Consumer Health Data Privacy Policy

This is Trellis Care Coordination LLC’s separate Consumer Health Data Privacy Policy required by Washington’s My Health My Data Act(RCW 19.373). It addresses how we handle “consumer health data” — a broader category than HIPAA “Protected Health Information” — about Washington residents who use Trellis.

If you are a Washington resident and Trellis processes your health data, this policy is the canonical reference for your rights and our obligations. Our general Privacy Policy covers all other categories of personal information and applies in addition to this policy.

MHMDA applies broadly — to apps, retailers, and other businesses, regardless of whether they’re traditional healthcare entities. Trellis voluntarily applies this policy globally because it represents our actual data practices regardless of user state.

Trellis collects the following categories of consumer health data:

• Identifiers tied to health data — first name, last name, date of birth, pronouns, account email, profile photo. Collected at registration and during care-team setup.
• Diagnoses + condition categories — any diagnoses you (or someone on your care team) record on your individual record. These remain associated with the individual to whom they pertain.
• Care notes — free-text observations, session notes, family updates, and clinical documentation that you or your care team write.
• Goals + goal progress — the goals you track and the progress entries logged against them.
• Crisis protocols + crisis events — documentation of crisis-related plans and incidents.
• Medications — names, dosages, start and end dates, and reasons recorded for medications.
• Sensory profiles — preferences and sensitivities you record.
• Messages — communications between members of your care team via Trellis messaging.
• Files — file attachments you or your care team upload (assessments, IEPs, reports).
• Pacing logs — daily energy ratings and symptom annotations (for users on chronic-illness care contexts).
• Appointments + calendar data — scheduled appointments, attendees, and (with opt-in) Google Calendar sync data.
• Audit log records — who accessed what and when, with timestamps. Used for compliance and forensic review. Contains no raw health information, only categorical metadata.
• Care contexts— the categorical care categories (e.g., “chronic illness,” “addiction recovery”) associated with each individual’s record.

We collect consumer health data only for the following purposes:

• Care coordination— enabling members of an individual’s care team to coordinate around that individual’s care.
• Service delivery — providing the Trellis platform functionality you requested when you signed up.
• De-identified pattern analysis — using AI to surface patterns, milestones, and insights from data that has been de-identified to the standard of HIPAA Safe Harbor (45 CFR § 164.514(b)(2)). Our de-identification pipeline removes the 18 HIPAA identifiers before any data leaves our infrastructure for AI processing. Documented in our public De-identification Specification.
• Transactional notifications — sending email notifications about activity in your care team, via Paubox (HIPAA-compliant email provider with a BAA).
• Compliance + audit — maintaining audit logs for our regulatory obligations and breach response readiness.
• Customer support — when you contact us with questions or issues, we may access your account-related data as strictly necessary to assist. Documented in audit log.

We do NOT collect or use consumer health data for:

• Advertising of any kind (we don’t run ads at all).
• Selling to third parties (architecturally impossible).
• Marketing communications (we send transactional only).
• Profiling for non-care purposes.
• Geofencing around health facilities (we don’t track location).

We collect consumer health data only from:

• You directly — when you sign up, complete your profile, write notes, set goals, or otherwise use the platform.
• Members of your care team— when they write notes, log goal progress, document crisis events, or otherwise contribute to the record you’ve authorized them to access. Each contribution is audit-logged.
• Google Calendar (only if you opt in)— if you connect your Google Calendar, Trellis reads events from a dedicated “Trellis” calendar that we create in your Google account. We never read your primary calendar automatically; you can use the Bulk Browse feature on an event-by-event basis with explicit per-event approval.

We do not purchase health data from data brokers, ad networks, or any other source. We do notinfer health data from analytics or tracking pixels (we don’t run them).

We share consumer health data only with the following third parties, and only for the purposes documented above:

• Convex (Convex Cloud) — our primary database and storage provider. Convex is HIPAA-compliant and has signed a Business Associate Agreement with us. All your structured data is stored here.
• Paubox — our HIPAA-compliant email delivery provider. Paubox has signed a BAA with us. We use it to send transactional emails (notifications, care updates). Email content includes minimal data — typically a first name and a link.
• Sentry — error monitoring. PHI is scrubbed before any data reaches Sentry. Sentry has signed a BAA with us.
• Anthropic (Claude API) — for AI-driven pattern analysis. We do NOT have a BAA with Anthropic. Instead, we de-identify all data to HIPAA Safe Harbor standard before sending. The 18 HIPAA identifiers are removed; the resulting data is no longer considered Protected Health Information under §164.514(b)(2). Our de-identification pipeline is documented publicly and structurally enforced.
• Google Calendar (optional, per-user opt-in)— if you connect your Google Calendar, scheduled appointments sync. By default we use “opaque” mode (title = “Trellis appointment” with no PHI). The optional “workspace_baa” mode shares role + first name in the event title and requires your explicit attestation that you have a Google Workspace BAA in place.
• AWS SES — legacy bounce/complaint feedback pipeline. No PHI flows through here (event metadata only). AWS has signed a BAA with us.
• Stripe — subscription billing. Stripe processes payment data only. No health data is sent to Stripe.

