JOINT CONTROLLERS AGREEMENT
Data Processing Agreement (DPA)
ScalpScan.AI — HAIR RESTORATION SCIENCE LTDA.
Version 1.0 | March 20, 2026
This Agreement formalises the roles and responsibilities between HAIR RESTORATION SCIENCE LTDA. and the Professional User in the joint processing of patients' personal data on the ScalpScan.AI platform, pursuant to applicable data protection laws.
PARTIES
FIRST PARTY — PRINCIPAL CONTROLLER:
Legal Name: HAIR RESTORATION SCIENCE LTDA.
Brazilian Company Registration (CNPJ): 50.807.318/0001-57
Registered Address: Av. Genesio Durao, 1160, apto 702, Ed. Morada do Sol, Tres Barras, Linhares/ES, CEP 29.907-010, Brazil
Data Protection Officer (DPO): dpo@scalpscan.ai
Hereinafter referred to as “HRS”.
SECOND PARTY — JOINT CONTROLLER:
Full Name / Legal Name: _____________________________________________
National ID / Company Registration: _____________________________________________
Medical Licence / Professional Registration: _____________________________________________
Professional address: _____________________________________________
Email registered on the platform: _____________________________________________
Hereinafter referred to as “Physician Joint Controller” or simply “Joint Controller”.
HRS and Joint Controller hereinafter collectively referred to as “the Parties”.
1. SUBJECT MATTER AND LEGAL BASIS
1.1. This Agreement governs the joint processing of patients' personal data carried out by the Parties through the ScalpScan.AI platform, formalising the roles, responsibilities and obligations of each Joint Controller, pursuant to applicable data protection laws, in particular:
• Brazilian General Data Protection Law No. 13.709/2018 (LGPD), Arts. 37 and 42, § 1;
• Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR), Art. 26;
• California Consumer Privacy Act (CCPA/CPRA) and the CPPA regulations effective January 1, 2026;
• Regulation (EU) 2024/1689 — Artificial Intelligence Act (EU AI Act), in force since August 2024: the Parties acknowledge the progressive application of the AI Act and commit to ensuring, regardless of the applicable risk classification, mandatory human oversight over all outputs generated by the platform's computational systems. The Joint Controller, as a qualified medical professional, is solely responsible for the clinical decision. The Parties will update this Agreement when new AI Act obligations come into force for the type of system used by the platform;
• Other applicable data protection laws depending on the jurisdiction in which the Joint Controller operates.
1.2. This Agreement is incorporated into the ScalpScan.AI Terms of Use and is accepted by the Joint Controller at the time of subscription on the platform, by means of unequivocal electronic acceptance, with an immutable record of hash, server timestamp and document version.
1.3. The relationship established between the Parties is that of Joint Controllers / Joint Data Controllers (referred to as “Co-Business” under the CCPA/CPRA), each being answerable, autonomously and jointly, to data subjects and competent authorities within the scope of its own operations, as delimited in this Agreement.
2. PERSONAL DATA PROCESSED JOINTLY
The Parties jointly process, for the purposes described in Clause 3, the following patients' personal data:
The data listed above is processed on the ScalpScan.AI platform exclusively for the medical and clinical purposes described in this Agreement and the Terms of Use. HRS does not use patient data for its own purposes unrelated to the contracted service.
3. PURPOSES OF JOINT PROCESSING
3.1. The Parties process the personal data listed in Clause 2 for the following purposes:
• Provision of the three-dimensional scalp analysis service by the Professional User to the patient;
• Secure storage of the 3D model and clinical metadata during the subscription term plus the grace period;
• Immutable recording of consents collected;
• Audit and defence of rights in the event of disputes;
• Compliance with applicable legal and regulatory obligations.
3.2. Each Party is responsible for determining the specific purposes of the processing it carries out autonomously within its own clinical operations, as delimited in Clause 5.
