Cellar← Home

Privacy

Privacy Policy

Last updated June 2026

Cellar is operated by PM Frontier LLC, a Wyoming limited liability company. This Privacy Policy explains how PM Frontier LLC collects, uses, and protects information through Cellar.

What we hold

The documents you add and the details extracted from them, all encrypted. Minimal account information: email, region, language, preferences, optional date of birth if you provide it for clinician packets, and optional biological sex if you provide it to tailor the general reference ranges shown next to your biomarkers. Your name, date of birth, and sex are stored encrypted, like the rest of your identity. Sex is used inside your own account and, when on file, is included by default on shared packets; you can remove it in the packet builder before sharing. Non-sensitive metadata in plaintext for ordering, such as dates and categories. An append-only log of AI processing calls that records only metadata (model, token counts, timing), never the content.

How we use it

Only to provide the product: to read, organize, chart, and share your records at your request, and to operate your account and billing. We never sell your data, never track you for analytics, never use it for advertising, and never use it to train AI models.

No analytics or tracking

We don’t run product analytics or behavioral tracking. Cellar has no Google Analytics, no advertising or marketing pixels, no session recording, and no third-party tracker of any kind, and we set no advertising cookies. We never profile you or follow you across other sites. The only diagnostic data we send off the app is error reports (crashes and failures) used to keep the product working; record content, document names, share tokens, and identifiers are scrubbed before an event leaves the app. That error monitor is listed on our subprocessors page. To understand which channels help people find Cellar, we record one coarse detail when you create an account: the tagged link or campaign you arrived through, such as an ad or a partner link, if any. It is first-party, used only in aggregate, included in your export, and destroyed when you delete your account. The first-party cookies we set keep you signed in, remember your preferences, and, if you arrive through a tagged link, briefly hold which link it was so we can count it when you sign up.

Legal basis

For account, storage, export, delete, billing, and security operations, we process data to provide the service you ask us to provide, meet legal obligations, and protect the product. Because health records can include sensitive data, AI reading and organization is controlled by your explicit consent. You can turn that consent off in Settings.

AI processing

When AI processing is on, a document is decrypted transiently in your assigned processing region and sent to a third-party AI model under no-training processing terms. The specific provider is named on our subprocessors page. You can turn AI off at any time in Settings; we’ll still store your documents, but won’t extract from them.

Retention

We keep your account and records while your account is open, including read-only grace periods after billing changes. You can export or permanently delete your account from Settings. Document deletion hides derived details, purges the stored ciphertext blob when possible, and removes that document from any active share links that included it; those links stay live without it. Account deletion also asks your browser to clear Cellar cache, cookies, and local storage.

Subprocessors

We use a small set of vetted infrastructure providers. They are listed, with their purpose and region, on our subprocessors page.

Your rights

Access and export your full record in one tap. Delete your account permanently at any time. Deletion destroys your encryption key, making your data irrecoverable. Where local law grants further rights, including under the GDPR and UK GDPR, we honor correction, restriction, portability, objection, and complaint rights; use Settings to start a structured request or contact us.

Automated decisions

Cellar does not make decisions about your care, eligibility, insurance, employment, or access to services. It organizes and restates your records, with source links, for you and the clinicians you choose to share with. Shared links are time-limited and revocable. Settings shows when a link was opened, and unless you turn it off there, Cellar emails you each time one is. Cellar records that a link was opened, never who opened it, where, or on what device.

Region & availability

We assign a processing region based on your selected country. EU/UK/EFTA accounts use the EU region; most other served markets use the US region while we add more local infrastructure. Some regions aren’t available yet.

International transfers & breaches

When a subprocessor operates across borders, we rely on data-protection agreements and transfer safeguards appropriate to the region. If we discover an unauthorized disclosure or security incident involving identifiable health information, we will evaluate and provide required notices under applicable law.

Children

Cellar is for adults. You must be 18 or older to create an account.

Contact

Questions or requests: privacy@carecellar.com.

Privacy · Cellar