Privacy
Privacy Notice
Last updated: April 21, 2026
Nice Schedule (“Nice Schedule,” “we,” “us”) provides workforce scheduling software and related scheduling services for medical practices. This notice explains what personal information we collect through our website and scheduling product, how we use it, and how to contact us about it.
Plain English: We collect the information needed to run a scheduling service: account details, clinician records, shift assignments, time-off and preference requests, scheduling rules, support messages, and limited technical data. We do not sell personal information. The service is not intended for patient data or Protected Health Information.
Organization accounts
Most product data belongs to the medical practice or organization that uses Nice Schedule. If your organization gives you access to Nice Schedule, your organization controls who may view, edit, export, or delete data inside that account. Organization administrators can see schedule and request data for their own organization.
Information we collect
- Website and lead information: name, email address, organization name, group size, message text, page URL, referrer, and bot-verification data from Cloudflare Turnstile.
- Account information: email address, full name, organization membership, role, account status, password hash, password reset or invitation token metadata, and last login time.
- Clinician and practice information: clinician names, emails, clinician type, employment type, FTE, active status, call totals, facilities, sites, shift types, shift times, eligibility, and staffing requirements.
- Schedule and request information: schedule periods, request deadlines, shift assignments, dates, sites, shift types, cover assignments, notes, vacation requests, call preferences, request reasons, request status, token budgets, and review activity.
- Email-ingestion information, if enabled: sender email, subject, message body, selected message headers, envelope information, message IDs, parse results, error status, and scheduling requests extracted from the message.
- Security and usage information: IP address, browser or device information, authentication events, failed login attempts, API key metadata, server logs, and similar operational records.
- Local device data: the web app may store an authentication token and current organization ID in browser storage. The service worker may cache limited schedule data on the device for offline fallback and clears user-scoped cached data on logout.
No patient data or PHI
Nice Schedule is intended for workforce scheduling data. Do not submit patient names, medical record numbers, diagnoses, procedure details, clinical notes, claims information, or other Protected Health Information (“PHI”) unless we have signed a separate written Business Associate Agreement with your organization. If you believe PHI was submitted by mistake, contact us promptly at [email protected].
How we use information
- To provide, maintain, secure, and improve the scheduling service.
- To create schedules, manage requests, show published schedules, run reports, and support administrator workflows.
- To authenticate users, protect accounts, detect abuse, and investigate security events.
- To send transactional emails such as invitations, password resets, schedule updates, and request-related messages.
- To respond to website inquiries, support requests, and account communications.
- To measure website traffic and lead-form activity.
Automated request parsing
If your organization enables email ingestion, Nice Schedule may use automated systems and service providers, including OpenAI, to parse scheduling emails into structured requests. We store the original message content and parse results so administrators can review, approve, reject, or audit the request.
How we share information
We do not sell personal information. We share information only as needed to operate the service, comply with law, or support your organization:
- Within your organization: authorized users and administrators may see schedule, request, clinician, and practice data according to their role.
- Service providers: providers that host, secure, route, analyze, or process data for us. Current or planned providers include AWS, Cloudflare, Google Analytics for the marketing site, and OpenAI for email parsing when enabled.
- Legal and safety purposes: when required by law, subpoena, court order, or to protect the rights, security, and integrity of Nice Schedule, our customers, or others.
- Business transfers: if Nice Schedule is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction subject to appropriate protections.
Cookies, analytics, and bot checks
The marketing site uses Google Analytics to understand traffic and lead-form activity. It uses Cloudflare Turnstile to help distinguish human visitors from bots. The product uses browser storage for authentication and preferences. We do not use advertising cookies or cross-site behavioral advertising in the scheduling product.
Where information is processed
Nice Schedule is operated from the United States. The marketing site is served through Cloudflare Pages. The application and database run on AWS infrastructure, including EC2, PostgreSQL storage on EBS, AWS SES for transactional email, and AWS Systems Manager Parameter Store for secrets. Backups currently use rolling EBS snapshots.
Retention
We retain organization, schedule, request, account, and operational data while the organization account is active and as needed to provide the service, meet legal obligations, resolve disputes, secure the product, and maintain business records. On termination or written request by an authorized organization administrator, we will work with the organization to export or delete active account data. Backup copies expire on their normal rolling schedule.
Security
We use technical and organizational safeguards designed for the type of data we process, including HTTPS in transit, password hashing, role-based access controls, rate limits, bot checks, request-size limits, server access controls, backups, and operational logging. No internet service can be perfectly secure, and you are responsible for safeguarding your own devices and account credentials.
Your choices and rights
You may request access, correction, export, or deletion of your personal information by emailing [email protected]. If your data is part of an organization account, we may direct the request to your organization administrator or require administrator approval. If privacy laws in your jurisdiction give you additional rights, we will honor them to the extent they apply.
Children
Nice Schedule is not directed to children and may not be used by anyone under eighteen.
Changes
We may update this notice from time to time. If we make material changes, we will post the updated notice here with a new last-updated date and, where appropriate, notify account administrators.
Contact
Questions, requests, or concerns: [email protected].