As of: 06.05.2026 · Version 2026.05

Somana Health GmbH, Französische Straße 24, 10117 Berlin (hereinafter "Somana") provides the following information about how we handle your personal data when you visit this website and use our online services. The protection of your data is important to us – we handle your information responsibly and in accordance with the law.

This website is operated by Somana Health GmbH. Physiotherapy treatment in our practice at Gendarmenmarkt is provided by our operating subsidiary Somana Berlin GmbH (Französische Str. 24, 10117 Berlin). If you book an appointment at our practice via this website, we will transmit the data required for this purpose to Somana Berlin GmbH, which from that point on is independently responsible under data protection law.

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) for this website is:

Somana Health GmbH

Französische Straße 24
10117 Berlin
Germany

Email: info@somana.com

Data protection inquiries: datenschutz@somana.com

Telephone: +49 30 754 394 470

Further information (management, commercial register) can be found in our legal notice (Impressum).

2. Data Protection Officer

We have appointed an external data protection officer:

Proliance GmbH (datenschutzexperte.de)

Dominik Fünkner
Leopoldstraße 21, 80802 Munich
Telephone: +49 89 250 039 227
Email: datenschutzbeauftragter@datenschutzexperte.de

When contacting the data protection officer, please state the name of our practice. Please do not include sensitive attachments such as copies of identification documents. If identity verification becomes necessary, we will contact you securely in a second step.

3. Purposes of Processing

We process your personal data for the following purposes:

• Provision of the website and ensuring its trouble-free operation (server log files, IT security).

• Responding to your inquiries via contact forms and online appointment bookings.

• Processing applications for advertised positions.

• Reach measurement, optimization of the website, and analysis of usage behavior (only with consent).

• Management and performance measurement of our online marketing activities (only with consent).

• Transmission of relevant data to our subsidiary Somana Berlin GmbH to prepare for an arranged treatment appointment.

Processing only takes place to the extent that a legal basis under Art. 6(1) GDPR exists. The applicable legal basis is set out below for each individual processing activity.

4. Data Collected Automatically When Visiting the Website

When you access our website, our web server automatically processes technical connection data transmitted by your browser. This includes in particular:

• IP address

• Date and time of access as well as duration of the visit

• Pages accessed and amount of data transferred

• Referring website (referrer), if you reached us via a link

• Browser used, operating system, and language settings

This data is technically necessary in order to display the website to you and to ensure the stability and security of our systems.

Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest lies in the secure, trouble-free, and functional operation of this website.

Storage period: Server log files are stored for a maximum of 30 days and then automatically deleted, unless a specific security incident requires longer storage.

5. Cookies and Comparable Technologies

We use cookies and comparable technologies (e.g. Local Storage, pixels) on our website. Cookies are small text files stored in your browser that can be read again when you revisit our website. They contain no programs and cannot transmit any malware.

5.1 Technically Necessary Cookies

These cookies are required for the operation of the website (e.g. ensuring the functionality of forms, load balancing, storing your cookie decision).

Legal basis: Art. 6(1)(f) GDPR in conjunction with Section 25(2)(2) TDDDG. Consent is not required.

5.2 Cookies and Tracking Technologies Requiring Consent

All other cookies and comparable technologies, in particular for reach measurement, web analytics, marketing, and external content, will only be activated after your express consent via our consent management tool (cookie banner). The specific services covered are listed in Section 8.

Legal basis: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG (consent).

You can withdraw your consent at any time via the consent management tool or your browser settings, with effect for the future. You can delete cookies already stored at any time in your browser.

6. Contact Forms and Online Appointment Booking

For inquiries and online appointment bookings, we use the Typeform platform.

Typeform

Provider: TYPEFORM, S.L., C/Bac de Roda 163, 08018 Barcelona, Spain.

When filling out a form, we process the data you provide – in particular first and last name, email address, telephone number, and any further details about your request. Mandatory fields are marked in the form. Typeform also collects technical connection data (IP address, device and browser information, date/time) to ensure functionality and protect against misuse.

Recipients: Typeform acts as our processor pursuant to Art. 28 GDPR.

Legal basis: Art. 6(1)(b) GDPR (performance of pre-contractual measures – appointment request) as well as Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG for cookies set by Typeform.

Storage period: The data will be deleted after final processing of your request, unless statutory retention obligations prevent this.

