Privacy policy

2. What data we collect

When you use our assessment wizard, we collect and process the following categories of personal data:

Identity and contact data

First name, last name, email address, phone number.

Particularly sensitive personal data (health data)

Photographs of your current hair situation (scalp), your personal assessment of hair loss (Norwood scale), how long you have experienced hair loss, and information on past or current medication-based treatments.

Preference data

Your desired budget and preferred region for treatment.

Technical data

On each visit to the website we collect server log files (IP address, browser type, date and time of access) to ensure the security and stability of our systems.

3. Purpose of processing

We process your data exclusively for the following purposes:

Brokerage & preparation of offers

To transmit your medical data in anonymised form to suitable partner clinics so they can provide you with a fixed-price offer. Because this involves particularly sensitive personal data, processing is carried out solely on the basis of your explicit consent.

Contact handover

Only when you actively click “Establish contact” in your dashboard do we release your identity and contact data (name, phone number, email) to the clinic you have exclusively selected.

Authentication

We use your email address for secure sign-in via a “magic link”.

4. Disclosure of data abroad (USA and worldwide)

A core part of our service is forwarding your request to specialised partner clinics. Because the operator of this platform (Endert Ventures LLC) is based in the USA, your data is transferred to the USA for technical reasons. We primarily host our databases on servers in Europe to maintain a high level of protection.

We also forward your request to partner clinics:

Anonymous phase

Initially, up to six selected clinics worldwide receive only your medical data and photos (without your name or contact details).

Worldwide disclosure

These partner clinics may be located in Switzerland, in the European Economic Area (EEA), or in other countries worldwide (e.g. Turkey, Thailand).

Inadequate level of data protection

We inform you that the Swiss Federal Council currently does not recognise an adequate statutory level of data protection for certain countries (such as the USA or Turkey). There is a risk that authorities in those countries may access your data.

Your consent & safeguards

The transfer of your particularly sensitive personal data to these countries is primarily based on your explicit consent. In addition, wherever possible we enter into standard data protection clauses recognised by the Federal Data Protection and Information Commissioner (FDPIC) with our partner clinics to safeguard your data contractually.

5. Service providers used (processors)

To operate our platform securely, we use external service providers who are contractually required to comply with data protection requirements:

Supabase: database, hosting of encrypted images, and authentication. Data is stored encrypted in data centres within the EU.

Vercel: hosting of our frontend application (Vercel Inc.).

Resend: reliable delivery of system emails and magic links.

6. Retention and deletion

Your data is stored only for as long as necessary for the stated purposes:

• If you do not accept an offer, you can delete your profile in your dashboard at any time.
• If there is no activity on your account for six months, your images and medical data are automatically and permanently deleted from our servers.

7. Your rights

Under the Swiss Federal Act on Data Protection (FADP), you have the following rights at any time:

• Information: you can request information about which personal data we process about you.
• Rectification: you can have inaccurate data corrected.
• Erasure: you can request erasure of your data.
• Data disclosure: you have the right to obtain certain personal data in a commonly used electronic format or to have it transferred to another controller.

Withdrawal of consent: you may withdraw your consent to the processing of your health data at any time with effect for the future. An email to support@capillus360.com is sufficient. Right to lodge a complaint: if you believe that the processing of your data breaches data protection law, you may contact the Federal Data Protection and Information Commissioner (FDPIC) in Bern (www.edoeb.admin.ch).