with you — for example, creating your account, providing scheduling functionality, processing subscriptions, and sending service-related communications
- Legitimate interests (Article 6(1)(f)): processing necessary for our legitimate interests, provided these are not overridden by your rights — including improving the Service, preventing fraud, ensuring network security, analysing usage patterns, and enforcing our Terms. We conduct balancing tests where required
- Consent (Article 6(1)(a)): where you have given clear consent — for example, non-essential cookies, marketing emails, or optional analytics. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal
- Legal obligation (Article 6(1)(c)): processing necessary to comply with applicable law — for example, tax record-keeping, responding to lawful requests from authorities, or accounting requirements
Where we process personal data on behalf of account holders in respect of their Guests, the account holder is typically the data controller and we act as a data processor under a data processing agreement.
7. How We Use Personal Data
We use personal data for the following purposes:
- Providing, operating, and maintaining the Service
- Creating and managing your account and subscription
- Synchronising calendars and processing bookings on your behalf
- Sending booking confirmations, reminders, and service notifications
- Processing payments and managing billing
- Providing customer support and responding to enquiries
- Monitoring, detecting, and preventing fraud, abuse, and security incidents
- Analysing usage to improve features, performance, and user experience
- Sending product updates and, with your consent, marketing communications
- Complying with legal obligations and enforcing our Terms & Conditions
We do not sell your personal data. We do not use your calendar content or booking data for advertising purposes targeted at third parties.
8. Third-Party Processors and Data Sharing
We share personal data with trusted third parties who process data on our behalf under written data processing agreements that require them to protect your data and use it only for specified purposes. These include:
8.1 Payment processors
- Stripe Payments UK Ltd / Stripe, Inc. — subscription billing and payment processing. Stripe's privacy policy is available at stripe.com/gb/privacy
- Mollie B.V. — alternative payment processing for certain transactions. Mollie's privacy policy is available at mollie.com/privacy
We do not receive or store your full payment card number. Payment processors handle card data in accordance with PCI DSS standards.
8.2 Hosting and infrastructure
- Vercel, Inc. — website and application hosting
- Cloud database and storage providers located within the UK or EEA, or covered by appropriate transfer safeguards (see Section 10)
8.3 Analytics
- Privacy-focused analytics tools (such as Plausible Analytics or similar) to understand website traffic and usage patterns without cross-site tracking, where you have consented to non-essential analytics cookies
8.4 Communications and productivity
- Email delivery providers for transactional and service emails
- Customer support tools for handling enquiries
8.5 Calendar and integration partners
- Google LLC (Google Calendar) — when you authorise a connection
- Microsoft Corporation (Outlook / Microsoft 365) — when you authorise a connection
- Apple Inc. (iCloud Calendar) — when you authorise a connection
Data shared with integration partners is limited to what is necessary for the integration to function and is governed by their privacy policies and your authorisation.
8.6 Other disclosures
We may also disclose personal data:
- To professional advisers (lawyers, accountants, insurers) under confidentiality obligations
- To regulators, courts, or law enforcement when required by law or to protect our legal rights
- In connection with a merger, acquisition, or sale of assets, with notice to you where required by law
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements.
- Account data: retained for the duration of your account and up to 90 days after deletion to allow recovery and complete erasure from backups
- Calendar and booking data: retained while your account is active; deleted or anonymised within 90 days of account closure unless you request earlier deletion or we are required to retain it longer
- Payment and billing records: retained for up to seven (7) years to comply with UK tax and accounting obligations
- Support communications: retained for up to three (3) years after resolution of the enquiry
- Server logs and security data: typically retained for up to twelve (12) months
- Marketing data: retained until you unsubscribe or withdraw consent, plus a short suppression period to honour your preferences
When data is no longer needed, we securely delete or anonymise it. Anonymised data that cannot identify you may be retained indefinitely for statistical purposes.
10. International Data Transfers
We primarily store and process personal data within the United Kingdom and the European Economic Area (EEA). However, some of our service providers (including Stripe, Vercel, and certain email providers) may process data in the United States or other countries outside the UK/EEA.
Where personal data is transferred outside the UK or EEA to a country not deemed to provide an adequate level of data protection, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office or European Commission
- The UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs, where applicable
- Transfers to US recipients certified under the EU-US Data Privacy Framework or UK Extension, where applicable
You may request a copy of the safeguards we use for international transfers by contacting us at hello@sharphour.com.
