Security

How Cellar protects your records

Last updated June 2026

We describe our security plainly, and we only claim what's true. Cellar is built to the data-protection standard hospitals require — here's exactly how.

Encryption

Every document and every extracted detail is encrypted at rest with envelope encryption: a unique data key per record, wrapped by a per-account key, wrapped in turn by a key-management service. Only minimal, non-sensitive metadata (dates, categories) is kept in plaintext, to order your timeline. Everything is encrypted in transit with TLS.

How processing works — stated honestly

To read, translate, and organize a document, Cellar decrypts it transiently, in your region, and sends it to our processing model (Anthropic’s Claude) under a no-training, no-retention agreement. The model keeps nothing. There is no staff path to your records: the only systems that ever see plaintext are the processing pipeline and your own authenticated requests.

This is “compliant processing,” not an architecture where the operator is technically incapable of access. We don’t claim otherwise. Our roadmap moves processing into a confidential-computing enclave so that even we cannot observe plaintext during processing — processing already sits behind a single interface, so that move is a swap, not a rewrite.

Accuracy & source-grounding

A wrong fact in a medical record is a safety issue, so we engineer against it. Extraction runs as a multi-step pipeline with self-verification; every fact is grounded to the exact page and text it came from; and anything low-confidence or conflicting is routed to a review queue and never added to your record on its own. The original document is always preserved.
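The routing described above, written out as an added Go example. It is not Cellar's pipeline; the field names, the confidence floor of 0.85 and the sample pages and facts are constructed for illustration. It shows the three gates a fact must pass before it may enter a record: the cited quote must actually appear on the cited page, the extractor's confidence must clear a floor, and no other fact may claim a different value for the same field. Anything failing a gate lands in a review queue with the reason attached, so nothing is silently dropped and nothing unverified is silently added.

```go
package main

import (
	"fmt"
	"strings"
)

// Fact is one extracted detail with the evidence the extractor cites for it.
// Field names and the threshold used below are this example's own assumptions, not Cellar's.
type Fact struct {
	Field      string  // e.g. "hba1c"
	Value      string  // normalized value the record would store
	Page       int     // page the extractor says the fact came from
	Quote      string  // exact source text the fact is grounded to
	Confidence float64 // extractor's self-reported confidence, 0..1
}

// Flagged is a fact sent to the review queue together with why it went there.
type Flagged struct {
	Fact    Fact
	Reasons []string
}

// Routed separates facts that may enter the record from those needing human review.
type Routed struct {
	Accepted []Fact
	Review   []Flagged
}

// normalize makes matching tolerant of case and whitespace differences introduced by OCR.
func normalize(s string) string {
	return strings.Join(strings.Fields(strings.ToLower(s)), " ")
}

// grounded checks that the cited quote really appears on the cited page.
func grounded(f Fact, pages map[int]string) bool {
	text, ok := pages[f.Page]
	return ok && f.Quote != "" && strings.Contains(normalize(text), normalize(f.Quote))
}

// RouteFacts applies three gates: source grounding, a confidence floor, and agreement
// between facts that claim the same field. A fact failing any gate goes to review.
func RouteFacts(facts []Fact, pages map[int]string, minConfidence float64) Routed {
	values := map[string]map[string]bool{} // field -> distinct normalized values seen
	for _, f := range facts {
		if values[f.Field] == nil {
			values[f.Field] = map[string]bool{}
		}
		values[f.Field][normalize(f.Value)] = true
	}
	var out Routed
	for _, f := range facts {
		var reasons []string
		if !grounded(f, pages) {
			reasons = append(reasons, "quote not found on cited page")
		}
		if f.Confidence < minConfidence {
			reasons = append(reasons, "low confidence")
		}
		if len(values[f.Field]) > 1 {
			reasons = append(reasons, "conflicting values for field")
		}
		if len(reasons) == 0 {
			out.Accepted = append(out.Accepted, f)
		} else {
			out.Review = append(out.Review, Flagged{Fact: f, Reasons: reasons})
		}
	}
	return out
}

// samplePages and sampleFacts are constructed inputs for this example, not real records.
var samplePages = map[int]string{
	1: "Hemoglobin A1c: 6.1 %\nLDL cholesterol: 130 mg/dL\nDate of collection: 2026-03-01",
	2: "Weight: 70 kg\nPatient ID: constructed-001",
}

var sampleFacts = []Fact{
	{"hba1c", "6.1%", 1, "Hemoglobin A1c: 6.1 %", 0.97},                      // grounded, confident, unique
	{"collected_on", "2026-03-01", 2, "Date of collection: 2026-03-01", 0.95}, // cites the wrong page
	{"ldl", "130 mg/dL", 1, "LDL cholesterol: 130 mg/dL", 0.42},              // grounded but low confidence
	{"weight", "70 kg", 2, "Weight: 70 kg", 0.93},                            // conflicts with the next fact
	{"weight", "77 kg", 2, "Weight: 77 kg", 0.90},                            // conflict, and not on the page
}

func main() {
	r := RouteFacts(sampleFacts, samplePages, 0.85)
	for _, f := range r.Accepted {
		fmt.Printf("accepted: %s = %s (page %d)\n", f.Field, f.Value, f.Page)
	}
	for _, fl := range r.Review {
		fmt.Printf("review:   %s = %s: %s\n", fl.Fact.Field, fl.Fact.Value, strings.Join(fl.Reasons, "; "))
	}
}
```

Run as written, only the HbA1c value is accepted; the other four facts go to review, each with the specific gate it failed, and the original pages stay untouched throughout.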

Access control

Authentication is passwordless (a secure link to your email). Every database table enforces row-level security, so each request can only ever reach its own account’s data. Share links are time-limited, revocable, and validated by a hashed token.
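The share-link properties listed above (time-limited, revocable, validated by a hashed token), as an added Go example rather than Cellar's own code. The store, the method names and the link lifetime are this example's assumptions. The server keeps only a SHA-256 hash of each token, so a leaked table yields no working links; validation compares hashes in constant time and collapses every failure into one error so a caller cannot distinguish an unknown token from an expired or revoked one.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// ShareLink is the server-side row for one link. Only a SHA-256 hash of the token is
// stored, so a copy of the table cannot be turned into working links.
type ShareLink struct {
	TokenHash [32]byte
	RecordID  string
	ExpiresAt time.Time
	Revoked   bool
}

// ShareStore stands in for the database table; the names here are this example's own.
type ShareStore struct{ links []*ShareLink }

// ErrInvalidLink is returned for every failure so a caller cannot tell an unknown token
// from an expired or revoked one.
var ErrInvalidLink = errors.New("share link invalid, expired or revoked")

// Create mints a 256-bit random token, stores only its hash and expiry, and returns the
// URL-safe secret that goes into the link. The plaintext token is never persisted.
func (s *ShareStore) Create(recordID string, ttl time.Duration, now time.Time) string {
	raw := make([]byte, 32)
	rand.Read(raw) // since Go 1.24, crypto/rand.Read cannot fail
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.links = append(s.links, &ShareLink{
		TokenHash: sha256.Sum256([]byte(token)),
		RecordID:  recordID,
		ExpiresAt: now.Add(ttl),
	})
	return token
}

// Validate hashes the presented token, compares it against each stored hash in constant
// time, then applies the revocation and expiry checks. Time is injected for testability.
func (s *ShareStore) Validate(token string, now time.Time) (string, error) {
	h := sha256.Sum256([]byte(token))
	for _, l := range s.links {
		if subtle.ConstantTimeCompare(h[:], l.TokenHash[:]) != 1 {
			continue
		}
		if l.Revoked || !now.Before(l.ExpiresAt) {
			return "", ErrInvalidLink
		}
		return l.RecordID, nil
	}
	return "", ErrInvalidLink
}

// RevokeRecord invalidates every link to a record, as an owner would from their account.
// It returns how many links were revoked.
func (s *ShareStore) RevokeRecord(recordID string) int {
	n := 0
	for _, l := range s.links {
		if l.RecordID == recordID && !l.Revoked {
			l.Revoked = true
			n++
		}
	}
	return n
}

func main() {
	s := &ShareStore{}
	now := time.Now()
	token := s.Create("rec-42", time.Hour, now) // constructed record id
	id, err := s.Validate(token, now.Add(10*time.Minute))
	fmt.Println("fresh link:", id, err)
	_, err = s.Validate(token, now.Add(2*time.Hour))
	fmt.Println("after expiry:", err)
	s.RevokeRecord("rec-42")
	_, err = s.Validate(token, now)
	fmt.Println("after revocation:", err)
}
```

In a real database the lookup would be indexed by the hash rather than scanned; the constant-time comparison is kept here as the habit to carry into that code path.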

Your control

You can export everything — your originals plus your structured record — in one tap, anytime. Deletion is permanent: it destroys your account key, which makes every encrypted record cryptographically irrecoverable, and purges your stored files. Once it’s gone, no one can bring it back.
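The key hierarchy from the Encryption section and the key-destroying deletion described here, as one added Go example. This is not Cellar's code: the in-memory stand-in for the key-management service, the type names and the use of the account id as associated data are this example's assumptions. Each record gets its own data key, wrapped under the account key, which is in turn wrapped under a root key that in production never leaves the KMS; only the category stays in plaintext. DeleteAccount discards the wrapped account key, and after that no record's data key can be unwrapped, so the ciphertext is irrecoverable even if a copy of it survives.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

type KMS struct{ root []byte }            // stands in for a real key-management service
type Account struct{ WrappedKey []byte } // account key sealed under the KMS root; nil once deleted
type Record struct {
	WrappedDataKey []byte // per-record data key sealed under the account key
	Ciphertext     []byte // document body sealed under the data key
	Category       string // non-sensitive plaintext metadata, used to order a timeline
}

// newKey returns 32 fresh random bytes (AES-256). Since Go 1.24 crypto/rand.Read cannot fail.
func newKey() []byte {
	k := make([]byte, 32)
	rand.Read(k)
	return k
}

// mustGCM builds AES-GCM; every key here is 32 bytes, so a failure is a programming error.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts with AES-256-GCM, prepending a random nonce; aad binds the blob to its
// owner, so a wrapped key or record cannot be replayed under another account or category.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, a wrong aad, tampering or a destroyed key all fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("nothing to decrypt: key destroyed or blob truncated")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// NewAccount keeps the account key only in wrapped form; the plaintext copy is dropped.
func NewAccount(kms *KMS, accountID string) *Account {
	return &Account{WrappedKey: seal(kms.root, newKey(), []byte(accountID))}
}

// EncryptRecord mints a unique data key for this record and wraps it under the account key.
func EncryptRecord(kms *KMS, acct *Account, accountID, category string, body []byte) (*Record, error) {
	ak, err := open(kms.root, acct.WrappedKey, []byte(accountID))
	if err != nil {
		return nil, err
	}
	dk := newKey()
	return &Record{
		WrappedDataKey: seal(ak, dk, []byte(accountID)),
		Ciphertext:     seal(dk, body, []byte(category)),
		Category:       category,
	}, nil
}

// DecryptRecord walks the hierarchy top-down: root -> account key -> data key -> body.
func DecryptRecord(kms *KMS, acct *Account, accountID string, rec *Record) ([]byte, error) {
	ak, err := open(kms.root, acct.WrappedKey, []byte(accountID))
	if err != nil {
		return nil, err
	}
	dk, err := open(ak, rec.WrappedDataKey, []byte(accountID))
	if err != nil {
		return nil, err
	}
	return open(dk, rec.Ciphertext, []byte(rec.Category))
}

// DeleteAccount is crypto-shredding: without the account key no data key can be unwrapped,
// so every record becomes irrecoverable even if its ciphertext survives in a backup.
func DeleteAccount(acct *Account) {
	acct.WrappedKey = nil
}

func main() {
	kms := &KMS{root: newKey()} // demo only; a real KMS never releases its root key
	acct := NewAccount(kms, "acct-1")
	rec, _ := EncryptRecord(kms, acct, "acct-1", "lab", []byte("constructed sample record"))
	DeleteAccount(acct)
	_, err := DecryptRecord(kms, acct, "acct-1", rec)
	fmt.Println("after deletion:", err)
}
```

Two properties worth noticing when running it: a record sealed for one account cannot be opened by presenting another account id, because the id is authenticated as associated data, and two records for the same account never share a data key, so compromise of one record's key exposes nothing else.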

Not medical advice

Cellar organizes, restates, translates, and charts your own records. It does not diagnose, recommend treatment, or predict disease. Always consult a qualified clinician about your care.