Privacy Policy
Effective date: April 2026
Trellis (“Trellis,” “we,” “us,” or “our”) provides a mobile wellness application designed to help people using GLP-1 class medications (including semaglutide and tirzepatide products) track their protein intake, injection rhythm, side effects, and progress toward their personal goals.
This Privacy Policy explains what information we collect, how we use it, how it is stored, who can access it, and what rights you have. It applies to the Trellis mobile application (the “App”) and the website at trellis.vercel.app (the “Site”), together the “Services.”
We are not a healthcare provider, not a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), and we do not provide medical advice. We treat your data as sensitive regardless — the sections below describe exactly how.
1. Our privacy approach in one paragraph
The App is local-first. By default, everything you log — weights, meals, doses, symptoms, labs — is stored in encrypted storage on your device and nowhere else. We do not transmit it to our servers, to third-party advertising networks, or to artificial intelligence services. If you choose to enable cloud backup (an off-by-default setting), we transmit your data to a secure database in our infrastructure (operated by Supabase, Inc.) for the sole purpose of letting you restore your data on a new device.
2. Information we collect
2.1 Information you provide
- Account information (only if you sign in): your email address and, if you use “Sign in with Apple” or “Sign in with Google,” the identifier returned by those providers. You may also use the App as a guest without creating an account.
- Profile information: display name (optional), date of birth, sex at birth, height, starting and goal weight, timezone, your medication type, dose, and injection day.
- Health and wellness entries: dose logs, meal logs, weight logs, symptom logs, activity logs, hydration logs, and lab results that you choose to enter.
- Meal photos (optional): photos are captured on your device for meal logging. Trellis does not transmit your photos to any external server or AI service.
- Support communications: content of any email you send us.
2.2 Information collected automatically
- Device information: basic device model, operating-system version, and App version. Used only to diagnose crashes and ensure compatibility.
- Crash diagnostics: if the App crashes, technical diagnostics (stack trace, App state, anonymous device identifier) may be collected. These reports are scrubbed of any health data fields before transmission.
- Purchase status: if you purchase a subscription, we receive confirmation from the App Store or Google Play (and our subscription partner, RevenueCat, Inc.) that your purchase was successful. We do not receive your payment card.
2.3 Information from health platforms (only with your permission)
If you explicitly enable integration with Apple HealthKit or Android Health Connect, the App reads data you authorize — weight, body composition, active energy, steps, sleep, dietary protein, and similar metrics. This data is read into the App on your device. We do not write data back to those platforms in the current release. You can revoke these permissions at any time in your device's system settings.
2.4 Information we do not collect
- We do not use advertising SDKs. We do not build advertising profiles.
- We do not sell your information to third parties. We do not share it with data brokers.
- We do not transmit your health entries to any artificial intelligence or large language model service for analysis or processing.
- We do not collect precise location data.
3. How we use information
- To operate the App on your device (calculating protein targets, displaying charts, scheduling your reminders).
- If you enable cloud backup: to synchronize your data to the backup database so you can restore it on another device.
- To authenticate you when you sign in.
- To diagnose crashes and improve stability.
- To process subscription purchases through the App Store or Google Play.
- To respond to your support messages.
- To comply with legal obligations, including fraud prevention and enforcement of our Terms.
We do not use your information for targeted advertising, for training machine-learning models, or for any purpose not listed above.
4. Legal bases (for users in the EEA, UK, and similar regimes)
- Performance of a contract — to provide the Services you requested.
- Consent — for optional features such as cloud backup, push notifications, HealthKit / Health Connect integration, and marketing communications.
- Legitimate interests — to diagnose crashes, secure the Services, and prevent fraud.
- Legal obligation — where required by law.
5. How long we keep your information
Data you enter in the App stays on your device until you delete it or uninstall the App. If you enable cloud backup, your backup stays on our servers until you disable cloud backup (which deletes your remote copy) or you delete your account (which permanently removes all server-side data tied to you within 30 days).
Crash diagnostics are retained for up to 90 days and then deleted. Support email is retained for up to 24 months for quality and audit purposes unless you request earlier deletion.
