Privacy Policy

Welcome to Trellis, an AI-powered property operations platform (the "Service"). The Service is owned and operated by Trellis Tech, Inc., a Delaware corporation and its subsidiaries (collectively, the "Company", "we", "us" and "our").

We, at Trellis, respect your privacy. This Privacy Policy (the "Policy") outlines our privacy practices with respect to the Service, including the ways your personal information and data is collected, stored, used, and shared.

Providing us with your personal information is a choice you make. We appreciate that and thank you for making this choice. You are not legally obligated to provide us with this information, but we do need it to allow you to use the Service.

This Policy is incorporated into our Terms of Service (the "Terms"), and is a part of them. Please refer to our Terms of Service for more information about how our Services work.

This Privacy Policy does not apply to data that is not personal data, including anonymous, de-identified, or aggregated data, even when such data has been derived from personal data.

1. What Data Do We Collect and Why

1.1 General Services

Customers and website visitors data — we may collect your name, address, mobile phone number, and email address when you submit an inquiry, make a customer service request, or register an account. Because our customers are rental businesses, our knowledge of your business is generally considered professional information. We may use this data to process transactions, authenticate you when you log in, operate and maintain our Services, communicate with you about the Services, respond to support requests, and provide customer support, including through the use of automated tools, chatbots, or AI-based agents.

Customers and Guests' data — we are a service provider to our customers and access user data relating to the employees of our customers and guest data on behalf of our customers. The data we collect about guests consists of: name, email, and phone number in order to provide our Service; commercial information such as reservation start and end dates; and any additional guest personal information shared with us for a business purpose only. This data will not be used beyond what is necessary to provide our Service as specified in our Terms of Service, and will not be sold, retained, or disclosed beyond what is necessary to provide our Service.

1.2 Payment Services

To provide our payment services effectively, we collect and process certain personal and financial information, including:

• Payment Details: When you make a payment for our services, your credit card or debit card information is securely processed by a third-party payment processor. We do not store your full payment card details on our systems unless explicitly required and legally permitted.
• Bank Details: If necessary, for specific transactions such as payments to property owners or refunds, we may collect and process bank account information.
• IP Address: To ensure the security of transactions and prevent fraudulent activities, we may collect your IP address when using our services.

All financial information is handled in accordance with applicable data protection laws, including GDPR and CCPA, and is used solely for the purposes of facilitating payments, preventing fraud, and complying with legal obligations.

1.3 Marketing

We may use data provided by you to send you email newsletters with updates on product features; to provide retargeted advertising; and to conduct sales outreach to prospective customers.

1.4 Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website, mobile applications, and emails to enhance functionality, monitor performance, and support secure processing. See our Cookie Policy for more details.

1.5 Internal Research, Customer Service, and Service Improvement

We may use data provided by you to analyze user activity data, to provide you with customer service, and to determine where we need to improve user and customer experience. We may also use AI-based tools and technologies to process data for the above-mentioned purposes, including for the additional internal purpose of improving our Services. We will not use identifiable personal data to train machine learning or artificial intelligence models without obtaining prior explicit consent or, where we act as a processor, the prior written authorization of the relevant customer.

These tools are designed to handle data securely and confidentially, ensuring that any information processed remains protected and is not shared in a manner that identifies individuals. While AI technologies may enhance our ability to deliver better services, we are committed to maintaining the privacy and integrity of our customers' and guests' data.

We may use the information we collect to compile anonymized or aggregated information that cannot reasonably be used to identify any individual. We may share or otherwise communicate such anonymized or aggregated information with third parties for legitimate business purposes, provided that we apply industry-standard de-identification techniques and contractually prohibit any recipient from attempting to re-identify individuals. We will not knowingly or intentionally share information that can be reasonably used to reveal your identity without your consent.

1.6 Security

We may use your data to verify accounts and activity, monitor suspicious or fraudulent activity, and identify violations of Service policies.

1.7 Compliance with Applicable Laws

We may use your data to enforce the Terms and this Policy, to prevent misuse of the Service, to comply with any applicable law and assist law enforcement agencies and competent authorities, and to take any action in any case of a dispute involving you with respect to the Service.

1.8 Artificial Intelligence and Machine Learning Processing

Our Service uses artificial intelligence ("AI") and machine learning ("ML") technologies to provide core platform functionality, including AI-powered guest communications, task scheduling, and property management automation. In connection with these features, personal data (including guest names, contact information, booking details, and message content) may be processed by the following third-party AI/LLM providers: (a) Anthropic (Claude) — for AI-generated guest communications and task management; (b) Google (Gemini) — for AI-powered analysis and automation; (c) OpenAI — for natural language processing and AI agent functionality.

