PRIVACY POLICY

 

Last Updated: November 30, 2025

 

This Privacy Policy (“Policy”) describes how Functional Hair Wellness, operated by Peter Feldman Functional Wellness, a registered trade name of Medical Databanks Corporation (Ontario, Canada) (“Company”, “We”, “Us”, “Our”), collects, uses, stores, processes, discloses, and protects Personal Information when You (“User”, “You”, “Your”) access or use:

  • FunctionalHairWellness.com
  • All subdomains and funnels
  • The Functional Hair Wellness mobile app (iOS/Android)
  • Any Scalerize/FMFT-hosted platform
  • AI-based hair and scalp analysis tools
  • Trichology educational tools
  • Online courses and memberships
  • eStore (supplements, devices, cosmetics, topicals)
  • SMS and email communications
  • App push notifications
  • Community spaces and private groups
  • Telecommunication and video systems
  • Client dashboards and progress tracking features

By accessing or using the Service, You consent to the collection, use, and disclosure of Your information as described in this Policy.

If You do not agree, You must discontinue use of the Service immediately.

  1. LEGAL ENTITY AND CONTACT INFORMATION

This Policy is issued by: Medical Databanks Corporation
Operating under the trade name: Peter Feldman Functional Wellness
Public-facing brand: Functional Hair Wellness

Email for privacy matters: info @ functionalhairwellness dot com
Mailing address: 290 Caldari Rd, Unit 11, Vaughan, Ontario, L4K 4J4, Canada

The Company is the Data Controller for all users worldwide.
The Company engages Data Processors including (but not limited to):

  • Scalerize / FMFT Platform
  • HighLevel CRM
  • AWS / Google Cloud / Azure hosting
  • Stripe, PayPal, Scalerize Payments
  • SMS gateways
  • AI image-processing vendors
  • Customer support platforms
  • Analytics platforms (Google, Meta, TikTok, LinkedIn)
  1. SCOPE OF THIS POLICY

This Policy applies to all Personal Information collected through:

  • The website or app
  • Forms, quizzes, surveys, funnels
  • AI image submissions
  • eStore orders
  • Consultations
  • SMS/email/app notifications
  • Client dashboards
  • Telecommunication/video calls
  • Interactions with our team
  • Purchases and subscriptions
  • Participation in research or observational analysis
  • Third-party integrations used for Our operations

This Policy does not apply to:

  • Third-party links
  • External practitioners You choose to consult
  • External eCommerce merchants
  • Social media platforms not controlled by Us
  • Third-party apps integrated with Your device
  • Any service not directly operated by the Company
  1. DEFINITIONS

For purposes of this Policy:

3.1 “Personal Information”

Any information about an identifiable individual, including:

  • Name, email, phone
  • Address and location
  • Photos and videos
  • Hair/scalp images
  • Lifestyle data
  • Device identifiers
  • Account details
  • Purchase history
  • AI-extracted metrics
  • Information voluntarily disclosed in forms
  • Data collected from minors by their parent/guardian

3.2 “Sensitive Information”

Includes:

  • Hair/scalp imagery
  • Health-related information voluntarily disclosed
  • Lifestyle and wellness data
  • Supplement usage
  • Sensitive demographic characteristics
  • Data relating to minors
  • Any information the user designates as sensitive

3.3 “De-Identified Data”

Information that has been:

  • Permanently stripped of all direct identifiers
  • Cropped or obscured to remove identifiable facial or background features
  • Stored without metadata
  • Assigned a random ID
  • Unable to be used to reidentify a person
  • Used for research, statistics, and AI training

3.4 “Research Data”

De-identified or anonymized data used for:

  • Observational wellness research
  • Hair/scalp pattern analysis
  • Lifestyle correlation analyses
  • AI model improvement
  • Algorithm training
  • Internal scientific or statistical insights

3.5 “Minor”

An individual under the age of 18 (unless local law sets a different age of digital consent).

3.6 “Parent/Guardian”

A person with legal authority to consent on behalf of a minor.

3.7 “AI Tools”

Automated and semi-automated tools used to process images or data to:

  • Estimate density
  • Identify patterns
  • Highlight features
  • Provide observational insights

AI does not provide medical diagnosis or treatment.

  1. CHILDREN’S & MINORS’ PRIVACY (IMPORTANT)

The Service MAY be used by minors:

  • ONLY when a Parent/Guardian creates the account,
  • ONLY when the Parent/Guardian consents to this Policy and the T&C,
  • ONLY when the Parent/Guardian uploads photos and manages all data,
  • ONLY when the Parent/Guardian reviews all results and communications.

4.1 Children Under 13

In compliance with COPPA:

  • We do not directly collect data from children under 13.
  • The Parent/Guardian must provide and control ALL information.
  • No direct communication occurs with a child under 13.
  • Any violation will result in immediate deletion.

