TrichoSuite

Privacy Policy

Last updated: 3 February 2026

This policy complies with the General Data Protection Regulation (GDPR - EU 2016/679) and the Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD).

At TrichoSuite, we are committed to protecting the privacy and security of personal data. As a B2B SaaS platform designed for hair transplant clinics, we process both clinic staff data and patient medical data. This comprehensive privacy policy explains what data we collect, how we use it, your rights, and how we protect your information in compliance with applicable data protection regulations.

Table of Contents

  1. Data Controller
  2. Types of Data We Collect
  3. Processing of Medical Data
  4. AI and Automated Processing
  5. Legal Basis for Processing
  6. How We Use Your Data
  7. Data Sharing and Third Parties
  8. International Data Transfers
  9. Data Retention
  10. Security Measures
  11. Cookies and Tracking
  12. Your Rights
  13. Children's Privacy
  14. Changes to This Policy
  15. Contact Information
  16. Supervisory Authority

1. Data Controller

The data controller for data processed through TrichoSuite is TrichoSuite Technologies S.L., with registered address at Calle Gran Via 28, 28013 Madrid, Spain, and Tax ID (CIF) B12345678. For clinics using our platform, the clinic acts as the data controller for patient data, while TrichoSuite acts as the data processor under Article 28 of the GDPR. A Data Processing Agreement (DPA) is signed with each clinic.

2. Types of Data We Collect

We collect different categories of personal data depending on the relationship with the data subject:

  • Clinic Staff Data: Name, email, phone number, professional role, login credentials, and activity logs.
  • Patient Identification Data: Name, email, phone, date of birth, address, and national ID (when required for medical records).
  • Medical Data (Special Category): Norwood/Ludwig classification, scalp photos, 3D scans, medical history, allergies, medications, surgical records, and follow-up documentation.
  • Communication Data: Chat messages with clinic staff, AI chatbot conversations, video consultation recordings (when consented).
  • Technical Data: IP addresses, browser type, device information, access logs, and cookies for security and analytics purposes.

3. Processing of Medical Data

As a platform serving hair transplant clinics, we process special category data (health data) under Article 9(2)(h) of the GDPR - processing for healthcare purposes. This includes:

  • 3D LiDAR scans of the scalp for treatment planning and documentation.
  • Photographic records for classification, simulation, and progress tracking.
  • Hair density measurements, donor area analysis, and graft calculations.
  • Surgical records including technique (FUE, FUT, DHI), graft counts, and operative notes.
  • Medical history including family history of alopecia, medications, and comorbidities.
  • Treatment recommendations, prescriptions, and follow-up notes.
  • Digital consent forms with electronic signatures.

4. AI and Automated Processing

TrichoSuite uses artificial intelligence to enhance clinical services. We are transparent about how AI processes your data:

  • AI Chatbot: Our virtual assistant powered by Claude (Anthropic) handles patient inquiries, appointment scheduling, and general information. Conversations are stored to improve service quality and may be reviewed by human agents when escalated. Personal medical advice is always deferred to qualified professionals.
  • Norwood/Ludwig Classification: AI analysis of scalp photos to suggest hair loss classification. Results are always validated by medical professionals.
  • 3D Simulation: AI-generated predictions of potential post-transplant results. These are visual aids only and do not constitute medical guarantees.
  • Lead Scoring: Automated analysis of chatbot interactions to prioritize clinic follow-up. No automated decisions with legal effects are made solely by AI.
  • RAG Knowledge Base: AI retrieval from clinic-provided knowledge bases to answer frequently asked questions accurately.
  • No Profiling for Marketing: We do not use AI to profile patients for marketing purposes or sell data to third parties.

5. Legal Basis for Processing

We process personal data under the following legal bases as defined in Article 6 of the GDPR:

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the TrichoSuite platform services to clinics.
  • Legal Obligation (Art. 6(1)(c)): Compliance with tax, accounting, and healthcare documentation requirements.
  • Legitimate Interest (Art. 6(1)(f)): Platform security, fraud prevention, service improvement, and anonymized analytics.
  • Explicit Consent (Art. 6(1)(a) & Art. 9(2)(a)): For AI simulations, chatbot interactions, marketing communications, and specific data sharing scenarios.
  • Healthcare Provision (Art. 9(2)(h)): Processing of health data necessary for medical treatment under the responsibility of healthcare professionals.

6. How We Use Your Data

Your data is used for the following purposes:

  • Providing and maintaining the TrichoSuite platform and all its features.
  • Patient management, appointment scheduling, and medical record keeping.
  • AI-powered analysis including hair classification, simulations, and chatbot responses.
  • Generating reports, treatment proposals, and follow-up documentation.
  • Communicating service updates, security alerts, and system notifications.
  • Platform improvement through anonymized analytics and usage patterns.
  • Compliance with legal and regulatory requirements.
  • Customer support and technical assistance.