We have entered into data processing agreements with each of these providers that include appropriate confidentiality, security, and data protection obligations. Data shared with AI/LLM providers is used solely to provide the requested AI functionality and is not used by these providers to train their general-purpose models, unless you have provided explicit opt-in consent.

AI-generated content (such as automated guest responses) is clearly identified as AI-generated where required by applicable law. You have the right to request human review of any significant decision made solely by automated means that affects you (see Section 10.2 regarding GDPR rights related to automated decision-making).

1.9 Our Role: Data Controller and Data Processor

Trellis acts in different capacities depending on the type of data being processed: (a) Data Controller: Trellis is the data controller for personal data of its direct customers (account holders), website visitors, prospective customers, and individuals who contact us directly. As controller, Trellis determines the purposes and means of processing this data. (b) Data Processor: Trellis acts as a data processor when processing guest personal data, property data, and communications data on behalf of its customers (property management companies, or "PMCs"). PMCs are the data controllers for this data, and Trellis processes it only in accordance with the PMC's instructions and the applicable data processing agreement ("DPA").

If you are a guest whose data is processed through our platform, your PMC is the data controller and you should direct any data subject requests to them in the first instance. We will assist our PMC customers in responding to such requests as required by applicable law and our DPA.

2. Data Sharing

We use service providers and other third-party services to help perform essential business functions on our behalf. We do not share any information unnecessarily. Our data sharing includes the following categories:

3. Children's Privacy

This Service is not directed to children. In the United States, we do not knowingly collect personal information from children under 13 years of age, in compliance with the Children's Online Privacy Protection Act ("COPPA"). In the European Economic Area and United Kingdom, we do not knowingly collect personal data from individuals under 16 years of age, in compliance with the GDPR. In other jurisdictions, we comply with the applicable minimum age requirements.

If we learn that we have collected personal information from a child below the applicable minimum age without verified parental consent, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at the details provided in Section 12.

4. Cookie Policy

This website uses cookies and similar tracking technologies (such as pixels, web beacons, and local storage) to recognize you when you visit our website. Cookies are small text files stored on your device that hold data specific to a website or server. We categorize cookies as follows:

• (a) Strictly Necessary Cookies: Essential for the website to function (e.g., session management, security). These cookies cannot be disabled.
• (b) Functional Cookies: Enable enhanced functionality and personalization (e.g., remembering your preferences and settings).
• (c) Analytics Cookies: Help us understand how visitors interact with our website by collecting information such as IP address, pages visited, and time spent. We use analytics providers such as Google Analytics for this purpose.
• (d) Marketing/Advertising Cookies: Used to deliver relevant advertisements and track the effectiveness of our marketing campaigns. These cookies may be set by third-party ad networks such as Meta and Google.

For users in the European Economic Area and United Kingdom, we obtain your consent before placing non-essential cookies (categories b, c, and d above) through our cookie consent banner. You may withdraw your consent at any time through the cookie settings on our website.

You can manage and delete cookies through your browser settings. You can also opt out of advertising cookies at: https://optout.aboutads.info/. For more information about cookies and how to manage them, visit www.allaboutcookies.org. Please note that disabling certain cookies may affect the functionality of our website.

For more details, see our Cookie Policy.

5. Transfer of Data Outside Your Territory

We may store and process information in various locations throughout the globe, including through cloud-based infrastructure services hosted by Amazon Web Services (AWS) in the United States. Our primary data processing occurs in the United States, but data may also be accessed from or processed in other countries where our service providers operate. The laws in those countries may provide a different degree of data protection than the laws of your own country. We ensure that appropriate safeguards are in place to protect your data when transferred internationally, including:

• (a) European Commission adequacy decisions, where applicable;
• (b) Standard Contractual Clauses (SCCs) approved by the European Commission;
• (c) binding corporate rules; or
• (d) other legally recognized transfer mechanisms under applicable law.

For transfers from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the transfer mechanisms described above rather than consent. For transfers from other jurisdictions, we comply with applicable local requirements. Regardless of where your data is processed, we apply the same level of protection described in this Policy and ensure compliance with applicable data protection laws. You may request a copy of the applicable transfer safeguards by contacting us at the details provided in Section 12.

6. Information Security

We implement industry-standard measures to reduce the risks of damage, loss of information, and unauthorized access or use of information. These measures include encryption, access controls, regular security audits, and staff training. However, these measures do not provide absolute information security. Therefore, it is not guaranteed, and you cannot expect that the Service will be immune to information security risks.