4.2 Teens Aged 13–17

Teens may use the Service with parental consent, but:

  • Parent is the contracting party
  • Parent manages settings, uploads, and permissions
  • Parent maintains full responsibility
  • Parent must review all results and messages

4.3 Deletion of Children’s Data

A parent may request deletion of a minor’s Personal Information at any time by contacting Us.

4.4 Anonymized Data for Research

Even if a parent requests deletion:

  • Fully de-identified data may be retained,
  • As permitted under PIPEDA, GDPR, CPRA, and COPPA,
  • Because such data is no longer considered personal data.

This is essential for Your Option A model.

  1. INFORMATION WE COLLECT

We collect several categories of data.

5.1 Identification Information

  • Name
  • Contact details
  • Account credentials
  • Parent/guardian details for minors

5.2 Hair/Scalp Imagery & Video (Sensitive)

Photos and videos voluntarily submitted for:

  • Hair density observation
  • Scalp condition observation
  • AI-assisted pattern analysis
  • Trichology interpretations

These may include:

  • Hairline photos
  • Crown/vertex images
  • Part line images
  • Eyebrow/eyelash images
  • Images showing shedding
  • Images used for before-and-after tracking

5.3 Lifestyle & Wellness Information

Submitted through forms, quizzes, or consultations:

  • Nutrition
  • Stress levels
  • Sleep patterns
  • Scalp symptoms
  • Hormonal self-descriptions
  • Product/supplement usage
  • Environmental factors
  • Routines and interventions
  • Changes over time
  • Goals and wellness preferences

5.4 eStore & Billing Data

  • Address
  • Phone
  • Order history
  • Device and product purchases
  • Shipping preferences
  • Payment metadata (not card numbers)

5.5 Technical & Device Information

Automatically collected:

  • IP address
  • Browser type
  • Operating system
  • App version
  • Crash logs
  • Device identifiers
  • Cookies and pixel tags
  • App permissions (camera/photos)

5.6 Communication Data

  • SMS history
  • Email and broadcast history
  • App push notifications
  • Support requests
  • Consultation bookings

5.7 AI-Derived Data

AI tools may extract:

  • Density indicators
  • Follicular grouping/tufting flags
  • Redness/erythema scoring
  • Scaling indicators
  • Pattern classification
  • Hair caliber uniformity
  • Temporal changes

5.8 Community & User-Generated Content

  • Posts
  • Comments
  • Uploaded files
  • Testimonials
  • Interactions with other users
  1. HOW WE USE PERSONAL INFORMATION

We use Your data for:

6.1 Service Delivery

To provide:

  • Trichology education
  • AI-assisted observation
  • Photo analysis
  • eStore fulfilment
  • Program guidance
  • Customer support
  • Appointment scheduling
  • Community features

6.2 Personalization

To tailor:

  • Recommendations
  • Learning paths
  • Progress tracking
  • Product suggestions
  • Educational messaging

6.3 Communications

For:

  • SMS reminders
  • Email updates
  • App notifications
  • Support replies
  • Membership content
  • Transactional alerts

6.4 Research & Algorithm Development (Option A Default Consent)

We use anonymized, de-identified data for:

  • Observational hair research
  • Lifestyle influence studies
  • Behavior-outcome correlations
  • Non-medical scientific insights
  • AI model improvement
  • Algorithm training
  • Internal analytics
  • Benchmarking
  • Longitudinal change analysis

6.5 Legal, Security & Compliance

Including:

  • Fraud prevention
  • Tax and financial regulations
  • Record keeping
  • Security monitoring
  • Enforcing Terms and community rules
  1. HOW WE USE AI-PROCESSED DATA

AI is used to:

  • Evaluate patterns
  • Provide non-medical insights
  • Estimate density and severity
  • Detect signs of breakage or miniaturization
  • Highlight visible changes
  • Support You with educational interpretation

AI is NOT used to:

  • Diagnose disease
  • Provide medical advice
  • Detect cancer or medical pathology
  • Replace clinical examination or biopsy
  • Make decisions without human oversight

All AI outputs are observational only.

  1. NO HIPAA RELATIONSHIP / PHIPA STATUS

We reaffirm that:

  • The Company is NOT a “Health Information Custodian” under PHIPA.
  • We are NOT a “Covered Entity” or “Business Associate” under HIPAA.
  • Your submissions are not protected health information (“PHI”) under HIPAA.
  • We voluntarily implement high-grade privacy but are not regulated by HIPAA.
  1. DISCLOSURE OF INFORMATION TO THIRD PARTIES

We do not sell Your Personal Information.

We may share Personal Information with third parties only as described below and only to the extent necessary to provide the Service.

9.1 Service Providers

We engage vetted third-party processors for:

  • Website and app hosting
  • Email and SMS distribution
  • CRM and funnel management
  • AI image processing
  • Payment processing
  • eCommerce fulfillment
  • Customer service
  • Video conferencing
  • Analytics and crash reporting
  • Data storage and backups

These providers operate under binding confidentiality agreements.

