Privacy Policy — HairPath

Overview

HairPath ("we", "us", "our") is a hair transplant recovery companion app. We take your privacy seriously. This policy explains what data we collect, why we collect it, how we protect it, and your rights regarding your personal information.

We never sell your personal data. Your information is used solely to support your recovery and coordinate care with your clinic.

What Data We Collect

Data Type	Examples	Why We Need It
Identity	First name, last name, email, phone	To identify you and enable clinic communication
Surgery Details	Surgery date, graft count, procedure type, pre-surgery medications	To personalize your recovery timeline and care steps
Recovery Progress	Daily check-in scores, medication adherence, comfort levels	To track your healing and alert your clinic if needed
Photos	Milestone progress photos (Day 15, 30, 60, etc.)	For your clinic to review healing remotely
Messages	Questions to the AI assistant, clinic coordinator messages	To provide recovery guidance and improve the AI assistant
Usage	Session duration, sections viewed, language preference	To improve the app experience

How We Use Your Data

We process your data for the following purposes:

Care coordination — sharing your progress with your treating clinic so they can monitor your recovery
Recovery reminders — sending email reminders for daily care tasks and photo milestones
AI assistance — answering your recovery questions through our AI assistant (Zeki)
App improvement — understanding usage patterns to make HairPath better for all patients

We process your data based on: (a) your consent given during onboarding, (b) our legitimate interest in providing recovery support, and (c) the performance of our service agreement with your clinic.

Who Has Access to Your Data

Recipient	What They See	Why
Your Clinic	All your recovery data, photos, messages	Care coordination — they are your treating provider
Supabase (database)	All stored data (encrypted at rest)	Secure cloud database hosting
Vercel (hosting)	API requests, server logs	App and API hosting
Resend (email)	Your email address, email content	Delivering recovery reminder emails
Anthropic (AI)	Your questions to the AI assistant (no PII sent)	Powering the Zeki recovery assistant

We do not sell, rent, or trade your personal data with any third parties for marketing or advertising purposes.

How We Protect Your Data

Encryption in transit — all data transmitted via HTTPS/TLS
Encryption at rest — database encrypted using AES-256
Access control — row-level security ensures patients only see their own data, clinics only see their own patients
Token authentication — signed tokens with 30-day expiry for patient access
No passwords stored — we use a passwordless authentication system
Service role isolation — API keys are server-side only, never exposed to browsers

How Long We Keep Your Data

We retain your personal data for the duration of your active recovery period plus one year after your recovery is marked complete. After this period:

You can request deletion at any time from your Profile page
Deleted accounts are anonymized (personal details removed) rather than hard-deleted, so your clinic's aggregate statistics remain intact
Photos are permanently deleted upon account deletion request

Your Rights

Under GDPR, KVKK (Turkish data protection law), and applicable privacy regulations, you have the right to:

Access — download a copy of all your personal data (available from your Profile)
Correction — update or correct your personal information at any time
Deletion — request deletion of your account and personal data
Portability — receive your data in a structured, machine-readable format (JSON)
Withdraw consent — opt out of email communications at any time
Object — object to processing of your data for specific purposes

To exercise any of these rights, use the "My Data" section in your Profile, or contact us at the address below.

Cookies & Local Storage

HairPath uses only essential browser storage (localStorage and sessionStorage) to:

Keep you signed in during your session
Store your language preference
Remember your onboarding progress

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Google Fonts is loaded for visual styling — Google's privacy policy applies to font delivery.

Children's Privacy

HairPath is designed for adults undergoing hair transplant procedures. We do not knowingly collect data from anyone under the age of 18. If we learn that we have collected data from a minor, we will delete it promptly.

Changes to This Policy

We may update this privacy policy from time to time. When we make significant changes, we will notify you through the app and update the version number and date at the top of this page. Continued use of HairPath after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this privacy policy or your personal data, contact us:

Email: support@hairpath.app
Website: hairpath.app

For GDPR-related inquiries, you also have the right to lodge a complaint with your local data protection authority.