Privacy Policy
Dr. Brown's Group of Companies Ltd. (collectively referred to as "we," "us," or "our"), a Bermuda-registered entity, with headquarters in Bermuda and operations extending to South Africa, the United States, and other international jurisdictions, is deeply committed to safeguarding your privacy. As a global leader in hair restoration, dermatology, wellness treatments, trichology education through Dr. Brown's Institute, advanced software solutions including Trico Exam, proprietary product lines via Dr. Brown's Laboratory, and related healthcare and professional services (collectively, the "Services"), we handle personal information with the utmost care and in full compliance with the most stringent international data protection standards.
This Privacy Policy ("Policy") provides a comprehensive explanation of our practices concerning the collection, use, disclosure, transfer, security, and your rights regarding personal data processed through our website, affiliated sites (including but not limited to https://drbrownslab.com/, drbrownshairclinic.com, tricoexam.com, drbrownsinstitute.org, drbrownslab.com/hairclub, and others), mobile applications (if any), in-clinic consultations, online registrations, training enrollments, software usage, product purchases, and all related interactions.
We comply with, and this Policy is crafted to satisfy or exceed the requirements of, key data protection frameworks including:
- Bermuda – Personal Information Protection Act 2016 (PIPA);
- South Africa – Protection of Personal Information Act 4 of 2013 (POPIA);
- European Union / European Economic Area – General Data Protection Regulation (EU) 2016/679 (GDPR);
- United Kingdom – UK GDPR and Data Protection Act 2018;
- United States – Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its Privacy, Security, Breach Notification, and Enforcement Rules (for protected health information – PHI – in U.S. operations); California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (CCPA/CPRA); and other state privacy laws where applicable;
- Other relevant laws, including sector-specific health data regulations and cross-border transfer mechanisms.
We act as the data controller (or business under HIPAA/CCPA) for most processing activities. In certain cases (e.g., processing patient data on behalf of independent healthcare providers or Trico Exam users), we may act as a data processor or business associate (HIPAA).
By accessing our websites, using our Services, submitting information, or otherwise interacting with us, you acknowledge and agree to the practices described herein. If you do not agree, please discontinue use immediately.
1. Scope and Applicability
1.1 This Policy applies to all personal information we collect from or about:
- Individual patients and clients seeking hair restoration (medical therapies, surgical transplants including FUE/FUT techniques), dermatological care, wellness services, or product recommendations;
- Users of Trico Exam software (trichologists, dermatologists, hair restoration specialists, clinics);
- Participants in Dr. Brown's Institute training programs (certified trichology courses, hands-on clinical training, business modules);
- Members of the Online Hair Club;
- Website visitors, enquirers, appointment bookers, product purchasers;
- Healthcare professionals, affiliates, partners, and employees (where personal data is processed in a non-employment context).
1.2 It does not apply to anonymized or aggregated data that cannot be linked to an identified or identifiable individual, nor to employment-related processing (governed by separate policies).
2. Categories of Personal Information Collected
We collect the following categories of personal information:
2.1 Personal Identifiers and Contact Details
- Full name, title, date of birth, gender;
- Email address, telephone/mobile number, postal/mailing address;
- Account login credentials (username, password hashes);
- Government-issued identifiers (where required for identity verification or medical compliance, e.g., ID/passport copies for international patients).
2.2 Sensitive / Special Category Health Data (Highly Protected)
- Medical and treatment history, hair loss patterns (Norwood/Ludwig/Savin scales), scalp conditions, dermatological diagnoses;
- Photographs, digital scans, trichoscopy images, before-and-after images;
- Treatment plans, surgical details (e.g., graft counts, donor/recipient sites), medication/prescription history;
- Biometric data derived from hair/scalp analysis;
- Wellness metrics, lifestyle factors affecting hair health (diet, stress, genetics where disclosed);
- Protected Health Information (PHI) under HIPAA in U.S. contexts.
This constitutes special category personal data under GDPR/POPIA (health data), sensitive personal information under PIPA, and PHI under HIPAA.
2.3 Financial and Transactional Data
- Payment card details (processed via PCI-DSS compliant third parties – we do not store full card numbers);
- Billing/shipping addresses, transaction IDs, invoices, receipts.
2.4 Professional and Educational Data
- Qualifications, licenses, certifications (for Institute trainees and Trico Exam users);
- Training records, course progress, certifications issued, feedback/evaluations.
2.5 Usage, Device, and Technical Data
- IP address, device type/model, operating system, browser type/version;
- Geolocation data (approximate from IP or precise with consent);
- Cookies, pixels, web beacons, session data, referral sources;
- Interaction logs (pages viewed, time spent, clicks, form submissions);
- Trico Exam-specific logs (workflow usage, patient documentation patterns – anonymized where feasible).
2.6 Communications and Preferences
- Enquiries, support tickets, chat transcripts, feedback, survey responses;
- Marketing preferences, opt-in/opt-out status;
- Social media interactions (if you link accounts or tag us).
2.7 Other Sources
- Data from third-party referrals, partners, public sources (with legal basis), or integrated platforms (e.g., appointment booking via healow).
We do not knowingly collect data from children under 16 (or the applicable age of digital consent in your jurisdiction) without explicit verifiable parental/guardian consent. Such data will be deleted immediately upon discovery.
3. How We Collect Personal Information
- Directly from you: Registration forms, contact/enquiry forms, appointment bookings, consultation intakes, Hair Club join forms, Institute enrollment, Trico Exam account creation, purchases, communications.
- Automatically: Through cookies/trackers (with consent where required), server logs, analytics tools.
- From third parties: Referring healthcare providers, payment processors, marketing partners, public databases (limited), integrated booking systems.
- During service delivery: In-clinic consultations, procedures, follow-ups, software usage.
4. Purposes of Processing and Legal Bases
4.1 We process personal information only for specified, explicit, and legitimate purposes, with appropriate legal bases:
| Purpose | Examples | Primary Legal Bases |
|---|---|---|
| Provision and administration of Services | Delivering consultations, transplants, dermatology care, wellness plans; operating Trico Exam; conducting Institute training; processing bookings/payments | Contract performance; Legitimate interests; Legal obligation (health/safety) |
| Health care delivery and records management | Maintaining accurate medical records; ensuring treatment continuity/safety; HIPAA-covered treatment, payment, operations | Vital interests; Legal obligation; Explicit consent (special categories); HIPAA permitted uses |
| Personalization and improvement | Tailoring recommendations; analyzing treatment outcomes (de-identified where possible) | Legitimate interests; Consent |
| Marketing and communications | Newsletters, promotions, service updates, Hair Club tips | Consent (where required); Legitimate interests (soft opt-in in some jurisdictions) |
| Compliance, security, fraud prevention | Auditing, detecting misuse, legal defense, mandatory reporting | Legal obligation; Legitimate interests |
| Research and analytics | Improving products/services via aggregated/de-identified data | Legitimate interests; Consent for identifiable use |
| Professional development | Certifying trainees, issuing credentials | Contract performance; Legitimate interests |
4.2 For GDPR/POPIA/PIPA special category data: Explicit consent, substantial public interest (healthcare), or necessity for preventive/occupational medicine. For HIPAA: Treatment, payment, healthcare operations, or with authorization. We conduct legitimate interests assessments (where relied upon) and do not sell personal information (CCPA definition).
5. Sharing and International Transfers
5.1 We disclose personal information only as necessary, with safeguards:
- Service providers/processors: Cloud hosting, payment gateways, analytics (Google Analytics – anonymized), CRM, email providers – bound by DPA/BAA equivalent to GDPR Art. 28, POPIA conditions, PIPA, HIPAA BAA.
- Affiliates: Intra-group transfers within Dr. Brown's Group entities.
- Healthcare collaborators: Referring providers, labs (with consent/authorization).
- Professional regulators/accreditors: For Institute certifications.
- Legal and safety: Courts, regulators, public health authorities.