9.2 Payment Processors

  • Stripe
  • PayPal
  • Scalerize Payments
  • Apple/Google in-app purchases

They receive:

  • Billing name
  • Partial payment information
  • Transaction metadata

They do not receive any AI analysis data or sensitive images.

9.3 eStore Shipping Partners

For order fulfilment, We share:

  • Shipping name
  • Address
  • Phone number (where required)

We do not share sensitive wellness data with shipping partners.

9.4 Consultants and Affiliates

Only with Your explicit consent or request (e.g., referral to a physician or trichologist).

9.5 Legal Requirements

We may disclose data when required by law, including:

  • Court orders
  • Regulatory inquiries
  • Canadian, U.S., or international legal processes
  • Requests necessary to enforce legal rights

We oppose overly broad or unlawful requests.

  1. FMFT / SCALERIZE / CRM PLATFORM DISCLOSURES

Certain data flows through Scalerize (FMFT platform) and HighLevel CRM infrastructure, including:

  • Form submissions
  • Appointments
  • Funnel progression
  • Email/SMS logs
  • Dashboard usage
  • Community engagement
  • Website/session tracking
  • Account metadata

FMFT is bound by:

  • HIPAA-style Business Associate Agreements (for its U.S. users)
  • Data security and confidentiality commitments
  • Non-use of Your data except to operate the platform

No AI images, sensitive data, or research outputs are shared externally without de-identification.

  1. INTERNATIONAL DATA TRANSFERS

Your data may be transferred to:

  • Canada
  • United States
  • European Union
  • United Kingdom
  • Cloud regions outside North America

11.1 Legal Safeguards for International Transfers

We rely on:

  • PIPEDA Principle 4.1.3 (accountability for foreign processing)
  • GDPR Standard Contractual Clauses (2021 SCCs)
  • UK International Transfer Addendum
  • Adequacy decisions (if applicable)
  • Contractual obligations with processors

11.2 Security in International Transfers

All transfers are:

  • Encrypted in transit
  • Access-controlled
  • Logged and monitored
  • Restricted to authorized personnel only
  1. DATA RETENTION

We retain different categories of data according to legal and operational requirements.

12.1 Retention Schedule

Data Type

Retention Period

Notes

Account details

Duration of account + 3 years

Required for legal claims

Uploaded photos/videos

3–7 years

Earlier deletion available on request

AI-derived metrics

Duration of account

May be anonymized and retained

eStore purchase records

Min. 7 years

Required for tax law compliance

Communication logs

24–36 months

Includes SMS/email

Community posts

Duration of account

May be archived

Research Data

Indefinitely

De-identified; Option A applies

Backups

Rolling cycles

Cannot be immediately purged

12.2 Retention for Minors

Parents may:

  • Request deletion of any child’s identifiable data
  • Request restriction of processing

De-identified data may remain for research.

12.3 De-Identified Data Retention

Under Option A, anonymized data:

  • May be retained permanently
  • Cannot be associated with a specific user
  • May be used for AI and research after account deletion

This is legally permitted under PIPEDA, GDPR Recital 26, and CPRA.

  1. SECURITY SAFEGUARDS

We implement administrative, technical, and physical measures including:

  • AES-256 encryption of data at rest
  • TLS 1.2+ encryption for data in transit
  • Segmented databases
  • Secure cloud architecture (AWS, GCP, or Azure)
  • Role-based access control
  • Staff confidentiality agreements
  • Logging and intrusion detection
  • Malware scanning
  • Regular access audits
  • Encrypted backups
  • Periodic vulnerability assessments
  • Two-factor authentication for admin access
  • Workflow separation (no single employee has full access to all datasets)

13.1 Limitations

No system is completely secure.
You use the Service at Your own risk.

  1. BREACH NOTIFICATION

If a breach involving Personal Information occurs:

14.1 We will:

  • Investigate promptly
  • Contain and remediate
  • Notify affected individuals if risk of harm is present
  • Notify regulators if required under PIPEDA, GDPR, CPRA, or COPPA
  • Provide guidance to protect You from possible misuse

14.2 GDPR Users

We follow the 72-hour rule for notifying EU/UK authorities when legally required.

14.3 Minors

If a breach involves minor data, parents/guardians will be notified with priority.

  1. APP-SPECIFIC PRIVACY (iOS & ANDROID)

Our mobile app may collect additional information necessary for functionality.

15.1 Permissions

Depending on Your device settings, the app may request access to:

  • Camera (uploading photos)
  • Photo library/storage
  • Internet connectivity
  • Mobile data
  • Notifications
  • Device model/version
  • App refresh data
  • Local storage

You may disable permissions in device settings; certain features may become unavailable.

