Privacy Policy

01 / Overview & Commitment

Crown Labs Inc. ("Crown Labs," "we," "us," or "our") is committed to protecting the privacy of every person who uses our Platform. This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and the choices you have.

As a Canadian company registered in British Columbia providing health services, we are subject to:

• The Personal Information Protection and Electronic Documents Act (PIPEDA), SC 2000, c. 5;
• British Columbia's Personal Information Protection Act (PIPA), SBC 2003, c. 63;
• British Columbia's E-Health (Personal Health Information Access and Protection of Privacy) Act, SBC 2008, c. 38;
• Applicable professional privacy obligations under the Health Professions Act, RSBC 1996, c. 183.

02 / Data We Collect

We collect information in the following categories:

Account & Identity Information

• Full name, email address, date of birth, and province of residence;
• Account login credentials (passwords are hashed and never stored in plain text);
• Billing address and payment information (processed by our payment processor — see Section 4).

Health Information

• Intake questionnaire responses about hair loss history, pattern, severity, and duration;
• Current medications, supplements, and known allergies;
• Relevant medical history including cardiovascular conditions, hormone levels, and family history of hair loss;
• Photographs of your scalp or hairline submitted for clinical assessment;
• Consultation notes and treatment plans prepared by your practitioner;
• Lab or test results you choose to share.

Communications

• Messages exchanged with your practitioner or Crown Labs support through the Platform;
• Feedback and survey responses.

Technical & Usage Information

• IP address, browser type, operating system, and device identifiers;
• Pages visited, features used, and session duration;
• Referring URLs and navigation paths.

03 / How We Use Your Data

We use the information we collect for the following purposes, each with a lawful basis under PIPEDA and BC PIPA:

Providing Services

• Creating and managing your account;
• Matching you with a licensed practitioner and facilitating consultations;
• Sharing relevant health information with your treating practitioner (with your consent);
• Coordinating prescription and product fulfillment through pharmacy partners;
• Sending appointment reminders and care follow-up communications.

Billing & Account Management

• Processing subscription payments and issuing receipts;
• Detecting and preventing fraud;
• Resolving billing disputes.

Platform Improvement

• Analysing aggregated, de-identified usage data to improve the Platform;
• Conducting voluntary user research;
• Monitoring and improving Platform security.

Communications

• Sending transactional messages about your account and care;
• Sending marketing communications with your explicit consent (withdraw at any time by unsubscribing).

Legal & Regulatory Compliance

• Complying with applicable laws and regulatory requirements;
• Responding to lawful government requests;
• Enforcing our Terms of Service.

04 / Third-Party Processors

We engage trusted third-party service providers to help operate the Platform. These processors access your personal information only to perform services on our behalf and are contractually bound to comply with applicable privacy laws.

Supabase

We use Supabase as our primary backend database and authentication provider. Supabase stores your account information, health questionnaire data, and consultation records. Data may be stored on servers in Canada or the United States. Where data is stored in the US, it may be subject to US law including laws permitting government access. We have a Data Processing Agreement with Supabase requiring PIPEDA-standard protections.

Payment Processing

Credit card and payment data is handled by a PCI-DSS compliant payment processor. We do not store full card numbers on our servers. Only the information necessary to process your transaction is shared with the processor.

Video Conferencing

Where video consultations are offered, we use a HIPAA/PIPEDA-compatible video platform. Sessions are not recorded without your explicit consent.

Email & Communications

Transactional and marketing emails are delivered via a third-party email service provider that processes your email address and engagement data (opens, clicks).

Analytics

We may use privacy-respecting analytics tools to understand aggregate usage patterns, configured to anonymize or pseudonymize data and to avoid transmitting health information.

Pharmacy & Fulfillment Partners

Where your practitioner issues a prescription fulfilled by a partner pharmacy, we share the minimum necessary information (name, shipping address, prescription details). Pharmacy partners are subject to their own professional privacy obligations.

A current list of significant sub-processors is available upon written request to legal@crownlabshair.ca.

05 / Cookies & Tracking

Our website uses cookies and similar tracking technologies. Cookies are small text files stored on your device.

Types of Cookies We Use

• Strictly Necessary: Required for Platform operation (e.g., session management). Cannot be disabled.
• Functional: Remember your preferences such as display settings.
• Analytics: Collect anonymous, aggregated usage data. You may opt out.
• Marketing: Used only with your explicit consent for relevant advertising. Not placed on authenticated health-related pages.

