Trellis

Privacy Policy

Trellis — AI-Powered K-12 Tutoring Platform · trellislearn.com

Last Updated: 20 March 2026

1. Who We Are

Trellis is operated by Clario Technologies Ltd (company number 17097330), registered at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.

We provide AI-powered tutoring services for students aged 5 to 18. Our platform helps students learn through interactive conversations with an AI tutor, covering their school curriculum across Study, Test, and Practice modes.

For data protection purposes, Clario Technologies Ltd is the data controller. This means we are responsible for deciding how we hold and use personal information about you and your child. This policy complies with the UK GDPR, the Data Protection Act 2018, and the EU General Data Protection Regulation (GDPR) for users located in the European Economic Area.

Contact details:
Email: hello@trellislearn.com
Website: trellislearn.com

2. What Data We Collect

We collect and process the following information:

Account Information

  • Email address (passed to us by your sign-in provider)
  • Name (passed to us by your sign-in provider)
  • A stable user ID from your sign-in provider
  • Account role (student, parent, or tutor)
  • Account creation date

Student Profile

  • Year level (e.g., Year 7, Grade 10)
  • Curriculum (e.g., GCSE, CBSE, IB)
  • Subjects being studied

Learning Activity

  • Study sessions, test sessions, and assignment sessions
  • Topics and subjects covered
  • Quiz scores and test results
  • Duration and status of learning sessions
  • Learning objectives and mastery levels
  • Full conversation history between the student and AI tutor (text-mode chat)
  • Voice conversation transcripts — text only, not audio. When voice mode is used, a third-party speech-recognition service transcribes audio to text in real time; we store those transcripts the same way we store text-mode chat history.

Uploaded Content

  • Photos of textbooks, homework, or handwritten notes
  • Text extracted from these images

Technical and Usage Information

  • Authentication tokens (stored temporarily in your browser)
  • API usage logs (which AI model was used, token counts, estimated costs for internal tracking)
  • Error logs and diagnostic information (if you consent to error tracking)

What We Don't Collect

We do not collect:

  • Payment card details — cards are handled directly by a PCI-DSS Level 1 certified payment processor; we never see your card number.
  • Voice audio. Audio frames are streamed to our voice processing provider for real-time transcription and tutor speech generation; neither we nor the provider retain the audio after the session ends. Only the resulting text transcripts are stored (see "Learning Activity" above).
  • Traditional tracking cookies for advertising or analytics
  • Browsing history outside of Trellis

3. How We Use Your Data

We use your data for the following purposes, each with a lawful basis under UK GDPR:

To Provide the Tutoring Service

Legal basis: Performance of a contract (your agreement to use Trellis)

  • Authenticate your account and maintain secure access
  • Generate personalised AI tutoring responses based on your child's learning needs
  • Track progress, quiz scores, and mastery of learning objectives
  • Store conversation history so learning context is maintained across sessions
  • Process uploaded images (homework, textbook pages) to provide relevant help
  • Deliver educational content, including text-to-speech audio

To Improve and Maintain the Service

Legal basis: Legitimate interests (ensuring service quality and security)

  • Monitor errors and diagnose technical issues
  • Analyse usage patterns to improve teaching effectiveness
  • Track API costs to optimise service efficiency
  • Maintain security and prevent abuse

To Communicate with You

Legal basis: Performance of a contract / Legitimate interests

  • Send service-related notifications (e.g., account confirmation)
  • Respond to your questions or support requests
  • Notify you of important changes to the service

To Comply with Legal Obligations

Legal basis: Legal obligation

  • Respond to lawful requests from authorities
  • Comply with data protection and other applicable laws

Optional Error Tracking

Legal basis: Consent

  • If you consent, we use a third-party error-monitoring provider to capture detailed error information that helps us fix bugs. This provider is configured to not automatically collect personally identifiable information.

What We Don't Do with Your Data

  • We never sell your data to third parties
  • We never use your data for advertising
  • We never share student data with schools, employers, or other educational institutions without your explicit consent

4. Children's Privacy

Trellis is designed primarily for K-12 learners, and many of our learners are children. We take children's privacy seriously and comply with UK GDPR requirements for processing children's data, regardless of which learners on an account happen to be under 18.