- Business transactions: Successors in merger/acquisition (with notice).
5.2 International transfers: Data may move to/from Bermuda (adequate under GDPR via PIPA alignment), South Africa, USA, EU/UK, and other countries. Safeguards include:
- Standard Contractual Clauses (SCCs 2021) or UK Addendum;
- Binding Corporate Rules (intra-group);
- Adequacy decisions;
- HIPAA-compliant mechanisms.
6. Data Security Measures
6.1 We maintain state-of-the-art safeguards:
- Encryption (TLS 1.3+ in transit; AES-256 at rest for health data);
- Access controls (RBAC, MFA, least privilege);
- Firewalls, intrusion detection, regular vulnerability scanning/penetration testing;
- HIPAA Security Rule technical/administrative/physical controls;
- Employee training, confidentiality agreements;
- Incident response and breach notification protocols (72 hours GDPR; prompt POPIA/PIPA/HIPAA).
6.2 No transmission or storage method is 100% secure; we cannot guarantee absolute protection.
7. Data Retention Periods
7.1 We retain data only as long as necessary:
- Medical/treatment records: Minimum 7–10 years post-last contact (HIPAA, medical standards, limitation periods);
- Trico Exam / Institute records: Duration of relationship + 5 years;
- Account / marketing data: Active period + 2 years post-inactivity (or withdrawal);
- Logs/technical data: Up to 12–24 months;
- Legal requirements override (e.g., tax, litigation holds).
7.2 Thereafter: secure deletion, anonymization, or destruction.
8. Your Privacy Rights
8.1 Depending on your location/jurisdiction, you may have:
- Access – Confirm processing and obtain copy;
- Rectification – Correct inaccuracies;
- Erasure ("right to be forgotten") – Subject to exceptions (e.g., legal/medical retention);
- Restriction – Limit processing (e.g., during disputes);
- Objection – To legitimate interests or direct marketing;
- Portability – Structured, machine-readable format (GDPR/POPIA);
- Withdraw consent – At any time (no effect on prior processing);
- Automated decisions – Not to be subject (if profiling occurs);
- CCPA/CPRA – Know, delete, opt-out of sale/sharing, limit sensitive use, non-discrimination;
- HIPAA – Access PHI, amend, accounting of disclosures, confidential communications, restrictions.
8.2 To exercise rights, contact our Data Protection Officer (DPO) at info@drbrownsgroup.com or postal addresses below. Provide sufficient detail for verification (identity proof may be required). We respond within statutory periods (e.g., 1 month GDPR – extendable; 45 days CCPA). No fee unless manifestly unfounded/excessive.
8.3 You may lodge complaints with:
- Bermuda Privacy Commissioner;
- South African Information Regulator;
- Relevant EU/UK supervisory authority (e.g., ICO);
- U.S. Department of Health and Human Services (HIPAA).
9. Cookies, Tracking Technologies, and Do Not Track
We use essential, analytics, functional, and advertising cookies/pixels. Consent management is provided via banner/tool (GDPR/POPIA-compliant). See our separate Cookie Policy (linked on site) for details.
We honor browser Do Not Track (DNT) signals where legally required.
10. Children's Privacy
Our Services are not directed to children under 16. We do not knowingly collect their data without parental consent. Contact us immediately if concerned.
11. Changes to This Policy
We may revise this Policy to reflect legal, operational, or Service changes. Continued use after changes constitutes acceptance.
12. Contact Information
Data Protection Officer Email: info@drbrownsgroup.com
Physical Addresses:
- Bermuda (Headquarters): 7 Northshore Road, Devonshire, DV01, Bermuda | Tel: +1 (441) 542 4919
- South Africa: Spaces Design Quarters, Office G20, Leslie Road, Fourways, Johannesburg 2191 | Tel: +27 10 141 6530
- USA: +1 470 276 4278
This Policy is governed by Bermuda law. Please refer to Section 11 of this website's Terms and Conditions.
We appreciate your trust and remain dedicated to protecting your privacy at the highest global standards.