Privacy Policy

This Privacy Policy describes the data Trellis collects, what we do with it, who we share it with (and don't), and the rights you have over the information about you and the person you support. It applies to trelliscare.app and any related services operated by Trellis Care Coordination LLC (“Trellis,” “we,” “us,” or “our”), an Oregon limited liability company with its principal place of business at 60982 Grand Targhee Drive, Bend, Oregon 97702.

Trellis handles Protected Health Information (PHI) on behalf of families coordinating disability and developmental care. That responsibility shapes every choice in this document.

A few sections of this policy treat Family Users (parents, guardians, family members, and self-advocate individuals using Trellis to coordinate their own care or care for someone they support) differently from Provider Users (clinicians, BCBAs, OTs, SLPs, RBTs, DSPs, agency staff, case managers, and educators using Trellis in a professional capacity, generally as workforce members of a HIPAA-covered entity or business associate).

Where a section applies to one category and not the other, we say so explicitly. Where a section applies to both, you're both covered.

We collect three categories of information:

Account information

• Your name, email address, and password (hashed)
• Profile photo (optional)
• Phone number (optional, for crisis-event push notifications)
• Notification preferences and timezone
• For Provider Users: organization affiliation, role, credentials supplied at invitation

Care data (Protected Health Information)

• Information about the individual receiving care: name, date of birth, pronouns, photo, communication preferences, sensory profile, diagnoses (if entered), allergies, emergency contacts
• Care notes, goal progress entries, medication timelines, crisis events, sensory observations, appointments, files, messages, and journal entries that team members create
• Care team membership and per-member permission flags
• For users who connect a Google calendar: events from a dedicated “Trellis” calendar we create in your Google account, plus events you explicitly select via the one-time bulk-browse import (see Google Calendar integration)

Operational telemetry

• Audit log entries — who accessed what, when, and from where (IP address and user-agent string captured for defense-in-depth and HIPAA §164.312(b) audit-control compliance)
• Error reports through Sentry — automatically scrubbed for PHI before transmission via a dedicated scrubber pipeline
• Subscription + billing metadata via Stripe (no PHI in Stripe metadata, ever — a sanitizer enforces this at the API boundary)
• DDoS / WAF telemetry from Cloudflare (IP addresses, request paths, attack signatures), used solely to protect the service from abuse

Trellis does not collect: social security numbers, government IDs, biometric data, location data beyond audit-log IP addresses, advertising identifiers, or third-party analytics identifiers. We do not run third-party trackers (no Google Analytics, no Facebook pixel, no behavioral ad networks).

We use the information we collect to:

• Deliver the coordination service — show care notes, goals, medications, crisis protocols, and other content to the people authorized to see them
• Send notifications (push, email, in-app) about events you care about, governed by your notification preferences
• Generate AI insights, weekly summaries, and pattern correlations on care data — only after de-identification (see AI & de-identification)
• Maintain audit logs required by HIPAA §164.312(b) and §164.528 (right to accounting of disclosures)
• Process subscription payments via Stripe (a HIPAA Business Associate under signed BAA)
• Investigate suspected abuse, security incidents, or violations of the Terms of Service
• Comply with legal obligations, respond to lawful process, and protect the rights, safety, and property of Trellis, our users, and the public

We do not use your information to train AI models, sell advertising, build user profiles for resale, or provide data to data brokers.

Care data is shared with the people you explicitly add to a care team for an individual, scoped by the visibility settings on each note (Team / Clinical only / Family only / Author only / Custom). Adding a team member is always your decision, and you can remove them at any time.

Beyond your care teams, Trellis shares information only with a small set of subprocessors required to operate the platform. Each subprocessor that handles PHI operates under a signed Business Associate Agreement (BAA). The current list:

Subprocessors handling PHI (BAA signed)

• Convex (Convex, Inc.) — the database and server runtime that holds care data at rest and in transit
• Vercel — application hosting (front-end edge + serverless functions)
• Anthropic (Claude) — the AI provider used for pattern insights and weekly summaries — receives only de-identified surrogate data, never identifiable PHI, and is enrolled in Zero Data Retention
• Paubox — transactional email delivery (notifications, password resets, invitations). HIPAA BAA-covered; emails are also formatted to avoid PHI in body or subject as a defense-in-depth measure
• Stripe — payment processing — receives billing metadata only, never PHI (a sanitizer enforces this at the API boundary)

Subprocessors not handling PHI

• Cloudflare — DDoS protection, edge caching of public marketing pages, and Web Application Firewall. Cloudflare does not see authenticated PHI traffic; care data flows browser-to-Convex via TLS without Cloudflare interception
• Sentry — error monitoring — receives error reports automatically scrubbed for PHI before transmission via a dedicated scrubber pipeline; under a signed BAA as a defense-in-depth measure even though scrubbing should prevent PHI exposure in the first place
• Google (calendar integration)— only for users who explicitly connect their Google calendar. Trellis writes appointments to a dedicated “Trellis ” calendar in the user's Google account; in opaque mode, the event title is “Trellis appointment ” with no PHI in title or description. Workspace BAA mode (an opt-in enrollment) allows the user's organization-issued Google Workspace, when itself BAA- covered, to receive richer event metadata. Google's handling of events written to a user's own calendar is governed by the user's relationship with Google, not by Trellis' subprocessor list
• AWS SES (legacy, bounce/complaint feedback only) — historically Trellis sent email through AWS SES. We migrated outbound delivery to Paubox in May 2026. The SES bounce/complaint event pipeline is retained for reputation monitoring; SES no longer carries the send path. AWS has signed a BAA with Trellis, retained as a precaution

A current list of subprocessors with their roles and BAA status is also published on our Security page. We will provide at least 30 days advance notice of any new subprocessor that will handle PHI before they begin processing.

