Legal
Privacy Policy.
What we collect, what we don't, and what you can do about it.
The short version
- We collect the minimum needed to run the service — your email, account info, and encrypted OAuth tokens.
- We don't collect your content. We read field names and up to 3 sample rows during setup. We don't store your Airtable records or Webflow CMS items.
- Stripe handles payments. We never see or store your credit card number.
- No tracking cookies, no ad networks, no data sales. We use one auth cookie and that's it.
- You can delete your data anytime. Email us and we'll wipe everything.
Last updated: March 23, 2026
1. Who We Are
Trellis is operated by Pitch Space LLC. When this policy says "we," "us," or "our," it refers to Pitch Space LLC and the Trellis service at trelliscms.com.
2. What We Collect
Account information
When you sign up, we collect your email address and create an account record. If you sign up with Google, we receive your name and email from Google's OAuth flow.
OAuth tokens (encrypted)
When you connect Airtable or Webflow, those platforms issue an access token scoped to your account. We encrypt this token using AES-256-GCM before storing it in our database. The token is only decrypted when we need to make an API call on your behalf. See our Security page for technical details.
Configuration data
Your CMS configuration — which content types you selected, field mappings, sync settings, and site setup preferences — is stored in our database to provide the service.
Usage data
We collect basic usage information: which features you use, when you use them, and general interaction patterns. This helps us improve the product. We do not track your browsing across other sites.
3. What We Don't Collect
Your content
Trellis reads your field names and up to 3 sample rows per table during the setup flow. This data is used in your browser to help you configure your CMS — it is not stored on our servers. We do not store, index, or analyze your Airtable records or Webflow CMS items.
Payment information
All payment processing is handled by Stripe. Your credit card number, billing address, and payment details are sent directly to Stripe and never touch our servers. We only receive a Stripe customer ID and subscription status.
Passwords for connected services
We never see or store your Airtable or Webflow passwords. OAuth means you authenticate directly with those platforms — we only receive a scoped token.
4. How We Use Your Data
- Authentication: To verify your identity and secure your account.
- Providing the service: To connect your platforms, create CMS structures, sync content, and manage your configuration.
- Improving the product: To understand which features are used, identify bugs, and make Trellis better.
- Communication: To send you account-related emails (password reset, subscription changes, service notifications). We don't send marketing emails unless you opt in.
5. Third Parties
We share data with the following third parties, only as needed to provide the service:
| Service | Purpose | Data shared |
|---|---|---|
| Firebase (Google Cloud) | Hosting, authentication, database | Account data, configuration, encrypted tokens |
| Stripe | Payment processing | Email, plan selection (Stripe handles all payment info) |
| Airtable API | Schema discovery, content sync | Your OAuth token (to access your own data) |
| Webflow API | Schema discovery, CMS operations | Your OAuth token (to access your own data) |
| OpenAI | Optional AI-powered field suggestions | Field names and content type context (no user content) |
We do not sell, rent, or share your personal data with any other third parties. We do not use ad networks or data brokers.
6. Data Retention
- Active accounts: Your data is retained as long as your account is active.
- Deleted accounts: When you delete your account, we remove your account data, encrypted tokens, configuration data, and sync logs from our systems within 30 days.
- OAuth tokens: Encrypted tokens are deleted immediately when you disconnect a platform or delete your account.
- Backups: Automated database backups may retain deleted data for up to 30 days before being purged.
7. Your Rights
You have the right to:
- Access: Request a copy of all data we hold about you.
- Correction: Update inaccurate information in your account.
- Deletion: Request complete deletion of your account and all associated data.
- Data export: Request a machine-readable export of your configuration data.
- Disconnect: Revoke Trellis's access to your Airtable or Webflow account at any time, either in Trellis or directly in those platforms.
To exercise any of these rights, email skye@trelliscms.com. We respond within 5 business days.
8. Cookies
Trellis uses one essential cookie: your Firebase authentication session token. This keeps you logged in. It is not used for tracking.
We do not use analytics cookies, advertising cookies, or third-party tracking scripts. No cookie banner is needed because we don't use optional cookies.
9. Children
Trellis is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us and we'll delete it.
10. International Data
Trellis is hosted on Google Cloud Platform in the United States. If you use the Service from outside the US, your data will be transferred to and processed in the United States. Google Cloud maintains appropriate safeguards for international data transfers.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email at least 14 days before they take effect. The "last updated" date at the top reflects the most recent revision.
12. Contact
Questions about this privacy policy or how we handle your data? Email skye@trelliscms.com.