15.2 App Analytics

We may collect:

  • Crash logs
  • App performance logs
  • Session duration
  • Screen navigation patterns
  • Device model and OS version
  • Error reports

These are used for stability and user experience improvements.

15.3 App Store Requirements

We comply with:

  • Apple’s App Store Privacy Requirements (“nutrition label”)
  • Google Play Data Safety requirements
  • iOS App Tracking Transparency (ATT) rule
  • Android Privacy Sandbox frameworks

Where required, tracking is only performed with explicit user consent.

  1. COOKIES, PIXELS & TRACKING TECHNOLOGIES

We use cookies, pixels, tags, SDKs, and tracking technologies to enhance and optimize the Service.

16.1 Types of Cookies

Type

Purpose

Essential cookies

Authentication, security, session

Functional cookies

Preferences, device optimization

Analytics cookies

Google Analytics, heatmaps

Marketing cookies

Meta Pixel, TikTok Pixel, LinkedIn

Retargeting cookies

Advertising optimization

16.2 Opt-Out Options

Users may:

  • Adjust browser settings to block cookies
  • Use cookie consent tools (where required)
  • Disable pixels via browser extensions
  • Opt-out of interest-based advertising
  • Revoke marketing permissions

16.3 No Sale of Personal Information

We do not sell PI under CPRA definitions.

  1. COMMUNICATION PREFERENCES (EMAIL, SMS, PUSH)

17.1 Email

We send:

  • Account confirmations
  • eStore receipts
  • Program updates
  • Educational emails
  • Marketing emails (if opted in)

Unsubscribe via the link in any message.

17.2 SMS

By submitting Your mobile number, You consent to:

  • Appointment reminders
  • Educational wellness messages
  • Account alerts
  • Promotional offers (if opted in)

Reply STOP to unsubscribe.

17.3 Push Notifications (App)

You may enable or disable push notifications in Your device settings.

  1. USER-GENERATED CONTENT (UGC) & COMMUNITY INTERACTIONS

UGC may include:

  • Posts
  • Comments
  • Testimonials
  • Reviews
  • Uploaded photos
  • Progress updates
  • Messages in community spaces

UGC may be visible to other users (if posted in community spaces).

18.1 Privacy of UGC

UGC may be:

  • Stored in our systems
  • Moderated or removed
  • Archived
  • Analyzed for safety or compliance
  • Anonymized for research if permitted under Section 30

We do not publish UGC externally without explicit consent.

18.2 Minors & UGC

Parents assume full responsibility for any UGC posted on behalf of a minor.

  1. SOCIAL MEDIA FEATURES

Our website or app may integrate with:

  • Meta/Instagram
  • TikTok
  • LinkedIn
  • YouTube
  • X (Twitter)

Interactions with these platforms are governed by their respective privacy policies.

We are not responsible for the behavior, content, or data practices of social networks.

  1. DISCLOSURE OF INFORMATION TO THIRD PARTIES

We do not sell Your Personal Information.

We may share Personal Information with third parties only as described below and only to the extent necessary to provide the Service.

9.1 Service Providers

We engage vetted third-party processors for:

  • Website and app hosting
  • Email and SMS distribution
  • CRM and funnel management
  • AI image processing
  • Payment processing
  • eCommerce fulfillment
  • Customer service
  • Video conferencing
  • Analytics and crash reporting
  • Data storage and backups

These providers operate under binding confidentiality agreements.

9.2 Payment Processors

  • Stripe
  • PayPal
  • Scalerize Payments
  • Apple/Google in-app purchases

They receive:

  • Billing name
  • Partial payment information
  • Transaction metadata

They do not receive any AI analysis data or sensitive images.

9.3 eStore Shipping Partners

For order fulfilment, We share:

  • Shipping name
  • Address
  • Phone number (where required)

We do not share sensitive wellness data with shipping partners.

9.4 Consultants and Affiliates

Only with Your explicit consent or request (e.g., referral to a physician or trichologist).

9.5 Legal Requirements

We may disclose data when required by law, including:

  • Court orders
  • Regulatory inquiries
  • Canadian, U.S., or international legal processes
  • Requests necessary to enforce legal rights

We oppose overly broad or unlawful requests.

  1. FMFT / SCALERIZE / CRM PLATFORM DISCLOSURES

Certain data flows through Scalerize (FMFT platform) and HighLevel CRM infrastructure, including:

  • Form submissions
  • Appointments
  • Funnel progression
  • Email/SMS logs
  • Dashboard usage
  • Community engagement
  • Website/session tracking
  • Account metadata

FMFT is bound by:

  • HIPAA-style Business Associate Agreements (for its U.S. users)
  • Data security and confidentiality commitments
  • Non-use of Your data except to operate the platform

No AI images, sensitive data, or research outputs are shared externally without de-identification.