6A. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:

• (a) notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by GDPR Art. 33;
• (b) notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Art. 34;
• (c) notify our affected customers (PMCs) without undue delay where we are acting as a data processor, to enable them to fulfill their own notification obligations;
• (d) comply with applicable breach notification requirements under CCPA/CPRA, the Australian Privacy Act, the Mexican LFPDPPP, and any other applicable laws; and
• (e) document all breaches, including the facts, effects, and remedial actions taken.

We maintain an incident response plan and conduct regular testing to ensure timely and effective breach response.

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Specific retention periods are as follows:

• (a) Customer account data: Retained for the duration of the customer relationship and for a period of 3 years thereafter, unless a longer period is required for legal, tax, or regulatory compliance.
• (b) Guest data (processed on behalf of customers): Retained in accordance with the applicable data processing agreement with the customer, and deleted or returned upon termination of the customer relationship or upon the customer's written request.
• (c) Payment and financial data: Retained for the period required by applicable tax and financial regulations (typically 7 years).
• (d) Marketing data: Retained until you withdraw consent or opt out of marketing communications.
• (e) Cookie and analytics data: Retained for up to 26 months from the date of collection.
• (f) Communications data (messages, AI-generated responses): Retained for the duration of the customer relationship and deleted within 90 days of account termination, unless required for legal compliance.

We will notify customers before deleting data where practicable and provide an opportunity to export data in a commonly used, machine-readable format.

8. Data Subject Rights

You have certain rights under applicable data protection laws, such as access, correction, deletion, and data portability. These rights may vary depending on your location, including specific rights under the CCPA, GDPR, and other applicable regulations as detailed below.

9. CCPA Notice and Data Subject Rights

Trellis Tech, Inc. has implemented measures to ensure compliance with the California Consumer Privacy Act ("CCPA") of 2018, as amended by the California Privacy Rights Act of 2020 ("CPRA").

9.1 Right to Know

You have the right to request information regarding the categories and specific pieces of personal information we have collected about you, as well as the sources of that information, the business purpose for collecting it, and what types of third parties we share it with.

9.2 Right to Deletion

You have the right to request that we delete any of your personal information. We will delete any personal information that is not critical to the normal business operation from our records and direct all of our service providers to do the same.

9.3 Right to Non-Discrimination

If you exercise your consumer rights, we will not deny goods or services to you, charge different prices or rates, or provide a different level or quality of goods or services to you.

9.3A Right to Correct

Under the CPRA, you have the right to request that we correct inaccurate personal information that we maintain about you. Upon receiving a verified request, we will use commercially reasonable efforts to correct the inaccurate personal information.

9.3B Right to Limit Use of Sensitive Personal Information

If we collect sensitive personal information (as defined under the CPRA), you have the right to limit our use and disclosure of such information to only what is necessary to perform the services or provide the goods you reasonably expect. We do not use sensitive personal information for purposes beyond those permitted under the CPRA.

9.4 Do Not Sell My Personal Information

We do not sell any information that directly identifies you, such as your name or contact information. However, we do allow advertising networks such as Meta and Google to collect your electronic activity while on our website for retargeted advertising purposes. Under the CCPA/CPRA's broad definitions of "sale" and "sharing," this form of advertising may be considered a sale or sharing of personal information.

If you do not want us to sell or share your personal information with advertisers, you may opt out by:

• (a) visiting https://optout.aboutads.info/;
• (b) using the "Do Not Sell or Share My Personal Information" link on our website; or
• (c) enabling a recognized opt-out preference signal (such as the Global Privacy Control) in your browser.

We will process opt-out requests within 15 business days.

9.5 Authorized Agent

You may designate someone as an authorized agent to make a request under CCPA on your behalf by providing written permission. We will deny a request from an agent that does not submit proof that they have been authorized by you to act on your behalf.

9.6 Request Verification

Before we can respond to any CCPA requests, we will need to verify that you are who you say you are. Verification is important for preventing fraudulent requests and identity theft.

10. GDPR Notice and Data Subject Rights

Trellis Tech, Inc. is committed to protecting and respecting your privacy in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR"). Depending on the context, Trellis acts as either a data controller or a data processor:

• (a) Controller: Trellis is the data controller for personal data of its direct customers (account holders), website visitors, and prospective customers, where Trellis determines the purposes and means of processing.
• (b) Processor: Trellis acts as a data processor when processing guest personal data and property data on behalf of its customers (property management companies), who are the data controllers for such data. In this capacity, Trellis processes data only in accordance with the customer's instructions and the applicable data processing agreement.