11. Cookies and Similar Technologies
Our website and Service use cookies and similar technologies (such as local storage and pixels) to operate effectively and, with your consent, to understand how the Service is used.
11.1 Types of cookies we use
- Strictly necessary cookies: required for the Service to function — including authentication, session management, and security. These do not require consent under UK/EU law
- Functional cookies: remember your preferences (such as language and timezone). These may require consent depending on their nature
- Analytics cookies: help us understand how visitors use our website (e.g. pages visited, referral source). We use privacy-respecting analytics where possible and request your consent before placing non-essential analytics cookies
- Marketing cookies: used only if you opt in to marketing tracking. We do not use invasive cross-site advertising trackers
11.2 Managing cookies
When you first visit our website, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies. You can also manage cookies through your browser settings. Disabling strictly necessary cookies may affect the functionality of the Service.
For more information about cookies, visit aboutcookies.org.
12. Your Rights
Under UK GDPR and EU GDPR, you have the following rights in respect of your personal data, subject to certain conditions and exemptions:
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: request correction of inaccurate or incomplete personal data
- Right to erasure ("right to be forgotten"): request deletion of your personal data in certain circumstances
- Right to restrict processing: request that we limit how we use your data in certain circumstances
- Right to data portability: receive your data in a structured, commonly used, machine-readable format and transmit it to another controller
- Right to object: object to processing based on legitimate interests or for direct marketing purposes
- Rights related to automated decision-making: we do not make decisions based solely on automated processing that produce legal or similarly significant effects
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, email us at hello@sharphour.com with "Data Subject Request" in the subject line. We will respond within one (1) month, which may be extended by a further two months for complex requests as permitted by law. We may need to verify your identity before processing your request.
We will not charge a fee for exercising your rights unless your request is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable fee or refuse the request as permitted by law.
13. How to Complain
We hope to resolve any privacy concern directly. Please contact us first at hello@sharphour.com and we will endeavour to respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority:
- United Kingdom: Information Commissioner's Office (ICO) — Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Website: ico.org.uk. Helpline: 0303 123 1113
- European Economic Area: you may contact the data protection authority in your country of residence. A list of EU supervisory authorities is available at edpb.europa.eu
14. Account Holders and Guest Data
If you are a Sharp Hour account holder who uses the Service to collect bookings from clients, customers, or other individuals ("Guests"), you are typically the data controller for Guest personal data. Sharp Hour Ltd acts as a data processor on your instructions.
As a data controller, you are responsible for:
- Providing Guests with a clear privacy notice explaining how their data will be used
- Ensuring you have a lawful basis under GDPR to collect and process Guest data
- Honouring Guest rights requests, with our reasonable assistance where required
- Configuring booking forms and data collection appropriately for your use case
We process Guest data on your behalf solely to provide the scheduling Service. A Data Processing Agreement (DPA) is available on request for business and Team plan customers, or can be incorporated into our Terms where applicable.
If you are a Guest who booked through someone else's Sharp Hour page and wish to exercise your data rights, please contact the account holder (the scheduler) in the first instance. If you are unable to reach them, contact us and we will assist within the limits of our role as processor.
15. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit (TLS/HTTPS) and at rest for sensitive data stores
- Hashed and salted password storage
- Role-based access controls and the principle of least privilege for staff
- Regular security reviews and vulnerability monitoring
- Secure development practices and code review
- Incident response procedures (see Section 16)
No method of transmission over the internet or electronic storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security.
16. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (and, where applicable, the relevant EU supervisory authority) within 72 hours of becoming aware of the breach, where required by law.
If the breach is likely to result in a high risk to you, we will also notify affected individuals without undue delay, describing the nature of the breach, likely consequences, and measures taken or proposed to address it.
If you believe your account has been compromised, please contact us immediately at hello@sharphour.com.
17. Children
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will take steps to delete it promptly.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email to the address associated with your account and/or by posting a prominent notice on our website or within the Service at least 30 days before the changes take effect, unless a shorter period is required by law.
The "Last updated" date at the top of this page indicates when this policy was most recently revised. We encourage you to review this policy periodically.
19. Contact Us
For any questions about this Privacy Policy or our data practices, please contact:
- Sharp Hour Ltd
- Unit A, 82 James Carter Road, Mildenhall, Suffolk, IP28 7DE, United Kingdom
- Email: hello@sharphour.com