PRIVACY POLICY

Trellis.ph

Effective Date: 8 May 2026

Trellis.ph ("we," "our," or "us") is committed to protecting personal data and strictly complies with the Philippine Data Privacy Act of 2012 (R.A. 10173), its Implementing Rules and Regulations, and all applicable issuances of the National Privacy Commission (NPC).

This Privacy Policy explains how we collect, use, store, protect, and dispose of personal data when you use Trellis.ph. Our platform is an integrated SaaS solution providing end-to-end tools for HR, Business Connectivity, and Operations powered by Artificial Intelligence (AI). This includes our human resources, enterprise resource planning, customer relationship management, internal communications, Job Board, and Applicant Tracking System (ATS) features.

1. Legal Roles: Controller vs. Processor

To understand your privacy rights, it is critical to know how Philippine law classifies our relationship based on how you use the platform:

• For Employees and Employer Data: When a Client (Employer) uses Trellis.ph for HR, ERP, or ATS operations, the Client acts as the Personal Information Controller (PIC). Trellis.ph acts strictly as the Personal Information Processor (PIP), processing data only on the Client's instructions. The Client is legally responsible for obtaining explicit consent and providing manual alternatives to biometric tracking.
• For Public Job Seekers: When you create a profile directly on the Trellis.ph Public Job Board as an independent applicant, Trellis.ph acts as the PIC for your base profile data. When you submit an application or allow your profile to be viewed by a specific Employer, that Employer also becomes an independent PIC of the data they receive.

2. Information We Collect

We collect personal data strictly to deliver our SaaS features. Depending on the tools utilized, this may include:

• Applicant and Candidate Data: Resumes, CVs, portfolios, employment history, interview notes, and contact details submitted via the Trellis.ph Job Board or ATS.
• Personal Identification: Names, email addresses, phone numbers, and emergency contacts.
• Employment and Financial Data: Attendance logs, payroll computations, tax slab data, job details, performance records, and expense claims.
• Biometric Data (Facial Recognition): Mathematical facial templates (face maps) captured securely during check-in and check-out to verify identity and prevent attendance fraud.
• Geolocation Data (GPS): GPS coordinates captured strictly during active work shifts (when an employee is "Checked-In") to verify authorized field presence.
• Communications Data: Internal chat logs, emails sent through the platform, and call summaries.
• Technical Information: IP addresses, device data, cookies, and account activity logs.

3. Purpose of Processing

Personal data is processed on behalf of our Clients and Users to:

• Host a Public Job Board to allow candidates to discover open roles and enable registered Clients to search for prospective talent.
• Facilitate the recruitment lifecycle, including job postings, resume parsing, and applicant tracking.
• Deliver automated HR, payroll, and operational services.
• Ensure accurate attendance tracking and prevent identity fraud via biometrics.
• Verify authorized field presence via shift-based geolocation tracking in compliance with labor guidelines (DOLE D.O. 238-23).
• Facilitate internal team communications and CRM pipeline management.
• Operate, maintain, troubleshoot, and secure the Trellis.ph platform.

4. Data Storage and Security Architecture

We implement strict, "Privacy by Design" security measures to protect your data from unauthorized access or breaches:

• Server-Side Storage: Biometric templates, applicant resumes, and GPS logs are not stored locally on your mobile device. They are immediately transmitted to and stored on Trellis.ph's highly secured cloud servers.
• Security Mechanics: Trellis.ph utilizes a robust security architecture. This includes PBKDF2 + SHA256 hashing for user passwords, Fernet symmetric encryption for system API secrets, and mandatory TLS/HTTPS encryption for all data in transit. We also utilize built-in mitigations against SQL Injection and Cross-Site Scripting (XSS).
• Access Controls: We deploy strict Role-Based Access Control (RBAC) and data-level permissions to ensure only authorized Client administrators, recruiters, or HR personnel can view sensitive employment or applicant data.

5. Artificial Intelligence (AI) and Analytics

Trellis.ph utilizes AI to provide advanced insights, system optimizations, and talent acquisition tools:

• AI Job Matching (Automated Profiling): For users of the Public Job Board and ATS, our AI analyzes candidate resumes, skills, and historical data against open job postings to suggest optimal matches. This automated processing is designed to enhance discoverability. Trellis.ph does not make final hiring decisions; all recruitment outcomes are determined solely by the hiring Client.
• Tenant-Specific Analytics: AI insights generated specifically for an Employer's internal HR data are processed within a secure environment and are never shared with other organizations.
• Anonymized Global Training: We use strictly anonymized and aggregated data (stripped of names, contact details, and identifying markers) to train and improve our core AI models.
• Protection of Sensitive Data: Under no circumstances will Trellis.ph use raw Biometric Data, applicant resumes, un-anonymized Personal Identifiable Information (PII), or confidential employee files to train global AI models.

