Privacy policy
We are delighted by your interest in Capillus360. Data protection is of a particularly high priority for us. The use of our platform is generally possible without any indication of personal data. However, if you wish to use our matchmaking service (the "Hair Analysis"), the processing of personal data will become necessary.
1. Name and Address of the Data Controller
The controller for the purposes of the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and other applicable data protection laws is:
Endert Ventures LLC
1209 Mountain Road Pl Ne Ste N
NM 87110
United States of America
- Email: support@capillus360.com
- Website: capillus360.com
2. What Data We Collect
When you use our Assessment Wizard, we collect the following data:
Identity and Contact Data
First name, last name, email address, phone number.
Health Data (Special Category Data under Art. 9 UK GDPR)
Photographs of your current hair situation (scalp), your personal assessment of hair loss (Norwood scale), the duration of your hair loss, and information regarding past or current medical treatments.
Preference Data
Your desired budget and preferred region for treatment.
Technical Data
With every visit to the website, we collect server-side log files (IP address, browser type, date and time of access) to ensure the security of our systems.
3. Purpose and Legal Basis for Processing
We process your data exclusively for the following purposes:
Matchmaking & Quoting
To transmit your medical data in an anonymized form to suitable partner clinics so they can provide you with a fixed-price offer. The legal basis for this is your explicit consent (Art. 9(2)(a) UK GDPR in conjunction with Art. 6(1)(a) UK GDPR).
Contact Handover
Only when you actively click on "Establish Contact" do we release your identity and contact data (name, phone number, email) to the specific clinic you have selected.
Authentication
We use your email address for secure login via a "Magic Link".
4. Data Transfers to Third Countries (US and Worldwide)
A core component of our service is forwarding your inquiry to specialized partner clinics to provide you with tailored fixed-price offers. Because the operator of this platform (Endert Ventures LLC) is based in the USA, your entered data is initially transferred to the USA for technical reasons. We ensure the protection of your data by primarily using European server locations for our databases (where technically feasible) and enforcing strict internal confidentiality policies.
Furthermore, we forward your inquiry to partner clinics:
Anonymous Phase
Initially, up to 6 selected clinics worldwide receive only your medical data, photos, and preferences, without your name or direct contact details.
Worldwide Transfer
These partner clinics may be located in the UK, the European Union, or in other countries worldwide (e.g., Turkey, Thailand, or other states)—depending on the availability of suitable medical expertise and the preferences you indicated in the form.
Risk Warning
We explicitly inform you that many countries outside the UK and the European Economic Area (EEA) are considered insecure third countries under data protection law. According to the UK Government, these countries (such as the USA or various Asian states) may not provide a level of data protection equivalent to that of the UK. There is a specific risk that state authorities in those countries may access your data without you having effective legal remedies.
Your Explicit Consent
The transfer of your sensitive health data to our US company and to worldwide clinics takes place exclusively on the basis of your explicit consent (Art. 49(1)(a) in conjunction with Art. 9(2)(a) UK GDPR). You grant us this consent actively and voluntarily before submitting your inquiry. Additionally, where legally viable, we enter into the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses with our worldwide partner clinics to contractually safeguard your data.
5. Service Providers Used (Data Processors)
To provide our platform in a technically secure and efficient manner, we use external service providers with whom we have concluded Data Processing Agreements (DPAs):
Supabase: We use Supabase for our database, hosting of encrypted images (storage), and authentication. Data is stored encrypted; processing takes place in data centers within the European Union (hosting via AWS within the EU regions offered by Supabase).
Vercel: We use Vercel Inc. for hosting our frontend application.
Email Delivery: We use Resend to send Magic Links and notifications.
6. Storage Duration and Data Deletion
Your data will only be stored for as long as necessary for the purposes for which it was collected:
- If you do not finalize a treatment or accept an offer, you can delete your profile in your dashboard at any time.
- If there is no activity on your account for 6 months, your images and medical data will be automatically and irrevocably deleted from our servers.
7. Your Rights as a Data Subject
Under the UK GDPR, you have the right to:
- Access your stored personal data (Art. 15 UK GDPR).
- Rectification of inaccurate data (Art. 16 UK GDPR).
- Erasure of your data ("Right to be forgotten", Art. 17 UK GDPR).
- Restriction of processing (Art. 18 UK GDPR).
- Data portability (Art. 20 UK GDPR).
Withdrawal of Consent: You can withdraw your consent to the processing of your health data at any time with effect for the future. Simply send an email to our contact address mentioned above.
Right to Complain: You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