  1. INTERNATIONAL DATA TRANSFERS

Your data may be transferred to:

  • Canada
  • United States
  • European Union
  • United Kingdom
  • Cloud regions outside North America

11.1 Legal Safeguards for International Transfers

We rely on:

  • PIPEDA Principle 4.1.3 (accountability for foreign processing)
  • GDPR Standard Contractual Clauses (2021 SCCs)
  • UK International Transfer Addendum
  • Adequacy decisions (if applicable)
  • Contractual obligations with processors

11.2 Security in International Transfers

All transfers are:

  • Encrypted in transit
  • Access-controlled
  • Logged and monitored
  • Restricted to authorized personnel only
  1. DATA RETENTION

We retain different categories of data according to legal and operational requirements.

12.1 Retention Schedule

Data Type

Retention Period

Notes

Account details

Duration of account + 3 years

Required for legal claims

Uploaded photos/videos

3–7 years

Earlier deletion available on request

AI-derived metrics

Duration of account

May be anonymized and retained

eStore purchase records

Min. 7 years

Required for tax law compliance

Communication logs

24–36 months

Includes SMS/email

Community posts

Duration of account

May be archived

Research Data

Indefinitely

De-identified; Option A applies

Backups

Rolling cycles

Cannot be immediately purged

12.2 Retention for Minors

Parents may:

  • Request deletion of any child’s identifiable data
  • Request restriction of processing

De-identified data may remain for research.

12.3 De-Identified Data Retention

Under Option A, anonymized data:

  • May be retained permanently
  • Cannot be associated with a specific user
  • May be used for AI and research after account deletion

This is legally permitted under PIPEDA, GDPR Recital 26, and CPRA.

  1. SECURITY SAFEGUARDS

We implement administrative, technical, and physical measures including:

  • AES-256 encryption of data at rest
  • TLS 1.2+ encryption for data in transit
  • Segmented databases
  • Secure cloud architecture (AWS, GCP, or Azure)
  • Role-based access control
  • Staff confidentiality agreements
  • Logging and intrusion detection
  • Malware scanning
  • Regular access audits
  • Encrypted backups
  • Periodic vulnerability assessments
  • Two-factor authentication for admin access
  • Workflow separation (no single employee has full access to all datasets)

13.1 Limitations

No system is completely secure.
You use the Service at Your own risk.

  1. BREACH NOTIFICATION

If a breach involving Personal Information occurs:

14.1 We will:

  • Investigate promptly
  • Contain and remediate
  • Notify affected individuals if risk of harm is present
  • Notify regulators if required under PIPEDA, GDPR, CPRA, or COPPA
  • Provide guidance to protect You from possible misuse

14.2 GDPR Users

We follow the 72-hour rule for notifying EU/UK authorities when legally required.

14.3 Minors

If a breach involves minor data, parents/guardians will be notified with priority.

  1. APP-SPECIFIC PRIVACY (iOS & ANDROID)

Our mobile app may collect additional information necessary for functionality.

15.1 Permissions

Depending on Your device settings, the app may request access to:

  • Camera (uploading photos)
  • Photo library/storage
  • Internet connectivity
  • Mobile data
  • Notifications
  • Device model/version
  • App refresh data
  • Local storage

You may disable permissions in device settings; certain features may become unavailable.

15.2 App Analytics

We may collect:

  • Crash logs
  • App performance logs
  • Session duration
  • Screen navigation patterns
  • Device model and OS version
  • Error reports

These are used for stability and user experience improvements.

15.3 App Store Requirements

We comply with:

  • Apple’s App Store Privacy Requirements (“nutrition label”)
  • Google Play Data Safety requirements
  • iOS App Tracking Transparency (ATT) rule
  • Android Privacy Sandbox frameworks

Where required, tracking is only performed with explicit user consent.

  1. COOKIES, PIXELS & TRACKING TECHNOLOGIES

We use cookies, pixels, tags, SDKs, and tracking technologies to enhance and optimize the Service.

16.1 Types of Cookies

Type

Purpose

Essential cookies

Authentication, security, session

Functional cookies

Preferences, device optimization

Analytics cookies

Google Analytics, heatmaps

Marketing cookies

Meta Pixel, TikTok Pixel, LinkedIn

Retargeting cookies

Advertising optimization

16.2 Opt-Out Options

Users may:

  • Adjust browser settings to block cookies
  • Use cookie consent tools (where required)
  • Disable pixels via browser extensions
  • Opt-out of interest-based advertising
  • Revoke marketing permissions

16.3 No Sale of Personal Information

We do not sell PI under CPRA definitions.

  1. COMMUNICATION PREFERENCES (EMAIL, SMS, PUSH)

17.1 Email

We send:

  • Account confirmations
  • eStore receipts
  • Program updates
  • Educational emails
  • Marketing emails (if opted in)

Unsubscribe via the link in any message.

17.2 SMS

By submitting Your mobile number, You consent to:

  • Appointment reminders
  • Educational wellness messages
  • Account alerts
  • Promotional offers (if opted in)

Reply STOP to unsubscribe.

17.3 Push Notifications (App)

You may enable or disable push notifications in Your device settings.

  1. USER-GENERATED CONTENT (UGC) & COMMUNITY INTERACTIONS

UGC may include:

  • Posts
  • Comments
  • Testimonials
  • Reviews
  • Uploaded photos
  • Progress updates
  • Messages in community spaces

UGC may be visible to other users (if posted in community spaces).

18.1 Privacy of UGC

UGC may be:

  • Stored in our systems
  • Moderated or removed
  • Archived
  • Analyzed for safety or compliance
  • Anonymized for research if permitted under Section 30

We do not publish UGC externally without explicit consent.

18.2 Minors & UGC

Parents assume full responsibility for any UGC posted on behalf of a minor.

  1. SOCIAL MEDIA FEATURES

Our website or app may integrate with:

  • Meta/Instagram
  • TikTok
  • LinkedIn
  • YouTube
  • X (Twitter)

Interactions with these platforms are governed by their respective privacy policies.

We are not responsible for the behavior, content, or data practices of social networks.

  1. YOUR PRIVACY RIGHTS

You may exercise the rights below depending on Your jurisdiction.

The rights differ slightly under:

  • GDPR (EU)
  • UK-GDPR (United Kingdom)
  • PIPEDA (Canada)
  • CPRA/CCPA (California)
  • COPPA (U.S. minors)

20.1 Right to Access

You may request:

  • Confirmation whether We process Your Personal Information
  • A copy of the Personal Information We hold
  • A list of categories of information collected
  • A list of categories of disclosures

For minors, only the parent/guardian may access the child’s data.

20.2 Right to Correction (Rectification)

You may request correction of inaccurate or incomplete Personal Information.

Parents may request correction of information submitted for minors.

20.3 Right to Deletion

You may request deletion of Your Personal Information, except where We must retain it for:

  • Tax law
  • Fraud prevention
  • Compliance obligations
  • Transaction history
  • Security logs
  • Backup integrity
  • Research exceptions (see Section 30)

20.3.1 Minor Deletion

Parents may request deletion of:

  • A child’s account
  • A child’s photos
  • A child’s Personal Information

De-identified research data is exempt (Option A).

20.4 Right to Restrict Processing

GDPR/UK-GDPR users may request restriction of:

  • Marketing
  • Profiling
  • Certain data uses
  • Certain sharing with service providers

20.5 Right to Withdraw Consent

You may withdraw consent to:

  • Marketing messages
  • SMS notifications
  • Non-essential data collection
  • Research participation (except for already de-identified data)

Withdrawal does not affect:

  • Legality of past processing
  • Required retention under law

20.6 Right to Portability (GDPR/UK-GDPR)

You may request a machine-readable copy (JSON/CSV) of:

  • Profile data
  • Submitted wellness information
  • Uploaded data (where feasible)

AI models, derived metrics, or research datasets are not portable.

20.7 Right to Opt-Out of “Sale” or “Sharing” (CPRA)

We do not sell or “share” Personal Information under CPRA definitions.

20.8 Right to Opt-Out of Profiling / Automated Decision-Making (GDPR)

We do not perform automated decision-making that produces legal or similarly significant effects.

AI outputs are observational, not diagnostic.

20.9 Right to Non-Discrimination

We will not:

  • Deny services
  • Change pricing
  • Reduce functionality

based on Your exercise of privacy rights.

20.10 Right to Appeal (CPRA)

If We deny a privacy request, You may appeal within 30 days.

  1. EXERCISING YOUR RIGHTS

You may submit privacy requests by Email to: info @ functionalhairwellness dot com

Requests must include:

  • Full name
  • Email used for the account
  • Country/region of residence
  • Description of request
  • Identity verification (required)
  • Proof of parental authority for minor requests

We respond within:

  • 30 days (PIPEDA)
  • 45 days (CPRA/CCPA)
  • 30 days (GDPR/UK-GDPR)
  • Extensions permitted for complex cases
  1. FINANCIAL INCENTIVES (CPRA REQUIREMENT)

If We ever offer:

  • Discounts
  • Coupon codes
  • Membership perks
  • Referral rewards

in exchange for:

  • Email submission
  • Account creation
  • Survey completion
  • Engagement

We will disclose the value of the data and provide opt-out rights.

Currently, We do not operate any financial incentive programs.

  1. DO NOT TRACK / GLOBAL PRIVACY CONTROL

Some browsers allow You to send DNT signals or Global Privacy Control (GPC) headers.

