Privacy Policy

Effective Date: April 19, 2026

Trellis is a product of Trellis Ads LLC, a Utah limited liability company. This Privacy Policy describes how we collect, use, store, and protect your information when you use the Trellis advertising analytics platform at trellisads.com.

1. Introduction

Trellis is an advertising audit and analytics platform for e-commerce businesses. We connect to your advertising platforms (Google Ads, Microsoft Advertising) and e-commerce platforms (Shopify) to generate performance reports and optimization recommendations.

This policy applies to all users of trellisads.com, our APIs, and related services. By creating an account, you agree to these practices.

2. Information We Collect

a. Account Information

When you create a Trellis account, we collect:

• Email address
• Full name
• Company name
• Password (stored as a salted, one-way hash — never in plaintext)

b. Business Profile Data

To calibrate our analysis, we collect business targets you provide:

• Target CPA (cost per acquisition) and ROAS (return on ad spend) goals
• Campaign objectives and strategy preferences
• Profit margins and cost of goods sold (COGS)
• Average order value (AOV)

This data is entered by you and used exclusively to calibrate our analysis to your business goals.

c. Platform Credentials

When you connect your advertising or e-commerce accounts, we store:

• OAuth2 access and refresh tokens
• Service account keys (where applicable)

All credentials are encrypted at rest using industry-standard symmetric encryption. Credentials are only decrypted at the moment of use for API calls on your behalf.

d. Advertising Platform Data

Once connected, we pull the following data from your advertising accounts:

• Campaign structure (campaigns, ad groups, ads)
• Performance metrics (impressions, clicks, conversions, cost, revenue)
• Keywords and search terms
• Quality Scores and ad relevance metrics
• Bid strategies and budget configurations
• Ad copy and asset details

This data is accessed via the Google Ads API and Microsoft Advertising API using your authorized credentials.

e. Order & Revenue Data

If you connect your Shopify store, we access:

• Order totals and subtotals
• Cost of goods sold (COGS) per product
• Hashed customer email addresses (for attribution matching only — we use SHA-256 one-way hashing)
• UTM parameters for order attribution

We never store raw customer email addresses — only irreversible hashes, used solely to match ad conversions to orders.

f. Usage Data

We collect standard usage data to maintain and improve the service:

• API access logs (endpoint, timestamp, response status)
• Feature usage patterns (which reports you generate, which pages you visit)
• Audit history (when audits were run and their configuration)
• Page views and session data via Google Analytics (GA4)

g. Communications

We retain records of transactional emails we send you, including:

• Audit completion notifications
• Credential expiration warnings
• Account security alerts
• Billing and payment confirmations

3. How We Use Your Information

We use your information to:

• Provide audit and analytics services — performance reports, optimization opportunities, and actionable insights across your connected platforms.
• Generate audit reports — campaign metrics are analyzed using artificial intelligence to produce detailed, contextual recommendations.
• Monitor credential health — alerting you to expiring tokens or authorization issues.
• Send transactional notifications — informing you when audits complete, credentials need attention, or important account events occur.
• Internal product analytics — understanding how Trellis is used so we can improve the product (via Google Analytics GA4).
• Process payments — billing is handled through Stripe using your provided payment method.

We do NOT use your information to:

• Sell, rent, or share your personal information with third parties for their advertising purposes
• Use data stored within our platform (your account data, business data, or product usage) to build advertising profiles or target you with ads
• Build behavioral profiles beyond what's needed to provide our service
• Make credit, insurance, or employment decisions
• Train AI models on your business data

We may use cookies and similar technologies on our marketing website to measure advertising effectiveness and reach prospective customers through platforms such as Google and LinkedIn. These activities do not involve data you store within the Trellis product.

De-Identified and Aggregate Data

We may create de-identified, aggregated data derived from your use of the Service. This data does not identify you or any individual end user. We may use aggregate data for any lawful business purpose, including product improvement, benchmarking, and research. Aggregate data is not subject to deletion or portability obligations under this policy.

4. Google API Services User Data Disclosure

As required by Google's API Services User Data Policy, this section addresses our use of Google API data.