Parental Responsibility

When you create a Trellis account using a third-party sign-in provider, you (the parent or legal guardian) are the account holder. The account and all data associated with it are under your control.

Under UK GDPR (Article 8, as applied in the UK under the Data Protection Act 2018), children under 13 require verifiable parental consent for online services that process their personal data. Since you create the account as the parent using your own sign-in credentials, you are providing this consent.

What This Means

  • You control your child's Trellis account
  • You can review, modify, or delete your child's data at any time
  • All data rights (access, deletion, etc.) are exercised by you as the parent
  • Account-level communications — billing, security alerts, policy updates — go only to you, never directly to your child. The tutoring product itself, of course, converses with your child during a session; that is the service.

Age-Appropriate Design

We follow the UK Information Commissioner's Office (ICO) Age Appropriate Design Code principles:

  • We collect only the data necessary to provide tutoring
  • Default settings prioritise privacy
  • We provide clear, age-appropriate information about how data is used
  • We do not use children's data for profiling, advertising, or other purposes beyond education

United States — COPPA Compliance (children under 13)

The U.S. Children's Online Privacy Protection Act (COPPA, 16 CFR Part 312) requires verifiable parental consent before an online service knowingly collects personal information from children under 13. Trellis complies as follows.

What we collect from your child. First name, year level, curriculum, country, and learning interactions: tutoring conversations (text, and during voice mode, transient audio frames that are transcribed but not retained); quiz and test responses; uploaded homework and study materials; progress and mastery measurements; XP and session metadata. We do not knowingly collect home addresses, phone numbers, photographs of the child, geolocation, persistent device identifiers, or biometric data.

How we obtain verifiable parental consent. The parent or legal guardian creates the account (using their own sign-in credentials) and reviews this Privacy Policy at signup. The act of completing the subscription payment serves as verifiable parental consent under COPPA, using the FTC-recognised credit/debit card transaction method (16 CFR §312.5(b)(2)(ii)). We record the parent's identity, the consent timestamp, and the payment transaction ID as the verification artifact. Until the parent has provided this consent, Trellis does not enable any tutoring, AI conversation, or other personal-information-collecting feature for the child.

How a parent can exercise COPPA rights.

  • Review — sign in to the account dashboard to view your child's profile and learning history.
  • Delete — use Account settings → Delete account, or contact us. We honour deletion requests within 30 days (a deletion window during which the parent can reverse the request); after that, all of the child's data is permanently erased.
  • Refuse further collection — cancel the subscription. The paywall stops further data-collecting interactions immediately. The existing record is retained only as long as the subscription window allows for refunds (typically until period end), then follows the deletion path above.
  • Questions — contact us at hello@trellislearn.com for any COPPA-related inquiry. We respond within 7 days.

Conditioning use on data collection. Trellis does not condition the child's participation on the collection of more personal information than is reasonably necessary to provide the tutoring service.

Third-party disclosure. We do not sell or share children's personal information with third parties for their own purposes. The third-party services listed in Section 5 process children's data only as our service providers under written data-processing terms, and only as needed to deliver the tutoring service.

5. Third-Party Services and International Transfers

To provide Trellis, we work with carefully selected third-party services. Some of these are located outside the UK, which means your data may be transferred internationally. We ensure appropriate safeguards are in place.

AI processing providers (United States)

What they process: Text and image messages between students and the AI tutor; uploaded images analysed for tutoring help; during voice mode, live audio frames for real-time speech-to-text transcription and tutor speech generation. Conversation transcripts (text only) are stored by us; audio is not retained.

Safeguards: UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge). Provider API terms state customer data is not used to train their models.

Data location: United States

File storage providers (Global, UK/EU residency available)

What they process: Uploaded student files (photos of textbooks, homework, notes). Encrypted at rest and in transit.

Safeguards: UK GDPR compliant; UK/EU data residency options.

Application hosting providers (United States)

What they process: Host our backend application infrastructure.

Safeguards: UK-US Data Bridge.

Data location: United States

Authentication providers (Global)

What they process: Account sign-in via the third-party identity provider you choose. The provider passes us your email address, name, and a stable user ID for the account.

Safeguards: Standard Contractual Clauses; UK GDPR compliant.