Our Response:

  • We honour legally binding GPC requests for California users (CPRA).
  • DNT signals outside CPRA jurisdictions are not consistently recognized due to lack of standards.
  • You may still disable cookies or tracking manually.
  1. THIRD-PARTY LINKS & EXTERNAL SERVICES

Our Service may contain links to:

  • Social media
  • External websites
  • Products not owned by Us
  • Third-party content

We are not responsible for:

  • Their privacy practices
  • Their content
  • Their accuracy or security

You should review their privacy policies independently.

  1. AUTOMATED DECISION-MAKING & PROFILING

We do not use automated decision-making that:

  • Makes medical decisions
  • Assigns risk scores
  • Predicts disease
  • Affects rights or eligibility
  • Has legal consequences

AI and profiling disclosures:

  • AI helps with pattern recognition, density estimates, and observational classification.
  • AI is not 100% accurate.
  • AI does not diagnose or treat any medical condition.
  • AI output is always interpreted within an educational, non-medical framework.
  1. RESEARCH CONSENT (OPTION A — DEFAULT “OPT-OUT”)

This is the section you specifically requested.

26.1 Automatic Consent

By using the Service, You grant permission to use de-identified data for:

  • Observational hair/wellness research
  • Lifestyle and intervention correlation studies
  • Non-medical scientific inquiries
  • Longitudinal trend analysis
  • Algorithm development
  • AI model training
  • Quality assurance
  • Internal reporting
  • Benchmarking
  • Statistical insights
  • Pattern recognition validation
  • Developing non-medical wellness insights

26.2 Scope of Research

Research may include, but is not limited to:

  • Hair density patterns
  • Shedding patterns
  • Scalp appearance
  • Vellus/terminal hair patterns
  • Redness/erythema trends
  • Follicular tufting indicators
  • Lifestyle factors (sleep, stress, nutrition)
  • Environmental exposures
  • Product/supplement usage patterns
  • Changes over time
  • Observational improvements
  • Self-reported wellness outcomes
  • Analysis of interventions and routines
  • Age/gender/hormonal correlations (de-identified)

26.3 Minor Research Consent

Parent/guardian:

  • Consents on behalf of the minor
  • May opt out at any time

26.4 Opt-Out

To opt-out of future research:

Contact by Email: info @ functionalhairwellness dot com

Opt-out applies going forward only.
Already de-identified data cannot be removed (legal and technical standard).

26.5 Irreversibility

Once Personal Information is de-identified, it:

  • Cannot be linked back to You
  • Cannot be removed from research datasets
  • May be retained indefinitely

26.6 Not Clinical Research

  • Not a clinical trial
  • Not FDA/Health Canada–regulated research
  • Not medical research
  • No medical interventions tested
  • No human-subjects research under REB/IRB rules
  • All data is observational and non-therapeutic
  1. PUBLICATION & SCIENTIFIC USE (ANONYMIZED ONLY)

We may publish:

  • Aggregated statistics
  • Trends
  • Non-identifiable insights
  • Scientific wellness findings
  • AI performance metrics
  • Longitudinal pattern results
  • Observational outcomes

We will never publish:

  • Identifiable photos
  • User names or initials
  • Data that could trace back to You
  • Raw images

Unless You give explicit additional consent.

  1. ANONYMIZATION & DE-IDENTIFICATION PROCESS

To convert data into non-personal information:

We remove:

  • Names
  • Emails
  • Device IDs
  • IP addresses
  • Phone numbers
  • Metadata
  • Background identifiable features
  • Faces (cropping)
  • Geolocation data

We also:

  • Randomize identifiers
  • Store separately from Personal Information
  • Apply irreversible transformations
  • Prohibit re-identification
  1. LIMITS ON DE-IDENTIFICATION (TRANSPARENCY)

We disclose that:

  • No anonymization method is perfect
  • Extremely rare risks may exist
  • We implement state-of-the-art de-identification
  • No reasonable method exists for Us to re-identify anonymized data

This fulfills GDPR Recital 26 transparency requirements.

  1. LIMITS OF THIS PRIVACY POLICY

This Privacy Policy does not apply to:

  • External practitioners You consult
  • Physicians, dermatologists, or trichologists outside Our organization
  • Third-party supplements, merchants, or devices not sold by Us
  • External apps or websites linked from Our Service
  • Platforms hosting user-generated ads
  • Independent medical decisions made by users or parents

You must review third-party privacy policies for all external services.

