Data Processing Agreement (DPA)
Last updated: 3 February 2026
This Data Processing Agreement (DPA) is entered into pursuant to Article 28 of the GDPR (EU 2016/679) and Article 33 of the LOPDGDD (LO 3/2018), and forms an integral part of the service agreement between TrichoSuite and the clinic.
Contracting Parties
Data Controller
The clinic contracting TrichoSuite services ("the Client")
Data Processor
TrichoSuite Technologies S.L. (CIF: — · Pending registration)
1. Scope and Purpose
The purpose of this agreement is to regulate the conditions under which TrichoSuite Technologies S.L. (hereinafter "the Processor") will process personal data on behalf of the clinic (hereinafter "the Controller") within the framework of providing TrichoSuite platform services.
This DPA applies to all processing of personal data that the Processor carries out on behalf of the Controller, including storage, modification, consultation, transmission, and deletion of data.
2. Data Processed
The Processor will process the following categories of personal data:
- Patient identification data: name, surname, national ID, email, phone, date of birth, address.
- Health data (Art. 9 GDPR): Norwood/Ludwig classification, clinical photographs, 3D scans, medical history, allergies, medications, surgical records, follow-up documentation.
- Communication data: messages with clinical staff, AI chatbot conversations, digitally signed consent forms.
- Clinical staff data: name, professional email, role, login credentials, activity logs.
- Financial data: invoices, quotes, payment records (managed through Stripe).
IMPORTANT: Health data is special category data under Article 9 of the GDPR. Its processing is carried out under the exception of Art. 9(2)(h) - purposes of preventive medicine, medical diagnosis, or provision of healthcare.
3. Processor Obligations
The Processor undertakes to:
- Process data only in accordance with documented instructions from the Controller.
- Not use personal data for its own purposes, including marketing, profiling, or sale to third parties.
- Ensure that authorized persons have committed to confidentiality obligations.
- Implement appropriate technical and organizational measures in accordance with Article 32 GDPR.
- Assist the Controller in fulfilling data subject rights requests.
- Assist the Controller in carrying out Data Protection Impact Assessments (DPIA).
- Make available all information necessary to demonstrate compliance with Article 28 GDPR.
- Notify the Controller without undue delay of any request received from a data subject.
4. Controller Obligations
The Controller undertakes to:
- Obtain appropriate consent from patients for the processing of their health data.
- Provide lawful and GDPR-compliant instructions to the Processor.
- Ensure there is a legal basis for the processing of personal data.
- Inform the Processor of any changes to processing instructions.
- Maintain a record of processing activities in accordance with Art. 30 GDPR.
5. Sub-processors
The Controller generally authorizes the Processor to engage sub-processors. The Processor will inform the Controller of any change to the list of sub-processors at least 30 days in advance.
| Provider | Service | Location | Safeguard |
|---|---|---|---|
| AWS | Cloud infrastructure | EU (Frankfurt) | SCCs + DPA |
| Railway | Hosting | EU | SCCs + DPA |
| Anthropic | AI (Claude Chatbot) | US | EU-US DPF + SCCs |
| OpenAI | Embeddings | US | EU-US DPF + SCCs |
| Stripe | Payments | EU/US | PCI-DSS + SCCs |
| Resend | | EU | DPA |
| PostHog | Analytics | EU | DPA |
| Sentry | Monitoring | EU/US | SCCs + DPA |
6. Security Measures
The Processor will implement the following measures under Art. 32 GDPR:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Role-based access control (RBAC) with least privilege.
- Mandatory multi-factor authentication (MFA) for administrators.
- Immutable audit logging of all access and modifications.
- Encrypted backups with geo-redundancy.
- Regular security assessments and annual penetration testing.
- Continuous monitoring and threat detection.
- Documented incident response procedures.
7. Data Breach Notification
In the event of a data breach, the Processor will notify the Controller within 24 hours. The notification will include:
- Nature of the breach, categories, and approximate number of data subjects affected.
- Contact details of the Data Protection Officer.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach.
The Processor will assist the Controller in notifying the AEPD (within 72 hours, Art. 33 GDPR) and affected data subjects (Art. 34 GDPR).
8. Data Subject Rights
The Processor will assist the Controller in fulfilling rights requests (access, rectification, erasure, restriction, portability, and objection). The platform provides built-in tools for data export and selective record deletion.
9. International Transfers
Medical data is primarily stored in the EU. For any transfer outside the EEA, the Processor ensures that Standard Contractual Clauses (SCCs) are in place or that the recipient adheres to the EU-US Data Privacy Framework.
10. Term and Termination
This DPA will remain in effect for the duration of the service agreement and will automatically terminate upon its conclusion. Confidentiality obligations will survive termination.
11. Data Return and Deletion
Upon termination, the Processor will return or delete all personal data (including copies), at the Controller's choice. Return will be in standard formats (CSV, JSON, PDF) within 30 days. Backups will be deleted within 90 days.
12. Audit and Supervision
The Processor will make available all information necessary to demonstrate compliance and will allow audits with a minimum of 30 days' notice, during business hours, and without interfering with service operations.
Signatures
For the Data Controller:
Name, title, date, and signature
For the Data Processor:
TrichoSuite Technologies S.L.
Contact
For questions about this DPA or to request a signed copy: