Biometric Consent Form

CONSENT FORM

FOR COLLECTION AND USE OF BIOMETRIC AND HEALTH DATA

ScalpScan.AI Patient

HAIR RESTORATION SCIENCE LTDA. | Brazilian Company Registration (CNPJ) 50.807.318/0001-57

Version 1.0 | March 20, 2026

⚠ This document clearly and objectively describes what data will be collected, for what purpose, who will have access and what your rights are. Please read carefully before proceeding.

1. What is ScalpScan.AI Patient

ScalpScan.AI Patient is an application developed by HAIR RESTORATION SCIENCE LTDA. (“HRS”) that allows the patient to perform a three-dimensional (3D) scan of their own scalp and, if they choose, share the generated model with a physician of their choice.

The application is a technical support tool. It does not perform medical diagnosis, does not replace clinical consultation and does not prescribe treatment. Clinical assessment and therapeutic decision-making are the exclusive responsibility of the physician.

Pursuant to Regulation (EU) 2024/1689 (EU AI Act), in force since August 2024, HRS guarantees mandatory human oversight over all outputs generated by the platform's computational systems. The physician is solely responsible for the clinical decision.

2. What data will be collected

When you create an account and use ScalpScan.AI Patient, the following data will be collected:

ℹ Photographs captured during scanning are stored exclusively on your device and are NEVER sent to HRS. Only the final 3D model (USDZ) is transmitted, and only if you choose to share it with a physician.

3. How your data will be used

Your data will be used exclusively for:
•Creating and managing your account in the ScalpScan.AI Patient application;
•Generating the 3D model of your scalp from images captured by your device;
•Sharing the model with a physician of your choice, only if you expressly authorise it;
•Maintaining an immutable record of this consent for accountability and legal defence purposes;
•Complying with applicable legal and regulatory obligations.

⚠ HRS does NOT use your biometric or health data for: advertising, consumer profiling, sale to third parties, research without additional consent or any purpose other than those listed above.

4. Who will have access to your data

Your data may be accessed by the following parties:

•HAIR RESTORATION SCIENCE LTDA. (HRS): to operate and maintain the platform, ensure data security and comply with legal obligations.

•Physician of your choice: only if you choose to share the 3D model by entering the Physician Code in the application. Sharing is always activated by you, never automatically.

•Amazon Web Services, Inc. (AWS): HRS's storage service provider, bound by contract that prohibits use of data for its own purposes.

HRS does NOT sell, rent or share your data with third parties for advertising or commercial purposes.

5. Storage and security

Your data is stored on Amazon Web Services (AWS) servers, us-east-1 region (United States), with the following protections:
•AES-256 encryption at rest for all stored data;
•TLS 1.3 protocol for secure data transmission;
•Role-based access control (RBAC) and identity management (IAM);
•Immutable audit logs for all operations involving your data.

Retention period: Your registration data and consent records are retained for up to 10 years for legal and accountability purposes. The 3D model and clinical metadata are deleted within 60 days after cancellation of the subscription held by the physician who received the share.

6. International data transfers

Your data is stored in the United States (AWS us-east-1). This transfer is covered by Standard Contractual Clauses approved by competent data protection authorities, ensuring a level of protection equivalent to that of your country of origin. Documentation is available upon request at dpo@scalpscan.ai.

7. Your rights

You have the following rights regarding your personal data, which you may exercise at any time through the channel dpo@scalpscan.ai:

•Access: request information about what data of yours is being processed, including history since 1 January 2022;

•Correction: request correction of inaccurate or outdated data;

•Erasure: request deletion of your data, subject to legal retention periods;

•Withdrawal of consent: withdraw this consent at any time, without affecting the lawfulness of processing carried out beforehand. After withdrawal, the 3D model and clinical metadata will be deleted within 30 days, subject to legal retention obligations;

•Portability: receive your data in a structured, machine-readable format;

•Information: know with whom your data has been shared;

•Complaint: lodge a complaint with the data protection authority competent in your country.

Response time: HRS will respond to your requests within 15 days (general standard), subject to more favourable deadlines required by the legislation of your country.

8. Contact

Data Protection Officer (DPO): dpo@scalpscan.ai
Technical support: support@scalpscan.ai
Full Privacy Policy: https://www.scalpscan.ai/privacy-policy

CONSENT DECLARATION

By accepting this Form, I declare that:
•I have read and understood the information above regarding the collection and use of my biometric and health data;
•I am 18 (eighteen) years of age or older;
•I freely, specifically and informedly consent to the collection and storage of the 3D model of my scalp and associated clinical metadata by HAIR RESTORATION SCIENCE LTDA., for the purposes described in this Form;
•I understand that sharing the 3D model with a physician is a separate, optional act that I will only perform when and if I choose to do so;
•I am aware that I may withdraw this consent at any time, free of charge, through the channel dpo@scalpscan.ai, that withdrawal does not affect the validity of processing carried out before it, and that after withdrawal the 3D model and clinical metadata will be deleted within 30 days, subject to legal retention obligations;
•I am aware that photographs captured during scanning are stored exclusively on my device.

DATA SUBJECT IDENTIFICATION

Full name:

Date of birth:

Country of residence:

Email registered in the application:

CONSENTS

☐ I CONSENT to the collection and storage of the biometric 3D model of my scalp. (required to use the application)

☐ I CONSENT to the use of clinical metadata associated with the 3D model for the provision of the service. (required to use the application)

☐ I AM AWARE that sharing the 3D model with a physician is a separate, optional act that I will only perform when and if I choose to do so.

SIGNATURE

Data Subject Signature

Date: ____/____/________

ℹ When accepted electronically in the ScalpScan.AI Patient application, this consent has full legal validity. The system immutably records: data subject ID, SHA-256 hash of this document, server timestamp and Form version. The record may be obtained at any time through the channel dpo@scalpscan.ai.

HAIR RESTORATION SCIENCE LTDA.

dpo@scalpscan.ai | https://www.scalpscan.ai/privacy-policy
Biometric Data Consent Form ScalpScan.AI Patient | Version 1.0 — March 20, 2026