Privacy Policy
Last updated: May 21, 2026
1. Who we are
Trellis Clinical, Inc. (“Trellis,” “we,” “us”) provides software that helps licensed clinicians and their practices manage at-home ketamine and esketamine therapy. This policy explains what information we collect, how we use it, and the choices you have.
2. Information we collect
- Account data: name, email, practice, role, credentials and authentication metadata.
- Practice and clinical data (PHI): patient demographics, MRN, insurance, allergies, medications, enrollments, dosing sessions, vitals, lots, notes, adverse events, and billing records that your practice enters into Trellis.
- Usage data: log files, device and browser information, IP address, pages viewed, and feature interactions.
- Cookies and similar technologies: used for authentication, session continuity, and product analytics.
3. HIPAA and protected health information
When Trellis processes PHI on behalf of a covered entity, we act as a Business Associate under HIPAA. A Business Associate Agreement (BAA) governs that processing. We implement administrative, physical, and technical safeguards intended to protect the confidentiality, integrity, and availability of PHI, including encryption in transit and at rest, role-based access controls, and audit logging.
4. How we use information
- To provide, secure, and improve the Trellis service.
- To authenticate users, enforce role-based access, and prevent abuse.
- To generate practice-level reports and product analytics in aggregated or de-identified form.
- To communicate with you about your account, security, and product updates.
- To comply with applicable laws and lawful requests.
5. How we share information
We do not sell personal information or PHI. We share information only with: (a) subprocessors that help us operate the service under written contracts (hosting, monitoring, email delivery); (b) your practice administrators, as required to operate your account; (c) regulators or authorities when required by law; and (d) successors in connection with a merger, acquisition, or asset sale, subject to equivalent protections.
6. Data retention
Practice and clinical data is retained for as long as your practice maintains its account, or longer where required by law, professional record-keeping requirements, or the terms of your BAA. You may request export or deletion of your data subject to those obligations.
7. Your choices and rights
Depending on where you live, you may have rights to access, correct, delete, or port your personal information, and to object to or restrict certain processing. Patients should direct requests regarding PHI to their treating practice, which controls that record. For account-level requests, contact us at the address below.
8. Security
We use industry-standard safeguards, including TLS for data in transit, encryption at rest, row-level access controls, audit logging, and least-privilege access for personnel. No system is perfectly secure; if we become aware of a breach affecting your data, we will notify affected parties as required by law and your BAA.
9. International transfers
Trellis is operated from the United States. If you access the service from outside the U.S., you understand that your information may be transferred to, stored, and processed in the U.S. under U.S. law.
10. Children
Trellis is not directed to children under 13, and we do not knowingly collect personal information from them outside the clinical record entered by a treating practice.
11. Changes
We may update this policy from time to time. We will notify you of material changes through the product or by email. Continued use of Trellis after the effective date constitutes acceptance of the updated policy.
12. Contact
Trellis Clinical, Inc.
Privacy Officer · privacy@trellis.health