Scope requested: https://www.googleapis.com/auth/adwords

Data accessed from Google Ads:

• Campaign structure and hierarchy
• Performance metrics (clicks, impressions, conversions, cost)
• Bid strategies and budget settings
• Keyword reports and Quality Scores
• Ad group structure and ad copy

How this data is used:

Trellis accesses your Google Ads data in a read-only capacity for the sole purpose of generating audit reports and performance analysis. Trellis NEVER makes changes to your Google Ads account — no bid adjustments, no budget changes, no campaign modifications, no keyword additions or removals.

Storage:

Google Ads data is encrypted at rest and stored in PostgreSQL on DigitalOcean infrastructure in San Francisco, United States.

Sharing:

Your Google Ads data is NEVER shared with, sold to, or transferred to any third party. The only exception is that aggregated, non-personally-identifiable campaign metrics are sent to our AI sub-processors for analysis (see Section 6).

Human access:

Your Google Ads data is only accessed by authorized Trellis personnel for debugging purposes, and only with your explicit consent.

Limited Use Disclosure:

Trellis's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

5. Microsoft Advertising Data Disclosure

Scope requested: msads.manage

Data accessed from Microsoft Advertising:

• Campaign structure and hierarchy
• Performance metrics (clicks, impressions, conversions, cost)
• Bid strategies and budget settings
• Keyword reports and Quality Scores
• Ad group structure and ad copy

How this data is used:

Trellis accesses your Microsoft Advertising data in a read-only capacity for audit reports and performance analysis. Trellis does not make changes to your Microsoft Advertising account.

Storage and sharing commitments:

All storage, sharing, and human access policies described in Section 4 for Google Ads data apply equally to your Microsoft Advertising data. Your data is encrypted at rest, never shared with third parties, and only accessed by personnel with your explicit consent for debugging purposes.

6. AI Processing Disclosure

Trellis uses third-party artificial intelligence services to analyze your advertising data and generate audit reports. Our current AI sub-processors are listed in Section 7.

• What is sent: Aggregated campaign metrics — click counts, conversion rates, costs, Quality Scores, keyword statistics, and bid strategy configurations.
• What is NOT sent: No personally identifiable information (PII) is transmitted. We do not send customer names, email addresses, phone numbers, or any data that could identify your end customers.
• AI provider data policies: Our AI sub-processors do not train models on data submitted via their commercial APIs. Your campaign data is processed and discarded.
• Nature of outputs: Audit reports are informational and analytical. They do not constitute financial, legal, or professional advice. Recommendations should be evaluated in the context of your business before implementation.

7. Third-Party Service Providers

We use the following categories of service providers to deliver Trellis. Each is bound by contractual obligations to protect your data:

• Cloud infrastructure providers — application hosting, database, and object storage (PDF reports)
• Payment processors — subscription billing and payment method handling
• Analytics providers — internal product analytics with anonymized IP
• Email delivery services — transactional notifications (audit completion, credential alerts)
• Error monitoring services — application error tracking (stack traces only, no PII)
• AI analysis services — campaign metric analysis for audit report generation (see Section 6)

All service providers are based in the United States. Each receives only the minimum data necessary to perform its function. We do not share your raw advertising data, credentials, or business metrics with any party outside these categories.

8. Data Retention

We retain your data according to the following schedule:

• Account data (email, name, company, preferences): Retained while your account is active. Deleted upon account deletion request.
• Conversion upload data: Automatically deleted after 90 days.
• Attribution check results: Automatically deleted after 180 days.
• Operation logs (API access logs, audit run logs): Automatically deleted after 365 days.
• Audit reports: Retained indefinitely unless you request deletion. You may delete individual reports or request bulk deletion at any time.
• Platform credentials (OAuth tokens, service account keys): Deleted immediately upon platform disconnect or account deletion.
• Payment records: Retained as required by applicable law.

When you delete your account, we remove all associated data within a commercially reasonable period (typically 90 days), except for records retained for legal compliance.