We will never sell or rent your data, share it with advertisers or marketing platforms, or provide it to law enforcement except as required by valid legal process, and where lawful, we will give you notice and an opportunity to challenge before producing your information.

Trellis uses AI to surface patterns in care data — sleep trends, medication-behavior correlations, environmental triggers, goal trajectories. This analysis is gated to the Growth tier and runs through a multi-layer de-identification pipeline before any data leaves Trellis.

The pipeline:

1. Structural scrub — typed identifier fields (names, DOB, addresses, contact info, medical-record numbers) are stripped from the structured payload
2. Free-text scrub — care-note bodies pass through pattern recognition for the 18 HIPAA Safe Harbor identifiers, with surrogate substitution
3. Validation gate — a deterministic regex/denylist check fails the request closed if any residual identifier survives
4. Semantic Haiku validation — a second-stage AI model (Claude Haiku) does named-entity-recognition on the scrubbed payload and blocks the request if it surfaces anything that looks human-identifiable
5. Inference call — the analysis prompt runs against Claude Sonnet with Zero Data Retention enabled at the provider level (Anthropic does not retain prompts or completions for ZDR-enrolled API keys)
6. Re-identification — surrogates in the response are substituted back to the real names/values inside Trellis before display
7. Structured-output parsing— the response is parsed into a typed insight payload; anything that doesn't match the schema is rejected

The AI provider never sees a name, a date of birth, an address, or any other identifier listed in HIPAA §164.514(b) (Safe Harbor). The full 18-identifier handling is documented on the HIPAA / BAA page.

Care data is neverused to train models — ours or anyone else's. AI features can be disabled by downgrading from the Growth tier.

Connecting a Google calendar to Trellis is optional. The integration has strong privacy boundaries baked into the architecture:

• On first connect, Trellis creates a dedicated “Trellis” calendar in your Google account. Trellis only ever reads from that dedicated calendar — your primary, family, work, school, and other calendars are never enumerated by automation
• Push direction (Trellis → Google): Trellis appointments fan out to each connected team member's Google calendar. The default mode is “opaque” — event title is “Trellis appointment,” no PHI in title or description. A “Workspace BAA” mode (opt-in, requires a user attestation that the recipient's Google Workspace is BAA-covered) allows richer titles
• Pull direction (Google → Trellis): events created in the dedicated Trellis calendar in Google flow into a Trellis Import Inbox for per-event individual assignment. Auto- rules let you opt INTO automatic assignment for routine events you describe
• Bulk-browse escape hatch: if you have existing events in your primary Google calendar that you want to import once, a bounded time-range picker lets you browse and select them for one-time import. This explicit-consent path writes an audit row every time it's used
• Disconnecting Google removes future push, the import inbox, and import auto-rules; previously imported appointments stay in Trellis as Trellis records (you control them via the normal appointment UI)

You have rights over the information Trellis holds about you and (where applicable) about the individual you support. Some are required by HIPAA, some by state privacy laws (including California's CMIA, Illinois's MHDDCA, Texas HB 300, and Oregon ORS 192.553), and some are commitments we make as a matter of principle.

• Access (HIPAA §164.524). View everything Trellis holds about you or the individual under your care, organized by type (notes, goals, files, audit log entries, etc.). For individually-managed records, in-app export satisfies access. For requests we need to fulfill manually, we respond within 30 days, with a one-time 30-day extension permitted under §164.524(b)(2) where we provide a written statement of the reason and the extended date. State-law overlay (F-003, May 12 2026 stock-take): California residents have access rights under the Confidentiality of Medical Information Act (CMIA) that typically require response within 5–15 business days; Texas residents have HB 300 access rights requiring response within 15 business days; Washington residents have additional access rights under MHMDA for consumer health data. We honor the strictest applicable timeline for your jurisdiction and aim to respond to ALL access requests within 15 business days regardless of state.
• Correction / Amendment (HIPAA §164.526). Edit account details, profile information, and care data through the app. For records you can't directly edit (e.g., audit-log entries), request corrections at privacy@trelliscare.app
• Portability.Export your data at any time — individual summaries, goal reports, care-note exports, and a complete “transition package” that compiles everything into a single document for handoff
• Deletion. Delete your account and the data it contains. Account-owner deletion removes the individuals you created, the care teams around them, and the associated content. Audit-log entries for HIPAA §164.528 disclosures are retained for the period required by law (six years)
• Accounting of disclosures (HIPAA §164.528). Family-role members can view a derived audit log showing every disclosure of an individual's PHI — who, when, and what action — for the prior six years
• Restriction request (HIPAA §164.522). You may request restrictions on how PHI is used or disclosed. We will accommodate where practicable; restrictions that prevent us from operating the service may require ending the account
• Confidential communications (HIPAA §164.522). You may request that we communicate with you in a particular way (alternate email, a different phone, etc.). Notification preferences in Settings cover the common cases; other requests should go to privacy@trelliscare.app
• Opt-out of AI features. Cancel the Growth subscription and AI processing stops immediately. Existing insights stay in the Journal where you saved them; no new inference runs
• Complaint. If you believe your privacy rights have been violated, you may file a complaint with us (privacy@trelliscare.app) and / or with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr/complaints. We will not retaliate against you for filing a complaint