  1. USER RESPONSIBILITIES

You are responsible for:

  • Providing accurate information
  • Avoiding uploading identifying facial features
  • Managing account security
  • Reviewing AI outputs with understanding that they are non-medical
  • Monitoring minors’ use of the Service
  • Understanding that lifestyle, wellness, and supplement changes require medical oversight
  • Regularly reviewing this Privacy Policy

Parents/guardians must:

  • Upload all minor data
  • Supervise all minor activity
  • Accept full responsibility for minor use
  • Manage research opt-out options for minors
  • Consult healthcare providers for health concerns
  • Ensure minors do not misuse the Service
  1. NO MEDICAL ADVICE

We reaffirm:

  • We do NOT provide medical diagnosis
  • We do NOT provide medical advice
  • We do NOT prescribe or manage medications
  • We do NOT evaluate medical pathology
  • We do NOT replace dermatology or primary care
  • AI outputs are observational only
  • Recommendations are educational only

You must consult a licensed medical professional for:

  • Diagnosis
  • Treatment
  • Evaluation of symptoms
  • Interpretation of medical conditions
  • Medication changes
  1. LIMITATION OF LIABILITY (PRIVACY-SPECIFIC)

To the fullest extent permitted by applicable law, We are not liable for:

  • Unauthorized access due to user negligence
  • Loss of data caused by user error
  • Actions of third-party platforms outside Our control
  • Breach resulting from Your use of unsecured networks
  • Incorrect interpretation of wellness or AI information
  • Use of supplements or devices without supervision
  • Communications intercepted through user devices
  • Actions of external practitioners You choose to consult

33.1 Maximum Liability

If liability cannot be excluded, the total liability for privacy-related claims is limited to:

$100 CAD or the amount paid by You in the prior 3 months — whichever is less.

  1. GOVERNING LAW

This Policy is governed by:

The laws of the Province of Ontario, Canada,
without regard to conflict-of-law principles.

Users residing outside Canada remain subject to this jurisdiction for any privacy-related matters.

  1. DISPUTE RESOLUTION

We follow this process for privacy disputes:

35.1 Step 1 — Written Notice

You must provide written notice of any dispute by contacting by Email: info @ functionalhairwellness dot com:

35.2 Step 2 — Good-Faith Resolution

We will attempt to resolve the dispute through:

  • Conversation
  • Negotiation
  • Clarification

35.3 Step 3 — Mediation (Optional but Recommended)

A neutral mediator may assist.

35.4 Step 4 — Binding Arbitration

If no resolution is reached:

  • The dispute will be resolved by binding arbitration in Ontario
  • No class actions
  • No group arbitration

This applies unless prohibited by local laws (e.g., EU consumer rights).

  1. NO CLASS ACTIONS

To the maximum extent permitted:

  • You waive the right to participate in class actions
  • You waive representative actions
  • Claims must be brought individually

This applies to privacy disputes as well.

  1. CHANGES TO THIS PRIVACY POLICY

We may update this Policy periodically to reflect:

  • New services or features
  • Changes in law
  • Changes in data practices
  • Updates to AI tools
  • New research methodologies
  • New children’s privacy rules
  • Evolving global privacy frameworks

37.1 Notice of Changes

We may notify You via:

  • Email
  • App notification
  • Website banner
  • Dashboard notification

37.2 Effective Date

Changes take effect upon posting unless otherwise stated.

Continued use of the Service after changes indicates acceptance.

  1. PARENTAL RIGHTS & RESPONSIBILITIES (MINORS)

Parents or legal guardians:

38.1 Rights

Have the right to:

  • Access minor’s Personal Information
  • Request correction
  • Request deletion
  • Opt-out of research use
  • Manage all communication preferences
  • Close the minor’s account

38.2 Responsibilities

Must:

  • Provide accurate information
  • Ensure only appropriate photos of the minor are uploaded
  • Supervise all Service use
  • Understand AI limitations
  • Seek medical care when appropriate
  • Ensure minors do not treat results as medical advice
  • Review all updates, privacy notices, and changes
  1. ENFORCEMENT

We may:

  • Deny privacy requests that cannot be verified
  • Suspend accounts in cases of abuse, fraud, or security threats
  • Remove content that violates privacy or community rules
  • Take reasonable steps to protect the integrity of Our systems

We comply with:

  • PIPEDA investigations
  • GDPR/UK-GDPR data authority inquiries
  • CPRA enforcement
  • COPPA enforcement for minors
  • Consumer protection regulators
  1. CONTACT INFORMATION

For questions, requests, or privacy concerns:

Functional Hair Wellness
Operated by Peter Feldman Functional Wellness
Trade name of Medical Databanks Corporation, Ontario, Canada
Email: info @ functionalhairwellness dot com
Address: 290 Caldari Rd, Unit 11, Vaughan, Ontario, L4K 4J4, Canada

We respond within:

  • 30 days (PIPEDA/GDPR/UK-GDPR)
  • 45 days (CPRA/CCPA)
  • Appropriate timelines for COPPA (minors)
  1. ACKNOWLEDGEMENT

By using the Service, You acknowledge that:

  1. You have read and understood this Privacy Policy
  2. You consent to all practices described herein
  3. You understand the Service is educational and non-medical
  4. You understand AI functions only as an observational tool
  5. You consent to Option A research use (unless opted out)
  6. Parents accept all responsibilities for minor data
  7. You understand anonymized data may be retained indefinitely
  8. You agree to all global jurisdictional clauses where applicable