Privacy Policy

This Privacy Policy describes the data Trellis collects, what we do with it, who we share it with (and don't), and the rights you have over the information about you and the person you support. It applies to trelliscare.app and any related services Trellis operates.

Trellis handles Protected Health Information (PHI) on behalf of families coordinating disability and developmental care. That responsibility shapes every choice in this document.

We collect three categories of information:

Account information

• Your name, email address, and password (hashed)
• Profile photo (optional)
• Phone number (optional, for crisis-event push notifications)
• Notification preferences

Care data (Protected Health Information)

• Information about the individual receiving care: name, date of birth, pronouns, photo, communication preferences, sensory profile, diagnoses (if entered), allergies, emergency contacts
• Care notes, goal progress entries, medication timelines, crisis events, sensory observations, appointments, files, messages, and journal entries that team members create
• Care team membership and per-member permission flags

Operational telemetry

• Audit log entries — who accessed what, when, and from where (IP address and user-agent string captured for defense-in-depth)
• Error reports through Sentry — automatically scrubbed for PHI before transmission via a 7-layer pipeline
• Subscription + billing metadata via Stripe (no PHI in Stripe metadata; ever — see Security for the enforcement detail)

Trellis does not collect: social security numbers, government IDs, biometric data, location data beyond audit-log IP addresses, advertising identifiers, or third-party analytics identifiers. We do not run third-party trackers (no Google Analytics, no Facebook pixel, no behavioral ad networks).

We use the information we collect to:

• Deliver the coordination service — show care notes, goals, medications, crisis protocols, and other content to the people authorized to see them
• Send notifications (push, email, in-app) about events you care about, governed by your notification preferences
• Generate AI insights, weekly summaries, and pattern correlations on care data — only after de-identification (see AI & de-identification)
• Maintain audit logs required by HIPAA §164.312(b) and §164.528 (right to accounting of disclosures)
• Process subscription payments via Stripe (a HIPAA Business Associate under signed BAA)
• Investigate suspected abuse, security incidents, or violations of the Terms of Service

We do not use your information to train AI models, sell advertising, build user profiles for resale, or provide data to data brokers.

Care data is shared with the people you explicitly add to a care team for an individual, scoped by the visibility settings on each note (Team / Clinical only / Family only / Author only / Custom). Adding a team member is always your decision, and you can remove them at any time.

Beyond your care teams, Trellis shares information only with a small set of HIPAA Business Associates required to operate the platform. Each operates under a signed Business Associate Agreement (BAA):

• Convex — the database and server runtime that holds care data at rest and in transit
• Vercel — the application hosting platform (front-end + serverless functions)
• Postmark — transactional email delivery (notifications, password resets, invitations) — emails never contain PHI in body or subject
• Anthropic (Claude) — the AI provider used for pattern insights and weekly summaries — receives only de-identified surrogate data, never identifiable PHI, and is enrolled in Zero Data Retention
• Stripe — payment processing — receives billing metadata only, never PHI (a sanitizer enforces this at the API boundary)
• Sentry — error monitoring — receives error reports automatically scrubbed for PHI before transmission

A current list of subprocessors with their roles and BAA status is published on our Security page.

We will never sell or rent your data, share it with advertisers or marketing platforms, or provide it to law enforcement without a valid legal process and notice to you (unless the legal process forbids notice).

Trellis uses AI to surface patterns in care data — sleep trends, medication-behavior correlations, environmental triggers, goal trajectories. This analysis is gated to the Growth tier and runs through a 7-layer de-identification pipeline before any data leaves Trellis.