6. Data Retention and Disposal

We follow the principle of proportionality regarding how long data is kept, strictly adhering to our Terms of Service:

• Job Applicants and Candidates: Candidate data submitted via the Job Board or ATS is retained according to the specific recruitment policies of the Client. Once the Client initiates a data purge or the applicant requests deletion, the data is permanently destroyed.
• Active Employment: Data is retained for as long as you are actively employed by the Client and utilizing the platform.
• Post-Employment: Upon resignation or termination, biometric and employment records are retained for a maximum of five (5) years to align with the legal prescriptive periods for labor claims and DOLE audits in the Philippines. After 5 years, the data is securely and permanently destroyed.
• Subscription Termination: If the Client terminates their Trellis.ph software subscription, all associated data (including biometrics and applicant pipelines) is permanently purged from our active servers within thirty (30) days to allow for Client export, except where retention is otherwise required by Philippine law.

7. Data Sharing and Visibility

Trellis.ph does not sell personal data. We only share personal data with:

• Hiring Employers (Via Job Board): If you create a Public Job Board profile and set your visibility to "Public," your professional profile (excluding private contact details until authorized) may be viewed by registered Client employers searching for candidates. If you apply for a specific role, your full application data is shared directly with that Employer.
• Employers and Administrators (Internal SaaS): The specific Client organization that controls and manages your active employee account.
• Authorized Sub-Processors: Vetted third-party cloud hosting providers or payment gateways necessary to run the platform infrastructure. All sub-processors are bound by strict Data Processing Agreements.
• Government Authorities: Only when legally compelled by a valid court order, warrant, or regulatory requirement.

8. Client ATS and B2C Responsibilities

For Clients utilizing our platform to process the data of job applicants or end-customers, the Client remains the sole PIC of that data. Clients are legally required to maintain, display, and enforce their own external Privacy Policies for their candidates and customers. Trellis.ph processes this data strictly to host the platform on their behalf.

9. Data Subject Rights

Under the Data Privacy Act of 2012, individuals have the right to be informed, access, correct, delete, or restrict their personal data, as well as the right to damages and data portability. You also have the right to withdraw consent.

Because Trellis.ph acts primarily as the Processor for corporate accounts, job applicants and employees wishing to exercise their privacy rights must submit requests directly to the Hiring Company's or Employer's HR department or designated Data Protection Officer (DPO). The Employer will then instruct Trellis.ph on how to execute the technical changes. Independent public job seekers may manage their data directly within their account settings.

9.1 In-App Account Deletion

All Users — including employees managed under a Client Employer's workspace and independent public job seekers — may permanently delete their Trellis.ph user account at any time, directly within the iOS, Android, and Web apps. The deletion flow is fully self-service; no phone call, email, or customer service ticket is required.

To delete your account:

1. Open the Trellis.ph app (iOS, Android, or Web).
2. Navigate to Profile → Security → Delete Account.
3. Confirm the request via the in-app confirmation prompt (you will be asked to re-enter your email address as a safety check, and — if you are the sole owner of any company workspace — to nominate a replacement owner so the workspace is not orphaned).

Upon confirmation, the User's authentication credentials, social-login bindings (Google, Apple), saved preferences, and personal profile data are permanently and irreversibly destroyed. The User is immediately signed out of all active sessions and devices, and the account cannot be recovered.

Employer-controlled records: Where the User is an active employee of a Client Employer, employment records (attendance, payroll, biometric face maps, leave history, COA, expense claims, etc.) remain owned and controlled by the Employer as Personal Information Controller, and follow the retention schedule in Section 6 above (including the five-year DOLE post-employment retention period required by Philippine labor law). To request deletion of these Employer-controlled records, contact the Employer's HR department or DPO. In-app account deletion severs the User's ability to log in but does not unilaterally purge these records, in keeping with Philippine labor compliance requirements.

10. Cookies, Tracking, and Advertisements

Trellis.ph uses cookies and similar tracking technologies to maintain session security and analyze platform usage. Users may manage their cookie preferences through their web browser settings.

Free Tier Users: For Clients, applicants, and Users accessing a free or basic tier of Trellis.ph (including the free Job Board), the platform may display third-party advertisements. These third-party ad networks may use their own cookies or trackers to deliver relevant ads. Trellis.ph does not share your raw PII, resumes, or biometric data with these advertisers.

For full details, see our Cookie Policy.

11. Changes to This Policy

This Privacy Policy may be updated periodically to reflect changes in NPC regulations, legal precedents, or platform features. Material changes will be communicated directly through the platform interface or via email to Client administrators.

12. Contact Information

If you have questions, concerns, or require technical assistance regarding how the Trellis.ph platform handles privacy and security, you or your Employer's DPO may contact our privacy team at:

Trellis.ph Data Privacy Team

Location: Makati City, Metro Manila, Philippines

Email: DPO@trellis.ph