To exercise any of these rights, email privacy@trelliscare.app.

In the event of a breach of unsecured PHI as defined in HIPAA §164.402, Trellis will notify affected individuals (or the covered entity, where Trellis is acting as a Business Associate) without unreasonable delay and in any case within 60 daysof discovery, in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). Notice will include a description of what happened, the types of information involved, the steps individuals should take to protect themselves, what we're doing to investigate and mitigate harm, and contact information for questions.

Where required, we will also notify the Secretary of HHS and (for breaches affecting more than 500 residents of a state or jurisdiction) prominent media outlets serving that area. We notify state attorneys general where state law requires it.

Trellis is designed to coordinate care for children and youth (often the individual at the center of a care team is a minor), but accounts on Trellis must be created by adults (18+). Children do not directly create accounts.

Information about a child receiving care is treated as PHI and protected accordingly. The account owner (typically a parent or guardian) controls who is on the care team and what information they can see.

When the individual reaches the age of majority and takes over their own account, the existing account owner can transfer ownership through a future tooling pass (target: V1.5). Trellis is not subject to COPPA because we do not knowingly collect personal information directly from children under 13; care information about minors is provided by the responsible adult.

Different categories of data have different retention windows:

• Care data on free (Roots) plans — visible for 90 days; older entries are archived and remain accessible via export. Roots+, Growth, and Provider plans retain care data indefinitely while the subscription is active
• Audit log entries — retained for six years (HIPAA §164.528 disclosure records) regardless of plan tier
• Account data — retained while the account is active, plus a 30-day reactivation window after deletion request, after which permanently purged
• Backups — included in the Convex production backup schedule with rolling 30-day retention. Deletion requests propagate to backups within the next scheduled rollover
• Billing records (Stripe)— retained per Stripe's standard retention and applicable tax / financial regulations (typically seven years)

We implement administrative, physical, and technical safeguards required by the HIPAA Security Rule (45 CFR §§ 164.302–318), including:

• Encryption in transit (TLS 1.2+) and at rest (provider- managed)
• Access controls, role-based permissions, and per-record authorization checks on every server function
• Audit logging of every PHI access, write, and disclosure
• Workforce training on HIPAA, secure development, and incident response
• Vulnerability scanning, dependency monitoring, and a published responsible-disclosure program
• DDoS protection and Web Application Firewall via Cloudflare on public-facing infrastructure

Security details and our responsible-disclosure program are on the Security page.

Trellis is operated from the United States. Our infrastructure providers (Convex, Vercel, Cloudflare, Anthropic, Paubox, Stripe, Sentry, Google) operate primarily from US data centers. If you access Trellis from outside the United States, your information will be transferred to and processed in the United States.

Trellis is built for the US healthcare context (HIPAA- aligned) and is not currently designed for use under the EU/UK GDPR, the Swiss FADP, or other non-US data-protection regimes. Users outside the US can use Trellis but should understand that local protections may differ from US frameworks.

Pursuant to HIPAA §164.530(a), Trellis Care Coordination LLC designates the following individual as Privacy Officer and contact for receiving complaints and providing information about our privacy practices:

Skyler Kruger, Privacy Officer
Trellis Care Coordination LLC
60982 Grand Targhee Drive, Bend, Oregon 97702
privacy@trelliscare.app

We'll update this policy when we change practices that are described here, when we add or remove a subprocessor, or when laws change in ways that require disclosure.

Material changes — anything that meaningfully affects the choices you have or what we do with your data — will be announced via in-app notification and email at least 30 days before the change takes effect, so you can review and decide whether to continue using Trellis. New subprocessors that will handle PHI receive the same 30-day advance notice.

Non-material changes (clarifying language, fixing typos, adding new examples) take effect on the “Effective ” date at the top of this document.

Privacy questions, requests to exercise rights described above, or concerns about how Trellis handled your data — email us:

• Privacy / HIPAA: privacy@trelliscare.app
• Security / abuse: security@trelliscare.app
• General & legal: legal@trelliscare.app

By mail: Trellis Care Coordination LLC, Attn: Privacy Officer, 60982 Grand Targhee Drive, Bend, Oregon 97702.

For HIPAA-specific requests (Right of Access, accounting of disclosures, breach inquiries), see the dedicated HIPAA / BAA page for the formal process.