PRIVACY POLICY

ScalpScan.AI | ScalpScan.AI Patient

Version 2.0 — Global Edition | March 2026

https://www.scalpscan.ai/privacy-policy

This Policy explains how HAIR RESTORATION SCIENCE LTDA. collects, uses, stores, and shares your personal data when you use the ScalpScan.AI application, regardless of your location. Please read carefully before using the application.


Questions? Contact our DPO: dpo@scalpscan.ai


ℹ This Policy adopts the most protective standard among the world's leading privacy laws — LGPD (Brazil), GDPR (European Union), and CCPA/CPRA (California, USA) — and applies that standard to all users regardless of location. You do not need to verify which jurisdiction you are in to know your rights: all rights listed in this Policy apply to you.

1. Data Controller Identification

Legal Name: HAIR RESTORATION SCIENCE LTDA.

CNPJ: 50.807.318/0001-57

Registered Address: Av. Genésio Durão, 1160, Apt. 702, Ed. Morada do Sol, Três Barras, Linhares/ES, ZIP 29.907-010, Brazil

Data Protection Officer (DPO): dpo@scalpscan.ai

Support: support@scalpscan.ai

EU Representative (Art. 27 GDPR): To be appointed prior to the commencement of service offerings to data subjects in the EEA. Contact: dpo@scalpscan.ai

2. Scope of Application

This Policy applies to the processing of personal data carried out by HAIR RESTORATION SCIENCE LTDA. ("HRS") through the ScalpScan.AI and ScalpScan.AI Patient applications, in any country where they are used.
ScalpScan.AI is a technological tool designed to support three-dimensional scalp assessment for use by licensed healthcare professionals. It does not perform medical diagnosis, therapeutic prescription, or automated clinical decision-making.
For users located in jurisdictions not expressly mentioned in this Policy — such as Canada, Australia, India, China, Japan, South Africa, and others — HRS voluntarily applies the most protective standard set out in this Policy. Rights or obligations specific to local legislation — such as consent managers (India), data localization (China), or independent safeguard assessments (Australia) — will be addressed upon request to the DPO (dpo@scalpscan.ai). A complete list of data protection authorities by country is available upon request.

3. Definitions

The following terms are used in this Policy with the meanings set out below:

•Personal data: any information relating to an identified or identifiable natural person.

•Sensitive data: data concerning health, biometric data, genetic data, and other categories subject to heightened protection under applicable laws.

•Controller / Joint Controller: HAIR RESTORATION SCIENCE LTDA. and, jointly, the Professional User (physician/clinic), who together determine the purposes and means of processing patients' data.

•Processor / Service Provider: an entity that processes personal data on behalf of HRS (e.g., AWS, Meta).

•Data Subject: the natural person to whom the processed data relates (patient or healthcare professional).

•DPO / Data Protection Officer: the designated officer serving as the communication channel between HRS, data subjects, and competent authorities.

4. Personal Data Collected

HRS collects the following categories of personal data:

4.1 Professional User (Physician / Clinic)

When creating an account and using ScalpScan.AI Professional, we collect:
•Full name
•Professional email address (for OTP verification via email)
•Phone number (for OTP verification via WhatsApp)
•Authentication data (email, encrypted password, internal ID)
•City / State / Country
•Date of birth (use prohibited for those under 18)
•Signup source
•Usage and navigation data within the dashboard (access logs, timestamps, actions performed)

4.2 Professional User — Patient Data Collected

•Patient data: name, age, phone, and email.

•Consent record: cryptographic hash, server timestamp, and version of the accepted document.

•3D scalp model (USDZ) — sensitive biometric data.

•Clinical metadata and annotations (sensitive health data).


Note: This record corresponds to the co-controller physician's declaration that they obtained the patient's free and informed consent in person. Responsibility for obtaining and verifying consent rests exclusively with the healthcare professional.

4.3 Models Received via Patient Sharing

•3D scalp model (USDZ) — sensitive biometric data.

•Active consent record collected directly from the patient: cryptographic hash, server timestamp, and version of the accepted document.


Note: Consent is collected at the time of sharing, through an active and specific acceptance on the platform. The record is immutable, linked to the patient ID, the model ID, and the recipient physician's ID.

4.4 Patient User

When creating an account on ScalpScan.AI Patient:

•Full name.

•Email address.

•Phone number.

•Authentication data (email, encrypted password, internal ID).

•3D scalp model (USDZ) — collected exclusively at the time of sharing with a physician.

•Active consent record: cryptographic hash, server timestamp, and version of the accepted document.

4.5 Data We Do NOT Collect

HRS does NOT collect, store, or process:
•Original photographs taken during scanning (they remain on the user's device)
•National identification documents (CPF, RG, passport, SSN, or equivalents)
•Physician's professional registration number
•Precise geographic location data (GPS)
•Financial data or credit card details
•Health data beyond that related to three-dimensional scalp analysis
•Tracking cookies for advertising or marketing purposes
•Data from individuals under 18 years of age (use is expressly prohibited)

4.6 Data of Minors Under 18

ScalpScan.AI is not intended for individuals under 18 years of age. Scanning of minors is expressly prohibited by the Terms of Use. When creating an account, the user expressly declares that they are over 18 years of age and that they will not use the application to scan minors.

5. Purposes of Processing and Legal Bases

HRS processes personal data exclusively for the purposes set out below, based on the most protective legal grounds recognized by the principal applicable privacy laws:

6. Data Sharing

6.1 Joint Controller (Physician / Clinic)

HRS and the Professional User are joint controllers of patients' data. The responsibilities of each party are formalized in the Joint Controller Agreement (DPA):
•HRS is responsible for: maintaining secure infrastructure; recording consents in an immutable manner; handling rights requests directed to HRS; notifying competent authorities in the event of an incident; maintaining an operational DPO channel.
•Co-controller physician is responsible for: obtaining the patient's informed consent prior to scanning; integrating clinical data into the medical record; retaining the medical record for the applicable legal period; responding independently before authorities for the operations under their responsibility.
•Single point of contact: data subjects may exercise all of their rights before either joint controller. To contact HRS: dpo@scalpscan.ai.
The full text of the Joint Controller Agreement is available upon request to dpo@scalpscan.ai.