7. Data Sharing and Third Parties

We share data only when necessary to provide our services, all under strict data processing agreements:

  • Cloud Infrastructure: AWS (Amazon Web Services) and Railway for hosting, with data centers in the EU (Frankfurt, Ireland).
  • AI Services: Anthropic (Claude) for chatbot functionality and OpenAI for embeddings, under the EU-US Data Privacy Framework.
  • Email Services: Resend for transactional emails with GDPR-compliant processing.
  • Payment Processing: Stripe for subscription billing, PCI-DSS compliant.
  • Analytics: PostHog for privacy-focused product analytics with data stored in the EU.
  • Error Monitoring: Sentry for application stability monitoring.
  • We never sell personal data to third parties or use it for advertising purposes.

8. International Data Transfers

Some of our service providers are based outside the EU/EEA. For these transfers, we ensure appropriate safeguards are in place: Standard Contractual Clauses (SCCs) approved by the European Commission, or participation in the EU-US Data Privacy Framework. You may request a copy of the applicable safeguards by contacting our DPO. Patient medical data is primarily stored in EU data centers.

9. Data Retention

We retain data for the minimum period necessary to fulfill our purposes and comply with legal obligations:

  • Clinic Account Data: Retained for the duration of the subscription plus 5 years for legal compliance.
  • Patient Medical Records: Minimum 15 years as required by Spanish healthcare regulations (Ley 41/2002).
  • 3D Scans and Photos: Retained as part of the medical record unless deletion is specifically requested and legally permitted.
  • Chatbot Conversations: 3 years for service quality and dispute resolution, then anonymized.
  • Signed Consent Documents: Retained indefinitely or as required by applicable medical regulations.
  • Analytics Data: Anonymized within 26 months of collection.
  • Security Logs: 1 year for security and fraud prevention purposes.

10. Security Measures

We implement comprehensive technical and organizational measures to protect your data:

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Access Control: Role-based access control (RBAC) with the principle of least privilege.
  • Authentication: Multi-factor authentication (MFA) and WebAuthn/passkey support.
  • Audit Logging: Comprehensive logging of all data access and modifications.
  • Infrastructure Security: SOC 2 compliant cloud providers, regular security assessments, and penetration testing.
  • Employee Training: Regular privacy and security training for all team members.
  • Incident Response: Documented incident response procedures with 72-hour breach notification.
  • Data Backup: Encrypted backups with geo-redundancy and tested recovery procedures.

11. Cookies and Tracking

We use cookies and similar technologies for essential functionality, user preferences, and anonymized analytics. Essential cookies are required for security and cannot be disabled. Functional and analytics cookies require your consent, which you can manage at any time via the cookie settings banner. We do not use third-party advertising cookies. For detailed information, please see our Cookie Policy accessible from the footer.

12. Your Rights

Under GDPR and LOPDGDD, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): Obtain confirmation and a copy of the data we hold about you.
  • Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): Request deletion of your data, subject to legal retention requirements.
  • Right to Restriction (Art. 18): Limit how we process your data in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interest or for direct marketing.
  • Right to Withdraw Consent: Withdraw previously given consent at any time, without affecting prior processing.
  • Rights Related to Automated Decisions (Art. 22): Not be subject to decisions based solely on automated processing with legal effects.

To exercise these rights, contact privacy@trichosuite.com. We will respond within 30 days. For medical data held by clinics, please contact the clinic directly, as the clinic is the data controller.

13. Children's Privacy

TrichoSuite is a B2B platform for medical professionals. We do not knowingly collect data from individuals under 16 years of age. If a clinic treats patients under 18, parental consent is required for processing their data. If you believe we have inadvertently collected data from a minor without appropriate consent, please contact us immediately.

14. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be notified via email to registered users at least 30 days before taking effect. The 'Last Updated' date at the top of this policy indicates when it was last revised. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

15. Contact Information

For any privacy-related questions, data protection requests, or to exercise your rights, please contact our Data Protection Team at privacy@trichosuite.com. For formal inquiries or complaints, you may also write to our registered address: TrichoSuite Technologies S.L., Calle Gran Via 28, 28013 Madrid, Spain.

16. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD - Agencia Española de Protección de Datos) at www.aepd.es or by post at C/ Jorge Juan 6, 28001 Madrid. EU residents may also contact their local data protection authority.

Data Protection Officer (DPO)

TrichoSuite has appointed a Data Protection Officer to oversee compliance with data protection regulations and serve as a point of contact for data subjects and supervisory authorities.

Email: dpo@trichosuite.com
Address: TrichoSuite Technologies S.L., Attn: DPO, Calle Gran Via 28, 28013 Madrid, Spain