4. LEGAL BASES
5. RESPONSIBILITIES OF EACH PARTY
5.A. Exclusive Responsibilities of HRS
HRS, as Principal Controller of the platform, is exclusively responsible for:
• Maintaining secure technological infrastructure (AWS EC2/S3, us-east-1 region) with AES-256 encryption at rest and TLS 1.3 in transit;
• Recording and maintaining, in an immutable manner, all consents collected on the platform, including SHA-256 hash, server timestamp and document version;
• Handling requests for the exercise of rights directed to HRS by data subjects, within 15 days (or any more favourable deadline required by local legislation);
• Notifying the Joint Controller and competent authorities in the event of a security incident affecting patient data, without undue delay and, where possible, within 72 hours;
• Keeping the DPO channel (dpo@scalpscan.ai) operational for communication with data subjects and authorities;
• Preparing and keeping updated the Records of Processing Activities (RoPA) and the Data Protection Impact Assessment (DPIA);
• Ensuring that sub-processors (AWS, Meta) are bound by adequate contractual data protection obligations;
• Making the data export function available during the 60-day grace period following subscription cancellation;
• Irreversibly deleting or anonymising patient data after the applicable retention period expires.
5.B. Exclusive Responsibilities of the Joint Controller
The Physician Joint Controller, as responsible for clinical operations, is exclusively responsible for:
• Obtaining the patient's free, specific and informed consent in person, before any scanning, in accordance with applicable professional medical standards in their jurisdiction;
• Recording that consent in the system by means of the mandatory checkbox provided in the Terms of Use;
• Integrating the clinical data obtained from the platform into the patient's medical record in their own management system;
• Retaining the medical record for the period required by the applicable health legislation in their jurisdiction;
• Exporting clinical data before the 60-day grace period expires;
• Answering autonomously before data protection authorities and medical regulatory bodies for the processing operations under their responsibility;
• Not using patient data for purposes other than those provided in this Agreement and the Terms of Use;
• Not sharing patient data with third parties without an adequate legal basis and without HRS's knowledge, except where required by law.
5.C. Single Point of Contact for Data Subjects
5.1. Data subjects (patients) may exercise all their rights before either Party. Each Party is responsible for handling requests directed to it regarding the processing operations under its responsibility.
5.2. The official HRS channel for data subjects to exercise their rights is: dpo@scalpscan.ai.
5.3. When a Party receives a request for the exercise of rights relating to the processing operations of the other Party, it must forward it to the competent Party within 5 (five) business days.
6. SUB-PROCESSORS
6.1. HRS uses the following sub-processors for the processing of patient data, all bound by contractual data protection obligations:
6.2. HRS will notify the Joint Controller of any changes to sub-processors that affect the processing of patient data, with a minimum of 15 (fifteen) days' notice.
6.3. The Joint Controller may not sub-contract the processing of patient data carried out through the ScalpScan.AI platform to third parties without HRS's prior written authorisation.
7. INTERNATIONAL DATA TRANSFERS
7.1. Due to the use of the sub-processors listed in Clause 6, patients' personal data is transferred internationally to the United States of America.
7.2. HRS adopts Standard Contractual Clauses (SCCs/CCPs) approved by competent authorities, incorporated without modification in contracts with each sub-processor:
• Brazil: Resolution CD/ANPD No. 19/2024;
• EEA/UK: European Commission Decision 2021/914, Module 2.
7.3. HRS has conducted a Transfer Impact Assessment (TIA) for each transfer to the USA, with supplementary technical measures (AES-256 + TLS 1.3). Documentation available upon request at dpo@scalpscan.ai.
8. SECURITY AND CONFIDENTIALITY
8.1. Each Party implements technical and organisational measures appropriate to the risk of the processing it carries out, ensuring a level of security appropriate to the sensitive data involved.
8.2. HRS adopts, at minimum, the following measures:
• AES-256 encryption at rest and TLS 1.3 in transit;
• Role-based access control (RBAC) and identity management (IAM);
• Immutable audit logs for all operations involving sensitive data;
• Least privilege policy for internal access.
8.3. The Joint Controller undertakes to:
• Not share platform access credentials with unauthorised third parties;
• Use the application exclusively on devices with adequate security controls;
• Immediately notify HRS of any suspected unauthorised access to the platform.