6.2 Service Providers (Processors)

HRS has disclosed the following categories of personal data to the service providers listed below, who are contractually bound by data protection obligations that prohibit the use of the information for purposes beyond those contracted:

6.3 Restrictions

HRS does NOT:
•Sell or trade personal data to third parties for any consideration;
•Share data for behavioral advertising purposes;
•Transfer data to third parties not listed in this Policy, except as required by law;
•Use patient data for its own purposes unrelated to the contracted service.

⚠ HRS does NOT sell or share personal data for behavioral advertising purposes. There is no right of opt-out from sale or sharing to be exercised at this time.

7. International Data Transfers

Due to the use of the service providers listed in section 6.2, personal data is transferred to and stored on servers located in the United States of America (AWS, us-east-1 region).

All transfers are supported by Standard Contractual Clauses (SCCs) approved by competent authorities — including ANPD Resolution CD/ANPD No. 19/2024 (Brazil) and European Commission Decision 2021/914, Module 2 (EEA/UK) — incorporated without modification in the contracts with each provider.

Pursuant to the Schrems II ruling (Case C-311/18), HRS conducted a Transfer Impact Assessment (TIA) for each transfer to the USA, concluding that the supplementary technical measures adopted (AES-256 at rest and TLS 1.3 in transit) ensure a level of protection equivalent to that of the country of origin of the data. A copy of the SCCs and TIA is available upon request to dpo@scalpscan.ai.

8. Data Retention Period

Data is retained for the following periods, after which it is irreversibly deleted or anonymized:

⚠ 3D models and medical records: ScalpScan.AI does not constitute a medical records system. HRS makes video and 3D model exports available for 60 days. The co-controller physician is solely responsible for exporting and storing clinical data in their own system before this period expires.

9. Data Security

HRS adopts technical and organizational measures appropriate to the sensitivity of the data processed, including:
•AES-256 encryption at rest for all data stored on AWS.
•TLS 1.3 protocol for data transmission in transit.
•Role-based access control (RBAC) and identity management (IAM).
•Immutable audit logs covering all operations involving sensitive data.
•Photographs captured during scanning stored exclusively on the user's device, with no transmission to HRS servers.
•Immutable consent records with cryptographic hash, server timestamp, and document version.

10. Security Incidents

In the event of a security incident posing relevant risk or harm to data subjects, HRS undertakes to:

•Immediately adopt appropriate containment measures;

•Notify the competent data protection authority without undue delay and, where possible, within a maximum of 72 hours after becoming aware of the incident;

•Inform the affected data subjects with clear information about the nature of the incident, the data involved, and the measures taken.

11. Data Subject Rights

HRS guarantees the following rights to all ScalpScan.AI users, regardless of their location:
•Confirmation of processing and access to the data processed, in portable and machine-readable format;
•Correction of incomplete, inaccurate, or outdated data;
•Deletion / erasure of data, within the limits provided by law;
•Withdrawal of consent at any time, without prejudice to processing carried out prior to withdrawal;
•Objection to processing based on legitimate interest;
•Restriction of processing under specific circumstances;
•Not to be subject to decisions based solely on automated processing with significant effects;
•Not to be discriminated against for exercising any of the above rights;
•Information about with whom their data has been shared;
•To lodge a complaint with the competent data protection authority in their country.
How to exercise your rights: send an email to dpo@scalpscan.ai stating your full name, registered email address, and the right you wish to exercise. Include the reference period where applicable. You may request data collected since January 1, 2022.
Response deadline: HRS will respond within 15 days for users in Brazil, 1 month for users in the EEA/United Kingdom (extendable by a further 2 months), and 45 days for users in California (extendable by a further 45 days). For other regions, the maximum period is 30 days.
Authorized agent: You may designate a representative to exercise your rights on your behalf. HRS may request proof of authorization.

ℹ Data protection authorities: Brazil — ANPD (www.gov.br/anpd) | European Union — the authority of the Member State of residence (list at edpb.europa.eu) | United Kingdom — ICO (ico.org.uk) | California — CPPA (cppa.ca.gov).

12. Automated Processing

ScalpScan.AI uses computational methods and algorithms to process images and generate three-dimensional scalp models, as well as to produce technical scalp analysis metrics.

This processing does NOT constitute automated decision-making with legal or clinical effects on the data subject. The co-controller physician is solely responsible for clinical assessment, diagnosis, and treatment planning.

Data subjects may, at any time, request from the DPO information about the criteria and procedures used by the algorithm and contest any results relating to them.

From January 1, 2027, should HRS begin using automated decision-making technology (ADMT) with significant effects on data subjects, it will provide specific advance notice and make an opt-out mechanism available before any such use. This Policy will be updated accordingly.

13. Data Protection Officer (DPO)

HRS has appointed a Data Protection Officer, given that the processing of biometric and health data is carried out at a relevant scale.

The DPO is the official communication channel between HRS, data subjects, and competent authorities in any jurisdiction.

14. Changes to this Policy

HRS may update this Policy periodically. Material changes will be communicated with a minimum of 15 (fifteen) days' notice by email and publication on the Policy page, before they take effect. For changes that involve new processing of sensitive data or new purposes incompatible with the original consent, explicit new consent from the data subject will be required.
The current version will always be available at https://www.scalpscan.ai/privacy-policy with the date of the last update.

15. Governing Law and Jurisdiction

This Policy is governed by international data protection standards and, specifically, by the laws applicable according to the data subject's location: Law No. 13,709/2018 (LGPD) in Brazil; Regulation (EU) 2016/679 (GDPR) in the EEA and United Kingdom; and the California Consumer Privacy Act (CCPA/CPRA) in California.