We do NOT share consumer health data with law enforcement, immigration authorities, or any government agency except in response to a valid legal process (e.g., a court order), and even then only the specific information required, with notice to the affected individual where legally permitted.

No data sales, ever. Selling your data is architecturally impossible — Trellis does not have a sales relationship for personal data with any entity.

If you are a Washington resident, you have the right to:

• Confirm whether Trellis is collecting, sharing, or selling your consumer health data.
• Access the specific consumer health data we maintain about you.
• Delete your consumer health data.
• Withdraw consent for the collection and sharing of your consumer health data, at any time.

Trellis voluntarily extends these rights to ALL users, regardless of state of residence, because we believe they’re the right baseline for a healthcare platform.

How to exercise these rights:

• Confirm + access: log into your Trellis account; your profile + individual records show all data we maintain. For a formal export, email privacy@trelliscare.app. We respond within 15 business days.
• Delete: go to Settings → Account → Delete Account; OR email privacy@trelliscare.app. We complete deletion within 30 days of request.
• Withdraw consent: deletion of your account is the most direct mechanism. For partial consent withdrawal (e.g., revoking AI processing), email us.

We will not retaliate against you for exercising any of these rights.

Trellis implements administrative, technical, and physical safeguards consistent with the HIPAA Security Rule, NIST SP 800-66 Rev. 2, and the MHMDA “reasonable standard of care” requirement. Specifically:

• Encryption at rest + in transit — all health data encrypted at rest (Convex default) and in transit (TLS 1.3).
• Access controls — every read/write of health data is gated by per-individual care team membership + granular role permissions.
• Audit logging — every access of health data is recorded, retained for at least 6 years.
• De-identification pipeline for AI — structurally enforced via type-system and CI gates; documented in our public de-identification spec.
• Risk Assessment — semi-annual review; available to regulators on request.
• Breach Response Plan— incident response within 30 days (uniform target across all jurisdictions, tighter than HIPAA’s 60-day federal default).
• Workforce training — semi-annual HIPAA/MHMDA awareness training.

We retain your consumer health data for as long as your Trellis account is active. Upon account deletion:

• Your account-level data is deleted within 30 days.
• Care team membership records are marked inactive so historical references in other users’ records remain consistent.
• Audit log entries about your account are retained for the HIPAA-required minimum of 6 years for our compliance obligations.
• Backups containing your data age out per Convex’s point-in-time backup policy (30 days).

Trellis serves families where individuals receiving care may be minors. For such accounts:

• Parents/guardianshold the Tier 2 authority on a minor’s record by default.
• For Illinois-resident minors aged 12+ receiving mental health or developmental disabilities services, the Illinois Mental Health and Developmental Disabilities Confidentiality Act (MHDDCA) grants the minor specific consent rights. The architectural enforcement of these rights is under active development (see our HIPAA Stock-Take Finding F-004).
• For all users: when an individual takes over their own account (Tier 3 — Self), they obtain Tier-2-equivalent authority.

MHMDA RCW 19.373.040 prohibits geofencing around healthcare facilities for the purpose of identifying individuals, collecting consumer health data, or sending advertisements.

Trellis does not implement any geofencing. We don’t collect location data. We don’t run ads. This provision is satisfied by architectural design.

For any consumer health data privacy question — including rights requests, complaints, or general inquiries:

• Email: privacy@trelliscare.app
• Privacy Officer: Skyler Kruger
• Mailing address:
  Trellis Care Coordination LLC
  60982 Grand Targhee Drive
  Bend, OR 97702

If we have not adequately addressed your concern, you may file a complaint with:

• Washington Attorney General — www.atg.wa.gov/file-complaint
• HHS Office for Civil Rights — www.hhs.gov/ocr/complaints

Filing a complaint with a regulator does not affect any other rights you have under MHMDA, including the private right of action.

When we materially update this policy, the “Effective” date at the top of this page will change. We may also send notice to users whose data is affected.

This policy is reviewed semi-annually and any time MHMDA or relevant Trellis data practices change. Next scheduled review: November 12, 2026.