8.4. The Parties undertake to maintain confidentiality over patients' personal data and not to disclose it to third parties, except where required by law or for compliance with the purposes set out in this Agreement.
9. SECURITY INCIDENTS
9.1. In the event of a security incident that affects or may affect patient data, the Party that becomes aware of the incident must:
• Notify the other Party within 24 (twenty-four) hours, by email to dpo@scalpscan.ai;
• Immediately adopt available containment measures;
• Cooperate in the investigation and in the notification to competent authorities and affected data subjects.
9.2. HRS, as Principal Controller of the platform, will assume coordination of the incident response in relation to the processing operations carried out by the platform.
9.3. The Joint Controller answers autonomously before competent authorities for incidents arising from processing operations under their exclusive responsibility.
10. DATA SUBJECT RIGHTS
10.1. The Parties guarantee data subjects (patients) the following rights, exercisable before either Party:
• Access to and copy of processed data;
• Correction of inaccurate or incomplete data;
• Erasure of data, within the limits provided by law;
• Data portability in a structured format;
• Withdrawal of consent at any time;
• Objection to processing based on legitimate interest;
• Information about the entities with whom data was shared;
• Lodging a complaint with the competent data protection authority.
10.2. The Party that receives a request for the exercise of rights relating to processing operations under its exclusive responsibility must respond within 15 days (or a more favourable deadline required by local legislation).
11. TERM AND TERMINATION
11.1. This Agreement enters into force on the date the Joint Controller registers on the ScalpScan.AI platform and remains valid for the duration of the contractual relationship between the Parties.
11.2. Cancellation of the ScalpScan.AI subscription entails the automatic termination of this Agreement, except with regard to retention and liability obligations that survive termination.
11.3. After termination:
• HRS will retain consent records and audit logs for the periods set out in the Privacy Policy;
• The Joint Controller remains responsible for retaining the medical record for the period required by applicable health legislation in their jurisdiction.
12. LIABILITY AND INDEMNIFICATION
12.1. Each Party is liable for damages resulting from non-compliance with the obligations assigned to it under this Agreement, pursuant to applicable data protection laws.
12.2. HRS is not liable for:
• Clinical decisions made by the Joint Controller based on data and models generated by the platform;
• Damages resulting from a false or incomplete declaration by the Joint Controller regarding the obtaining of the patient's consent;
• Loss of clinical data resulting from failure to use the export function within the grace period.
12.3. The Joint Controller shall indemnify HRS for any damages, fines or penalties that HRS may suffer as a result of breaches by the Joint Controller of the obligations set out in this Agreement.
13. GENERAL PROVISIONS
13.1. This Agreement supersedes any prior agreement between the Parties regarding the processing of patients' personal data on the ScalpScan.AI platform.
13.2. Amendments to this Agreement will be communicated with a minimum of 15 (fifteen) days' notice. Continued use of the platform after the amendments take effect constitutes acceptance.
13.3. If any provision of this Agreement is declared invalid or unenforceable, the remaining provisions shall remain in full force and effect.
13.4. For disputes between the Parties, the courts of the Judicial District of Linhares, State of Espirito Santo, Brazil, are elected as the competent forum, without prejudice to the mandatory rights of data subjects in countries where local law is mandatory.
13.5. Enquiries and notifications related to this Agreement should be directed to: dpo@scalpscan.ai.
SIGNATURES
The Parties, through their legal representatives, declare to have read, understood and agreed to all provisions of this Agreement.
HAIR RESTORATION SCIENCE LTDA. — Principal Controller
Signature
Date: ____/____/________
Name: ______________________________________
Role: DPO / Legal Representative
Email: dpo@scalpscan.ai
PHYSICIAN JOINT CONTROLLER
Signature
Date: ____/____/________
Name: ___________________________________________
Medical Licence / Professional Registration: _______________________
Email registered on the platform: ____________________
Note: When accepted electronically at the time of subscription on the ScalpScan.AI platform, this Agreement has full legal validity pursuant to applicable electronic commerce legislation. The electronic record is maintained in an immutable manner by HRS and may be obtained upon request at dpo@scalpscan.ai.