For contractual disputes between the parties, the courts of the District of Linhares, State of Espírito Santo, Brazil, are elected as the competent jurisdiction, without prejudice to the mandatory consumer rights in countries where local law is imperative.

HAIR RESTORATION SCIENCE LTDA.

dpo@scalpscan.ai | support@scalpscan.ai

https://www.scalpscan.ai/privacy-policy | Version 2.0 (Global) — March 2026

PRIVACY POLICY

ScalpScan.AI | ScalpScan.AI Patient

HAIR RESTORATION SCIENCE LTDA.

Version 2.0 | March 2026
https://www.scalpscan.ai/privacy-policy

This Privacy Policy explains how HAIR RESTORATION SCIENCE LTDA. (“HRS”, “we”, “us” or “our”) collects, uses, stores and discloses your personal data when you use the ScalpScan.AI or ScalpScan.AI Patient applications. Please read it carefully before using the applications.


Questions? Contact our DPO: dpo@scalpscan.ai

1. Data Controller Identification

Legal Name: HAIR RESTORATION SCIENCE LTDA.
Brazilian Company Registration (CNPJ): 50.807.318/0001-57
Registered Address: Av. Genésio Durão, 1160, apto 702, Ed. Morada do Sol, Três Barras, Linhares/ES, CEP 29.907-010, Brazil
Data Protection Officer (DPO): Efficient channel pursuant to Resolution CD/ANPD No. 2/2022 — dpo@scalpscan.ai
DPO email: dpo@scalpscan.ai
Support: support@scalpscan.ai

2. Scope of Application

This Privacy Policy applies to all personal data processing carried out by HAIR RESTORATION SCIENCE LTDA. (“HRS”) through the ScalpScan.AI and ScalpScan.AI Patient applications, including the versions intended for Professional Users (physicians and clinics) and Patient Users.

ScalpScan.AI is a technological tool that assists qualified healthcare professionals in performing three-dimensional scalp assessments. It does not provide medical diagnoses, therapeutic prescriptions, or automated clinical decisions.

3. Definitions

For the purposes of this Policy, the following definitions apply, pursuant to Law No. 13.709/2018 (LGPD):
•Personal data: information relating to an identified or identifiable natural person.
•Sensitive data: personal data concerning racial or ethnic origin, religious belief, political opinion, trade union membership, health or sex life data, genetic or biometric data, when linked to a natural person.
•Controller: HAIR RESTORATION SCIENCE LTDA., responsible for decisions on the processing of platform data.
•Joint controller: Professional User (physician/clinic), responsible for decisions on the data of patients in their account.
•Processor: natural or legal person that carries out processing on behalf of the controller (e.g.: AWS, Meta).
•Data subject: the natural person to whom the processed data refers (patient or healthcare professional).
•DPO/Data Protection Officer: person appointed to act as the communication channel between the controller, data subjects and the ANPD.

4. Personal Data Collected

4.1 Professional User (Physician / Clinic)

When you create an account and use ScalpScan.AI Professional, we collect:
•Full name
•Professional email address (used for OTP verification via email)
•Phone number (used for OTP verification via WhatsApp)
•Authentication data (email, encrypted password, internal ID)
•City / State / Country
•Date of birth (users under 18 years of age are not permitted to register)
•Source of registration
•Usage and navigation data in the dashboard (access logs, timestamps, actions performed)

4.2 Professional User (Physician / Clinic) — Data Collected from the Patient

•Patient data: patient name, age, phone number and email.

•Patient consent record: cryptographic hash, server timestamp and version of the accepted document.

•3D model data: three-dimensional (3D) scalp model in USDZ format.

•Clinical metadata and annotations associated with the 3D model (sensitive health data).

4.3 Professional User (Physician / Clinic) — Models Received by Patient Sharing

•Data shared by the patient: three-dimensional (3D) scalp model in USDZ format.
•Consent record: cryptographic hash, server timestamp and version of the accepted document.

Note: The consent record in this section is collected directly from the patient at the time they choose to share the model with the physician, by means of active and specific acceptance on the platform. The record is immutable, linked to the patient ID, model ID and recipient physician ID.

4.4 Patient User

When creating an account in ScalpScan.AI Patient:

•Full name.

•Email address (for OTP verification via email).

•Phone number (for OTP verification via WhatsApp).

•Authentication data (email, encrypted password, internal ID).

•Three-dimensional (3D) scalp model in USDZ format (collected exclusively at the time the patient chooses to share it with a physician).

•Patient consent record: cryptographic hash, server timestamp and version of the accepted document.


Note: When the patient creates their own account in ScalpScan.AI Patient, consent for the processing of biometric data is collected directly and specifically from the patient at the time of sharing, by means of active acceptance on the platform.

4.5 Data We Do NOT Collect

Photographs taken during the scanning process remain stored exclusively on the user’s device and are never transmitted to or stored on HRS’s servers. The management, storage and deletion of these photos are the sole responsibility of the user. HRS has no access to your device and is therefore neither able to control nor responsible for these files (Art. 42, §2, LGPD).

Furthermore, HRS does NOT collect, store or process the following data:

•National ID number, tax registration or any national identification document of patients or professionals

•Physician's professional registration number (the professional self-declares qualification upon accepting the Terms)

•Precise location data (GPS) of users

•Financial, banking or credit card data (payments are processed exclusively by the Apple App Store)

•Health data beyond that related to the three-dimensional scalp analysis that constitutes the object of the service

•Tracking cookies for advertising or marketing purposes

•Data of persons under 18 years of age (use expressly prohibited — see section 4.6)

4.6 Minors

ScalpScan.AI is not intended for use by or on patients under 18 years of age. Scanning of minors is strictly prohibited. By creating an account, you expressly declare that you are at least 18 years old and that you will not use the application to scan any person under 18.

5. Purposes of Processing and Legal Bases

HRS processes personal data based on the following legal grounds under Articles 7 and 11 of the LGPD:

6. Data Sharing

6.1 Joint Controller (Physician / Clinic)

Patient data registered in a Professional User’s account is accessible to that physician or clinic, who acts as joint controller with HRS for clinical purposes (preparation of medical records, surgical planning and follow-up).

