Trust at Cellar

Last updated June 2026

Cellar holds some of your most sensitive information, so here are plain answers to the questions people ask before trusting us with it: who can see your records, how they are encrypted, how regulation applies, how you sign in, what billing covers, and how your data stays yours.

Common questions

Who at Cellar can see my records?

No one on our staff has a path to your records. The only systems that ever handle plaintext are the pipeline that reads a document you added, your own signed-in requests, and a read-only link you share with a clinician (which transiently decrypts only the documents and images in that packet). Every database row is access-controlled to your account alone. This is compliant processing, not an architecture where the operator is technically incapable of access, and we don't claim otherwise. Our roadmap moves processing into a confidential-computing enclave so that even we cannot observe plaintext while a document is read.

Do you use my records to train AI?

Never. Records are read under no-training terms, and we don't use your data to train or improve any model. AI reading is optional: you can turn it off in Settings, and Cellar still stores your documents.

Does a third-party AI model read my documents?

Yes. To read and organize a document, Cellar decrypts it transiently and sends it to a third-party AI model in your assigned processing region under no-training terms. The specific providers, and the region each one operates in, are listed on our Subprocessors page.

Do you track me or run analytics?

No. Cellar runs no product analytics and embeds no advertising pixels, session recording, or third-party trackers, and it sets no analytics or advertising cookies. The only data that leaves the app for diagnostics is scrubbed error reports, with record content, document names, and identifiers removed first.

How are my records encrypted?

Every document and every extracted detail is encrypted at rest with envelope encryption: a unique key per record, wrapped by a per-account key, wrapped in turn by a key-management service. Document storage holds ciphertext only, and everything is encrypted in transit with TLS. The only plaintext we keep is minimal, non-sensitive metadata, such as dates and categories, used to order your timeline.

Is Cellar end-to-end encrypted or zero-knowledge?

No, and we describe this precisely rather than reaching for those labels. A document is decrypted only transiently, so it can be read, then handled under the access controls above. That is compliant processing, not an architecture where the operator is technically incapable of access. We are advancing toward confidential-computing processing, in which even we cannot observe plaintext during a read, and the system is built behind a single interface so that becomes a swap rather than a rewrite.

What security standards does Cellar follow?

Cellar's security is built around the control areas shared by recognized information-security frameworks: encryption everywhere, disciplined key management, least-privilege access with no staff path to your records, isolation of every account's data, monitoring, and a defined incident-response and responsible-disclosure process. Records are encrypted at rest with a separate key per account in a managed key service, encrypted in transit with TLS, and stored as ciphertext only. Every subprocessor operates under a data-protection agreement, and we align with the GDPR and UK GDPR. Security researchers can reach us at security@carecellar.com.

Is my data protected by HIPAA?

HIPAA governs hospitals, clinics, insurers, and the vendors working for them. It does not cover a personal vault you choose and control, so Cellar is not your provider's system and signs no business-associate agreement. When you share records with a clinician, you are exercising your own right of access. What protects your records here is the encryption and access controls on this page, our contractual commitments in the Privacy Policy and Terms, and your rights under privacy law, including the GDPR and UK GDPR where they apply and the United States FTC Health Breach Notification Rule. This is how patient-controlled records work, not legal advice.

How do I sign in, and is there two-factor authentication?

Sign-in is passwordless: Cellar sends a one-time code to your email, so there is no password to reuse, guess, or leak. Because your email is the key to any account you own, we recommend protecting it with two-factor authentication. Links you share with a clinician are separately time-limited, revocable, and validated by a hashed token.

What happens if I stop paying?

Viewing your records is never paywalled. If a subscription lapses, your account stays fully usable for a 30-day grace period, then becomes read-only: you can still open, read, and export everything. You do not lose access to your own data.

Can I get a refund?

The 14-day trial is free and we don't charge until it ends, so you can evaluate Cellar before paying anything. You can cancel anytime to stop future charges; you keep full access through the term you have paid for, and viewing and export stay available after that. For a billing question, write to support@carecellar.com.

Why is Cellar $200 a year?

One scattered record can mean a repeated test, a history your new doctor never sees, or an afternoon on hold with a clinic abroad. For $200 a year, Cellar keeps your whole medical life encrypted, organized, and ready the day you need it, with unlimited documents, answers cited to the source, biomarker trends, and unlimited revocable packets to share with a clinician.

Can I export everything and leave?

Yes. Export your full record, your original files plus the structured data Cellar built, in one tap, anytime, with no proprietary lock-in. If you delete your account, deletion destroys your account key, which makes every encrypted record cryptographically irrecoverable, and purges your stored files.

Am I locked in, or can I always get my data out?

You are never locked in. Your original files and the structured record Cellar builds export in one tap, anytime, in standard formats, and viewing your records is never paywalled. Your data stays yours and portable, independent of your subscription, so your records never depend on Cellar staying in the picture to remain accessible.

Who can open a link I share with a doctor?

Anyone holding an active link can open it, which is what lets a clinician view it without an account. That is why every link is time-limited, revocable anytime from Settings, and validated by a hashed token, and why Cellar can email you when one is opened. Cellar records that a link was opened, never who opened it or from where. Send links only through channels you trust, and revoke them when the visit is done.

How accurate is the extraction, and can I trust the values?

Extraction runs as a multi-step pipeline that verifies its own work, and every value is grounded to the exact page and line it came from, so you can check it against the original. Values are added as soon as they are read; anything low-confidence or conflicting is flagged as unconfirmed for you to confirm or remove. The original document is always kept. Cellar organizes and restates your records; it does not diagnose or give medical advice.

The canonical pages

These answers summarize how Cellar works. The binding detail lives on the pages they point to:

  • Security: the encryption and access model, stated honestly.
  • Privacy Policy: what we hold, how we use it, and your rights.
  • Subprocessors: the third parties that process data, by region.
  • Terms: subscription, billing, and your exit.
  • About: who operates Cellar and what we commit to.

Security reports go to security@carecellar.com.