Managing Cookies

You can control cookies through your browser settings. Disabling strictly necessary cookies may affect Platform functionality. Opt out of analytics cookies through the cookie preference centre in the Site footer.

Do Not Track

We honour browser-level Do Not Track (DNT) signals for analytics cookies. We do not cross-track your activity on third-party websites.

06 / PIPEDA Compliance

Our privacy practices are built on PIPEDA's ten fair information principles and BC PIPA's substantially similar requirements:

1. Accountability: Crown Labs Inc. is responsible for personal information under our control. Our Privacy Officer is reachable at legal@crownlabshair.ca.
2. Identifying Purposes: We identify the purpose for collection at or before the time we collect information (as described in this Policy).
3. Consent: We obtain meaningful consent for collection, use, and disclosure of personal information, except where PIPEDA permits otherwise.
4. Limiting Collection: We collect only the information necessary for identified purposes.
5. Limiting Use, Disclosure, and Retention: Information is used and disclosed only for the purposes collected. We retain information only as long as necessary.
6. Accuracy: We maintain personal information as accurate and up-to-date as required. You may update account information through your settings.
7. Safeguards: We protect personal information with security safeguards appropriate to its sensitivity.
8. Openness: We make this Policy readily available and communicate updates before they take effect.
9. Individual Access: Upon written request, we will provide access to the personal information we hold about you.
10. Challenging Compliance: You may challenge our compliance through our Privacy Officer or the Office of the Privacy Commissioner of Canada.

Cross-Border Data Transfers

Some service providers process data in the United States. Data transferred outside Canada may be subject to foreign laws including laws permitting government access. We take contractual steps to require comparable privacy protections, but we encourage you to review this risk before using the Platform.

07 / Your Rights

Subject to applicable law, you have the following rights regarding your personal information:

Access

Request a copy of the personal information we hold about you. We respond within 30 days of a written request.

Correction

Request correction of inaccurate or incomplete information. Most account information can be updated directly in your settings.

Withdrawal of Consent

Withdraw consent to non-essential processing (such as marketing emails) at any time. Withdrawing consent for essential processing (such as sharing health data with your practitioner) may mean we can no longer provide services to you.

Deletion

Request deletion of your account and personal information. Deletion is subject to legal retention requirements — health records may be retained for a minimum period under provincial law, and financial records for tax purposes. Retained data will not be used for any other purpose.

Data Portability

Request a machine-readable export of your account and health data in a common format (e.g., JSON or CSV) within 30 days.

Complaint

If you believe your privacy rights have been violated, contact:

• Our Privacy Officer at legal@crownlabshair.ca;
• The Office of the Information and Privacy Commissioner for BC at oipc.bc.ca; or
• The Office of the Privacy Commissioner of Canada at priv.gc.ca.

To exercise your rights, email legal@crownlabshair.ca with your name, account email, and description of your request. We may verify your identity before processing.

08 / Data Retention

We retain personal information for as long as necessary to fulfil collection purposes, provide services, and comply with legal obligations:

• Health records: Minimum 10 years after last entry (or until age 29 if you were a minor), consistent with BC healthcare standards;
• Financial records: 7 years for tax and accounting purposes;
• Account data: Duration of your account plus 2 years after closure;
• Marketing data: Until consent is withdrawn or 3 years of inactivity, whichever is sooner.

When data is no longer required, it is securely deleted or anonymized.

09 / Security

We implement industry-standard technical and organizational security measures to protect your personal information, including:

• TLS/SSL encryption for all data in transit;
• Encryption at rest for sensitive health data;
• Role-based access controls restricting data access to authorized personnel;
• Regular security assessments and penetration testing;
• Multi-factor authentication for practitioners and staff;
• Breach response and notification procedures compliant with PIPEDA's breach reporting requirements.

In the event of a breach posing a real risk of significant harm, we will notify affected individuals and the applicable privacy commissioner(s) as required by law.

No system is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.

10 / Contact & Complaints

Questions about this Privacy Policy or our privacy practices? Contact our Privacy Officer:

We commit to responding to privacy inquiries within 10 business days and resolving complaints within 30 days. If we cannot resolve your complaint satisfactorily, you have the right to escalate to the Office of the Information and Privacy Commissioner for BC or the Office of the Privacy Commissioner of Canada.