9. Data Security

We protect your data with the following measures:

• Encryption in transit: All data transmitted between your browser and our servers uses TLS/HTTPS. API calls to third-party platforms are also made over encrypted connections.
• Encryption at rest: Platform credentials are encrypted using industry-standard symmetric encryption with key rotation support. Database backups are encrypted.
• Rate limiting: API endpoints are subject to rate limits to prevent abuse and brute-force attacks.
• Account lockout: We implement account lockout protections against brute-force login attempts.
• Multi-factor authentication: Available via TOTP-compatible authenticator apps (Google Authenticator, Authy, 1Password, etc.).
• Admin access controls: Administrative access is restricted by IP whitelist and requires multi-factor authentication.
• Monitoring: We maintain regular security monitoring, alerting, and audit logging for all administrative actions.
• Dependency management: We regularly update dependencies and monitor for known vulnerabilities.

If you believe your account has been compromised, contact us immediately at hello@trellisads.com.

10. Cookies

a. Essential Cookies

These cookies are required for Trellis to function and cannot be disabled.

These cookies do not track you across other websites and are never shared with third parties.

b. Analytics Cookies

We use Google Analytics (GA4) to understand how users interact with Trellis so we can improve the product.

Analytics data is used for understanding feature usage, session patterns, and product performance. It is not used for targeted advertising, behavioral profiling, data sales, or cross-site tracking. IP anonymization is enabled.

c. Advertising and Tracking Cookies

We do not use any advertising, retargeting, or social media tracking cookies. We do not serve ads on Trellis, participate in advertising networks, or embed social media tracking pixels.

d. Managing Cookies

You may opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on, or by adjusting your browser's cookie settings. Blocking essential cookies will prevent you from logging in to Trellis.

We respect Do Not Track (DNT) browser signals. When a DNT signal is detected, analytics cookies are not set.

11. Your Rights

Depending on your jurisdiction, you have the following rights regarding your data:

All Users

• Access: Request a complete copy of all data we hold about you.
• Export: Download your audit reports, account information, and business profile data.
• Deletion: Request deletion of your account and all associated data. We will comply within a commercially reasonable period.
• Credential Disconnect: Revoke platform access at any time via your account settings or by revoking OAuth authorization directly in Google or Microsoft.
• Communication Preferences: Opt out of non-essential notifications at any time. Transactional messages related to account security and credential health cannot be disabled while your account is active.

Utah Residents (UCPA)

Under the Utah Consumer Privacy Act, you have the right to:

• Access and obtain a copy of your personal data
• Delete personal data you have provided
• Opt out of targeted advertising and data sales

Note: Trellis does not sell personal data and does not engage in targeted advertising. These rights are inherently satisfied by our business model.

California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:

• Know what personal information we collect and how it is used
• Request deletion of your personal information
• Opt out of the sale or sharing of personal information
• Non-discrimination for exercising your privacy rights

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

European Union Residents (GDPR)

If the General Data Protection Regulation applies to you, you have the rights of:

• Access, rectification, and erasure
• Data portability (receive your data in a structured, machine-readable format)
• Restriction of processing and objection to processing
• Withdrawal of consent at any time

Our lawful basis for processing is contract performance (providing the service you signed up for) and legitimate interest (product improvement and security).

To exercise any of these rights, contact us at hello@trellisads.com. We will respond within 30 days.

12. Children's Privacy

Trellis is a business-to-business advertising analytics platform. It is not directed at individuals under 16 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will delete that information promptly.

13. International Data Transfers

All Trellis data is stored and processed in the United States (DigitalOcean, San Francisco region).

If you access Trellis from outside the United States, your data will be transferred to and processed in the United States. By using Trellis, you consent to this transfer. We rely on standard contractual clauses and other appropriate safeguards where required by applicable law.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

• We will provide 30 days' notice before the changes take effect.
• Notice will be delivered via email to your registered address and displayed as a banner within the Trellis application.
• Continued use of Trellis after the 30-day notice period constitutes acceptance of the updated policy.

Changes required to comply with applicable law or address security concerns may take effect immediately. Non-material changes (formatting, clarifications) may be made without notice. The effective date at the top always reflects the most recent revision.

15. Contact Us

If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how your information is handled:

Trellis (Trellis Ads LLC) Utah, United States hello@trellisads.com

We aim to respond to all privacy-related inquiries within 5 business days.