The roles and responsibilities of each joint controller are formalised in the Joint Controllers Agreement (DPA), incorporated into the Terms of Use and accepted at registration.

6.2 Sub-processors

HRS uses the following sub-processors for the provision of the service, all contractually bound by data protection obligations:

6.3 Restrictions on Sharing

HRS does NOT:
•Sell or commercialise personal data of patients or professionals;
•Share health or biometric data for marketing or advertising purposes;
•Transfer data to third parties not listed in this Policy, except by legal obligation, court order or request by a competent authority;
•Use patient data for HRS's own purposes unrelated to the provision of the service contracted by the Professional User.

7. International Data Transfers

Due to the use of the sub-processors listed in section 6.2, personal data is transferred internationally to the United States of America (AWS, us-east-1 region).

All transfers are covered by Standard Contractual Clauses (SCCs) approved by the National Data Protection Authority — ANPD, pursuant to Annex II of Resolution CD/ANPD No. 19/2024, incorporated literally and without modification in the contracts with each sub-processor.

A copy of the incorporated SCCs is available upon request at dpo@scalpscan.ai.

8. Data Retention Period

Data is retained for the following periods, after which it is irreversibly deleted or anonymised:

3D Models and Medical Record
ScalpScan.AI does not constitute a medical record system as defined by CFM Resolution No. 1.821/2007. Responsibility for keeping the medical record for the statutory period of 20 years lies exclusively with the physician joint controller. The system makes video and 3D model export available during the 60-day period. Upon requesting account cancellation, the user acknowledges that data will be permanently removed from HRS's servers, with no possibility of recovery.

9. Data Security

HRS implements appropriate technical and organizational measures to protect personal data, including:
•AES-256 encryption for data at rest on AWS;
•TLS 1.3 for data in transit;
•Role-based access control (RBAC) and strict identity management;
•Immutable audit logs recording all operations on sensitive data;
•Photographs captured during scanning stored exclusively on the user's device, without transmission to HRS's servers.

10. Security Incidents

In the event of a security incident that may result in relevant risk or harm to data subjects, HRS undertakes to:

•Immediately adopt available containment measures;

•Notify the ANPD of the incident within 72 hours of becoming aware of it, pursuant to Resolution CD/ANPD No. 15/2024;

•Notify affected data subjects with information about the nature of the incident, data involved and measures adopted.

11. Your Rights as a Data Subject

Under Article 18 of the LGPD, you have the following rights:
•Confirmation of the existence of processing of your personal data;
•Access to your personal data;
•Correction of incomplete, inaccurate or outdated data;
•Anonymisation, blocking or deletion of unnecessary data or data processed in non-compliance with the LGPD;
•Portability of data to another service or product provider;
•Deletion of data processed on the basis of consent;
•Information about with whom your data has been shared;
•Information about the possibility of not providing consent and its consequences;
•Withdrawal of consent;
•Contestation of results obtained by automated processing and request for information about the criteria used.

To exercise your rights, contact the DPO at dpo@scalpscan.ai. The response period is up to 15 (fifteen) days from receipt of the request (Art. 18, §3, LGPD).

12. Automated Processing and Algorithmic Transparency

ScalpScan.AI uses computational methods and algorithms to process images and generate three-dimensional scalp models, as well as to produce technical scalp analysis metrics.

This processing does NOT constitute automated decision-making with legal or clinical effects on the data subject, pursuant to Art. 20 of the LGPD. The generated metrics and models are technical inputs that must be evaluated and validated by the physician, who is solely responsible for the clinical decision.

The data subject may, at any time, request from the DPO information about the criteria and procedures used by the algorithm, as well as contest any result they consider incompatible with their data (Art. 20, §1, LGPD).

13. Data Protection Officer (DPO)

The DPO is the official channel of communication between HRS, data subjects and the National Data Protection Authority (ANPD), pursuant to Arts. 41 and 42 of the LGPD and Resolution CD/ANPD No. 2/2022.


DPO Contact Channel
DPO Channel: dpo@scalpscan.ai — Response within 15 days.

14. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our services, applicable laws or data protection practices. If we make material changes, we will notify you by email at least 15 days in advance and publish the new version on our website before the changes take effect.

The current version will always be available at https://www.scalpscan.ai/privacy-policy with the date of the last update.

15. Applicable Law and Jurisdiction

This Privacy Policy is governed by the laws of Brazil, particularly Law No. 13.709/2018 (LGPD) and the Consumer Protection Code.
Any disputes arising from this Policy shall be submitted to the exclusive jurisdiction of the courts of Linhares, Espírito Santo, Brazil, without prejudice to your right to file a complaint with the National Data Protection Authority (ANPD), pursuant to Art. 18, §1, of the LGPD.

HAIR RESTORATION SCIENCE LTDA.

dpo@scalpscan.ai | support@scalpscan.ai
https://www.scalpscan.ai/privacy-policy | Version 2.0 — March 2026

PRIVACY POLICY

ScalpScan.AI | ScalpScan.AI Patient

HAIR RESTORATION SCIENCE LTDA.

Version 2.0 — GDPR Edition | March 2026

https://www.scalpscan.ai/privacy-policy

This Policy explains how HAIR RESTORATION SCIENCE LTDA. collects, uses, stores and shares your personal data when you use the ScalpScan.AI application. Please read carefully before using the application.


Questions? Contact our DPO: dpo@scalpscan.ai

1. Data Controller Identification

Legal Name: HAIR RESTORATION SCIENCE LTDA.

Brazilian Company Registration (CNPJ): 50.807.318/0001-57

Registered Address: Av. Genésio Durão, 1160, apto 702, Ed. Morada do Sol, Três Barras, Linhares/ES, CEP 29.907-010, Brazil

Data Protection Officer (DPO): Efficient contact channel pursuant to Arts. 37-39 GDPR — dpo@scalpscan.ai

DPO Email: dpo@scalpscan.ai

Support: support@scalpscan.ai

EU Representative (Art. 27 GDPR): To be appointed prior to offering services to EEA data subjects. Contact: dpo@scalpscan.ai

2. Scope of Application

This Policy applies to the processing of personal data carried out by HAIR RESTORATION SCIENCE LTDA. ("HRS") through the ScalpScan.AI application, in the versions intended for Professional Users (physicians and clinics) and Patient Users, to the extent that such processing is subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR").
ScalpScan.AI is a technological tool supporting three-dimensional scalp assessment for use by qualified healthcare professionals. It does not perform medical diagnosis, therapeutic prescription or automated clinical decision-making.
This Policy applies to data subjects located in the European Economic Area (EEA) and the United Kingdom. For data subjects located in Brazil, the applicable document is the Privacy Policy — LGPD Edition.

3. Definitions

For the purposes of this Policy, the following definitions apply pursuant to the GDPR:

Personal data: any information relating to an identified or identifiable natural person.

Special categories of data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation (Art. 9 GDPR).

Controller: HAIR RESTORATION SCIENCE LTDA., responsible for determining the purposes and means of processing.

Joint Controllers: HAIR RESTORATION SCIENCE LTDA. and the Professional User (physician/clinic), who jointly determine the purposes and means of processing of patient data (Art. 26 GDPR).

Processor: a natural or legal person that processes personal data on behalf of the Controller (e.g., AWS, Meta).

Data subject: the natural person to whom the processed data relates (patient or healthcare professional).

DPO: Data Protection Officer, appointed pursuant to Arts. 37-39 GDPR, acting as the contact point between the Controller, data subjects and supervisory authorities.

Supervisory Authority: the independent public authority responsible for monitoring the application of the GDPR in the relevant EEA member state.

4. Personal Data Collected

4.1 Professional User (Physician / Clinic)

When creating an account and using ScalpScan.AI Professional, we collect:

•Full name

•Professional email address (for OTP verification via email)

•Phone number (for OTP verification via WhatsApp)

•Authentication data (email, encrypted password, internal ID)

•City / State / Country

•Date of birth (users under 18 are prohibited from registering)

•Signup source

•Usage and navigation data in the dashboard (access logs, timestamps, actions performed)

4.2 Professional User (Physician / Clinic) — Data Collected from the Patient

•Patient data: patient name, patient age, phone number and email.
•Patient consent record: cryptographic hash, server timestamp and version of the accepted document.
•3D model data: three-dimensional (3D) scalp model in USDZ format — biometric special category data.
•Clinical metadata and annotations associated with the 3D model (health special category data).

Note: This record corresponds to the declaration by the Joint Controller physician that they obtained the patient's free and informed consent in person — not a direct consent by the patient on the platform. Responsibility for obtaining and verifying consent lies exclusively with the Joint Controller physician (Art. 26 GDPR).

4.3 Professional User (Physician / Clinic) — Models Received by Patient Sharing

•Data shared by the patient: three-dimensional (3D) scalp model in USDZ format — biometric special category data.

•Consent record: cryptographic hash, server timestamp and version of the accepted document.


Note: The consent record in this section is collected directly from the patient at the moment they choose to share the model, through an active and specific consent on the platform. The patient expressly consents to the upload, storage and processing of the biometric data for medical evaluation purposes. This record is immutable, linked to the patient ID, the model ID and the recipient physician ID, with server timestamp (Arts. 6(1)(a) and 9(2)(a) GDPR).

4.4 Patient User

When creating an account in ScalpScan.AI Patient:

• Full name.

• Email address (for OTP verification via email).

• Phone number (for OTP verification via WhatsApp).

• Authentication data (email, encrypted password, internal ID).

• Three-dimensional (3D) scalp model in USDZ format — biometric special category data (collected exclusively at the moment the patient opts to share the model with a physician).

• Patient consent record: cryptographic hash, server timestamp and version of the accepted document.

Note: When the patient creates their own account in ScalpScan.AI Patient, consent for the processing of biometric data is collected directly from the patient on the platform, by active and specific consent at the time of sharing (Art. 9(2)(a) GDPR). The processing of data of patients without their own account — whose folders are created by the physician — is described in section 4.2.

4.5 Data We Do NOT Collect

Photographs captured during the scanning process remain stored exclusively on the user's device and are not transmitted to or stored on HRS servers. The management, retention and eventual deletion of such images is the exclusive responsibility of the user. HRS has no access to the device and therefore does not control or bear responsibility for those files.

In addition, HRS does NOT collect, store or process the following data:

• National identification documents (passport, national ID) of patients or professionals

• Medical registration number of the physician (the professional self-declares eligibility upon accepting the Terms)

• Precise location data (GPS) of users

• Financial, banking or credit card data (payments are processed exclusively via the Apple App Store)

• Health data beyond that related to the three-dimensional scalp analysis that constitutes the object of the service

• Tracking cookies for advertising or marketing purposes

• Data of persons under 18 years of age (use expressly prohibited — see section 4.6)

4.6 Data of Persons Under 18 Years of Age

ScalpScan.AI is not intended for use by patients under 18 years of age. Scanning of minors is expressly prohibited by the Terms of Use. Upon creating an account, the user expressly declares to be over 18 years of age and that they will not use the application to scan patients under 18. Non-compliance with this prohibition is the exclusive responsibility of the user, without any liability on the part of HRS.

5. Purposes of Processing and Legal Bases

HRS processes personal data on the following legal bases pursuant to Arts. 6 and 9 GDPR:

6. Data Sharing

6.1 Joint Controllers (Physician / Clinic) — Art. 26 GDPR

HRS and the Professional User are Joint Controllers of patient data pursuant to Art. 26 GDPR. The responsibilities of each party are formalised in the Joint Controllers Agreement (DPA), the essence of which is as follows:
HRS is responsible for: maintaining secure storage infrastructure; recording consent records in an immutable manner; handling data subject rights requests directed to HRS; notifying the competent supervisory authority of personal data breaches; and maintaining the DPO channel.
The Joint Controller physician is responsible for: obtaining the patient's informed consent prior to scanning; integrating clinical data into the medical record; retaining the medical record for the applicable legal period; and responding independently to the supervisory authority for the processing operations within their remit.
Single point of contact for data subjects: regardless of the internal allocation of responsibilities, data subjects may exercise all of their rights against either Joint Controller. To contact HRS: dpo@scalpscan.ai.
The full text of the Joint Controllers Agreement is available upon request to dpo@scalpscan.ai.

6.2 Processors

HRS uses the following processors for the provision of the service, all contractually bound to data protection obligations:

6.3 Restrictions on Sharing

HRS does NOT:
• Sell or commercialise personal data of patients or professionals;
• Share health or biometric data for marketing or advertising purposes;
• Transfer data to third parties not listed in this Policy, except where required by legal obligation, court order or competent authority;
• Use patient data for HRS's own purposes unrelated to the service contracted by the Professional User, except with the data subject's specific and explicit consent.

7. International Data Transfers

Due to the use of the processors listed in section 6.2, personal data is transferred internationally to the United States of America.

All transfers are covered by the Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision 2021/914 of 4 June 2021 (Module 2: Controller to Processor), incorporated without modification into the contracts concluded with each processor (Art. 46(2)(c) GDPR).

In accordance with the case law of the Court of Justice of the European Union (Schrems II, Case C-311/18), HRS has carried out a Transfer Impact Assessment (TIA) for each transfer to the United States, assessing the laws and practices of the destination country that may affect the effectiveness of the safeguards adopted, in particular with regard to US surveillance legislation (FISA 702). The TIA concluded that, having regard to the nature of the data transferred, the purposes of the processing and the supplementary technical measures adopted (AES-256 encryption at rest and TLS 1.3 in transit), the SCCs provide a level of protection substantially equivalent to that guaranteed in the EEA. The full TIA documentation is available upon request to dpo@scalpscan.ai.

A copy of the incorporated SCCs is also available upon request to dpo@scalpscan.ai.

8. Data Retention Periods

Data is retained for the following periods, after which it is deleted or irreversibly anonymised:

⚠ 3D models and medical records: ScalpScan.AI does not constitute a medical records system. HRS makes video and 3D model export functionality available during the 60-day grace period. The Joint Controller physician is exclusively responsible for exporting and retaining clinical data in their own records system before this period expires.

9. Data Security

HRS adopts appropriate technical and organisational measures pursuant to Art. 32 GDPR, including:

• AES-256 encryption at rest for all data stored on AWS.

• TLS 1.3 protocol for data transmission in transit.

• Role-based access control (RBAC) and identity management (IAM).

• Immutable audit logs recording all operations involving special category data.

• Photographs captured during scanning stored exclusively on the user's device, without transmission to HRS servers.

• Immutable consent records with cryptographic hash, server timestamp and document version.

10. Personal Data Breaches

In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, HRS undertakes to:
• Immediately adopt appropriate containment measures;
• Notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Art. 33 GDPR);
• Communicate the breach to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, providing information on the nature of the breach, the data involved and the measures taken (Art. 34 GDPR).

11. Data Subject Rights

Pursuant to Arts. 15-22 GDPR, you have the right to:

• Access your personal data and obtain a copy thereof (Art. 15 GDPR);

• Rectification of inaccurate or incomplete personal data (Art. 16 GDPR);

• Erasure of your personal data ('right to be forgotten'), where applicable (Art. 17 GDPR);

• Restriction of processing in the circumstances set out in Art. 18 GDPR;

• Data portability in a structured, commonly used and machine-readable format (Art. 20 GDPR);

• Object to processing based on legitimate interests (Art. 21 GDPR);

• Not be subject to automated individual decision-making producing legal or similarly significant effects (Art. 22 GDPR — see section 12);

• Withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal (Art. 7(3) GDPR);

• Lodge a complaint with the competent supervisory authority in your EEA member state of residence (Art. 77 GDPR).

Response time: Requests will be handled free of charge within 1 (one) month of receipt (Art. 12 GDPR). This period may be extended by a further 2 months where necessary, taking into account the complexity and number of requests. HRS will inform the data subject of any such extension within 1 month of receiving the request.

Contact: To exercise your rights, contact the DPO at dpo@scalpscan.ai.

12. Automated Processing and Algorithmic Transparency

ScalpScan.AI uses computational methods and algorithms to process images and generate three-dimensional scalp models, as well as to produce technical scalp analysis metrics.

This processing does NOT constitute a decision based solely on automated processing that produces legal effects or similarly significantly affects the data subject within the meaning of Art. 22 GDPR. The Joint Controller physician is solely responsible for clinical assessment, diagnosis and treatment planning, interpreting the system's outputs as informational support tools.

Without prejudice to the foregoing, HRS guarantees data subjects the right to obtain, at any time, information about the criteria and procedures used in the platform's automated processes, as well as to contest results that concern them (Art. 22(3) GDPR), by contacting dpo@scalpscan.ai.

13. Data Protection Officer (DPO)

HRS has appointed a Data Protection Officer pursuant to Art. 37 GDPR, as the processing of special categories of data (biometric and health data) is carried out on a large scale.

The DPO is the official channel of communication between HRS, data subjects and supervisory authorities.

14. Changes to this Policy

HRS may update this Policy periodically to reflect changes in the service, legislation or data protection practices. Material changes will be communicated to data subjects with a minimum of 15 (fifteen) days' notice before taking effect, by email notification or publication on the Policy page. For changes involving new processing of special categories of data or new purposes incompatible with the original consent, new explicit and specific consent will be required from the data subject before the change takes effect (Art. 7 GDPR).
The current version will always be available at https://www.scalpscan.ai/privacy-policy with the date of the last update.

15. Applicable Law and Jurisdiction

This Policy is governed by the General Data Protection Regulation (EU) 2016/679 (GDPR) and other applicable European data protection legislation.

Data subjects located in the EEA have the right to lodge a complaint with the supervisory authority in their member state of residence. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

For data subjects located in the United Kingdom, the competent authority is the Information Commissioner's Office (ICO): https://ico.org.uk.

For contractual disputes between the parties, the courts of the Judicial District of Linhares, State of Espírito Santo, Brazil, shall have jurisdiction, without prejudice to the mandatory rights of EU consumers under applicable consumer protection legislation.

HAIR RESTORATION SCIENCE LTDA.

dpo@scalpscan.ai | support@scalpscan.ai

https://www.scalpscan.ai/privacy-policy | Version 2.0 (GDPR) — March 2026

PRIVACY POLICY

ScalpScan.AI | ScalpScan.AI Patient

HAIR RESTORATION SCIENCE LTDA.

Version 2.0 — CCPA/CPRA Edition | March 2026
https://www.scalpscan.ai/privacy-policy

This Policy explains how HAIR RESTORATION SCIENCE LTDA. collects, uses, stores and shares your personal information when you use the ScalpScan.AI application. Please read carefully before using the application.


Questions? Contact our DPO: dpo@scalpscan.ai


ℹ This Policy applies to consumers residing in the State of California (USA), pursuant to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). For users located in Brazil, the applicable document is the Privacy Policy — LGPD Edition. For users in the EEA/UK, the applicable document is the Privacy Policy — GDPR Edition.

1. Business Identification

Legal Name: HAIR RESTORATION SCIENCE LTDA.
Brazilian Company Registration (CNPJ): 50.807.318/0001-57
Registered Address: Av. Genésio Durão, 1160, apto 702, Ed. Morada do Sol, Três Barras, Linhares/ES, CEP 29.907-010, Brazil
Privacy Officer (DPO): dpo@scalpscan.ai
Support: support@scalpscan.ai
Designated Agent for CCPA Requests: dpo@scalpscan.ai

2. Scope of Application

This Policy applies to the processing of personal information of consumers residing in California, pursuant to the CCPA (Cal. Civ. Code § 1798.100 et seq.) and the CPRA (Prop. 24, 2020), effective as of January 1, 2023, including the CPPA regulations effective January 1, 2026.

ScalpScan.AI is a technological tool supporting three-dimensional scalp assessment for use by qualified healthcare professionals. It does not perform medical diagnosis, therapeutic prescription or automated clinical decision-making.

3. Definitions

For the purposes of this Policy, pursuant to the CCPA/CPRA:
Personal information: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Sensitive personal information: a special category that includes health data, biometric data and genetic data, subject to additional rights and restrictions under the CPRA.
Business: HAIR RESTORATION SCIENCE LTDA., the entity that determines the purposes and means of processing personal information.
Service provider: an entity that processes personal information on behalf of the Business, subject to contractual restrictions.
Consumer: a natural person who is a California resident.
Sale: selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating personal information to a third party for monetary or other valuable consideration.
Sharing: disclosing personal information to a third party for cross-context behavioral advertising, whether or not for monetary consideration.

4. Personal Information Collected

HRS has collected the following categories of personal information. Pursuant to CPPA regulations effective January 1, 2026, the default reference period is the past 12 months, but you may request data collected since January 1, 2022 (see section 10.1):

4.1 Professional User (Physician / Clinic)

When creating an account and using ScalpScan.AI Professional, we collect:
• Full name
• Professional email address (for OTP verification via email)
• Phone number (for OTP verification via WhatsApp)
• Authentication data (email, encrypted password, internal ID)
• City / State / Country
• Date of birth (users under 18 are prohibited from registering)
• Signup source
• Usage and navigation data in the panel (access logs, timestamps, actions performed)

4.2 Professional User — Data Collected from the Patient

• Patient data: name, age, phone number and email.

• Consent record: cryptographic hash, server timestamp and version of the accepted document.

• 3D scalp model (USDZ) — biometric sensitive personal information.

• Clinical metadata and annotations (health sensitive personal information).

Note: This record corresponds to the declaration by the physician that they obtained the patient's consent in person. Responsibility for obtaining consent lies exclusively with the healthcare professional.

4.3 Patient User

When creating an account in ScalpScan.AI Patient:

• Full name.

• Email address.

• Phone number.

• Authentication data (email, encrypted password, internal ID).

• 3D scalp model (USDZ) — collected exclusively at the moment the patient opts to share with a physician.

• Consent record: cryptographic hash, server timestamp and version of the accepted document.

4.4 Information We Do NOT Collect

HRS does NOT collect, store or process:
• Original photographs captured during scanning (remain on the user's device)
• Social Security Number (SSN) or government-issued identification documents
• Precise geographic location data (GPS)
• Financial or credit card data
• Content of private communications
• Data of persons under 18 years of age (use expressly prohibited)
• Data for behavioral advertising or consumer profiling purposes

5. Purposes of Processing

HRS uses the personal information collected exclusively for the following business and service purposes:

• Provision of the contracted three-dimensional scalp analysis service

• Authentication and identity verification of users

• Platform security, fraud prevention and system integrity

• Compliance with applicable legal and regulatory obligations

• Transactional communications related to the service

• Technical support to users

⚠ HRS does NOT sell personal information of California consumers to third parties. HRS does NOT share personal information for cross-context behavioral advertising. There is therefore no right of opt-out of sale or sharing to be exercised at this time.

6. Disclosure of Personal Information

6.1 Service Providers

HRS has disclosed the following categories of personal information to the service providers listed below in the past 12 months, pursuant to contracts that prohibit the use of the information for purposes beyond the provision of the contracted service (CPPA Reg. § 7011):

6.2 Restrictions on Disclosure

HRS does NOT:
• Sell personal information to third parties for any monetary or other valuable consideration;
• Share personal information for cross-context behavioral advertising;
• Disclose health or biometric information to third parties not listed in this Policy;
• Use health or biometric data for purposes other than the provision of the contracted medical service.

7. Sensitive Personal Information (CPRA)

The CPRA created a special category of "sensitive personal information", subject to additional rights and restrictions. HRS processes the following categories of sensitive personal information:

• Biometric data: three-dimensional (3D) scalp model in USDZ format, used exclusively for the provision of the contracted medical service.

• Health data: clinical metadata and annotations associated with the 3D model, used exclusively for the provision of the contracted medical service.

HRS does not use sensitive personal information to infer characteristics about consumers. Use is restricted to the provision of the medical service requested by the user, as permitted by the CPRA (Cal. Civ. Code § 1798.121).

ℹ Right to Limit Use of Sensitive Personal Information: You have the right to request that HRS limit the use of your sensitive personal information to what is strictly necessary for the provision of the service. As HRS already restricts use of this information to that purpose, there is no additional use to be limited. For questions, contact: dpo@scalpscan.ai.

8. Data Transfers

Personal information of California users is transferred to and stored on servers located in the United States of America (AWS, us-east-1 region). No transfers of data to countries outside the USA occur at this time.

9. Retention Periods

Personal information is retained for the time necessary for the purposes described in this Policy, subject to the following periods:

10. California Consumer Rights

Pursuant to the CCPA/CPRA, consumers residing in California have the following rights:

10.1 Right to Know

You have the right to request that HRS disclose:
• The categories of personal information collected about you;
• The categories of sources from which the information was collected;
• The business or commercial purpose for the collection;
• The categories of service providers with whom the information was shared;
• The specific personal information collected about you, in a portable, readily usable format where technically feasible.

Lookback period: Pursuant to CPPA regulations effective January 1, 2026 (Reg. § 7024), you may request personal information collected since January 1, 2022. The default response period is the past 12 months; to request the full history since January 2022 or a specific date range, indicate the desired period in your request email. Information collected before January 1, 2022 may not be available.
Request limit: HRS is required to fulfill up to 2 (two) access requests per consumer in each 12-month period (Cal. Civ. Code § 1798.130(a)(3)).

10.2 Right to Delete

You have the right to request deletion of personal information collected by HRS, subject to applicable legal exceptions (such as legal retention obligations and defense of rights in litigation).

10.3 Right to Correct

You have the right to request correction of inaccurate personal information maintained by HRS.

10.4 Right to Non-Discrimination

HRS will not discriminate against you for exercising any right provided under the CCPA/CPRA. You will not be subject to different prices, reduced service levels or any other negative treatment as a result of exercising your rights.

10.5 Right to Opt-Out of Sale and Sharing

HRS does not sell or share personal information for behavioral advertising purposes. There is therefore no opt-out to be exercised at this time. Should this practice be adopted in the future, this Policy will be updated and the link "Do Not Sell or Share My Personal Information" will be made available.

10.6 Right to Limit Use of Sensitive Personal Information

As described in section 7, HRS already limits the use of sensitive personal information to the provision of the contracted service. There is no additional use to be limited. You may formally exercise this right through the channel dpo@scalpscan.ai.

11. How to Exercise Your Rights

To exercise any of the rights described in this Policy, California consumers may:
• Send an email to: dpo@scalpscan.ai
• Include in the email: full name, email address registered on the platform, description of the right to be exercised and, where applicable, the reference period (e.g., 'all data since January 1, 2022').

Response time: HRS will respond to requests within 45 days. This period may be extended by a further 45 days with prior notice to the consumer, where necessary due to complexity or volume of requests (Cal. Civ. Code § 1798.130).
Identity verification: HRS may request additional information to verify the consumer's identity before processing the request, in order to protect personal information against unauthorized access.
Authorized agent: You may designate an authorized agent to exercise your rights on your behalf. HRS may require written proof of the authorization and direct identity verification from the consumer.

12. Information Security

HRS adopts technical and organizational measures appropriate to the sensitivity of the information processed, including:

• AES-256 encryption at rest for all data stored on AWS.

• TLS 1.3 protocol for data transmission in transit.

• Role-based access control (RBAC) and identity management (IAM).

• Immutable audit logs for operations involving sensitive data.

• Photographs captured during scanning stored exclusively on the user's device.

• Immutable consent records with cryptographic hash and server timestamp.

13. Security Incidents

In the event of a data breach affecting unencrypted or unredacted personal information of California consumers, HRS will notify affected consumers as required by California's data breach notification law (Cal. Civ. Code § 1798.29 and § 1798.82), in the most expedient time possible and without unreasonable delay.
Consumers affected by a data breach resulting in unauthorized access to unencrypted personal information have the right to bring a civil action for statutory damages pursuant to the CCPA (Cal. Civ. Code § 1798.150).

14. Automated Processing

ScalpScan.AI uses computational methods and algorithms to generate 3D models and scalp analysis metrics. This processing does not constitute automated decision-making with legal or significant effects on the consumer. The physician is solely responsible for clinical assessment and treatment decisions.

Effective January 1, 2027, if HRS begins using Automated Decision-Making Technology (ADMT) with significant effects on California consumers, as defined by CPPA regulations, HRS will provide specific prior notice and make an opt-out mechanism available before any such use. This Policy will be updated accordingly.

15. Changes to this Policy

HRS may update this Policy periodically. Material changes will be communicated with a minimum of 15 days' notice by email and publication on the Policy page. The current version will always be available at https://www.scalpscan.ai/privacy-policy.

16. Applicable Law

This Policy is governed by the California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act (CPRA), Proposition 24 (2020), and other applicable California state law.
For questions related to the CCPA/CPRA, California consumers may also contact the California Privacy Protection Agency (CPPA): https://cppa.ca.gov.

HAIR RESTORATION SCIENCE LTDA.

dpo@scalpscan.ai | support@scalpscan.ai
https://www.scalpscan.ai/privacy-policy | Version 2.0 (CCPA/CPRA) — March 2026