6. Who we share information with
We share information only with the service providers listed below, only to the extent necessary for them to help us operate the Services, and only under contractual confidentiality obligations.
- Supabase, Inc. — database, authentication, and cloud storage infrastructure for users who enable cloud backup.
- Apple Inc. and Google LLC — App distribution, sign-in, and in-App purchase processing.
- RevenueCat, Inc. — subscription entitlement verification (purchase status only; no health data is shared).
- Email service providers — for transactional email (account actions, receipts, support replies).
We may disclose information if required by law, subpoena, or valid legal process, or to protect the rights, property, or safety of users or the public. We will notify affected users of such requests unless legally prohibited.
7. Your rights
You have the right to:
- Access the information we hold about you
- Export your data in a portable format (JSON and PDF formats are available directly inside the App Settings)
- Correct inaccurate information (most data can be edited directly in the App)
- Delete your data and your account (available in App Settings and honored within 30 days)
- Opt out of optional data collection (push notifications, cloud backup, health-platform integrations) at any time
- Object to or restrict certain processing, where applicable
- Lodge a complaint with a data protection authority
To exercise any of these rights, email tranquilitypages@gmail.com. We will respond within 30 days (45 days under certain laws).
8. Health information and breach notification
Although we are not a HIPAA-covered entity, we acknowledge and comply with the Federal Trade Commission's Health Breach Notification Rule (16 C.F.R. Part 318). If there is a breach of security resulting in the acquisition of your unsecured personally identifiable health information by an unauthorized person, we will notify you and, where applicable, the Federal Trade Commission and the media, within 60 calendar days of discovery of the breach. Notifications will include the date of the breach, the information involved, the steps we are taking, and steps you can take to protect yourself.
9. State-specific disclosures (United States)
9.1 Washington residents — My Health My Data Act
If you are a Washington resident, you have the right to confirm whether we collect, share, or sell your consumer health data; to withdraw consent; and to have your consumer health data deleted. Requests can be submitted to tranquilitypages@gmail.com. We do not sell consumer health data as defined by RCW 19.373. A separate Consumer Health Data Privacy Policy is available on the Site and in the App as required by the Act.
9.2 California residents — CCPA / CPRA / CMIA
California residents have the right to know what personal information we collect, to delete it, to correct it, to opt out of any sale or sharing (we do not sell or share for targeted advertising purposes), and to non-discrimination. Sensitive personal information and medical information are handled under the California Medical Information Act (CMIA) standards even though we are not a “provider of health care.” Submit requests to tranquilitypages@gmail.com.
9.3 Connecticut, Virginia, Colorado, and similar state privacy laws
Residents of states with general consumer privacy laws have the right to access, correct, delete, and port their personal data, and to opt out of targeted advertising, sale, and certain profiling. We do not engage in any of those activities. Submit requests to tranquilitypages@gmail.com.
9.4 Appeals
If we decline a privacy request, you may appeal by replying to our response. We will reconsider and respond within 45 days.
10. Children and minors
The Services are not directed to children under 17 and are intended for adults who are prescribed or are candidates for GLP-1 class medications. We do not knowingly collect personal information from children under 13, and we do not knowingly collect sensitive health information from minors under 17. If you believe a child has provided us with personal information, email tranquilitypages@gmail.com and we will delete it.
11. International users
The Services are operated from the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Services you consent to this transfer.
12. Security
We use industry-standard safeguards: device-level encryption for local storage, TLS for data in transit, encryption at rest for any cloud backup, strict row-level security rules that prevent any user from accessing another user's data, and access controls on our infrastructure. No system is perfect; we encourage you to use a device passcode, keep your OS updated, and enable two-factor authentication on any accounts linked to the App.
13. Changes to this policy
We will update this policy from time to time. If we make material changes, we will notify you in-App and by email (if you have an account) at least 30 days before the change takes effect, and we will update the effective date at the top. Continued use of the Services after changes take effect constitutes acceptance.
14. Contact us
For any question about this policy or your data, email us at tranquilitypages@gmail.com. For general support, email tranquilitypages@gmail.com.