The pipeline:

1. Structural scrub — typed identifier fields (names, DOB, addresses, contact info, medical-record numbers) are stripped from the structured payload
2. Free-text scrub — care-note bodies pass through pattern recognition for the 18 HIPAA identifiers, with surrogate substitution
3. Validation gate — a deterministic regex/denylist check fails the request closed if any residual identifier survives
4. Semantic Haiku validation — a second-stage AI model (Claude Haiku) does named-entity-recognition on the scrubbed payload and blocks the request if it surfaces anything that looks human-identifiable
5. Inference call — the analysis prompt runs against Claude Sonnet with zero data retention enabled at the provider level
6. Re-identification — surrogates in the response are substituted back to the real names/values inside Trellis before display
7. Structured-output parsing — the response is parsed into a typed insight payload; anything that doesn't match the schema is rejected

The AI provider never sees a name, a date of birth, an address, or any other identifier listed in HIPAA §164.514(b) (Safe Harbor). The full 18-identifier handling is documented on the HIPAA / BAA page.

Care data is never used to train models — ours or anyone else's.

You have rights over the information Trellis holds about you and (where applicable) about the individual you support. Some are required by HIPAA, some by state privacy laws, and some are commitments we make as a matter of principle.

• Access. View everything Trellis holds about you or the individual under your care, organized by type (notes, goals, files, audit log entries, etc.)
• Correction. Edit account details, profile information, and care data through the app. For records you can't directly edit (e.g., audit-log entries), request corrections at hello@trelliscare.app.
• Portability. Export your data at any time — individual summaries, goal reports, care-note exports, and a complete “transition package” that compiles everything into a single document for handoff.
• Deletion. Delete your account and the data it contains. Account-owner deletion removes the individuals you created, the care teams around them, and the associated content. Audit-log entries for HIPAA §164.528 disclosures are retained for the period required by law.
• Accounting of disclosures. Per HIPAA §164.528, family-role members can view a derived audit log showing every disclosure of an individual's PHI — who, when, and what action.
• Opt-out of AI features. Cancel the Growth subscription and AI processing stops immediately. Existing insights stay in the Journal where you saved them; no new inference runs.

To exercise any of these rights, email hello@trelliscare.app. We respond within 30 days (typically much faster).

Trellis is designed to coordinate care for children and youth (often the individual at the center of a care team is a minor), but accounts on Trellis must be created by adults (18+). Children do not directly create accounts.

Information about a child receiving care is treated as PHI and protected accordingly. The account owner (typically a parent or guardian) controls who is on the care team and what information they can see.

When the individual reaches the age of majority and takes over their own account, the existing account owner can transfer ownership through a future tooling pass (target: V1.5).

Different categories of data have different retention windows:

• Care data on free (Roots) plans — visible for 90 days; older entries are archived and accessible via export. Roots+ and Growth plans retain care data indefinitely while the subscription is active.
• Audit log entries — retained for the full HIPAA-required period (six years for §164.528 disclosure records) regardless of plan tier.
• Account data — retained while the account is active, plus a 30-day reactivation window after deletion request, after which permanently purged.
• Backups — included in the Convex production backup schedule with rolling 30-day retention. Deletion requests propagate to backups within the next scheduled rollover.

Trellis is operated from the United States. Our infrastructure providers (Convex, Vercel, Postmark, Anthropic, Stripe, Sentry) operate primarily from US data centers. If you access Trellis from outside the United States, your information will be transferred to and processed in the United States.

Trellis is built for the US healthcare context (HIPAA-aligned) and is not currently designed for use under GDPR, UK Data Protection Act, or other non-US data-protection regimes. Users outside the US can use Trellis but should understand that local protections may differ from US frameworks.

We'll update this policy when we change practices that are described here, when we add or remove a subprocessor, or when laws change in ways that require disclosure.

Material changes — anything that meaningfully affects the choices you have or what we do with your data — will be announced via in-app notification and email at least 30 days before the change takes effect, so you can review and decide whether to continue using Trellis.

Non-material changes (clarifying language, fixing typos, adding new examples) take effect on the “Effective” date at the top of this document.

Privacy questions, requests to exercise rights described above, or concerns about how Trellis handled your data — email us:

hello@trelliscare.app

For HIPAA-specific requests (Right of Access, accounting of disclosures, breach inquiries), see the dedicated HIPAA / BAA page for the formal process.

Trellis is built and operated by Veridian Synthetics, an independent maker.