Data location: Global infrastructure (varies by provider)

Payment processing providers (Global)

What they process: Payment card details for subscriptions. Cards are handled directly by a PCI-DSS Level 1 certified processor — Trellis never sees or stores your card number.

Safeguards: PCI-DSS Level 1; UK GDPR compliant.

Data location: Global infrastructure

Optional error monitoring providers (United States — consent required)

What they process: If you consent, error logs and diagnostic information. The provider is configured to not automatically capture personally identifiable information.

Safeguards: UK-US Data Bridge; Standard Contractual Clauses.

Data location: United States

Transactional email service providers (European Union)

What they process: Your email address and the contents of transactional emails (account-related notifications: cancellation confirmations, account deletion confirmations, and similar service messages). Delivery metadata only — no behavioural tracking, no marketing.

Safeguards: UK GDPR compliant; Standard Contractual Clauses where applicable.

Data location: European Union

Search API providers (United States)

What they process: Search query text used to retrieve educational images for tutoring sessions. Queries do not include user identifiers.

Safeguards: UK-US Data Bridge; Standard Contractual Clauses.

Data location: United States

UK-US Data Bridge

The UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge) is a mechanism approved by the UK government that allows UK organisations to transfer personal data to certified US companies with adequate protections. This ensures your data transferred to the United States receives protections equivalent to UK GDPR.

6. How We Store and Protect Your Data

We take data security seriously and implement appropriate technical and organisational measures:

Security Measures

  • Encryption in transit: All data sent between your device and our servers is encrypted using HTTPS (TLS/SSL)
  • Encryption at rest: Uploaded files are encrypted in our object storage
  • Authentication: Secure JWT (JSON Web Token) authentication with short expiry times (30 minutes)
  • Access control: Role-based access control ensures users can only access appropriate data
  • Rate limiting: API endpoints have rate limits to prevent abuse
  • Password hashing: Where applicable, passwords are hashed using industry-standard algorithms
  • Regular security reviews: We regularly review our security practices

Data Storage Location

Your data is stored across multiple services (listed in Section 5). We use cloud infrastructure with redundancy and backup systems to prevent data loss.

Access to Your Data

Access to your data is restricted to:

  • Authorised Trellis personnel who need access to provide support or maintain the service
  • Third-party processors (listed in Section 5) who process data on our behalf under contract
  • Authorities, if required by law

Limitations

While we implement strong security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to protect your data using industry best practices.

7. How Long We Keep Your Data

We retain your data for as long as necessary to provide the service and comply with legal obligations:

Active Accounts

  • Account data: Retained while your account is active
  • Learning history: Retained while your account is active to maintain continuity of learning
  • Conversation history: Retained while your account is active to provide context for future tutoring sessions
  • Uploaded files: Retained while your account is active

Temporary Data

  • Authentication tokens: Expire after 30 minutes
  • Text-to-speech audio: Streamed in real-time and not stored

After Account Deletion

When you request deletion of your account (see Section 8), we will delete:

  • Your account information
  • All student profiles associated with the account
  • All conversation history
  • All uploaded files
  • All learning session data and performance records

Deletion is completed within 30 days of a verified deletion request.

Legal Retention

We may retain certain data for longer periods if required by law (e.g., financial records for tax purposes, or data subject to legal hold).

Anonymised Data

We may retain anonymised or aggregated data (data that cannot identify you or your child) indefinitely for research and service improvement purposes.

8. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights regarding your personal data and your child's data:

Right of Access (Article 15)

You can request a copy of all personal data we hold about you and your child. This is commonly known as a "subject access request."

Right to Rectification (Article 16)

You can ask us to correct any personal data that is inaccurate or incomplete. You can also update most information directly through your Trellis account settings.

Right to Erasure / "Right to be Forgotten" (Article 17)

You can request that we delete your personal data and your child's data. We will comply unless we have a legal obligation to retain certain information.

Right to Restrict Processing (Article 18)

You can ask us to temporarily restrict how we use your data in certain circumstances (e.g., while we verify the accuracy of data you've challenged).

Right to Data Portability (Article 20)

You can request a copy of your data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) so you can transfer it to another service.