We have implemented key measures to ensure compliance with the GDPR, including entering into relevant agreements with our vendors and certain customers, applying security measures including encryption and access controls, training staff, and incorporating relevant policies and procedures within our compliance program.

10.1 Legal Basis for Collecting Personal Data

• Consent (Art. 6(1)(a)): Where required, we collect personal data based on your freely given, specific, informed, and unambiguous consent. We maintain records of all consents obtained. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
• Performance of a Contract (Art. 6(1)(b)): We process personal data where necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This includes processing necessary to provide our Services to customers.
• Legitimate Interests (Art. 6(1)(f)): We may process personal data where necessary for our legitimate interests or those of a third party, provided that such interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include: operating and improving our Services, ensuring network and information security, preventing fraud, and conducting direct marketing to existing customers. We conduct balancing tests to ensure our legitimate interests do not override your rights.

10.2 Your GDPR Rights

You can exercise your GDPR rights by contacting us:

• The right to request a copy of your personal data that Trellis holds about you.
• The right to request that Trellis correct your personal data if inaccurate or out of date.
• The right to request that your personal data be deleted when it is no longer necessary for Trellis to retain such data.
• The right to withdraw any consent to personal data processing at any time.
• The right to request that Trellis provide you with your personal data in a portable format and, if possible, to pass on this information directly to another data controller.
• The right to request a restriction on further data processing, in case there is a dispute in relation to the accuracy or processing of your personal data.
• The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you (Art. 22 GDPR). Where our AI-powered features make automated decisions that significantly affect you, you have the right to obtain human intervention, express your point of view, and contest the decision.
• The right to object to the processing of personal data, in case data processing has been based on legitimate interest and/or direct marketing.
• The right to withdraw your consent at any time, and to submit a complaint to the relevant supervisory data protection authority.

10A. Australian Privacy Act Notice

If you are located in Australia, the following additional provisions apply under the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs"):

• (a) Collection: We collect personal information only by lawful and fair means, and only where it is reasonably necessary for our functions or activities (APP 3).
• (b) Use and Disclosure: We will only use or disclose your personal information for the primary purpose for which it was collected, or for a secondary purpose where you would reasonably expect such use and it is related to the primary purpose (APP 6).
• (c) Cross-Border Disclosure: Before disclosing personal information to overseas recipients (including to the United States where our servers are located), we take reasonable steps to ensure the overseas recipient complies with the APPs (APP 8).
• (d) Access and Correction: You have the right to request access to and correction of your personal information held by us (APPs 12 and 13). We will respond to access requests within 30 days.
• (e) Complaints: If you believe we have breached the APPs, you may lodge a complaint with us at the contact details in Section 12. If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.
• (f) Notifiable Data Breaches: We comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act and will notify the OAIC and affected individuals of eligible data breaches.

10B. Mexican Data Protection Notice (LFPDPPP)

If you are located in Mexico, the following additional provisions apply under the Federal Law on Protection of Personal Data Held by Private Parties ("LFPDPPP") and its Regulations:

• (a) Data Controller: For the purposes of the LFPDPPP, Trellis Tech, Inc. is the data controller ("responsable") for personal data collected directly from you.
• (b) Purposes: Your personal data is processed for the purposes described in this Policy, which constitute both primary purposes (necessary for the service relationship) and secondary purposes (such as marketing and analytics). You may opt out of secondary purposes by contacting us at the details in Section 12.
• (c) ARCO Rights: You have the right to Access, Rectify, Cancel, and Oppose the processing of your personal data ("ARCO rights"). To exercise these rights, please submit a written request to contact@trellistech.com including: your name and contact information, a clear description of the personal data at issue, and any documents supporting your request. We will respond within 20 business days.
• (d) Consent: Where required, we will obtain your consent before processing your personal data. You may revoke your consent at any time by contacting us.
• (e) International Transfers: Your personal data may be transferred to the United States and other countries as described in Section 5. We will inform you of such transfers and obtain your consent where required by the LFPDPPP.
• (f) Cookies: Our use of cookies and tracking technologies is described in Section 4.
• (g) Changes: Any changes to this notice will be communicated as described in Section 11.

11. Changes to this Privacy Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• (a) provide you with at least 30 days' prior notice through the Services' interface and/or by email to the address associated with your account;
• (b) clearly describe the changes and their effective date; and
• (c) where required by applicable law (including GDPR), obtain your consent before the changes take effect.

If you do not agree with the updated Policy, you may discontinue use of the Service and request deletion of your data in accordance with Section 7. We will not terminate your account solely because you decline to accept an amended Policy, but certain features may be unavailable if the changes are necessary for continued service delivery.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: