TERMS OF USE

ScalpScan.AI | ScalpScan.AI Patient

HAIR RESTORATION SCIENCE LTDA.

Version 2.0 — Global Edition | March 2026

Applicable to: Physicians, Clinics and Patients | DPO: dpo@scalpscan.ai

https://www.scalpscan.ai/privacy-policy

1. ACCEPTANCE OF TERMS

1.1. By registering, accessing or using any of the Applications, the User declares to have read, understood and expressly agreed to these Terms, the integrated Privacy Policy (available at https://www.scalpscan.ai/privacy-policy) and any future updates, manifesting unequivocal electronic acceptance.

1.2. Acceptance is formalised at the time of registration, by creating an account in the Application. The Terms of Use and Privacy Policy are available on the application page in the App Store prior to download. The system automatically records, in an immutable manner: the version of the documents in force on the date of registration, the cryptographic hash and the server timestamp.

1.3. Refusal or disagreement with any clause obliges the User to immediately cease use of the Applications and delete their account directly in the Application Settings, or through the channel: support@scalpscan.ai.

2. DEFINITIONS

2.1. Application / ScalpScan.AI — Software designed for Professional Users that captures images and depth data of the scalp, generates life-size 3D models (USDZ), performs quantitative measurement of alopecia areas and produces follicular density metrics. Operates in a hybrid architecture: local processing (edge computing) on the device + storage of the final 3D model in AWS backend.

2.2. ScalpScan.AI Patient — Application designed for Patient Users, which enables the performance of a 3D scan of the scalp outside the clinical environment, with subsequent sharing of the model with a Professional User (via code). Models not shared with a physician are stored exclusively on the patient's device, without being sent to the HRS backend.

2.3. Professional User — Physician with an active professional registration, or a clinic under the technical responsibility of a qualified physician, holding the licence to use the Application.

2.4. Patient User — Natural person who uses ScalpScan.AI Patient for their own scanning, on their own initiative or at a physician's request.

2.5. Patient / Data Subject — Natural person whose images, depth data, 3D models and derived metrics are processed in the Applications.

2.6. Sensitive Data / Special Categories / Sensitive Personal Information — Health data and biometric data (3D models and clinical metadata capturing unique physical characteristics of the scalp), subject to heightened protection under applicable laws, requiring specific and explicitly highlighted consent.

2.7. Joint Controllers / Co-Business — HAIR RESTORATION SCIENCE LTDA. (Controller/Data Controller for platform data) and the Professional User (Joint Controller for patient data in their account), with roles formalised by the DPA.

2.8. AWS Backend — Amazon Web Services infrastructure (EC2/MySQL + S3), us-east-1 region (USA). EC2 stores registration data, metadata and credentials; S3 stores USDZ 3D files.

2.9. Registration Data — Name, email, phone number, date of birth, city/state/country, collected at registration for both user profiles.

2.10. Authentication Credentials — Registered email, password stored only as an irreversible hash (never in plain text) and internal user identifier (user ID).

2.11. Annotation Metadata — Geometric and display configuration data saved on the 3D model (selected vertices, colours and markings), which constitute sensitive health data and may form part of the medical record.

2.12. OTP — Identity verification by one-time use code sent via WhatsApp Business API (Meta Platforms / Meta Platforms Ireland Ltd.) to the Professional User, or by email to Professional and Patient Users.

2.13. Processors / Sub-processors / Service Providers — (i) Amazon AWS (EC2 + S3) — storage, USA; (ii) Meta / WhatsApp Business API — OTP verification, USA/EEA. All contractually bound by data protection obligations that prohibit use of personal data beyond the contracted service.

2.14. DPA — Joint Controllers Agreement, entered into between HRS and the Professional User, formalising roles and responsibilities regarding the processing of patient data, pursuant to applicable data protection law.

2.15. Admin Panel — Internal interface accessible exclusively by authorised HRS staff, for technical support, compliance and legal defence purposes.

2.16. Physician Code — Unique identifier generated by the Professional User to link the patient's scan to their clinical record.

2.17. "HRS" — abbreviated name for HAIR RESTORATION SCIENCE LTDA., Brazilian company registration (CNPJ) 50.807.318/0001-57, registered address: Av. Genesio Durao, 1160, apto 702, Ed. Morada do Sol, Tres Barras, Linhares/ES, CEP 29.907-010, Brazil.

3. SUBJECT MATTER AND TECHNICAL LIMITATIONS

⚠ IMPORTANT: ScalpScan.AI and ScalpScan.AI Patient are technical support tools. They do not perform diagnosis, do not replace in-person clinical examination, do not prescribe treatment, do not indicate surgical technique and do not perform any medical act.


3.1. Data architecture — Minimisation: Photographs captured during scanning are stored exclusively on the user's device and are not transmitted to the backend. The management, conservation and eventual deletion of these images is the exclusive responsibility of the user. HRS has no access to the device and does not control nor is responsible for those files. Only the final 3D model (USDZ) is sent to AWS.

3.2. The metrics, 3D models and estimates generated are objective technical inputs for clinical planning, without guarantee of absolute accuracy, as they depend on positioning, capture quality and individual patient characteristics.

3.3. Annotations on 3D models entered by the Professional User constitute sensitive health data and may form part of the medical record, subject to applicable health obligations in each jurisdiction.

3.4. ScalpScan.AI may be used in any territory, provided that applicable local laws are observed. For users in jurisdictions not expressly mentioned in these Terms, HRS voluntarily applies the highest standard of protection adopted herein.

4. ELIGIBILITY AND REGISTRATION

4.A. Professional User (Physicians and Clinics)

4.1. Use of ScalpScan.AI is restricted to physicians duly registered with competent professional bodies or clinics under the technical responsibility of a qualified physician.

4.2. The following data is collected at registration: name, email, phone number, city, state, country and date of birth. The system also records: (i) registration source (signup source); and (ii) authentication identifiers (email, password hash, internal ID).

4.3. The Professional User declares, under the penalties of applicable law, to hold an active professional registration upon accepting these Terms, assuming exclusive responsibility for the accuracy of this declaration.

4.4. The identity of the Professional User is verified by OTP via WhatsApp Business API (Meta) or by email.


4.B. Patient User (ScalpScan.AI Patient)

4.5. Any natural person aged 18 (eighteen) years or older may register in ScalpScan.AI Patient.

4.6. Persons under 18: ScalpScan.AI is not intended for use by patients under 18 years of age. Scanning of minors is expressly prohibited. By creating an account, the User expressly declares to be over 18 years of age and that they will not use the application to scan underage patients. Non-compliance is the exclusive responsibility of the User.

4.7. HRS may refuse registration, suspend or terminate access in cases of false information, professional irregularity or breach of these Terms.

5. LICENCE AND SUBSCRIPTION

5.1. HRS grants a limited, revocable, non-exclusive, non-transferable and paid licence to use ScalpScan.AI for the duration of the active subscription. ScalpScan.AI Patient is licensed free of charge.

5.2. Trial period: ScalpScan.AI offers a free trial period of 7 (seven) days. If not cancelled before the end of the trial, automatic billing will commence according to the selected plan (monthly, semi-annual or annual). Cancellation must be made directly through Apple: Settings → your name → Subscriptions → ScalpScan.AI → Cancel Subscription, at least 24 hours before the end of the trial period to avoid being charged for the first cycle. HRS does not process charges directly and has no access to the User's payment data.

5.3. Billing: Payment is processed via the App Store (Apple). HRS does not process payment data directly.

5.4. Price Changes: For subscriptions managed by Apple, communication of price changes and user acceptance occur entirely within the App Store ecosystem. HRS does not control this process. The User may cancel the subscription before the effective date of the new price without additional charge.


The following are expressly prohibited:

•use for unlawful or unauthorised purposes;

•sharing credentials or access by unauthorised third parties;

•reverse engineering, decompilation, modification or exploitation of algorithms;

•use of bots, scripts or unauthorised automation;

•any conduct that compromises the security, integrity or availability of the platform.

6. CLOUD STORAGE (AWS) AND PROCESSORS

6.1. Data transmitted by the Application is stored on Amazon Web Services (AWS) servers, us-east-1 region (USA):

•AWS EC2/MySQL: registration data, signup source, authentication credentials (irreversible hash), 3D model metadata and annotation metadata.

•AWS S3: finalised USDZ 3D files. Photographs captured during scanning remain on the user's device and are not transmitted to the cloud.


6.2. Security measures adopted:

•AES-256 encryption at rest (EC2 and S3);

•TLS 1.3 or higher protocol for transmission;

•IAM access controls with least privilege principle (RBAC);

•Immutable access and audit logs; automatic backups pursuant to the retention periods in Clause 13.


6.3. Admin Panel: Accessible exclusively to authorised HRS staff upon secure authentication, for technical support, compliance and legal defence purposes. All access is recorded in audit logs.

7. IDENTITY VERIFICATION (OTP)

7.1. HRS uses OTP sent via WhatsApp Business API (Meta Platforms Ireland Ltd. / Meta Platforms, Inc.) to the registered phone number of the Professional User, or via email to the registered address of Professional and Patient Users.
7.2. The OTP mechanism operates differently depending on the user profile:
•Professional User: OTP may be sent via WhatsApp Business API (Meta) or by email, according to the channel selected at registration. When the Professional User opts for WhatsApp, they expressly consent to their phone number being shared with Meta exclusively for code delivery. This transfer is covered by the safeguards described in Clause 15. Meta processes the number exclusively for OTP delivery purposes.
•Patient User: OTP is sent exclusively by email, without any sharing of data with Meta or third parties.
7.3. OTP is single-use and has limited validity. The user is responsible for the confidentiality of the received code.
7.4. HRS does not store the content of WhatsApp messages; it only records the verification event (a boolean success/failure flag) and the date/time. This log is deleted after 90 days as a data minimisation measure.

8. DATA PROCESSING ROLES

8.A. HAIR RESTORATION SCIENCE LTDA. as Controller

8.1. HRS is the Controller / Data Controller / Business and is directly accountable to competent authorities for the processing of: (i) registration and authentication data of Professional and Patient Users; (ii) OTP verification logs; (iii) patient folders created on the platform; (iv) 3D models and metadata stored on AWS.

8.2. Legal bases and purposes used by HRS:

•Performance of a contract: data necessary for the provision of the service to the Professional User.

•Health purposes by a qualified professional: legal basis of the Professional User (joint controller) for the processing of the patient's sensitive data during the in-person scan.

•Explicit and specific consent: legal basis for sensitive data of Patient Users in the direct sharing flow via ScalpScan.AI Patient, collected directly from the data subject.

•Documented legitimate interest: for signup source, assessed in a documented balancing test.

•Legal obligation: for compliance with requirements of competent authorities.


8.B. Professional User as Joint Controller

8.3. The Professional User is a Joint Controller for patient data for clinical use purposes (preparation of medical records, surgical planning, etc.), answering independently before competent authorities and applicable professional regulatory bodies.

8.4. Roles are formalised by the DPA, incorporated into these Terms of Use and accepted by the Professional User at registration, setting out each party's responsibilities regarding legal basis, security, handling of data subject requests and incident notification. The full text of the DPA is available upon request at dpo@scalpscan.ai.

8.5. The Professional User may not invoke HRS's records to justify their obligations before competent authorities. Maintaining the medical record for the period required by the health legislation applicable in their jurisdiction, obtaining the patient's informed consent and clinical responsibility for data processed for diagnostic and therapeutic purposes are exclusive obligations of the physician joint controller, independent and parallel to HRS's obligations.

9. HRS RESPONSIBILITIES AS CONTROLLER

HRS, as Controller / Data Controller, is responsible for:

•Maintaining immutable technical records (append-only) of all consents collected, including: data subject ID, version and hash of the accepted document, server timestamp and collection mechanism;

•Informing users that photographs captured remain on the device and may be manually deleted;

•Keeping the DPO channel (dpo@scalpscan.ai) operational, responding to data subjects within 15 days (general standard), observing more favourable deadlines required by the legislation of the data subject's country where applicable;

•Complying with the retention and deletion periods defined in Clause 13;

•Notifying the competent authority and affected Data Subjects without undue delay and, where possible, within a maximum of 72 hours after becoming aware of a security incident with relevant risk or harm;

•Preparing and keeping updated the Records of Processing Activities (RoPA) and the Data Protection Impact Assessment (DPIA), as required by applicable laws;

•Conducting cybersecurity audits and Privacy Impact Assessments (PIAs) as required for the large-scale processing of sensitive data.

10. PROFESSIONAL USER RESPONSIBILITIES AS JOINT CONTROLLER

10.1. Mandatory consent: When manually creating the patient folder — i.e., when the patient does not have their own account in ScalpScan.AI Patient — the Professional User is required to obtain the patient's free and informed consent in person, prior to scanning, in accordance with applicable professional health obligations in their jurisdiction. The record generated in the system by the physician's declaration does not replace this obligation.


⚠ ATTENTION — PHYSICIAN: The declaration recorded in the system at the time of patient folder creation does not replace the formal consent required by applicable medical professional standards in your jurisdiction, nor the obligation to document such consent in the medical record. The Professional User answers independently before competent authorities for any non-compliance, including the obligation to keep the medical record for the period required by applicable health legislation in their jurisdiction.


10.2. System declaration — mandatory checkbox: When creating each patient folder, the Professional User must tick the mandatory declaration checkbox: "I declare that I informed this patient about the functioning of ScalpScan.AI, including the nature of the biometric and health data collected, the identity of the parties processing such data, the applicable retention periods, and the patient's right to withdraw consent at any time through the channel dpo@scalpscan.ai or directly with the undersigned physician. I obtained the free, specific and informed consent of the patient for the performance of the scan and for the storage and processing of the generated data, in accordance with applicable data protection law and applicable professional medical standards." The “Create Patient” button remains disabled until the checkbox is ticked.
10.2-A. Nature of the record: The record generated by the system on the “Add New Patient” screen does not constitute direct consent by the patient, but rather proof of the physician joint controller's declaration that they obtained such consent from the patient. The system immutably records: (i) subjectId; (ii) patientId; (iii) consentDeclaration=true; (iv) documentVersion; (v) SHA-256 hash of the document; (vi) collectionMethod="checkbox"; and (vii) server timestamp. Responsibility for the accuracy of this declaration lies exclusively with the physician joint controller.
10.3. Persons under 18: Scanning of minors is expressly prohibited by the Application. The Professional User declares, by accepting these Terms, that they will not use the platform to scan patients under 18 years of age. Non-compliance is the exclusive responsibility of the Professional User.
10.4. Documentation in the medical record: The physician must export and archive the consent record and relevant clinical information in their medical record system, in accordance with applicable health legislation in their jurisdiction.
10.5. Export of clinical data: HRS makes available, throughout the 60-day grace period following subscription cancellation, an individual export function for videos and 3D models, accessible directly in the Professional User's panel. Failure to use the export function is the exclusive responsibility of the Professional User.
10.6. Autonomous responsibility: The physician answers independently before competent authorities and applicable professional regulatory bodies, and may not invoke HRS's records to justify their own obligations.

11. SHARING OF 3D MODELS

11.1. The Professional User may make the 3D model generated by ScalpScan.AI available to the patient by sending the USDZ file or an exported video directly, outside the ScalpScan.AI interface, through external communication channels chosen by the Professional User. Such sending does not generate a sharing record in the HRS system.

11.2. A patient with a ScalpScan.AI Patient account may share their 3D model with the Professional User by entering the Physician Code in the Application. By doing so, the patient: (i) expressly consents to the physician's access to the model; (ii) acknowledges that the physician joint controller gains access to the model for clinical purposes and is responsible for integrating it into the medical record and keeping it for the minimum period required by applicable health legislation, regardless of HRS's retention periods; (iii) declares to have been informed about the purposes of sharing. The system records the consent immutably, containing: patient ID, model ID, recipient physician ID, server timestamp, version and hash of the accepted document, and confirmation of the patient's active consent. The link is unidirectional.

11.3. Unshared model: 3D models generated by the patient in ScalpScan.AI Patient that are not shared remain stored only on the patient's local device.

11.4. Folder deletion: Irreversible operation executed as a unit: folder + metadata (EC2) + 3D file (S3). The physician is solely responsible for keeping clinical data in their medical record system before requesting deletion. Deletion is irreversible. An audit trail is maintained separately, in an immutable manner.

12. DATA SUBJECT RIGHTS

HRS guarantees the following rights to all data subjects / users / consumers, regardless of their location, through the channel dpo@scalpscan.ai:
•Confirmation of the existence of processing and access to processed data, in portable and machine-readable format, where technically feasible;
•Correction of incomplete, inaccurate or outdated data;
•Erasure / deletion of data, within the limits provided by law;
•Data portability to another provider, in a structured and commonly used format;
•Withdrawal of consent at any time, free of charge, without prejudice to processing carried out prior to withdrawal;
•Objection to processing based on legitimate interest;
•Restriction of processing in specific circumstances;
•Not to be subject to a decision based solely on automated processing with significant effects;
•Not to be discriminated against for exercising any of the above rights;
•Limit the use of sensitive data to what is strictly necessary for the provision of the service;
•Information about the entities with whom their data was shared;
•Lodge a complaint with the data protection authority competent in their country;
•Request the history of data collected since 1 January 2022, or specify the desired period — HRS fulfils up to 2 access requests per data subject in each 12-month period.

Response time: Up to 15 days for data subjects in Brazil | up to 1 month, extendable by a further 2 months, for data subjects in the EEA/UK | up to 45 days, extendable by a further 45 days, for consumers in California | up to 30 days for all other jurisdictions.
Identity verification: HRS may request additional information to verify identity before processing a request.
Authorised agent: The data subject may designate a representative to exercise their rights on their behalf. HRS may require proof of the authorisation.


ℹ Data protection authorities: Brazil — ANPD (www.gov.br/anpd) | European Union — authority of the Member State of residence (edpb.europa.eu) | United Kingdom — ICO (ico.org.uk) | California — CPPA (cppa.ca.gov) | Canada — OPC (priv.gc.ca) | Australia — OAIC (oaic.gov.au) | For other jurisdictions, the full list of competent authorities is provided upon request at dpo@scalpscan.ai.

13. DATA RETENTION AND DELETION

13.A. Retention Table by Data Category

⚠ Medical record: ScalpScan.AI does not constitute a medical record system. HRS makes video and 3D model export available during the 60-day grace period. The physician joint controller is solely responsible for exporting and keeping clinical data in their own system before this period ends. The retention period for medical records required by applicable health legislation in your jurisdiction may be significantly longer than the 60-day grace period.


13.B. Deletion Procedures

13.1. Following subscription cancellation by the Professional User, access is restricted to export during the 60 (sixty) day grace period. After this period, 3D models, metadata and patient folders will be irreversibly deleted or anonymised.

13.2. Applicable retention and deletion periods are described in the table above and in the Privacy Policy, available at https://www.scalpscan.ai/privacy-policy.

13.3. Expiry of the grace period without export by the Professional User releases HRS from liability for the loss of information necessary to comply with applicable health regulations or other legal obligations of the physician.

14. SENSITIVE DATA

HRS processes the following categories of sensitive data / special categories / sensitive personal information:

•Biometric data: three-dimensional (3D) scalp model in USDZ format, used exclusively for the provision of the contracted medical service.

•Health data: clinical metadata and annotations associated with the 3D model, used exclusively for the provision of the contracted medical service.


HRS does not use sensitive data to infer characteristics about data subjects, nor for any purpose beyond the provision of the medical service requested by the user. Use is restricted to the minimum necessary.


ℹ Right to Limit Use of Sensitive Data: HRS already limits the use of sensitive data to what is strictly necessary for the provision of the service. There is no additional use to be limited at this time. For questions or to formally exercise this right: dpo@scalpscan.ai.

15. INTERNATIONAL DATA TRANSFERS

15.1. Due to the use of AWS services (USA) and Meta/WhatsApp Business API (USA/EEA), personal data of users is transferred internationally to the United States of America.

15.2. All transfers are covered by Standard Contractual Clauses (SCCs/CCPs) approved by competent authorities, incorporated without modification in contracts with each processor: Resolution CD/ANPD No. 19/2024 (Brazil) and European Commission Decision 2021/914, Module 2 (EEA/UK).

15.3. Pursuant to the Schrems II ruling (Case C-311/18), HRS has conducted a Transfer Impact Assessment (TIA) for each transfer to the USA, concluding that the supplementary technical measures adopted (AES-256 at rest and TLS 1.3 in transit) ensure a level of protection equivalent to that of the country of origin of the data. Copies of the SCCs/CCPs and TIA are available upon request at dpo@scalpscan.ai.

15.4. Processors responsible for transfers:

•Amazon Web Services, Inc. — storage and processing (EC2/MySQL + S3), USA;

•Meta Platforms Ireland Ltd. / Meta Platforms, Inc. — OTP verification via WhatsApp Business API, USA/EEA.

16. DATA MIGRATION

16.1. Users who already had an account before the backend implementation may continue using the Applications in legacy flow or new flow (with backend authentication).
16.2. HRS undertakes to migrate all active users to the backend flow in the shortest possible time, communicating in advance through public channels.
16.3. 3D models created in the legacy flow (stored on the device or iCloud) are not automatically migrated to the cloud. The user is responsible for any manual migration.

17. INTELLECTUAL PROPERTY

17.1. The Application, its algorithms, measurement methods, source code, trademarks, pending or granted patents, interfaces and content are the exclusive property of HRS or licensed third parties.

17.2. Nothing in these Terms grants the User any ownership right, broad licence or economic exploitation of the technology.

18. LIMITATION OF LIABILITY

18.1. HRS is not liable for: (a) clinical decisions, diagnoses or results of procedures; (b) indirect damages, loss of profits, loss of clinical data or business interruption resulting from failures originating outside HRS's infrastructure, including device failures, connectivity disruptions, unavailability of third-party services (Apple App Store, AWS, Meta) and force majeure events beyond HRS's technical control, provided HRS did not contribute to the event; (c) loss of clinical data resulting from failure to use the export function made available by the platform under Clause 10.5.


The above limitations apply to the fullest extent permitted by mandatory consumer protection legislation applicable in the user's jurisdiction. Nothing in these Terms limits or excludes HRS's liability for breach of applicable data protection laws.

19. AVAILABILITY AND TECHNICAL SUPPORT

19.1. HRS will use commercially reasonable efforts to maintain 99% monthly availability, excluding scheduled maintenance, force majeure events and failures in the User's device or connectivity.

19.2. Scheduled maintenance will be communicated with at least 48 hours' notice via email or in-app notification.

19.3. The availability guarantee does not apply to: (i) user connectivity failures; (ii) device hardware issues; (iii) use of non-approved versions; (iv) factors outside HRS's infrastructure.

19.4. In the event of unavailability due to HRS's exclusive fault, the Professional User will be entitled to a proportional credit on the next invoice, limited to the subscription value corresponding to the excess unavailability period.

20. SUSPENSION AND TERMINATION

20.1. HRS may suspend or terminate the User's access in cases of: (a) serious or repeated breach of these Terms; (b) fraudulent use; (c) false registration data; (d) irregularity in professional registration or order of a competent authority; (e) court order.
20.2. In the event of termination due to the User's fault, no refund of amounts paid will be made, subject to the mandatory consumer rights provided under applicable law.

21. AUTOMATED PROCESSING AND ALGORITHMIC TRANSPARENCY

21.1. The platform uses computational methods and algorithms to process images and depth data, generate three-dimensional scalp models and produce technical scalp analysis metrics. These processes are performed in an automated manner as technical informational support for the healthcare professional.

21.2. The automated processing described in clause 21.1 does not constitute automated decision-making with significant legal or clinical effects on the data subject. The generated metrics and models are technical inputs mandatorily subject to the evaluation and validation of the physician, who is solely responsible for the clinical decision.

21.3. HRS guarantees the data subject the right to request, at any time, information about the criteria and procedures used in the platform's automated processes, as well as to contest any result they consider incompatible with their data, through the channel dpo@scalpscan.ai.

21.4. ADMT Notice — effective from 01/01/2027: Should HRS begin using automated decision-making technology (ADMT) with significant effects on data subjects, before any such use HRS will: (i) provide specific prior notice describing the ADMT logic, categories of data used and the nature of the effects; (ii) make a clear and accessible opt-out mechanism available; and (iii) update these Terms.

21.5-A. EU Artificial Intelligence Act (EU AI Act): HRS monitors the progressive application of Regulation (EU) 2024/1689 (EU AI Act), in force since August 2024. ScalpScan.AI uses computational systems to generate 3D models and scalp metrics. A definitive assessment of the applicable risk classification under the AI Act depends on specific legal and technical analysis, which HRS conducts on an ongoing basis. Regardless of classification, HRS guarantees: (i) mandatory human oversight — the physician joint controller is solely responsible for the clinical decision; (ii) transparency about algorithm criteria and procedures, available upon request to the DPO; and (iii) updating these Terms when new AI Act obligations come into force for the type of system used by the platform.

21.5. Technological evolution: HRS may update features, algorithms and analysis methods without formal amendment of these Terms, provided such changes do not entail: (i) a new processing purpose incompatible with the original consent; (ii) new processing of sensitive data not previously disclosed; or (iii) sharing with new third parties not listed herein. When any of these circumstances arise, the rules of clause 22.2 apply.

22. AMENDMENTS TO THESE TERMS

22.1. Material changes will be communicated with a minimum of 15 (fifteen) days' notice before taking effect, by means of a transactional email sent to registered users and publication of the new version on the Privacy Policy page (https://www.scalpscan.ai/privacy-policy).
22.2. Continued use after changes take effect constitutes tacit acceptance exclusively for clauses of a commercial and operational nature. For changes that entail: (i) new processing of sensitive data; (ii) new purposes incompatible with the original consent; or (iii) sharing with new third parties, new explicit and specific consent from the data subject will be required, collected before the change takes effect. The User may cancel the subscription before the effective date of the changes without additional charge.

23. APPLICABLE LAW AND JURISDICTION

23.1. These Terms are governed by international data protection standards and the highest standard of the main applicable privacy laws. For users in jurisdictions not expressly mentioned, HRS voluntarily applies the same high standard adopted in these Terms.

23.2. Data subjects have the right to lodge a complaint with the data protection authority competent in their country (see Clause 12). Consumer rights guaranteed by mandatory local law are fully preserved, regardless of any contrary contractual provision.

23.3. For contractual disputes between the parties, the courts of the Judicial District of Linhares, State of Espirito Santo, Brazil, are elected as the competent forum, without prejudice to consumer rights guaranteed by mandatory local law.

23.4. Before resorting to legal proceedings, the Parties undertake to seek amicable resolution by formal notification to the channel support@scalpscan.ai, with a negotiation period of up to 30 (thirty) business days.

24. CONTACT CHANNELS

The official HRS channels and the Data Protection Officer / DPO are identified below:

The DPO is the official channel of communication between HRS, data subjects and competent authorities in any jurisdiction. The identity of the person responsible for the channel may be obtained upon request at the same address.

HAIR RESTORATION SCIENCE LTDA.

dpo@scalpscan.ai | support@scalpscan.ai
https://www.scalpscan.ai/privacy-policy | Version 2.0 (Global) — March 2026

TERMS OF USE

ScalpScan.AI | ScalpScan.AI Patient

HAIR RESTORATION SCIENCE LTDA.

HAIR RESTORATION SCIENCE LTDA. | CNPJ: 50.807.318/0001-57 | Av. Genesio Durao, 1160, apto 702, Ed. Morada do Sol, Tres Barras, Linhares/ES, CEP 29.907-010, Brazil

Version: 2.0 | Date: March 2026

Applicable to: Physicians, Clinics and Patients | DPO: dpo@scalpscan.ai

Applicable legislation


Law No. 13.709/2018 (LGPD) | Law No. 12.965/2014 (Marco Civil da Internet) | Law No. 8.078/1990 (Consumer Protection Code)
Law No. 10.406/2002 (Civil Code) | CFM Res. No. 1.821/2007 | CFM Res. No. 2.217/2018 | Law No. 9.610/1998 (Copyright) | Law No. 9.279/1996 (Industrial Property)

1. ACCEPTANCE OF TERMS

1.1. By registering, accessing or using the ScalpScan.AI or ScalpScan.AI Patient applications (“Applications”), you declare that you have read, understood and expressly agree to these Terms of Use, the integrated Privacy Policy (available at https://www.scalpscan.ai/privacy-policy) and any future updates. This constitutes unequivocal electronic acceptance (Art. 10, §2, Marco Civil da Internet; Art. 425, Civil Code).
1.2. Acceptance is formalised upon account creation. The current versions of these Terms and the Privacy Policy are available on the App Store page before download. The system automatically and immutably records the document version, cryptographic hash and server timestamp on the registration date (Art. 8, §2, LGPD).
1.3. If you do not agree with any clause, you must immediately stop using the Applications and delete your account via the app settings or by contacting support@scalpscan.ai.

2. DEFINITIONS

2.1. Application / ScalpScan.AI — Software designed for Professional Users that captures images and depth data of the scalp, generates life-size 3D models (USDZ), performs quantitative measurement of alopecia areas and produces follicular density metrics. Operates in a hybrid architecture: local processing (edge computing) on the device + storage of the final 3D model in AWS backend.

2.2. ScalpScan.AI Patient — Application designed for Patient Users, enabling autonomous 3D scanning of the scalp, with subsequent sharing of the model with a Professional User (via code). Models not shared with a physician are stored exclusively on the patient's device and are not sent to the HAIR RESTORATION SCIENCE LTDA. backend.

2.3. Professional User — Physician with an active registration in the CRM (Brazilian Medical Council) or clinic under the technical responsibility of a qualified physician, licensee.

2.4. Patient User — Natural person who uses ScalpScan.AI Patient for their own scanning, on their own initiative or at a physician's request.

2.5. Patient / Data Subject — Natural person whose images, depth data, 3D models and derived metrics are processed in the Applications.

2.6. Sensitive Data — Health data and biometric data (3D models and clinical metadata capturing unique physical characteristics of the scalp), classified as sensitive pursuant to Art. 5, II of the LGPD, requiring specific and highlighted consent (Art. 11, I, LGPD).

2.7. Joint Controllers — HAIR RESTORATION SCIENCE LTDA. (Controller of platform data) and the Professional User (Joint Controller of the data of patients in their account), with roles formalised by the DPA.

2.8. AWS Backend — Amazon Web Services infrastructure (EC2/MySQL + S3), us-east-1 region (USA). EC2 stores registration data, metadata and credentials; S3 stores USDZ 3D files.

2.9. Registration Data — Name, email, phone number, date of birth and city/state/country, collected at registration for both user profiles.

2.10. Authentication Credentials — Registered email, password stored only as an irreversible (one-way) hash, never in plain text, and internal user identifier (user ID).

2.11. Annotation Metadata — Geometric and display configuration data saved on the 3D model (selected vertices, colours and markings), which constitute sensitive health data (Art. 11, LGPD) and may form part of the medical record.

2.12. OTP — Identity verification by a one-time code sent via WhatsApp Business API (Meta Platforms, USA) to the Professional User, or by email to Professional and Patient Users.

2.13. Sub-processors — (i) Amazon AWS (EC2 + S3) — storage, USA; (ii) Meta/WhatsApp Business API — OTP verification, USA. All subject to the mechanisms of Art. 33 of the LGPD and the Standard Contractual Clauses approved by the ANPD (Resolution CD/ANPD No. 19/2024, Annex II).

2.14. DPA — Joint Controllers Agreement, entered into between HAIR RESTORATION SCIENCE LTDA. and the Professional User, formalising roles and responsibilities regarding the processing of patient data.

2.15. Admin Panel — Internal interface accessible exclusively by authorised staff of HAIR RESTORATION SCIENCE LTDA., for technical support, compliance and legal defence purposes.

2.16. Physician Code — Unique identifier generated by the Professional User to link the patient's scan to their clinical record.

2.17. "HRS" — abbreviated name used in these Terms for HAIR RESTORATION SCIENCE LTDA., a private legal entity registered under CNPJ No. 50.807.318/0001-57, with registered address at Av. Genesio Durao, 1160, apto 702, Ed. Morada do Sol, Tres Barras, Linhares/ES, CEP 29.907-010, Brazil, Controller of the data processed on the Platform under this Policy.

3. PURPOSE AND TECHNICAL LIMITATIONS

⚠ IMPORTANT: ScalpScan.AI and ScalpScan.AI Patient are technical support tools only. They do not perform medical diagnoses, replace in-person clinical examinations, prescribe treatments, indicate surgical techniques or carry out any medical act.


3.1. Data architecture and minimisation (Art. 6, III, LGPD): Photographs captured during scanning remain stored exclusively on the user’s device and are never transmitted to HRS’s backend. The management, storage and deletion of these photographs are the user’s sole responsibility. HRS has no access to the device and is therefore neither able to control nor responsible for such files (Art. 42, §2, LGPD). Only the final 3D model (USDZ) is sent to AWS.

3.2. The metrics, 3D models and estimates generated are objective technical inputs for clinical planning, without guarantee of absolute accuracy, as they depend on positioning, capture quality and individual patient characteristics.

3.3. Annotations on 3D models entered by the Professional User constitute sensitive health data (Art. 11, LGPD) and may form part of the medical record, subject to the obligations of CFM Resolution No. 1.821/2007.

3.4. ScalpScan.AI may be used domestically and internationally, provided that applicable local laws are observed.

4. ELIGIBILITY AND REGISTRATION

4.A. Professional User (Physicians and Clinics)

4.1. Use of ScalpScan.AI is restricted to physicians duly registered with the Brazilian Medical Council (CRM) or clinics under the technical responsibility of a qualified physician.

4.2. The following data is collected at registration: name, email, phone number, city, state, country, date of birth. The system also records: (i) registration source (signup source); and (ii) authentication identifiers (email, hashed password, internal ID).

4.3. The Professional User declares, under the penalties of law, to hold an active CRM registration upon accepting these Terms, assuming exclusive responsibility for the accuracy of this declaration.

4.4. The identity of the Professional User is verified by OTP via WhatsApp Business API (Meta) or by email.


4.B. Patient User (ScalpScan.AI Patient)

4.5. Any natural person who is at least 18 (eighteen) years old may register in ScalpScan.AI Patient.

4.6. Minors: ScalpScan.AI is not intended for use by or on patients under 18 years of age. Scanning of minors is strictly prohibited. By creating an account, you expressly declare that you are at least 18 years old and that you will not scan any person under 18. Any non-compliance is your exclusive responsibility (Art. 43, III, LGPD and Art. 12, §3, III, Consumer Protection Code). HRS assumes no liability in such cases.

4.7. HRS may refuse registration, suspend or terminate access in cases of false information, professional irregularity or breach of these Terms.

5. LICENCE AND SUBSCRIPTION

5.1. HRS grants you a limited, revocable, non-exclusive, non-transferable and paid licence to use ScalpScan.AI for the duration of your active subscription. ScalpScan.AI Patient is provided free of charge.

5.2. Free Trial: ScalpScan.AI offers a 7-day free trial. Unless cancelled at least 24 hours before the end of the trial, the subscription will automatically renew and billing will begin according to the chosen plan. Cancellation must be made directly through Apple (Settings → [your name] → Subscriptions → ScalpScan.AI → Cancel Subscription). HRS does not process payments and has no access to your payment information.

5.3. Billing: Payment is processed via the App Store (Apple). HAIR RESTORATION SCIENCE LTDA. does not process payment data directly.

5.4. Price Changes: For subscriptions managed by Apple, communication of price changes and user acceptance occur entirely within the App Store ecosystem. HAIR RESTORATION SCIENCE LTDA. does not control this process and is not responsible for price communications, which are the exclusive responsibility of Apple towards the user. The User may cancel the subscription before the effective date of the new price without additional charge.


The following are expressly prohibited:

•use for unlawful or unauthorised purposes;

•sharing credentials or access by unauthorised third parties;

•reverse engineering, decompilation, modification or exploitation of algorithms;

•use of bots, scripts or unauthorised automation;

•any conduct that compromises the security, integrity or availability of the platform.

6. CLOUD STORAGE (AWS) AND SUB-PROCESSORS

6.1. Data transmitted by the Application is stored on Amazon Web Services (AWS) servers, us-east-1 region (USA):

•AWS EC2/MySQL: registration data (name, email, phone number, date of birth, city/state/country), signup source, authentication credentials (irreversible hash), 3D model metadata and annotation metadata.

•AWS S3: finalised USDZ 3D files. Photographs captured during scanning remain on the user's device and are not transmitted to the cloud.

6.2. Security measures adopted:

•AES-256 encryption at rest (EC2 and S3);

•TLS 1.3 or higher protocol for transmission;

•IAM access controls with least privilege principle (RBAC);

•Access and audit logs; automatic backups pursuant to the retention periods in Clause 13.

6.3. International transfer: The transfer of data to the AWS backend (USA) is carried out based on the safeguards of Art. 33 of the LGPD, including the Standard Contractual Clauses approved by the ANPD (Resolution CD/ANPD No. 19/2024, Annex II), incorporated literally and without modification in the contracts with each sub-processor. Details in the Privacy Policy.

6.4. Admin Panel: Accessible exclusively to authorised HAIR RESTORATION SCIENCE LTDA. staff upon secure authentication, for technical support, compliance and legal defence purposes. All access is recorded in audit logs.

7. IDENTITY VERIFICATION (OTP / WHATSAPP / EMAIL)

7.1. HRS uses OTP sent via WhatsApp Business API (Meta Platforms Ireland Ltd.) to the registered phone number of the Professional User, or via email to the registered address of Professional and Patient Users, ensuring the authenticity of registrations and the security of access.
7.2. The OTP identity verification mechanism operates differently depending on the user profile:
(i) Professional User: OTP may be sent via WhatsApp Business API (Meta Platforms, USA) or by email, according to the channel selected by the User at registration. When the Professional User opts for WhatsApp, they expressly consent to their phone number being shared with Meta exclusively for code delivery, which constitutes an international data transfer to the USA covered by the safeguards described in Clause 14. Meta processes the number exclusively for OTP delivery purposes. When the selected channel is email, no data is shared with Meta.
(ii) Patient User: OTP is sent exclusively by email, without any sharing of data with Meta or third parties. No international data transfer occurs in this flow.
7.3. OTP is single-use and has limited validity. The user is responsible for the confidentiality of the received code.
7.4. HRS does not store the content of WhatsApp messages; it records only the verification event (a success/failure boolean flag) and the date/time. This log is deleted after 90 days (Art. 6, III, LGPD).

8. DATA PROCESSING ROLES UNDER THE LGPD

8.A. HRS as Controller

8.1. HAIR RESTORATION SCIENCE LTDA. is the Controller (Art. 5, VI, LGPD) and is directly accountable to the ANPD for the processing of: (i) registration and authentication data of Professional and Patient Users; (ii) OTP verification logs; (iii) patient folders entered on the platform; (iv) 3D models and metadata stored on AWS.

8.2. Legal bases used by HAIR RESTORATION SCIENCE LTDA.:

•Performance of a contract (Art. 7, V, LGPD): for data necessary for the provision of the service to the Professional User.

•Health purposes by a healthcare professional (Art. 11, II, f, LGPD): legal basis of the Professional User (joint controller), as a healthcare professional, for the processing of the patient's sensitive data during the in-person examination and scanning. For HAIR RESTORATION SCIENCE LTDA., as platform controller in this same flow, the primary legal basis is performance of a contract (Art. 7, V, LGPD) for non-sensitive data, combined with specific consent of the patient (Art. 11, I, LGPD) — formalised by the mandatory checkbox in clause 10.2 — for sensitive data processed directly by HRS.

•Specific consent (Art. 7, I and Art. 11, I, LGPD): legal basis for sensitive data of Patient Users in the direct sharing flow via ScalpScan.AI Patient, collected directly from the data subject.

•Legitimate interest (Art. 7, IX, LGPD): for signup source, assessed in a balancing test documented in the DPIA.


8.B. Professional User as Joint Controller

8.3. The Professional User acts as joint controller of their patients’ data for clinical purposes and is independently accountable to the ANPD and the CFM.

8.4. Roles are formalised by the DPA, incorporated into these Terms of Use and accepted by the Professional User at registration, setting out each party's responsibilities regarding legal basis, security, handling of data subject requests and incident notification.

8.5. The Professional User may not invoke HAIR RESTORATION SCIENCE LTDA.'s records to justify their obligations before the CFM or the ANPD. The obligation to keep the medical record for a minimum of 20 years, the obligation to obtain the patient's informed consent and the clinical responsibility for data processed for diagnostic and therapeutic purposes are exclusive obligations of the physician joint controller, independent of and parallel to HRS's obligations, pursuant to CFM Resolution No. 1.821/2007 and Art. 42, §1 of the LGPD.

9. RESPONSIBILITIES OF HAIR RESTORATION SCIENCE LTDA. AS CONTROLLER

HAIR RESTORATION SCIENCE LTDA., as Controller, is responsible for:

•Maintaining immutable technical records (append-only) of all consents collected, including: data subject ID, version and hash of the accepted document, server timestamp and collection mechanism (Art. 8, §2, LGPD);

•Informing users that photographs captured remain on the device and may be manually deleted, with management of files on the user's device not being the responsibility of HAIR RESTORATION SCIENCE LTDA. (Art. 42, §2, LGPD);

•Keeping the DPO channel (dpo@scalpscan.ai) operational, responding to data subjects within 15 (fifteen) days (Art. 18, §3, LGPD);

•Complying with the retention and deletion periods defined in Clause 13;

•Notifying the ANPD and affected Data Subjects, within 72 hours of becoming aware of the event, of any security incident with relevant risk or harm (Art. 48, LGPD; Resolution CD/ANPD No. 15/2024);

•Preparing and keeping updated the RoPA (Records of Processing Activities) and the DPIA (Data Protection Impact Assessment).

10. RESPONSIBILITIES OF THE PROFESSIONAL USER AS JOINT CONTROLLER

10.1. Mandatory consent: When manually creating the patient folder — i.e., when the patient does not have their own account in ScalpScan.AI Patient — the Professional User is required to obtain the patient's informed consent in person, before scanning, as required by the CFM. The record generated in the system by the physician's declaration does not replace this obligation, with the Professional User bearing exclusive responsibility for compliance with the formalities required by the CFM for collecting and documenting consent.
For this flow, HAIR RESTORATION SCIENCE LTDA. bases the processing of patient data on the legal basis of health purposes by a qualified professional (Art. 11, II, f, LGPD), which does not remove or reduce the autonomous obligations of the physician joint controller before the CFM and the ANPD.

⚠ Important Note for Physicians: The declaration recorded in the system is only proof that you stated you obtained consent. It does not constitute the patient’s actual consent nor relieve you of your independent obligations under CFM Resolution No. 1.821/2007 (including retaining the medical record for 20 years).

10.2. System declaration — mandatory checkbox: When creating each patient folder, the Professional User must tick the mandatory declaration checkbox: "I declare that I informed this patient about the functioning of ScalpScan.AI and obtained their free and informed consent for the scan and for the storage and processing of the generated data, in accordance with applicable data protection and medical regulations." The "Create Patient" button remains disabled until the checkbox is ticked. The system generates an immutable record with server timestamp, linked to the Professional User ID and the folder ID created.
10.2-A. Nature of the record and exclusive responsibility of the joint controller: The record generated by the system on the "Add New Patient" screen does not constitute direct consent by the patient, but rather proof of the physician joint controller's declaration that they obtained such consent from the patient. The system immutably records: (i) data subject identifier (subjectId); (ii) folder identifier (patientId); (iii) consentDeclaration=true; (iv) declared document version (documentVersion="v2.0"); (v) SHA-256 hash of the document (documentHash); (vi) collection method (collectionMethod="checkbox"); and (vii) server timestamp. Responsibility for the accuracy of this declaration lies exclusively with the physician joint controller, who answers autonomously before the ANPD and the CFM for any falsity or omission, pursuant to Art. 43, III of the LGPD.
10.3. Persons under 18: Scanning of minors is expressly prohibited by the Application. The Professional User declares, by accepting these Terms, that they will not use the platform to scan patients under 18 years of age. Non-compliance is the exclusive responsibility of the Professional User, pursuant to Art. 43, III of the LGPD.
10.4. Documentation in the medical record: The physician must export and archive the consent record and relevant clinical information in their medical record system (CFM Resolution No. 1.821/2007).
10.5. Export of clinical data: Annotations on 3D models may form part of the medical record, with a minimum retention period of 20 years (CFM No. 1.821/2007). HAIR RESTORATION SCIENCE LTDA. makes available, throughout the 60-day grace period, an individual video and 3D model export function, accessible directly in the Professional User's panel. Failure to use the export function is the exclusive responsibility of the Professional User; HAIR RESTORATION SCIENCE LTDA. cannot be held liable for loss of clinical data resulting from the joint controller's omission, pursuant to Art. 43, III of the LGPD. The Professional User is solely responsible for keeping and maintaining the clinical data in their own medical record system.
10.6. Autonomous responsibility: The physician answers independently before the ANPD and the CFM and may not invoke HAIR RESTORATION SCIENCE LTDA.'s records to justify their obligations.

11. SHARING OF 3D MODELS

11.1. The Professional User may make the 3D model generated by ScalpScan.AI available to the patient by sending the USDZ file or an exported video directly, outside the ScalpScan.AI interface. This sending occurs through external communication channels chosen by the Professional User (message, email, etc.) and does not constitute sharing within the platform, generating no sharing record in HAIR RESTORATION SCIENCE LTDA.'s system.

11.2. A patient with a ScalpScan.AI Patient account may share their 3D model with the Professional User by entering the Physician Code in the Application. By doing so, the patient: (i) expressly consents to the physician's access to the model; (ii) acknowledges that the physician joint controller gains access to the model for clinical purposes, being responsible for integrating it into the medical record and keeping it for the minimum period required by the CFM, regardless of the retention periods adopted by HAIR RESTORATION SCIENCE LTDA.; (iii) declares to have been informed about the purposes of sharing. The system records the consent immutably, containing: patient ID, model ID, recipient physician ID, server timestamp, version and hash of the accepted document, and confirmation of the patient's active consent (Art. 8, §2, LGPD). The link is unidirectional: the Professional User does not access the patient's application data without active sharing by the patient.
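As an added illustration (not code from HRS or the Applications) of the records described in clauses 10.2-A and 11.2: an append-only consent ledger that stores the fields those clauses name together with a server timestamp and the SHA-256 of the accepted document, plus a verifier that checks every stored record against the published document hashes. The field names follow the two clauses; the hash chaining between entries, the `recordType` and `professionalUserId` fields, the `GENESIS` value and the sample document text are assumptions made for the example.

```python
"""Append-only consent ledger modelled on the records in clauses 10.2-A and 11.2.
Added example only, not HRS code. Hash chaining between entries, the
recordType/professionalUserId fields, GENESIS and TERMS_TEXT are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

DOCUMENT_VERSION = "v2.0"   # documentVersion named in clause 10.2-A
# Constructed stand-in for the accepted Terms; in production the hash is
# taken over the exact published document text.
TERMS_TEXT = "ScalpScan.AI Terms of Use v2.0 (constructed sample text)"
GENESIS = "0" * 64          # prevHash of the first entry (assumption)


def document_hash(text: str) -> str:
    """SHA-256 of the accepted document (field (v) of clause 10.2-A)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so a hash over the record is reproducible.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class ConsentLedger:
    """Entries can be appended but never edited or removed. Each entry carries
    a hash of its own content and the hash of its predecessor, so altering,
    inserting or deleting an entry afterwards is detectable by verify()."""

    def __init__(self, clock=None):
        self._entries = []
        # The Terms require a *server* timestamp; the client never supplies one.
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _append(self, payload: dict) -> dict:
        entry = dict(payload)
        entry["serverTimestamp"] = self._clock().isoformat()
        entry["prevHash"] = self._entries[-1]["entryHash"] if self._entries else GENESIS
        entry["entryHash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self._entries.append(entry)
        return dict(entry)

    def record_declaration(self, subject_id, patient_id, physician_id, terms_text):
        """Clause 10.2-A: proof of the physician's declaration, not the patient's consent."""
        return self._append({
            "recordType": "physicianDeclaration",
            "subjectId": subject_id,
            "patientId": patient_id,
            "professionalUserId": physician_id,
            "consentDeclaration": True,
            "documentVersion": DOCUMENT_VERSION,
            "documentHash": document_hash(terms_text),
            "collectionMethod": "checkbox",
        })

    def record_share(self, patient_id, model_id, physician_id, terms_text):
        """Clause 11.2: the patient's active sharing of a model via the Physician Code."""
        return self._append({
            "recordType": "patientShare",
            "patientId": patient_id,
            "modelId": model_id,
            "recipientPhysicianId": physician_id,
            "activeConsent": True,
            "documentVersion": DOCUMENT_VERSION,
            "documentHash": document_hash(terms_text),
        })

    def verify(self, published_hashes: dict) -> list:
        """Return a list of problems (empty = intact). published_hashes maps a
        documentVersion to the SHA-256 of the text actually published under it,
        so a record pointing at a document it could not have accepted is caught."""
        problems, prev = [], GENESIS
        for i, e in enumerate(self._entries):
            body = {k: v for k, v in e.items() if k != "entryHash"}
            if hashlib.sha256(_canonical(body)).hexdigest() != e["entryHash"]:
                problems.append(f"entry {i}: content altered")
            if e["prevHash"] != prev:
                problems.append(f"entry {i}: chain broken")
            if published_hashes.get(e["documentVersion"]) != e["documentHash"]:
                problems.append(f"entry {i}: documentHash does not match published version")
            prev = e["entryHash"]
        return problems

    def entries(self) -> list:
        return [dict(e) for e in self._entries]   # copies only; no in-place edits


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.record_declaration("subject-0001", "patient-0001", "physician-0001", TERMS_TEXT)
    ledger.record_share("patient-0001", "model-0001", "physician-0001", TERMS_TEXT)
    print("problems:", ledger.verify({DOCUMENT_VERSION: document_hash(TERMS_TEXT)}))
```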

11.3. Unshared model: 3D models generated by the patient in ScalpScan.AI Patient that are not shared remain stored only on the patient's local device, without being sent to HAIR RESTORATION SCIENCE LTDA.'s backend.

11.4. Folder deletion: Irreversible operation executed as a unit: folder + metadata (EC2) + 3D file (S3). The physician is solely responsible for keeping clinical data in their medical record system before requesting deletion. Deletion is irreversible and HAIR RESTORATION SCIENCE LTDA. is not liable for loss of data resulting from the user's own action. An audit trail is maintained separately, in an immutable manner.

12. DATA SUBJECT RIGHTS

Pursuant to Art. 18 of the LGPD, any Data Subject may exercise the following rights before HAIR RESTORATION SCIENCE LTDA. through the channel dpo@scalpscan.ai:
•Confirmation of the existence of processing;
•Access to processed personal data;
•Correction of incomplete, inaccurate or outdated data;
•Anonymisation, blocking or deletion of unnecessary, excessive or non-compliant data;
•Portability of data to another service or product provider, subject to trade and industrial secrets;
•Deletion of data processed on the basis of consent;
•Information about the entities with which HAIR RESTORATION SCIENCE LTDA. has carried out shared use;
•Withdrawal of consent, at any time, by free procedure (Art. 8, §5, LGPD);
•Lodging a complaint with the ANPD (National Data Protection Authority).


Response time: Requests will be handled free of charge within 15 (fifteen) days from receipt of the request (Art. 18, §3, LGPD).

13. DATA RETENTION AND DELETION

13.A. RETENTION TABLE BY DATA CATEGORY

⚠ Important Note for Physicians: Under CFM Resolution No. 1.821/2007, medical records must be retained for 20 years. The 60-day grace period offered by HRS is shorter than this requirement. You are solely responsible for exporting and archiving all necessary clinical data in your own system before the grace period expires.


13.B. DELETION PROCEDURES

13.1. After subscription cancellation by the Professional User, access is restricted to export during the 60 (sixty) day grace period. After this period, 3D models, metadata and patient folders will be irreversibly deleted or anonymised.

13.2. Applicable retention and deletion periods are described in the table above and in the Privacy Policy, available at https://www.scalpscan.ai/privacy-policy.

13.3. Expiry of the grace period without export by the Professional User releases HAIR RESTORATION SCIENCE LTDA. from liability for the loss of information necessary to comply with CFM regulations or other legal obligations of the physician.

14. INTERNATIONAL DATA TRANSFERS

14.1. Due to the use of AWS services (USA) and Meta/WhatsApp Business API (USA), users' personal data is transferred internationally to the United States of America.

14.2. HAIR RESTORATION SCIENCE LTDA. adopts, for all international data transfers described in this clause, the Standard Contractual Clauses (SCCs) approved by the National Data Protection Authority — ANPD, pursuant to Annex II of Resolution CD/ANPD No. 19/2024, incorporated literally and without modification in the contracts with each sub-processor (Art. 33, II, LGPD). A copy of the incorporated SCCs is available upon request at dpo@scalpscan.ai.

14.3. Sub-processors responsible for transfers:

•Amazon Web Services, Inc. — storage and processing (EC2/MySQL + S3), USA;

•Meta Platforms Ireland Ltd. — OTP verification via WhatsApp Business API, USA.

15. DATA MIGRATION

15.1. Users who already had an account before the backend implementation may continue using the Applications in legacy flow or new flow (with backend authentication).
15.2. HAIR RESTORATION SCIENCE LTDA. undertakes to migrate all active users to the backend flow in the shortest possible time, communicating in advance through public channels: Privacy Policy update, notice displayed in the Application on the user's next access, or publication on the website.
15.3. 3D models created in the legacy flow (stored on the device or iCloud) are not automatically migrated to the cloud. The user is responsible for any manual migration.

16. INTELLECTUAL PROPERTY

16.1. The Application, its algorithms, measurement methods, source code, trademarks, pending or granted patents, interfaces and content are the exclusive property of HAIR RESTORATION SCIENCE LTDA. or licensed third parties.

16.2. Nothing in these Terms grants the User any ownership right, broad licence or economic exploitation of the technology.

17. LIMITATION OF LIABILITY

17.1. To the fullest extent permitted by law, HRS is not liable for:
(a) any clinical decisions, diagnoses or medical procedures;
(b) indirect, consequential or incidental damages, including loss of profits or loss of clinical data, arising from events outside HRS’s control (such as device failure, internet issues, or third-party service failures);
(c) loss of clinical data resulting from your failure to export information during the 60-day grace period (see clause 10.5).

18. AVAILABILITY AND TECHNICAL SUPPORT

18.1. HAIR RESTORATION SCIENCE LTDA. will use commercially reasonable efforts to maintain 99% monthly availability, excluding scheduled maintenance, force majeure events and failures in the User's device or connectivity.

18.2. Scheduled maintenance will be communicated with at least 48 hours' notice via email or in-app notification.

18.3. The availability guarantee does not apply to: (i) user connectivity failures; (ii) device hardware issues; (iii) use of non-approved versions; (iv) factors outside HAIR RESTORATION SCIENCE LTDA.'s infrastructure.

18.4. In the event of unavailability due to HAIR RESTORATION SCIENCE LTDA.'s exclusive fault, the Professional User will be entitled to a proportional credit on the next invoice, limited to the subscription value corresponding to the excess unavailability period.

19. SUSPENSION AND TERMINATION

19.1. HAIR RESTORATION SCIENCE LTDA. may suspend or terminate the User's access in cases of: (a) serious or repeated breach of these Terms; (b) fraudulent use; (c) false registration data; (d) irregularity in CRM registration or order of a competent authority; (e) court order.
19.2. In the event of termination due to the User's fault, no refund of amounts paid will be made, subject to the consumer's right to proportionality provided under the Consumer Protection Code.

20. AUTOMATED PROCESSING AND ALGORITHMIC TRANSPARENCY

20.1. The platform uses computational methods and algorithms to process images and depth data, generate three-dimensional scalp models and produce technical scalp analysis metrics. These processes are performed in an automated manner as technical informational support for the healthcare professional.

20.2. The automated processing described in clause 20.1 does not constitute automated decision-making with legal or clinical effects on the data subject, pursuant to Art. 20 of the LGPD. The generated metrics and models are technical inputs mandatorily subject to the evaluation and validation of the physician, who is solely responsible for the clinical decision. There is therefore no automated decision with direct effect on the rights or interests of the data subject that, in itself, gives rise to the right of review provided in Art. 20 of the LGPD.

20.3. Without prejudice to Art. 20 of the LGPD, HAIR RESTORATION SCIENCE LTDA. guarantees the Data Subject the right to request, at any time, information about the criteria and procedures used in the platform's automated processes, as well as to contest any result they consider incompatible with their data, through the channel dpo@scalpscan.ai (Art. 20, §1, LGPD).

20.4. Technological evolution: HAIR RESTORATION SCIENCE LTDA. may update features, algorithms, analysis methods and technological resources of the platform to improve its accuracy, performance and security, without formal amendment of these Terms, provided such changes do not entail: (i) a new processing purpose incompatible with the original consent (Art. 6, I, LGPD); (ii) new processing of sensitive data not previously disclosed; or (iii) sharing of data with new third parties not listed as sub-processors. When any of these circumstances arise, the rules of clause 21.2 of these Terms apply.

21. AMENDMENTS TO THESE TERMS

21.1. Material changes will be communicated with a minimum of 15 (fifteen) days' notice before taking effect, by means of a transactional email sent to registered users and publication of the new version on the Privacy Policy page (https://www.scalpscan.ai/privacy-policy).
21.2. Continued use after the changes take effect constitutes tacit acceptance exclusively for clauses of a commercial and operational nature. For changes that entail: (i) new processing of sensitive data; (ii) new purposes incompatible with the original consent; or (iii) sharing with new third parties, new specific and highlighted consent from the data subject will be required, collected before the change takes effect (Art. 9, §2, LGPD). The User may cancel the subscription before the effective date of the changes without additional charge.

22. APPLICABLE LAW AND JURISDICTION

22.1. These Terms are governed by the laws of the Federative Republic of Brazil.

22.2. For the resolution of disputes arising from this Policy, the courts of the Judicial District of Linhares, State of Espírito Santo are elected as the competent forum.

22.3. Before resorting to legal proceedings, the Parties undertake to seek amicable resolution by formal notification to the channel support@scalpscan.ai or WhatsApp channel, with a negotiation period of up to 30 (thirty) business days.

23. CONTACT CHANNELS

Pursuant to Art. 41, §1 of the LGPD and Art. 9, IV of the LGPD, the official channels of HAIR RESTORATION SCIENCE LTDA. and the Data Protection Officer are identified below:

Data Protection Officer (DPO): Pursuant to Art. 41, §1 of the LGPD and Resolution CD/ANPD No. 2/2022, HAIR RESTORATION SCIENCE LTDA. provides an efficient communication channel with data subjects at dpo@scalpscan.ai. The identity of the person responsible for the channel is public and may be obtained upon request at the same address (Art. 41, §1, LGPD).

The Data Subject may also lodge complaints directly with the ANPD — National Data Protection Authority (www.gov.br/anpd), pursuant to Art. 18, §1 of the LGPD.

Linhares/ES, 17 March 2026.

HAIR RESTORATION SCIENCE LTDA.

Version 2.0 | March 2026 | dpo@scalpscan.ai

TERMS OF USE

ScalpScan.AI | ScalpScan.AI Patient

HAIR RESTORATION SCIENCE LTDA.

Company Registration (CNPJ): 50.807.318/0001-57
Av. Genésio Durão, 1160, apto 702, Ed. Morada do Sol, Três Barras, Linhares/ES, CEP 29.907-010, Brazil
Version: 2.0 — GDPR Edition | Date: March 2026
Applicable to: Physicians, Clinics and Patients | DPO: dpo@scalpscan.ai

Applicable legislation

Regulation (EU) 2016/679 (GDPR) | UK GDPR (UK Data Protection Act 2018) | Directive 2002/58/EC (ePrivacy) | Directive 2011/24/EU (Cross-Border Healthcare)

ℹ These Terms of Use are governed by the General Data Protection Regulation (EU) 2016/679 (GDPR) and apply to data subjects located in the European Economic Area (EEA) and the United Kingdom. For users located in Brazil, the applicable document is the Terms of Use — LGPD Edition.

1. ACCEPTANCE OF TERMS

1.1. By registering, accessing or using either Application, the User declares to have read, understood and expressly agreed to these Terms, to the integrated Privacy Policy (available at https://www.scalpscan.ai/privacy-policy) and to any future updates, thereby providing unequivocal electronic acceptance pursuant to Art. 9 GDPR and applicable e-commerce legislation.

1.2. Acceptance is formalised at the point of registration, through account creation in the Application. The Terms of Use and the Privacy Policy are available on the application page in the App Store prior to download. The system automatically and immutably records: the version of the documents in force at the date of registration, the cryptographic hash and the server timestamp (Art. 7(1) GDPR — demonstrability of consent).

1.3. Refusal or disagreement with any clause obliges the User to immediately cease use of the Applications and delete their account directly in the Application Settings, or through the channel: support@scalpscan.ai.

2. DEFINITIONS

2.1. Application / ScalpScan.AI — Software intended for Professional Users that captures scalp images and depth data, generates real-scale 3D models (USDZ), performs quantitative measurement of alopecia areas and produces follicular density metrics. Operates on a hybrid architecture: local processing (edge computing) on the device + final 3D model storage on AWS backend.
2.2. ScalpScan.AI Patient — Application intended for Patient Users, enabling autonomous 3D scanning of the scalp, with subsequent sharing of the model with a Professional User (via code). Models not shared with a physician are stored exclusively on the patient's device — they are not sent to the HAIR RESTORATION SCIENCE LTDA. backend.
2.3. Professional User — Physician with an active medical registration or clinic under the technical responsibility of a licensed physician, contracting party for the licence.
2.4. Patient User — Natural person who uses ScalpScan.AI Patient for their own scanning, independently or at the request of a physician.
2.5. Data Subject / Patient — Natural person whose images, depth data, 3D models and derived metrics are processed in the Applications.
2.6. Special Categories of Data — Health data and biometric data (3D models and clinical metadata capturing unique physical characteristics of the scalp), classified as special categories under Art. 9(1) GDPR, requiring explicit consent under Art. 9(2)(a) GDPR or reliance on another applicable exception.
2.7. Joint Controllers — HAIR RESTORATION SCIENCE LTDA. (Controller of platform data) and the Professional User (Joint Controller of the data of patients in their account), with roles formalised pursuant to Art. 26 GDPR through the DPA.
2.8. AWS Backend — Amazon Web Services infrastructure (EC2/MySQL + S3), us-east-1 region (USA). EC2 stores registration data, metadata and credentials; S3 stores USDZ 3D files.
2.9. Registration Data — Name, email, telephone, date of birth and city/state/country, collected upon registration for both user profiles.
2.10. Authentication Credentials — Registered email, password encrypted in an irreversible hash (never stored in plain text) and internal user identifier (user ID).
2.11. Annotation Metadata — Geometric and display configuration data saved on the 3D model (selected vertices, colours and markings), constituting special category health data under Art. 9(1) GDPR and potentially forming part of the medical record.
2.12. OTP — Identity verification by one-time-use code sent via WhatsApp Business API (Meta Platforms Ireland Ltd., EU/USA) to the Professional User, or by email to both Professional and Patient Users.
2.13. Sub-processors — (i) Amazon AWS (EC2 + S3) — storage, USA; (ii) Meta Platforms Ireland Ltd. / WhatsApp Business API — OTP verification, EEA/USA. All subject to Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) pursuant to Art. 46(2)(c) GDPR.
2.14. DPA — Joint Controllers Agreement, concluded between HAIR RESTORATION SCIENCE LTDA. and the Professional User pursuant to Art. 26 GDPR, formalising roles and responsibilities regarding the processing of patient data.
2.15. Administrative Panel — Internal interface accessible exclusively to authorised HAIR RESTORATION SCIENCE LTDA. staff for technical support, compliance and legal defence purposes.
2.16. Physician Code — Unique identifier generated by the Professional User to link the patient's scan to their clinical record.
2.17. 'HRS' — abbreviated designation used in these Terms to refer to HAIR RESTORATION SCIENCE LTDA., a private legal entity registered under CNPJ No. 50.807.318/0001-57, with registered address at Av. Genésio Durão, 1160, apto 702, Ed. Morada do Sol, Três Barras, Linhares/ES, CEP 29.907-010, Brazil, Controller of the data processed on the Platform pursuant to the GDPR.

3. OBJECT AND TECHNICAL LIMITATIONS

⚠ IMPORTANT: ScalpScan.AI and ScalpScan.AI Patient are technical support tools. They do not perform diagnosis, do not replace in-person clinical examination, do not prescribe treatment, do not indicate surgical technique and do not perform any medical act.

3.1. Data architecture — Data minimisation (Art. 5(1)(c) GDPR): Photographs captured during scanning remain stored exclusively on the user's device and are not transmitted to the backend. The management, retention and eventual deletion of such images is the exclusive responsibility of the user. HRS has no access to the device and therefore does not control or bear responsibility for those files (Art. 82(3) GDPR). Only the final 3D model (USDZ) is sent to AWS.

3.2. The metrics, 3D models and estimates generated constitute objective technical inputs for clinical planning, without guarantee of absolute accuracy, as they depend on positioning, capture quality and individual patient characteristics.

3.3. Annotations on 3D models entered by the Professional User constitute special category health data (Art. 9(1) GDPR) and may form part of the medical record, subject to applicable national healthcare legislation and professional obligations.

3.4. ScalpScan.AI may be used in the EEA, United Kingdom and internationally, provided that applicable local legislation is observed.

4. ELIGIBILITY AND REGISTRATION

4.A. Professional User (Physicians and Clinics)

4.1. Use of ScalpScan.AI is restricted to duly licensed physicians or clinics under the technical responsibility of a licensed physician.

4.2. The following are collected upon registration: name, email, telephone, city, state, country, date of birth. The system also records: (i) registration origin (signup source); and (ii) authentication identifiers (email, encrypted password, internal ID).

4.3. The Professional User declares, under penalty of applicable law, to hold a valid medical licence upon accepting these Terms, assuming exclusive responsibility for the truthfulness of this declaration.

4.4. The Professional User's identity is verified by OTP via WhatsApp Business API (Meta Platforms Ireland Ltd.) or by email.

4.B. Patient User (ScalpScan.AI Patient)

4.5. Any natural person aged 18 (eighteen) or over may register on ScalpScan.AI Patient.

4.6. Persons under 18: ScalpScan.AI is not intended for use by patients under 18 years of age. Scanning of minors is expressly prohibited. Upon creating an account, the User expressly declares to be over 18 years of age and that they will not use the application to scan patients who are minors. Breach of this prohibition is the exclusive responsibility of the User (Art. 8 GDPR; Art. 82(3) GDPR), without any liability on the part of HAIR RESTORATION SCIENCE LTDA.

4.7. The Company may refuse registration, suspend or terminate access in the event of false information, professional irregularities or breach of these Terms.

5. LICENCE AND SUBSCRIPTION

5.1. HAIR RESTORATION SCIENCE LTDA. grants a limited, revocable, non-exclusive, non-transferable and fee-bearing licence to use ScalpScan.AI for the duration of the active subscription. ScalpScan.AI Patient is licensed free of charge.

5.2. Trial period: ScalpScan.AI offers a free 7 (seven)-day trial period. If not cancelled before the end of the trial, automatic billing will commence in accordance with the selected plan (monthly, half-yearly or annual). Cancellation must be made directly through Apple, via: Settings → your name → Subscriptions → ScalpScan.AI → Cancel Subscription. Cancellation must be made at least 24 hours before the end of the trial period to avoid billing for the first cycle. HRS does not process payments directly and has no access to the User's payment data; subscription management is the exclusive responsibility of Apple.

5.3. Billing: Payment is made via the App Store (Apple). HAIR RESTORATION SCIENCE LTDA. does not process payment data directly.

5.4. Price changes: For subscriptions managed by Apple, notification of price changes and user acceptance occur entirely within the App Store ecosystem, in accordance with Apple's Terms of Service. HAIR RESTORATION SCIENCE LTDA. does not control this process and is not responsible for price communications, which are the exclusive responsibility of Apple vis-à-vis the user. The User may cancel the subscription before the date on which the new price takes effect without additional charge.

The following are expressly prohibited:

• use for unlawful or unauthorised purposes;

• sharing of credentials or access by unauthorised third parties;

• reverse engineering, decompilation, modification or exploitation of the algorithms;

• use of bots, scripts or unauthorised automation;

• any conduct that compromises the security, integrity or availability of the platform.

6. CLOUD STORAGE (AWS) AND SUB-PROCESSORS

6.1. Data transmitted by the Application is stored on Amazon Web Services (AWS) servers, us-east-1 region (USA):
• AWS EC2/MySQL: registration data (name, email, telephone, date of birth, city/state/country), signup source, authentication credentials (irreversible hash), 3D model metadata and annotation metadata.
• AWS S3: finalised USDZ 3D files. Photographs captured during scanning remain on the user's device and are not transmitted to the cloud.
6.2. Security measures adopted:
• AES-256 encryption at rest (EC2 and S3);
• TLS 1.3 or higher protocol for transmission;
• IAM access controls with least privilege principle (RBAC);
• Access and audit logs; automatic backups in accordance with the retention periods in Clause 13.
6.3. International transfer: The transfer of data to the AWS backend (USA) is carried out on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision 2021/914 of 4 June 2021 (Module 2: Controller to Processor), incorporated without modification into the contracts with Amazon Web Services, Inc. (Art. 46(2)(c) GDPR). A Transfer Impact Assessment (TIA) has been conducted in accordance with the Schrems II ruling (Case C-311/18). Full details are set out in the Privacy Policy.
6.4. Administrative Panel: Accessible exclusively to authorised HAIR RESTORATION SCIENCE LTDA. employees upon secure authentication, for technical support, compliance and legal defence purposes. All access is recorded in audit logs.

7. IDENTITY VERIFICATION (OTP / WHATSAPP / EMAIL)

7.1. The Company uses OTP sent via WhatsApp Business API (Meta Platforms Ireland Ltd.) to the registered telephone number for the Professional User, or via email to the registered address for both Professional and Patient Users, ensuring the authenticity of registrations and the security of access.

7.2. The OTP identity verification mechanism operates differently depending on the User profile:

• (i) Professional User: the OTP may be sent via WhatsApp Business API (Meta Platforms Ireland Ltd., with servers in the EEA and USA) or by email, depending on the channel selected by the User upon registration. When the Professional User opts for WhatsApp delivery, they expressly consent to their telephone number being shared with Meta exclusively for the purpose of delivering the code, which constitutes an international data transfer to the USA covered by the safeguards described in this Clause. Meta processes the number exclusively for OTP delivery purposes, pursuant to its own Privacy Policy. When the selected channel is email, no data is shared with Meta.

• (ii) Patient User: the OTP is sent exclusively by email, without any sharing of data with Meta or third parties. No international data transfer occurs in this flow.

7.3. The OTP is for single use only and has limited validity. The user is responsible for the confidentiality of the code received.

7.4. The Company does not store the content of WhatsApp messages; it only records the verification event (success/failure) and the date/time. The log is deleted after 90 days (boolean flag) — Art. 5(1)(e) GDPR (storage limitation).

8. ROLES IN DATA PROCESSING (GDPR)

8.A. HAIR RESTORATION SCIENCE LTDA. as Controller
8.1. HAIR RESTORATION SCIENCE LTDA. is Controller pursuant to Art. 4(7) GDPR and is directly accountable to the competent supervisory authority for the processing of: (i) registration and authentication data of Professional and Patient Users; (ii) OTP verification logs; (iii) patient folders created on the platform; (iv) 3D models and metadata stored on AWS.
8.2. Legal bases used by HAIR RESTORATION SCIENCE LTDA. (Arts. 6 and 9 GDPR):
• Performance of a contract (Art. 6(1)(b) GDPR): for data necessary for the provision of the service to the Professional User.
• Healthcare purposes by a healthcare professional (Art. 9(2)(h) GDPR): legal basis of the Professional User (Joint Controller), acting as a healthcare professional, for the processing of the patient's special category data during in-person examination and scanning. For HAIR RESTORATION SCIENCE LTDA., as Controller of the platform in this same flow, the primary legal basis is performance of a contract (Art. 6(1)(b) GDPR) for non-special category data, combined with the patient's explicit consent (Art. 9(2)(a) GDPR) — formalised by the mandatory checkbox set out in Clause 10.2 — for special category data processed directly by HRS.
• Explicit consent (Arts. 6(1)(a) and 9(2)(a) GDPR): legal basis for special category data of Patient Users in the direct sharing flow via ScalpScan.AI Patient, collected directly from the data subject.
• Legitimate interests (Art. 6(1)(f) GDPR): for signup source, assessed by a documented balancing test in the Record of Processing Activities (ROPA).

8.B. Professional User as Joint Controller
8.3. The Professional User is Joint Controller pursuant to Art. 26 GDPR of the data of their Patients for clinical use purposes (preparation of medical records, surgical planning, etc.), and is independently accountable to the competent supervisory authority.
8.4. The roles are formalised by the DPA, incorporated into these Terms of Use and accepted by the Professional User upon registration, which defines the responsibilities of each party regarding the legal basis, security, data subject rights handling and incident notification.
8.5. The Professional User may not invoke HAIR RESTORATION SCIENCE LTDA.'s registration to justify their obligations before the competent supervisory authority. The obligation to maintain medical records for the legally required period under applicable national healthcare legislation, to obtain the patient's informed consent, and clinical responsibility for data processed for diagnostic and therapeutic purposes are obligations exclusive to the Joint Controller physician, independent of and parallel to HRS's obligations, pursuant to Art. 26 GDPR and applicable medical professional regulations.

9. RESPONSIBILITIES OF HAIR RESTORATION SCIENCE LTDA. AS CONTROLLER

HAIR RESTORATION SCIENCE LTDA., as Controller, is responsible for:

• Maintaining immutable (append-only) technical records of all consents collected, including: data subject ID, version and hash of the accepted document, server timestamp and collection mechanism (Art. 7(1) GDPR — demonstrability of consent);

• Informing users that photographs captured remain on the device and may be manually deleted, the management of files on the user's device not being the responsibility of HAIR RESTORATION SCIENCE LTDA.;

• Maintaining the DPO channel (dpo@scalpscan.ai) operational, responding to data subjects within 1 (one) month (Art. 12 GDPR), extendable by a further 2 months where necessary;

• Complying with the retention and deletion periods defined in Clause 13;

• Notifying the competent supervisory authority and affected Data Subjects, without undue delay and where feasible within 72 hours of becoming aware of the event, of any personal data breach likely to result in a risk to the rights and freedoms of natural persons (Arts. 33 and 34 GDPR);

• Preparing and maintaining up to date the Record of Processing Activities (ROPA) and the Data Protection Impact Assessment (DPIA) pursuant to Arts. 30 and 35 GDPR.

10. RESPONSIBILITIES OF THE PROFESSIONAL USER AS JOINT CONTROLLER

10.1. Mandatory consent: When manually creating the patient folder — i.e., when the patient does not have their own account on ScalpScan.AI Patient — the Professional User is obliged to obtain the patient's informed consent in person, prior to scanning, in accordance with applicable healthcare professional obligations and Art. 9(2)(h) GDPR. The record generated in the system by the physician's declaration does not replace this obligation, and exclusive responsibility for complying with the formal requirements for collecting and documenting consent rests with the Professional User.
For this flow, HAIR RESTORATION SCIENCE LTDA. bases the processing of the patient's data on the legal basis of healthcare purposes by a licensed professional (Art. 9(2)(h) GDPR), which does not remove or reduce the Joint Controller physician's autonomous obligations before the competent supervisory authority.

⚠ ATTENTION — PHYSICIAN: The declaration recorded in the system at the time of creating the patient folder does not replace the formal consent required by applicable medical professional regulations, nor the obligation to document that consent in the medical record. The Professional User is independently accountable to the competent supervisory authority for any non-compliance, including the obligation to maintain medical records for the period required under applicable national healthcare legislation, independently of the retention periods adopted by HAIR RESTORATION SCIENCE LTDA.

10.2. System declaration — mandatory checkbox: When creating each patient folder, the Professional User must tick the mandatory declaration checkbox: "I declare that I informed this patient about the functioning of ScalpScan.AI and obtained their free and informed consent for the scan and for the storage and processing of the generated data, in accordance with applicable data protection and medical regulations." The "Create Patient" button remains disabled until the checkbox is ticked. The system generates an immutable record with a server timestamp, linked to the Professional User ID and the ID of the folder created.
10.2-A. Nature of the record and exclusive responsibility of the Joint Controller: The record generated by the system on the "Add New Patient" screen does not constitute direct consent from the patient, but rather evidence of the Joint Controller physician's declaration that they obtained that consent from the patient. The system immutably records the following fields: (i) data subject identifier (subjectId); (ii) folder identifier (patientId); (iii) consentDeclaration=true; (iv) version of the declared document (documentVersion="v2.0"); (v) SHA-256 hash of the document (documentHash); (vi) collection method (collectionMethod="checkbox"); and (vii) server timestamp. Responsibility for the truthfulness of this declaration rests exclusively with the Joint Controller physician (Art. 26(3) GDPR and Art. 82 GDPR).
10.3. Persons under 18: Scanning of minors is expressly prohibited by the Application. The Professional User declares, upon accepting these Terms, that they will not use the platform to scan patients under 18 years of age. Non-compliance is the exclusive responsibility of the Professional User (Art. 82(3) GDPR).
10.4. Documentation in the medical record: The physician must export and archive in their medical records system the consent record and relevant clinical information, in accordance with applicable national healthcare legislation.
10.5. Export of clinical data: Annotations on 3D models may form part of the medical record, with minimum retention obligations under applicable national healthcare legislation. HAIR RESTORATION SCIENCE LTDA. makes available, throughout the 60-day grace period, individual export functionality for videos and 3D models, accessible directly in the Professional User's panel. Non-use of the export functionality made available is the exclusive responsibility of the Professional User; HAIR RESTORATION SCIENCE LTDA. may not be held liable for loss of clinical data resulting from the Joint Controller's omission (Art. 82(3) GDPR). The Professional User is solely responsible for the retention and integrity of clinical data in their own medical records system.
10.6. Independent responsibility: The physician is independently accountable to the competent supervisory authority and applicable professional regulatory bodies, and may not invoke HAIR RESTORATION SCIENCE LTDA.'s registration to justify their obligations.

11. SHARING OF 3D MODELS

11.1. The Professional User may provide the patient with the 3D model generated by ScalpScan.AI by directly sending the file in USDZ format or an exported video through the Application, outside the ScalpScan.AI interface. Such sending occurs through external communication channels chosen by the Professional User (messaging, email, etc.) and does not constitute sharing within the platform, generating no sharing record in the HAIR RESTORATION SCIENCE LTDA. system.

11.2. A patient with a ScalpScan.AI Patient account may share their 3D model with the Professional User by entering the Physician Code in the Application. In doing so, the patient: (i) expressly consents to the physician's access to the model pursuant to Arts. 6(1)(a) and 9(2)(a) GDPR; (ii) acknowledges that the Joint Controller physician thereby gains access to the model for clinical purposes, being responsible for integration into the medical record and retention for the minimum period required under applicable national healthcare legislation, independently of the retention periods adopted by HAIR RESTORATION SCIENCE LTDA.; (iii) declares to have been informed of the purposes of the sharing. The system records the consent immutably, containing: patient ID, model ID, recipient physician ID, server timestamp, version and hash of the accepted document and confirmation of the patient's active consent (Art. 7(1) GDPR). The link is unidirectional: the Professional User does not access data from the patient's application without active sharing by the patient.

11.3. Model without sharing: 3D models generated by the patient in ScalpScan.AI Patient that are not shared remain stored solely on the patient's local device, without being sent to the HAIR RESTORATION SCIENCE LTDA. backend.

11.4. Folder deletion: Irreversible operation executed as a unit: folder + metadata (EC2) + 3D file (S3). The physician is solely responsible for retaining clinical data in their medical records system before requesting deletion. Deletion is irreversible and HAIR RESTORATION SCIENCE LTDA. is not liable for data loss resulting from the user's own action. An audit trail is maintained separately, in an immutable manner.

12. DATA SUBJECT RIGHTS

Pursuant to Arts. 15–22 GDPR, any Data Subject may exercise the following rights against HAIR RESTORATION SCIENCE LTDA. via the channel dpo@scalpscan.ai:
• Right of access to personal data and to obtain a copy thereof (Art. 15 GDPR);
• Rectification of inaccurate or incomplete personal data (Art. 16 GDPR);
• Erasure of personal data ('right to be forgotten') under Art. 17 GDPR;
• Restriction of processing in the circumstances set out in Art. 18 GDPR;
• Data portability in a structured, commonly used and machine-readable format (Art. 20 GDPR);
• Objection to processing based on legitimate interests (Art. 21 GDPR);
• Not to be subject to automated individual decision-making producing legal or similarly significant effects (Art. 22 GDPR — see Clause 20);
• Withdrawal of consent at any time, without affecting the lawfulness of processing based on consent before withdrawal (Art. 7(3) GDPR);
• Lodge a complaint with the competent supervisory authority in the EEA member state of residence (Art. 77 GDPR).
Deadline: Requests will be handled free of charge within 1 (one) month of receipt (Art. 12 GDPR), extendable by a further 2 months where necessary, taking into account the complexity and number of the requests. HRS will inform the data subject of any such extension within 1 month of receiving the request.

ℹ EEA Supervisory Authorities: A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en | United Kingdom — ICO (ico.org.uk).

13. DATA RETENTION AND DELETION

13.A. RETENTION TABLE BY DATA CATEGORY

13.B. DELETION PROCEDURES
13.1. After cancellation of the subscription by the Professional User, access is restricted to export during the 60 (sixty)-day grace period. Upon expiry, 3D models, metadata and patient folders will be irreversibly deleted or anonymised.
13.2. The applicable retention and deletion periods are set out in the table above and in the Privacy Policy, available at https://www.scalpscan.ai/privacy-policy.
13.3. The expiry of the grace period without export by the Professional User exempts HAIR RESTORATION SCIENCE LTDA. from liability for the loss of information necessary for compliance with applicable national healthcare regulations or other legal obligations of the physician.

⚠ ATTENTION — PHYSICIAN: The medical record retention period under applicable national healthcare legislation may be significantly longer than the 60-day grace period. The physician is responsible for exporting and archiving clinical data in their own system before the deadline expires.

14. INTERNATIONAL DATA TRANSFERS

14.1. Due to the use of AWS services (USA) and the Meta/WhatsApp Business API (EEA/USA), users' personal data is transferred internationally to the United States of America.

14.2. HAIR RESTORATION SCIENCE LTDA. adopts, for all international data transfers described in this clause, the Standard Contractual Clauses (SCCs) adopted by the European Commission under Decision 2021/914 of 4 June 2021 (Module 2: Controller to Processor), incorporated literally and without modification into the contracts concluded with each sub-processor (Art. 46(2)(c) GDPR).

14.3. Transfer Impact Assessment (TIA): In accordance with the ruling of the Court of Justice of the EU in Schrems II (Case C-311/18), HRS has conducted a TIA for each transfer to the USA, assessing the laws and practices of the destination country that may affect the effectiveness of the safeguards, in particular regarding US surveillance legislation (FISA 702). The TIA concluded that, having regard to the nature of the data, the purposes of processing and the supplementary technical measures adopted (AES-256 at rest and TLS 1.3 in transit), the SCCs provide a level of protection substantially equivalent to that guaranteed in the EEA. A copy of the incorporated SCCs and the TIA is available upon request to dpo@scalpscan.ai.

14.4. Sub-processors responsible for the transfers:

• Amazon Web Services, Inc. — storage and processing (EC2/MySQL + S3), USA;

• Meta Platforms Ireland Ltd. — OTP verification via WhatsApp Business API (EEA/USA).

15. DATA MIGRATION

15.1. Users who already had an account prior to the implementation of the backend may continue using the Applications in legacy flow or new flow (with backend authentication).
15.2. HAIR RESTORATION SCIENCE LTDA. undertakes to migrate all active users to the backend flow in the shortest possible timeframe, communicating in advance through public channels: update of the Privacy Policy, notice displayed in the Application on the user's next access, or publication on the website.
15.3. 3D models created in the legacy flow (stored on the device or iCloud) are not automatically migrated to the cloud. The user is responsible for any manual migration.

16. INTELLECTUAL PROPERTY

16.1. The Application, its algorithms, measurement methods, code, trademarks, pending or granted patents, interfaces and content are the exclusive property of HAIR RESTORATION SCIENCE LTDA. or licensed third parties.

16.2. No provision of these Terms confers upon the User any right of ownership, broad licence or economic exploitation over the technology.

17. LIMITATION OF LIABILITY

17.1. HAIR RESTORATION SCIENCE LTDA. is not liable for: (a) clinical decisions, diagnoses or outcomes of procedures; (b) indirect damages, loss of profits, loss of clinical data or business interruption arising from failures originating outside the HAIR RESTORATION SCIENCE LTDA. infrastructure, including device failures, connectivity interruptions, unavailability of third-party services (Apple App Store, AWS, Meta) and force majeure events beyond the company's technical control, provided that HRS has not contributed to the event (Art. 82(3) GDPR); (c) loss of clinical data arising from non-use of the export functionality made available by the platform, pursuant to Clause 10.5, such omission being the exclusive responsibility of the Professional User.

ℹ The above limitations apply to the fullest extent permitted by applicable mandatory EU consumer protection legislation. Nothing in these Terms limits or excludes HRS's liability for processing of personal data carried out in breach of the GDPR.

18. AVAILABILITY AND TECHNICAL SUPPORT

18.1. HAIR RESTORATION SCIENCE LTDA. will use commercially reasonable efforts to maintain 99% monthly availability, excluding scheduled maintenance, force majeure and failures in the User's device or connectivity.

18.2. Scheduled maintenance will be communicated with a minimum of 48 hours' notice by email or in-app notification.

18.3. The availability guarantee does not apply to: (i) user connectivity failures; (ii) device hardware issues; (iii) use of non-approved versions; (iv) factors beyond HAIR RESTORATION SCIENCE LTDA.'s infrastructure.

18.4. In the event of unavailability due to the exclusive fault of HAIR RESTORATION SCIENCE LTDA., the Professional User shall be entitled to a proportional credit on the next invoice, limited to the value of the monthly fee corresponding to the period of excess unavailability.

19. SUSPENSION AND TERMINATION

19.1. HAIR RESTORATION SCIENCE LTDA. may suspend or terminate the User's access in the event of: (a) serious or repeated breach of these Terms; (b) fraudulent use; (c) false registration data; (d) medical licence irregularity or order of a competent authority; (e) court order.
19.2. In the event of termination due to the User's fault, no refund of amounts paid shall be made, subject to the consumer's right to proportionality under applicable EU consumer protection legislation.

20. AUTOMATED PROCESSING AND ALGORITHMIC TRANSPARENCY

20.1. The platform uses computational methods and algorithms to process images and depth data, generate three-dimensional scalp models and produce technical scalp analysis metrics. These processes are carried out in an automated manner as informational technical support for the healthcare professional.

20.2. The automated processing described in Clause 20.1 does not constitute a decision based solely on automated processing which produces legal effects or similarly significantly affects the data subject within the meaning of Art. 22(1) GDPR. The metrics and models generated are technical inputs mandatorily subject to evaluation and validation by the medical professional, who is solely responsible for the clinical decision. There is therefore no automated decision with direct effect on the data subject's rights or interests that would, in itself, give rise to the right of review provided for in Art. 22 GDPR.

20.3. Without prejudice to the provisions of Art. 22(3) GDPR, HAIR RESTORATION SCIENCE LTDA. guarantees the Data Subject the right to obtain, at any time, information about the criteria and procedures used in the platform's automated processes, as well as to contest any result they consider incompatible with their data, via the channel dpo@scalpscan.ai.

20.4. Technological evolution: HAIR RESTORATION SCIENCE LTDA. may update platform features, algorithms, analysis methods and technological resources with the aim of improving accuracy, performance and security, without formal amendment of these Terms, provided that such changes do not entail: (i) a new purpose of personal data processing incompatible with the original consent (Art. 5(1)(b) GDPR); (ii) new processing of special categories of data not previously disclosed; or (iii) sharing of data with new third parties not listed as sub-processors. When any of these situations arise, the rules of Clause 21.2 of these Terms shall apply.

21. AMENDMENTS TO THESE TERMS

21.1. Material changes will be communicated with a minimum of 15 (fifteen) days' notice before taking effect, by means of a transactional email sent to registered users and publication of the new version on the Privacy Policy page (https://www.scalpscan.ai/privacy-policy).
21.2. Continued use following the entry into force of the changes constitutes tacit acceptance exclusively for clauses of a commercial and operational nature. For changes entailing: (i) new processing of special category data; (ii) new purposes incompatible with the original consent; or (iii) sharing with new third parties, new explicit and specific consent from the data subject will be required, collected before the change takes effect (Art. 7 GDPR). The User may cancel the subscription before the date on which the changes take effect without additional charge.

22. GOVERNING LAW AND JURISDICTION

22.1. These Terms of Use — GDPR Edition are governed by the General Data Protection Regulation (EU) 2016/679 (GDPR) and other applicable European data protection legislation, as well as by the laws of the Federal Republic of Brazil for contractual matters not covered by mandatory EU law.

22.2. Data subjects located in the EEA have the right to lodge a complaint with the supervisory authority in their member state of residence (Art. 77 GDPR). A list of EU supervisory authorities is available at: https://edpb.europa.eu. For data subjects in the United Kingdom, the competent authority is the ICO (https://ico.org.uk).

22.3. For contractual disputes between the parties, the courts of the Judicial District of Linhares, State of Espírito Santo, Brazil, shall have jurisdiction, without prejudice to the mandatory rights of EU and UK consumers under applicable consumer protection legislation, including the right to bring proceedings before courts in the consumer's country of residence where required by mandatory law.

22.4. Before resorting to judicial proceedings, the Parties undertake to seek amicable resolution by formal notice to the channel support@scalpscan.ai or WhatsApp channel, with a negotiation period of up to 30 (thirty) business days.

23. CONTACT CHANNELS

Pursuant to Arts. 37-39 GDPR, the following are the official channels of HAIR RESTORATION SCIENCE LTDA. and of the Data Protection Officer (DPO):

DPO (Data Protection Officer): Pursuant to Art. 37 GDPR, HAIR RESTORATION SCIENCE LTDA. has appointed a DPO, given the large-scale processing of special category data (biometric and health). The DPO is contactable at dpo@scalpscan.ai and is the official communication channel between HRS, data subjects and supervisory authorities. The DPO's identity is public and may be obtained upon request to the same address (Art. 38(4) GDPR).
The Data Subject may also lodge complaints directly with the supervisory authority in their EEA member state of residence (Art. 77 GDPR): https://edpb.europa.eu | United Kingdom — ICO: https://ico.org.uk.

Linhares/ES, 17 March 2026.

HAIR RESTORATION SCIENCE LTDA.

Version 2.0 — GDPR Edition | March 2026 | dpo@scalpscan.ai

https://www.scalpscan.ai/privacy-policy

TERMS OF USE

ScalpScan.AI | ScalpScan.AI Patient

HAIR RESTORATION SCIENCE LTDA.

Company Registration (CNPJ): 50.807.318/0001-57

Av. Genésio Durão, 1160, apto 702, Ed. Morada do Sol, Três Barras, Linhares/ES, CEP 29.907-010, Brazil

Version: 2.0 — CCPA/CPRA Edition | Date: March 2026

Applicable to: Physicians, Clinics and Patients (California Consumers) | Privacy Officer: dpo@scalpscan.ai

Applicable legislation


California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) | California Privacy Rights Act (CPRA, Prop. 24, 2020) | CPPA Regulations (effective Jan. 1, 2026) | California Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code § 56 et seq.) | California data breach notification law (Cal. Civ. Code § 1798.82)

ℹ These Terms of Use apply to consumers residing in the State of California (USA), pursuant to the CCPA as amended by the CPRA. For users located in Brazil, the applicable document is the Terms of Use — LGPD Edition. For users in the EEA/UK, the applicable document is the Terms of Use — GDPR Edition.

1. ACCEPTANCE OF TERMS

1.1. By registering, accessing or using either Application, the User declares to have read, understood and expressly agreed to these Terms, to the integrated Privacy Policy (available at https://www.scalpscan.ai/privacy-policy) and to any future updates, thereby providing unequivocal electronic acceptance pursuant to Cal. Civ. Code § 1798.100 et seq. (CCPA/CPRA) and applicable California e-commerce law.
1.2. Acceptance is formalized at the point of registration, through account creation in the Application. The Terms of Use and the Privacy Policy are available on the application page in the App Store prior to download. The system automatically and immutably records: the version of the documents in force at the date of registration, the cryptographic hash and the server timestamp (CPRA — demonstrability of consent for sensitive personal information).
1.3. Refusal or disagreement with any clause obliges the User to immediately cease use of the Applications and delete their account directly in the Application Settings, or through the channel: support@scalpscan.ai.

2. DEFINITIONS

2.1. Application / ScalpScan.AI — Software intended for Professional Users that captures scalp images and depth data, generates real-scale 3D models (USDZ), performs quantitative measurement of alopecia areas and produces follicular density metrics. Operates on a hybrid architecture: local processing (edge computing) on the device + final 3D model storage on AWS backend.

2.2. ScalpScan.AI Patient — Application intended for Patient Users, enabling autonomous 3D scanning of the scalp, with subsequent sharing of the model with a Professional User (via code). Models not shared with a physician are stored exclusively on the patient's device — they are not sent to the HAIR RESTORATION SCIENCE LTDA. backend.

2.3. Professional User — Physician with an active medical license or clinic under the technical responsibility of a licensed physician, contracting party for the license.

2.4. Patient User — Natural person who uses ScalpScan.AI Patient for their own scanning, independently or at the request of a physician.

2.5. Consumer / Patient — A natural person who is a California resident whose images, depth data, 3D models and derived metrics are processed in the Applications (Cal. Civ. Code § 1798.140(j)).

2.6. Sensitive Personal Information — Health data and biometric data (3D models and clinical metadata capturing unique physical characteristics of the scalp), classified as sensitive personal information under the CPRA (Cal. Civ. Code § 1798.140(ae)), subject to additional rights and restrictions, including the right to limit use.

2.7. Business / Co-Business — HAIR RESTORATION SCIENCE LTDA. (Business determining the purposes and means of processing platform data) and the Professional User (who acts as a co-business with respect to patient data for clinical purposes), with roles formalized through the DPA.

2.8. AWS Backend — Amazon Web Services infrastructure (EC2/MySQL + S3), us-east-1 region (USA). EC2 stores registration data, metadata and credentials; S3 stores USDZ 3D files.

2.9. Personal Information — Name, email, telephone, date of birth, city/state/country, authentication identifiers, 3D scalp model, clinical metadata and platform activity logs, as defined under Cal. Civ. Code § 1798.140(v).

2.10. Authentication Credentials — Registered email, password stored only as an irreversible (one-way) hash, never in plain text, and internal user identifier (user ID).

2.11. Annotation Metadata — Geometric and display configuration data saved on the 3D model (selected vertices, colors and markings), constituting sensitive health personal information under the CPRA and the California Confidentiality of Medical Information Act (CMIA, Cal. Civ. Code § 56 et seq.).

2.12. OTP — Identity verification by one-time-use code sent via WhatsApp Business API (Meta Platforms, Inc., USA) to the Professional User, or by email to both Professional and Patient Users.

2.13. Service Providers — (i) Amazon AWS (EC2 + S3) — storage, USA; (ii) Meta Platforms, Inc. / WhatsApp Business API — OTP verification, USA. All subject to contracts prohibiting the use of personal information beyond the provision of the contracted service (CPPA Reg. § 7011).

2.14. DPA — Data Processing Agreement, concluded between HAIR RESTORATION SCIENCE LTDA. and the Professional User, formalizing roles and responsibilities regarding the processing of patient personal information.

2.15. Administrative Panel — Internal interface accessible exclusively to authorized HAIR RESTORATION SCIENCE LTDA. staff for technical support, compliance and legal defense purposes.

2.16. Physician Code — Unique identifier generated by the Professional User to link the patient's scan to their clinical record.

2.17. 'HRS' — abbreviated designation used in these Terms to refer to HAIR RESTORATION SCIENCE LTDA., a private legal entity registered under CNPJ No. 50.807.318/0001-57, with registered address at Av. Genésio Durão, 1160, apto 702, Ed. Morada do Sol, Três Barras, Linhares/ES, CEP 29.907-010, Brazil, the Business responsible for the processing of personal information on the Platform pursuant to the CCPA/CPRA.

3. OBJECT AND TECHNICAL LIMITATIONS

⚠ IMPORTANT: ScalpScan.AI and ScalpScan.AI Patient are technical support tools. They do not perform diagnosis, do not replace in-person clinical examination, do not prescribe treatment, do not indicate surgical technique and do not perform any medical act.


3.1. Data architecture — Data minimization: Photographs captured during scanning remain stored exclusively on the user's device and are not transmitted to the backend. The management, retention and eventual deletion of such images is the exclusive responsibility of the user. HRS has no access to the device and therefore does not control or bear responsibility for those files. Only the final 3D model (USDZ) is sent to AWS.

3.2. The metrics, 3D models and estimates generated constitute objective technical inputs for clinical planning, without guarantee of absolute accuracy, as they depend on positioning, capture quality and individual patient characteristics.

3.3. Annotations on 3D models entered by the Professional User constitute sensitive health personal information under the CPRA and the CMIA (Cal. Civ. Code § 56 et seq.) and may form part of the medical record, subject to applicable California healthcare professional obligations.

3.4. ScalpScan.AI may be used within California and in other jurisdictions, provided that applicable local laws are observed.

4. ELIGIBILITY AND REGISTRATION

4.A. Professional User (Physicians and Clinics)

4.1. Use of ScalpScan.AI is restricted to duly licensed physicians or clinics under the technical responsibility of a licensed physician.

4.2. The following personal information is collected upon registration: name, email, telephone, city, state, country, date of birth. The system also records: (i) registration origin (signup source); and (ii) authentication identifiers (email, encrypted password, internal ID).

4.3. The Professional User declares, under penalty of applicable law, to hold a valid medical license upon accepting these Terms, assuming exclusive responsibility for the truthfulness of this declaration.

4.4. The Professional User's identity is verified by OTP via WhatsApp Business API (Meta Platforms, Inc.) or by email.


4.B. Patient User (ScalpScan.AI Patient)

4.5. Any natural person aged 18 (eighteen) or over may register on ScalpScan.AI Patient.

4.6. Persons under 18: ScalpScan.AI is not intended for use by consumers under 18 years of age. Scanning of minors is expressly prohibited. Upon creating an account, the User expressly declares to be over 18 years of age and that they will not use the application to scan patients under 18. HRS does not knowingly collect personal information from minors under 16 without affirmative authorization, consistent with Cal. Civ. Code § 1798.120(c) (CPRA opt-in for minors 13-15) and Cal. Bus. & Prof. Code § 22580 et seq. Non-compliance is the exclusive responsibility of the User.

4.7. The Company may refuse registration, suspend or terminate access in the event of false information, professional irregularities or breach of these Terms.

5. LICENSE AND SUBSCRIPTION

5.1. HAIR RESTORATION SCIENCE LTDA. grants a limited, revocable, non-exclusive, non-transferable and fee-bearing license to use ScalpScan.AI for the duration of the active subscription. ScalpScan.AI Patient is licensed free of charge.

5.2. Trial period: ScalpScan.AI offers a free 7 (seven)-day trial period. If not cancelled before the end of the trial, automatic billing will commence in accordance with the selected plan (monthly, half-yearly or annual). Cancellation must be made directly through Apple, via: Settings → your name → Subscriptions → ScalpScan.AI → Cancel Subscription. Cancellation must be made at least 24 hours before the end of the trial period to avoid billing for the first cycle. HRS does not process payments directly and has no access to the User's payment data; subscription management is the exclusive responsibility of Apple.

5.3. Billing: Payment is made via the App Store (Apple). HAIR RESTORATION SCIENCE LTDA. does not process payment data directly.

5.4. Price changes: For subscriptions managed by Apple, notification of price changes and user acceptance occur entirely within the App Store ecosystem, in accordance with Apple's Terms of Service. HAIR RESTORATION SCIENCE LTDA. does not control this process and is not responsible for price communications, which are the exclusive responsibility of Apple vis-à-vis the user. The User may cancel the subscription before the date on which the new price takes effect without additional charge.

The following are expressly prohibited:

•use for unlawful or unauthorized purposes;

•sharing of credentials or access by unauthorized third parties;

•reverse engineering, decompilation, modification or exploitation of the algorithms;

•use of bots, scripts or unauthorized automation;

•any conduct that compromises the security, integrity or availability of the platform.

6. CLOUD STORAGE (AWS) AND SERVICE PROVIDERS

6.1. Personal information transmitted by the Application is stored on Amazon Web Services (AWS) servers, us-east-1 region (USA):
•AWS EC2/MySQL: registration data (name, email, telephone, date of birth, city/state/country), signup source, authentication credentials (irreversible hash), 3D model metadata and annotation metadata.
•AWS S3: finalized USDZ 3D files. Photographs captured during scanning remain on the user's device and are not transmitted to the cloud.
6.2. Security measures adopted:
•AES-256 encryption at rest (EC2 and S3);
•TLS 1.3 or higher protocol for transmission;
•IAM access controls with least privilege principle (RBAC);
•Access and audit logs; automatic backups in accordance with the retention periods in Clause 13.
6.3. Data transfers: All personal information of California consumers is transferred to and stored in the United States (AWS, us-east-1 region). No transfers to countries outside the USA occur at this time. Service providers are bound by contractual obligations that restrict use of personal information to the purposes of the contracted service (CPPA Reg. § 7011).
6.4. Administrative Panel: Accessible exclusively to authorized HAIR RESTORATION SCIENCE LTDA. employees upon secure authentication, for technical support, compliance and legal defense purposes. All access is recorded in audit logs.

7. IDENTITY VERIFICATION (OTP / WHATSAPP / EMAIL)

7.1. The Company uses OTP sent via WhatsApp Business API (Meta Platforms, Inc.) to the registered telephone number for the Professional User, or via email to the registered address for both Professional and Patient Users, ensuring the authenticity of registrations and the security of access.

7.2. The OTP identity verification mechanism operates differently depending on the User profile:

•(i) Professional User: the OTP may be sent via WhatsApp Business API (Meta Platforms, Inc., USA) or by email, depending on the channel selected by the User upon registration. When the Professional User opts for WhatsApp delivery, they expressly consent to their telephone number being disclosed to Meta exclusively for the purpose of delivering the code. This constitutes a disclosure of personal information to a service provider for a specific business purpose (CPPA Reg. § 7011). Meta processes the number exclusively for OTP delivery purposes, pursuant to its own Privacy Policy. When the selected channel is email, no personal information is disclosed to Meta.

•(ii) Patient User: the OTP is sent exclusively by email, without any disclosure of personal information to Meta or third parties.

7.3. The OTP is for single use only and has limited validity. The user is responsible for the confidentiality of the code received.

7.4. The Company does not store the content of WhatsApp messages; it only records the verification event (success/failure) and the date/time. The log is deleted after 90 days (boolean flag) — consistent with the data minimization principle and Cal. Civ. Code § 1798.100(e) (retention only as necessary for disclosed purposes).

8. ROLES IN PERSONAL INFORMATION PROCESSING (CCPA/CPRA)

8.A. HAIR RESTORATION SCIENCE LTDA. as Business
8.1. HAIR RESTORATION SCIENCE LTDA. is the Business (Cal. Civ. Code § 1798.140(d)) directly responsible for the collection, use and disclosure of: (i) registration and authentication personal information of Professional and Patient Users; (ii) OTP verification logs; (iii) patient folders created on the platform; (iv) 3D models and metadata stored on AWS.
8.2. Business purposes for which HRS collects and uses personal information (Cal. Civ. Code § 1798.140(e)):
•Provision of the contracted service (scalp analysis): registration data, authentication credentials, 3D model, clinical metadata.
•Identity verification and access security: OTP, access logs.
•Processing of sensitive personal information in the professional workflow: biometric 3D model, clinical metadata — collected and used solely for the provision of the medical service, as permitted by Cal. Civ. Code § 1798.121.
•Patient consent in the ScalpScan.AI Patient workflow: 3D model, metadata, registration data — with opt-in consent for sensitive personal information.
•Compliance with applicable legal and regulatory obligations.
•Tracking registration origin (signup source): legitimate interest, documented in the Privacy Impact Assessment.


8.B. Professional User as Co-Business

8.3. The Professional User acts as a co-business with respect to patient personal information for clinical use purposes (preparation of medical records, surgical planning, etc.), and is independently responsible for compliance with the CCPA/CPRA, the CMIA and applicable California medical professional regulations.
8.4. The roles are formalized by the DPA, incorporated into these Terms of Use and accepted by the Professional User upon registration, which defines the responsibilities of each party regarding the legal basis for collection, security, consumer rights handling and incident notification.
8.5. The Professional User may not invoke HAIR RESTORATION SCIENCE LTDA.'s registration to justify their own obligations under California law. The obligation to maintain medical records for the period required under California healthcare law, to obtain the patient's informed consent, and clinical responsibility for personal information processed for diagnostic and therapeutic purposes are obligations exclusive to the Professional User, independent of and parallel to HRS's obligations.

9. RESPONSIBILITIES OF HAIR RESTORATION SCIENCE LTDA. AS BUSINESS

HAIR RESTORATION SCIENCE LTDA., as Business, is responsible for:
•Maintaining immutable (append-only) technical records of all consents collected, including: consumer ID, version and hash of the accepted document, server timestamp and collection mechanism (CPRA — demonstrability of consent for sensitive personal information);
•Informing users that photographs captured remain on the device and may be manually deleted, the management of files on the user's device not being the responsibility of HAIR RESTORATION SCIENCE LTDA.;
•Maintaining the Privacy Officer channel (dpo@scalpscan.ai) operational, responding to California consumers within 45 days (Cal. Civ. Code § 1798.130), extendable by a further 45 days where necessary with prior notice;
•Complying with the retention and deletion periods defined in Clause 13;
•Notifying affected California consumers of any data breach involving unencrypted or unredacted personal information, as required by Cal. Civ. Code § 1798.29 and § 1798.82, in the most expedient time possible and without unreasonable delay;
•Maintaining a Record of Processing Activities (RoPA) and conducting Privacy Impact Assessments (PIAs) as required for high-risk processing of sensitive personal information.
HRS monitors its processing volumes of sensitive personal information of California consumers. Upon reaching the thresholds established by CPPA regulations (Cal. Code Regs. tit. 11, § 7101), HRS will conduct annual cybersecurity audits and submit required documentation to the CPPA. HRS maintains internal security controls consistent with reasonable security practices as required by Cal. Civ. Code § 1798.150(a).

10. RESPONSIBILITIES OF THE PROFESSIONAL USER AS CO-BUSINESS

10.1. Mandatory consent: When manually creating the patient folder — i.e., when the patient does not have their own account on ScalpScan.AI Patient — the Professional User is obliged to obtain the patient's informed consent in person, prior to scanning, in accordance with applicable California healthcare professional obligations and the CMIA (Cal. Civ. Code § 56.10). The record generated in the system by the physician's declaration does not replace this obligation, and exclusive responsibility for complying with the formal requirements for collecting and documenting consent rests with the Professional User.

For this flow, HAIR RESTORATION SCIENCE LTDA. bases the collection and use of the patient's personal information on the healthcare professional's explicit collection for medical treatment purposes, consistent with the CMIA exception for treatment (Cal. Civ. Code § 56.10(b)(2)), which does not remove or reduce the Professional User's autonomous obligations under the CMIA and California medical regulations.


⚠ ATTENTION — PHYSICIAN: The declaration recorded in the system at the time of creating the patient folder does not replace the formal consent required by California medical professional regulations and the CMIA, nor the obligation to document that consent in the medical record. The Professional User is independently accountable under California law for any non-compliance, including the obligation to maintain medical records for the period required under applicable California healthcare law, independently of the retention periods adopted by HAIR RESTORATION SCIENCE LTDA.


10.2. System declaration — mandatory checkbox: When creating each patient folder, the Professional User must tick the mandatory declaration checkbox: "I declare that I have informed this patient about the functioning of ScalpScan.AI, including the nature of the biometric and health data collected, the identity of the parties processing that data, the retention periods applicable, and the patient's right to withdraw consent at any time by contacting dpo@scalpscan.ai or the undersigned physician. I have obtained the patient's free, specific and informed consent for the scan and for the storage and processing of the generated data, in accordance with applicable data protection law, the California Confidentiality of Medical Information Act (Cal. Civ. Code § 56 et seq.) and applicable medical professional regulations." The "Create Patient" button remains disabled until the checkbox is ticked. The system generates an immutable record with a server timestamp, linked to the Professional User ID and the ID of the folder created.

10.2-A. Nature of the record and exclusive responsibility of the co-business: The record generated by the system on the "Add New Patient" screen does not constitute direct consent from the patient, but rather evidence of the Professional User's declaration that they obtained that consent from the patient. The system immutably records the following fields: (i) consumer identifier (subjectId); (ii) folder identifier (patientId); (iii) consentDeclaration=true; (iv) version of the declared document (documentVersion="v2.0"); (v) SHA-256 hash of the document (documentHash); (vi) collection method (collectionMethod="checkbox"); and (vii) server timestamp. Responsibility for the truthfulness of this declaration rests exclusively with the Professional User.
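As an added illustration (not HRS's own code) of the consent evidence record described in Clause 10.2-A and the append-only consent log required by Clause 9, the Python sketch below refuses to create a record until the checkbox is ticked, stores the seven listed fields with a SHA-256 hash of the accepted document text, and lets a later check confirm which document version a record evidences. The declaration text, the identifiers and the hash chaining between entries are assumptions; the page only states that the record is immutable.

```python
"""Append-only consent evidence record modelled on Clause 10.2-A (illustrative, not HRS code)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for the declaration text ticked on the "Add New Patient" screen.
DECLARATION_V2 = (
    "I declare that I have informed this patient about the functioning of ScalpScan.AI "
    "and have obtained the patient's free, specific and informed consent for the scan."
)
DOCUMENT_VERSION = "v2.0"  # value named in Clause 10.2-A


def document_hash(text: str) -> str:
    """SHA-256 hex digest of the exact document text the physician declared against."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _canonical(record: dict) -> bytes:
    """Stable serialisation so a hash over a record is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def fixed_clock() -> datetime:
    """Deterministic server clock for the demonstration (assumed value)."""
    return datetime(2026, 3, 17, 12, 0, 0, tzinfo=timezone.utc)


class ConsentLedger:
    """In-memory append-only log. Each entry carries the hash of the previous entry
    (an assumption; the page only says the record is immutable), so editing or
    dropping an earlier entry is detectable by verify_chain()."""

    GENESIS = "0" * 64

    def __init__(self, clock=None):
        self._entries = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def record_declaration(self, subject_id: str, patient_id: str, checkbox_ticked: bool,
                           document_text: str, document_version: str) -> dict:
        # Clause 10.2: "Create Patient" stays disabled until the checkbox is ticked.
        if not checkbox_ticked:
            raise ValueError("declaration checkbox not ticked; patient folder not created")
        record = {
            "subjectId": subject_id,                      # (i)
            "patientId": patient_id,                      # (ii)
            "consentDeclaration": True,                   # (iii)
            "documentVersion": document_version,          # (iv)
            "documentHash": document_hash(document_text),  # (v)
            "collectionMethod": "checkbox",               # (vi)
            "serverTimestamp": self._clock().isoformat(),  # (vii)
            "prevEntryHash": self._entries[-1]["entryHash"] if self._entries else self.GENESIS,
        }
        record["entryHash"] = hashlib.sha256(_canonical(record)).hexdigest()
        self._entries.append(record)
        return dict(record)  # return a copy so callers cannot mutate ledger state

    def entries(self) -> list:
        return [dict(e) for e in self._entries]

    def verify_chain(self) -> bool:
        """True if every entry's hash matches its content and links to its predecessor."""
        prev = self.GENESIS
        for e in self._entries:
            body = {k: v for k, v in e.items() if k != "entryHash"}
            if e["prevEntryHash"] != prev:
                return False
            if hashlib.sha256(_canonical(body)).hexdigest() != e["entryHash"]:
                return False
            prev = e["entryHash"]
        return True


def matches_document(record: dict, document_text: str, document_version: str) -> bool:
    """Check that a record evidences a declaration against this exact version and text."""
    return (record["documentVersion"] == document_version
            and record["documentHash"] == document_hash(document_text))


if __name__ == "__main__":
    ledger = ConsentLedger(clock=fixed_clock)
    rec = ledger.record_declaration("subj-0001", "pat-0001", True, DECLARATION_V2, DOCUMENT_VERSION)
    print(json.dumps(rec, indent=2))
    print("chain intact:", ledger.verify_chain())
```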

10.3. Persons under 18: Scanning of minors is expressly prohibited by the Application. The Professional User declares, upon accepting these Terms, that they will not use the platform to scan patients under 18 years of age. Non-compliance is the exclusive responsibility of the Professional User.

10.4. Documentation in the medical record: The physician must export and archive in their medical records system the consent record and relevant clinical information, in accordance with California healthcare law, including the CMIA.

10.5. Export of clinical data: Annotations on 3D models may form part of the medical record, with minimum retention obligations under California healthcare law. HAIR RESTORATION SCIENCE LTDA. makes available, throughout the 60-day grace period, individual export functionality for videos and 3D models, accessible directly in the Professional User's panel. Non-use of the export functionality made available is the exclusive responsibility of the Professional User; HAIR RESTORATION SCIENCE LTDA. may not be held liable for loss of clinical data resulting from the Professional User's omission. The Professional User is solely responsible for the retention and integrity of clinical data in their own medical records system.

10.6. Independent responsibility: The physician is independently accountable under California law and applicable professional regulatory obligations, and may not invoke HAIR RESTORATION SCIENCE LTDA.'s registration to justify their own obligations.

11. SHARING OF 3D MODELS

11.1. The Professional User may provide the patient with the 3D model generated by ScalpScan.AI by directly sending the file in USDZ format, or a video exported from the Application, outside the ScalpScan.AI interface. Such sending occurs through external communication channels chosen by the Professional User (messaging, email, etc.) and does not constitute disclosure within the platform, generating no sharing record in the HAIR RESTORATION SCIENCE LTDA. system.

11.2. A patient with a ScalpScan.AI Patient account may share their 3D model with the Professional User by entering the Physician Code in the Application. In doing so, the patient: (i) expressly consents to the physician's access to the model, constituting an opt-in consent for the use of sensitive personal information (biometric and health data) pursuant to Cal. Civ. Code § 1798.121; (ii) acknowledges that the Professional User thereby gains access to the model for clinical purposes, being responsible for integration into the medical record and retention for the minimum period required under applicable California healthcare law, independently of the retention periods adopted by HAIR RESTORATION SCIENCE LTDA.; (iii) declares to have been informed of the purposes of the sharing. The system records the consent immutably, containing: consumer ID, model ID, recipient physician ID, server timestamp, version and hash of the accepted document and confirmation of the patient's active opt-in consent. The link is unidirectional: the Professional User does not access personal information from the patient's application without active sharing by the patient.

11.3. Model without sharing: 3D models generated by the patient in ScalpScan.AI Patient that are not shared remain stored solely on the patient's local device, without being sent to the HAIR RESTORATION SCIENCE LTDA. backend.

11.4. Folder deletion: Irreversible operation executed as a unit: folder + metadata (EC2) + 3D file (S3). The physician is solely responsible for retaining clinical data in their medical records system before requesting deletion. Deletion is irreversible and HAIR RESTORATION SCIENCE LTDA. is not liable for data loss resulting from the user's own action. An audit trail is maintained separately, in an immutable manner.

12. CALIFORNIA CONSUMER RIGHTS (CCPA/CPRA)

Pursuant to Cal. Civ. Code § 1798.100–140 (CCPA/CPRA), any California consumer may exercise the following rights against HAIR RESTORATION SCIENCE LTDA. via the channel dpo@scalpscan.ai:


12.1. Right to Know (Cal. Civ. Code § 1798.110)
You have the right to request disclosure of: the categories and specific pieces of personal information collected about you; the categories of sources; the business or commercial purpose for collection; the categories of service providers with whom the information was disclosed; and the specific personal information collected, in a portable, readily usable format where technically feasible.
Lookback period: Pursuant to CPPA regulations effective January 1, 2026 (Reg. § 7024), you may request personal information collected since January 1, 2022. The default response period is the past 12 months; to request the full history, indicate the desired period in your request email.
Request limit: HRS is obliged to fulfil no more than 2 (two) access requests per consumer in any 12-month period (Cal. Civ. Code § 1798.130(a)(3)).

12.2. Right to Delete (Cal. Civ. Code § 1798.105)
You have the right to request deletion of personal information collected by HRS, subject to applicable legal exceptions (including legal retention obligations and defense of rights in litigation).


12.3. Right to Correct (Cal. Civ. Code § 1798.106)
You have the right to request correction of inaccurate personal information maintained by HRS.


12.4. Right to Non-Discrimination (Cal. Civ. Code § 1798.125)
HRS will not discriminate against you for exercising any right under the CCPA/CPRA. You will not be subject to different prices, reduced service levels or any other negative treatment as a result of exercising your rights. HRS does not offer financial incentive programs, price or service differences in exchange for the retention, sale or sharing of personal information. Should HRS implement any such program in the future, prior explicit opt-in consent will be required and the material terms will be disclosed pursuant to Cal. Civ. Code § 1798.125(b).


12.5. Right to Opt-Out of Sale and Sharing (Cal. Civ. Code § 1798.120)
HRS does not sell or share personal information of California consumers for cross-context behavioral advertising. There is therefore no opt-out to be exercised at this time. Should this practice be adopted in the future, this Policy will be updated and the link “Do Not Sell or Share My Personal Information” will be made available.


12.6. Right to Limit Use of Sensitive Personal Information (Cal. Civ. Code § 1798.121)
HRS uses sensitive personal information (biometric 3D model and health data) exclusively for the provision of the contracted medical service. There is no additional use to be limited. You may formally exercise this right through the channel dpo@scalpscan.ai.


ℹ Right to Limit Use of Sensitive Personal Information: As HRS already restricts use of sensitive personal information to what is strictly necessary for the provision of the service, there is no additional use to be limited at this time. Contact: dpo@scalpscan.ai.


Response time: HRS will respond to requests within 45 days of receipt (Cal. Civ. Code § 1798.130), extendable by a further 45 days with prior notice where necessary due to complexity or volume of requests.
Identity verification: HRS may request additional information to verify the consumer's identity before processing a request.
Authorized agent: You may designate an authorized agent to exercise your rights on your behalf. HRS may require written proof of authorization and direct identity verification from the consumer.

13. RETENTION AND DELETION OF PERSONAL INFORMATION

13.A. RETENTION TABLE BY CATEGORY

13.B. DELETION PROCEDURES
13.1. After cancellation of the subscription by the Professional User, access is restricted to export during the 60 (sixty)-day grace period. Upon expiry, 3D models, metadata and patient folders will be irreversibly deleted or de-identified.
13.2. The applicable retention and deletion periods are set out in the table above and in the Privacy Policy, available at https://www.scalpscan.ai/privacy-policy.
13.3. The expiry of the grace period without export by the Professional User exempts HAIR RESTORATION SCIENCE LTDA. from liability for the loss of information necessary for compliance with applicable California healthcare regulations or other legal obligations of the physician.


⚠ ATTENTION — PHYSICIAN: California healthcare law may require medical records to be retained for periods significantly longer than the 60-day grace period. The physician is responsible for exporting and archiving clinical data in their own system before the deadline expires.

14. SENSITIVE PERSONAL INFORMATION (CPRA — CAL. CIV. CODE § 1798.121)

HRS processes the following categories of sensitive personal information:
•Biometric data: three-dimensional (3D) scalp model in USDZ format, used exclusively for the provision of the contracted medical service.
•Health data: clinical metadata and annotations associated with the 3D model, used exclusively for the provision of the contracted medical service, consistent with the CMIA (Cal. Civ. Code § 56 et seq.).
HRS does not use sensitive personal information to infer characteristics about consumers, nor for any purpose other than the provision of the medical service requested by the user, as permitted by Cal. Civ. Code § 1798.121.


ℹ Right to Limit Use of Sensitive Personal Information: HRS already limits the use of sensitive personal information to what is strictly necessary for the provision of the service. There is no additional use to be limited at this time. For questions or to formally exercise this right, contact: dpo@scalpscan.ai.

14-A. GLOBAL PRIVACY CONTROL (GPC)

Cal. Code Regs. tit. 11, § 7025 — Opt-Out Preference Signals. HRS honors opt-out preference signals, including the Global Privacy Control (GPC), transmitted through supported browser interfaces. As HRS does not sell or share personal information for cross-context behavioral advertising, receipt of a GPC signal will be acknowledged and recorded but will produce no substantive change in HRS's data practices, as no such sale or sharing occurs. Should HRS's practices change in the future to include sale or sharing of personal information, GPC signals will be honored as opt-out requests automatically and without requiring any additional consumer action, in compliance with Cal. Code Regs. tit. 11, § 7025.

15. DISCLOSURE OF PERSONAL INFORMATION TO SERVICE PROVIDERS

In the past 12 months, HRS has disclosed the following categories of personal information to service providers for the business purposes described, pursuant to contracts compliant with CPPA Reg. § 7011:

⚠ HRS does NOT sell personal information of California consumers to third parties for any monetary or other valuable consideration. HRS does NOT share personal information for cross-context behavioral advertising. There is therefore no right of opt-out of sale or sharing to be exercised at this time (Cal. Civ. Code § 1798.120).

16. DATA MIGRATION

16.1. Users who already had an account prior to the implementation of the backend may continue using the Applications in the legacy flow or in the new flow (with backend authentication).
16.2. HAIR RESTORATION SCIENCE LTDA. undertakes to migrate all active users to the backend flow in the shortest possible timeframe, communicating in advance through public channels: update of the Privacy Policy, notice displayed in the Application on the user's next access, or publication on the website.
16.3. 3D models created in the legacy flow (stored on the device or iCloud) are not automatically migrated to the cloud. The user is responsible for any manual migration.

17. INTELLECTUAL PROPERTY

17.1. The Application, its algorithms, measurement methods, code, trademarks, pending or granted patents, interfaces and content are the exclusive property of HAIR RESTORATION SCIENCE LTDA. or licensed third parties.

17.2. No provision of these Terms confers upon the User any right of ownership, broad license or economic exploitation over the technology.

18. LIMITATION OF LIABILITY

18.1. HAIR RESTORATION SCIENCE LTDA. is not liable for: (a) clinical decisions, diagnoses or outcomes of procedures; (b) indirect damages, loss of profits, loss of clinical data or business interruption arising from failures originating outside the HAIR RESTORATION SCIENCE LTDA. infrastructure, including device failures, connectivity interruptions, unavailability of third-party services (Apple App Store, AWS, Meta) and force majeure events beyond the company's technical control, provided that HRS has not contributed to the event; (c) loss of clinical data arising from non-use of the export functionality made available by the platform, pursuant to Clause 10.5, such omission being the exclusive responsibility of the Professional User.


ℹ The above limitations apply to the fullest extent permitted by applicable California mandatory consumer protection law. Nothing in these Terms limits or excludes HRS's liability for statutory damages under the CCPA/CPRA (Cal. Civ. Code § 1798.150) arising from unauthorized access to unencrypted or unredacted personal information due to HRS's failure to maintain reasonable security measures.

19. AVAILABILITY AND TECHNICAL SUPPORT

19.1. HAIR RESTORATION SCIENCE LTDA. will use commercially reasonable efforts to maintain 99% monthly availability, excluding scheduled maintenance, force majeure and failures in the User's device or connectivity.

19.2. Scheduled maintenance will be communicated with a minimum of 48 hours' notice by email or in-app notification.

19.3. The availability guarantee does not apply to: (i) user connectivity failures; (ii) device hardware issues; (iii) use of non-approved versions; (iv) factors beyond HAIR RESTORATION SCIENCE LTDA.'s infrastructure.

19.4. In the event of unavailability due to the exclusive fault of HAIR RESTORATION SCIENCE LTDA., the Professional User shall be entitled to a proportional credit on the next invoice, limited to the value of the monthly fee corresponding to the period of excess unavailability.

20. SUSPENSION AND TERMINATION

20.1. HAIR RESTORATION SCIENCE LTDA. may suspend or terminate the User's access in the event of: (a) serious or repeated breach of these Terms; (b) fraudulent use; (c) false registration data; (d) medical license irregularity or order of a competent authority; (e) court order.
20.2. In the event of termination due to the User's fault, no refund of amounts paid shall be made, subject to applicable California consumer protection law.

21. AUTOMATED PROCESSING AND ALGORITHMIC TRANSPARENCY

21.1. The platform uses computational methods and algorithms to process images and depth data, generate three-dimensional scalp models and produce technical scalp analysis metrics. These processes are carried out in an automated manner as informational technical support for the healthcare professional.

21.2. The automated processing described in Clause 21.1 does not constitute automated decision-making technology (ADMT) with legal or similarly significant effects on the consumer, within the meaning of the CPPA regulations effective January 1, 2026. The metrics and models generated are technical inputs that must be evaluated and validated by the medical professional, who is solely responsible for the clinical decision.

21.3. HRS guarantees the consumer the right to obtain, at any time, information about the criteria and procedures used in the platform's automated processes, as well as to contest any result they consider incompatible with their personal information, via the channel dpo@scalpscan.ai.

21.4. ADMT notice — effective January 1, 2027: Should HRS begin using Automated Decision-Making Technology (ADMT) with significant effects on California consumers, as defined by CPPA regulations (Cal. Code Regs. tit. 11, § 7015), HRS will, prior to any such use: (i) provide a specific pre-use notice describing the ADMT logic, the categories of personal information used, and the nature of the significant effects; (ii) make available a clear and accessible opt-out mechanism; and (iii) update this Policy accordingly. HRS will not use ADMT that produces legal or similarly significant effects on consumers without providing these protections.

21.5. Technological evolution: HAIR RESTORATION SCIENCE LTDA. may update platform features, algorithms, analysis methods and technological resources with the aim of improving accuracy, performance and security, without formal amendment of these Terms, provided that such changes do not entail: (i) a new purpose incompatible with the disclosed business purposes; (ii) new use of sensitive personal information not previously disclosed; or (iii) disclosure to new service providers not listed in these Terms. When any of these situations arise, the rules of Clause 22.2 of these Terms shall apply.

22. AMENDMENTS TO THESE TERMS

22.1. Material changes will be communicated with a minimum of 15 (fifteen) days' notice before taking effect, by means of a transactional email sent to registered users and publication of the new version on the Privacy Policy page (https://www.scalpscan.ai/privacy-policy).
22.2. Continued use following the entry into force of the changes constitutes acceptance for clauses of a commercial and operational nature. For changes entailing: (i) new use or disclosure of sensitive personal information; (ii) new business purposes incompatible with those previously disclosed; or (iii) disclosure to new service providers, new opt-in consent from the consumer will be required, collected before the change takes effect (CPRA). The User may cancel the subscription before the date on which the changes take effect without additional charge.

23. GOVERNING LAW AND JURISDICTION

23.1. These Terms of Use — CCPA/CPRA Edition are governed by the laws of the State of California, including the CCPA (Cal. Civ. Code § 1798.100 et seq.), the CPRA, the CMIA (Cal. Civ. Code § 56 et seq.), and applicable California consumer protection law.

23.2. California consumers have the right to contact the California Privacy Protection Agency (CPPA) regarding CCPA/CPRA concerns: https://cppa.ca.gov.

23.3. For contractual disputes between the parties, the courts of the Judicial District of Linhares, State of Espirito Santo, Brazil, shall have non-exclusive jurisdiction. Notwithstanding the foregoing, nothing in these Terms waives, limits or restricts any California consumer's right to: (i) bring a civil action in California courts pursuant to Cal. Civ. Code § 1798.150 for unauthorized access to unencrypted or unredacted personal information resulting from HRS's failure to implement reasonable security; (ii) file a complaint with the California Privacy Protection Agency (CPPA) at https://cppa.ca.gov; or (iii) exercise any other right that cannot be waived under Cal. Civ. Code § 1798.192. Any provision of these Terms that purports to waive such rights is void and unenforceable.

23.4. Before resorting to judicial proceedings, the Parties undertake to seek amicable resolution by formal notice to the channel support@scalpscan.ai or WhatsApp channel, with a negotiation period of up to 30 (thirty) business days.

24. CONTACT CHANNELS

Pursuant to Cal. Civ. Code § 1798.130(a) (CCPA/CPRA), the following are the official channels of HAIR RESTORATION SCIENCE LTDA. and of the Privacy Officer / Designated Agent for CCPA Requests:

Privacy Officer: HAIR RESTORATION SCIENCE LTDA. has designated a Privacy Officer as the Designated Agent for CCPA requests (Cal. Civ. Code § 1798.130(a)(1)). The Privacy Officer is contactable at dpo@scalpscan.ai and is the official channel of communication between HRS and California consumers for the exercise of privacy rights.

Linhares/ES, 17 March 2026.

HAIR RESTORATION SCIENCE LTDA.

Version 2.0 — CCPA/CPRA Edition | March 2026 | dpo@scalpscan.ai
https://www.scalpscan.ai/privacy-policy