Privacy policy
We appreciate your interest in Capillus360. Data protection is particularly important to us. You can generally use our platform without providing any personal data. If you wish to use our brokerage service (the “hair analysis”), however, processing of personal data is necessary.
1. Name and address of the controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws is:
Endert Ventures LLC
1209 Mountain Road Pl Ne Ste N
NM 87110
United States of America
- Email: support@capillus360.com
- Website: capillus360.com
2. Data we collect
When you use our assessment wizard, we collect the following data:
Identity and contact data
First name, last name, email address, phone number.
Health data (Art. 9 GDPR)
Photographs of your current hair situation (scalp), your personal assessment of hair loss (Norwood scale), duration of hair loss, and information on past or current medication-based treatments.
Preference data
Your desired budget and preferred treatment region.
Technical data
Each time you visit the website, we collect server log files (IP address, browser type, date and time of access) to maintain the security of our systems.
3. Purpose and legal basis of processing
We process your data exclusively for the following purposes:
Brokerage & preparation of offers
To transmit your medical data in anonymised form to suitable partner clinics so that they can prepare a fixed-price offer for you. The legal basis is your explicit consent (Art. 9(2)(a) GDPR in conjunction with Art. 6(1)(a) GDPR).
Contact handover
Only when you actively click “Get in touch” do we release your identity and contact data (name, phone number, email) to the clinic you selected.
Authentication
For secure sign-in via “magic link”, we use your email address.
4. Transfers to third countries (USA and worldwide)
A core part of our service is forwarding your request to specialised partner clinics so that we can broker tailored fixed-price offers for you. Because the operator of this platform (Endert Ventures LLC) is established in the United States, the data you enter will initially be transferred to the USA for technical reasons. We safeguard your data through preferential use of European server locations for our databases (where technically feasible) and through strict internal confidentiality policies.
We also forward your request to partner clinics as follows:
Anonymous phase
Initially, up to six selected clinics worldwide receive only your medical data, photos, and preferences — not your name or your direct contact details.
Worldwide transmission
These partner clinics may be located in the European Union or elsewhere worldwide (e.g. Turkey, Thailand, or other countries) — depending on the availability of suitable medical expertise and the preferences you indicate in the form.
Risk notice
We expressly inform you that many countries outside the European Union (EU) and the European Economic Area (EEA) are regarded under data protection law as so-called unsafe third countries. In such countries (including, for example, the USA and various Asian states), the European Commission considers that there is no level of data protection equivalent to that of the EU. In particular, there is a risk that public authorities there may access your data without you having effective legal remedies.
Your explicit consent
The transfer of your sensitive health data to our US company and to clinics worldwide takes place solely on the basis of your explicit consent (Art. 49(1)(a) GDPR in conjunction with Art. 9(2)(a) GDPR). You give this consent actively and voluntarily before submitting your request. In addition, we conclude EU standard contractual clauses with our partner clinics worldwide where legally practicable in order to safeguard your data contractually.
5. Service providers used (processors)
To operate our platform securely and efficiently, we use external service providers with whom we have concluded data processing agreements (DPAs):
Supabase: We use Supabase for the database, hosting of encrypted images (storage), and authentication. Data are stored encrypted; processing takes place in data centres within the European Union (hosting via AWS within Supabase’s EU regions).
Vercel: We use Vercel Inc. to host our frontend application.
Email delivery: We use Resend to send magic links and notifications.
6. Retention and deletion
We store your data only for as long as necessary for the purposes for which they were collected:
- If you do not complete treatment or accept an offer, you can delete your profile in your dashboard at any time.
- If there is no activity on your account for six months, your images and medical data are automatically and permanently deleted from our servers.
7. Your rights as a data subject
You have the right, at any time, to:
- Access your stored data (Art. 15 GDPR).
- Obtain rectification of inaccurate data (Art. 16 GDPR).
- Obtain erasure of your data (“right to be forgotten”, Art. 17 GDPR).
- Obtain restriction of processing (Art. 18 GDPR).
- Receive your data in a portable format (data portability, Art. 20 GDPR).
Withdrawal of consent: You may withdraw your consent to the processing of your health data at any time with effect for the future. To do so, simply send an email to the contact address stated above.