Right to Object (Article 21)

You can object to processing of your data where we rely on legitimate interests as the legal basis. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Rights Related to Automated Decision-Making (Article 22)

While Trellis uses AI to generate educational content and tutoring responses, we do not use automated decision-making that produces legal effects or similarly significant effects on you or your child (such as automated grading that determines school progression, university admission, or employment). The AI tutor is an educational tool to support learning, not to make consequential decisions about your child.

However, if you have concerns about how AI is used in your child's learning, you have the right to request human review and explanation.

Right to Withdraw Consent

Where we process data based on your consent (e.g., optional error tracking), you can withdraw your consent at any time. This will not affect the lawfulness of processing before you withdrew consent.

Right to Limit Use of Sensitive Personal Information

Trellis does not collect or process the categories of "sensitive personal information" defined under California Civil Code §1798.140(ae) (such as government identifiers, account log-in credentials with passwords, precise geolocation, racial or ethnic origin, religious or philosophical beliefs, contents of mail or messages, genetic or biometric data, health information, or sexual orientation). Because we do not process sensitive personal information, no limitation right needs to be exercised.

Right to Non-Discrimination

We will not deny, charge different prices for, or provide a different quality of service to anyone who exercises their privacy rights. Exercising these rights does not affect your use of Trellis in any way.

How to Exercise Your Rights

To exercise any of these rights, email us at: hello@trellislearn.com

We will respond to your request within one month. If your request is complex or we receive multiple requests, we may extend this by up to two additional months, and we'll let you know.

We may need to verify your identity before fulfilling your request. We will not charge a fee unless your request is clearly unfounded, excessive, or repetitive.

Right to Complain

If you believe we have not handled your data properly, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

9. Cookies and Local Storage

Trellis does not use traditional cookies for authentication or tracking in the tutoring app.

What We Use Instead (in the app)

We use browser localStorage to store your authentication token (JWT) after you sign in. This token:

  • Keeps you signed in during your session
  • Expires after 30 minutes for security
  • Is stored only on your device
  • Is not sent to third parties
  • Can be cleared by signing out or clearing your browser data

Third-Party Services

Some third-party services we use (such as your chosen sign-in provider) may set their own cookies. These are governed by those providers' own privacy policies, which you should review independently.

Analytics on the Marketing Site

We use a third-party analytics provider on our marketing website (trellislearn.com) to understand how visitors find and use the site. Analytics cookies are only stored after you click "Accept" on our cookie banner (Consent Mode v2 default-denied). If you decline, no analytics cookies are stored.

The cookies (where consented) collect anonymised usage data such as pages visited, time on site, and referral source. They do not identify you personally. You can change your choice at any time using the "Cookie preferences" link in our footer.

Essential vs Optional

The localStorage token is essential for the tutoring service to function — without it, you cannot stay signed in. Analytics cookies on the marketing website are optional and require your consent.

10. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

How We'll Notify You

  • We will update the "Last updated" date at the top of this policy
  • For significant changes, we will notify you by email at the address associated with your account
  • We may also display a notice on the Trellis website or dashboard

Your Continued Use

By continuing to use Trellis after changes to this policy take effect, you accept the revised policy. If you do not agree with the changes, you should stop using the service and request deletion of your data.

Version History

Previous versions of this policy are available upon request. Email hello@trellislearn.com if you would like to review an earlier version.

11. How to Contact Us

Data Controller

Clario Technologies Ltd
Company number: 17097330
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
United Kingdom

Privacy Questions and Requests

For any questions about this privacy policy, or to exercise your data rights, contact us at:

Email: hello@trellislearn.com

What to Include in Your Request

To help us process your request quickly, please include:

  • Your full name
  • The email address associated with your Trellis account
  • A clear description of your request (e.g., "I would like to delete my account and all associated data")
  • Any relevant details that help us verify your identity

Response Time

We aim to respond to all privacy-related enquiries within one month. For complex requests, we may extend this by up to two additional months and will inform you of the extension.

ICO Registration

Clario Technologies Ltd is registered with the UK Information Commissioner's Office (ICO) as a data controller under registration number ZC108675. Our entry is publicly viewable on the ICO's public register.

This privacy policy is effective as of the date listed at the top of this page. It applies to all users of Trellis, regardless of when they created their account.