Alternative contact channels: You can also reach us at any time by email at info@somana.com or by telephone.

Further information: Typeform privacy notices

Appointments at the practice: As soon as you arrange an appointment at our practice via the form, we transmit the data required for treatment preparation to our subsidiary Somana Berlin GmbH. From that point on, Somana Berlin GmbH is the independent controller. The legal basis for the transmission is Art. 6(1)(b) GDPR (initiation of a treatment contract). Detailed information on processing in the practice will be provided to you with the intake form and in the 

Comosio Privacy Information.

7. Applications via Personio

Provider: Personio SE & Co. KG, Seidlstraße 3, 80335 Munich, Germany.

We use Personio to publish job offers and manage incoming applications. When accessing our careers page or a job posting, Personio may set technically necessary cookies.

When you apply, we process the data you submit – in particular first and last name, contact data, application documents (CV, cover letter, certificates), and technical connection data. We use this data exclusively to process your application and to carry out the application process.

Recipients: Personio acts as our processor pursuant to Art. 28 GDPR.

Legal basis: Section 26(1) BDSG in conjunction with Art. 88 GDPR (initiation of an employment relationship) and Art. 6(1)(b) GDPR (pre-contractual measures). Insofar as special categories of personal data (e.g. severe disability status) are voluntarily provided, processing is based on Section 26(3) BDSG and Art. 9(2)(b) GDPR. For technically necessary cookies: Art. 6(1)(f) GDPR.

Storage period: In the event of a rejection, application data are generally deleted six months after completion of the application procedure (retention with regard to the AGG/General Equal Treatment Act). If you are hired, relevant data will be transferred to your personnel file.

Further information: https://www.personio.de/datenschutzerklaerung/

8. Analytics and Marketing Services Used

The following services are activated only after your consent via our consent management tool. No data processing by these services takes place without consent.

Legal basis for all services in this section: Art. 6(1)(a) GDPR in conjunction with Section 25(1) TDDDG. You can withdraw your consent at any time via our consent management tool with effect for the future.

8.1 Google Tag Manager

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

We use Google Tag Manager for the technical management and delivery of scripts (e.g. for web analytics or marketing tools). Tag Manager itself does not perform any analyses, does not store cookies, and does not create its own user profiles. It only controls the delivery of the services described below.

Tags that use cookies or comparable technologies, or that transmit personal data to third parties, are activated only after your consent via our consent management tool. Technical connection data (e.g. IP address) are processed for the delivery of Tag Manager. Where possible, we load Tag Manager via our own infrastructure (server-side tagging, see 8.2), thereby reducing the data transfer to Google.

8.2 Server-Side Tagging (Google Cloud Run)

Infrastructure provider: Google Ireland Limited.

We operate a server-side tagging container on Google Cloud Run in the EU-West 3 region (Frankfurt). Through this server, data on your website usage is first transferred to our own infrastructure in the EU. There – where technically possible – the data is anonymized or pseudonymized (e.g. by truncating the IP address). Only afterwards is the processed information forwarded to the services listed in 8.3–8.7.

A data processing agreement pursuant to Art. 28 GDPR is in place with Google Cloud. In addition, we apply the European Commission's Standard Contractual Clauses to the extent that processing outside the EU cannot be ruled out.

8.3 Google Analytics 4

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

We use Google Analytics 4 (GA4) to analyze the use of our website, generate reports on visitor activity, and optimize our content. GA4 uses cookies and comparable technologies.

The information collected about your use of the website (e.g. pages accessed, browser and device information, click paths) is not transmitted directly to Google but is first processed via our server-side tagging server (see 8.2). On this server, your IP address is anonymized or pseudonymized before the data is forwarded to Google for further processing.

According to our settings, the analytics data is not merged with other Google data. The storage period for GA4 data is 14 months.

In addition, we use the Google Signals feature. It enables cross-device reports if you have activated the "personalized advertising" option in your Google account. In this context, we receive only anonymous, statistical evaluations.

A data processing agreement pursuant to Art. 28 GDPR is in place with Google. For any transfers to the USA, Google relies on the EU-U.S. Data Privacy Framework as well as on the European Commission's Standard Contractual Clauses.

Further information: policies.google.com/privacy

8.4 Google Ads Conversion Tracking

Provider: Google Ireland Limited.

We use Google Ads Conversion Tracking to measure the effectiveness of our advertisements. If you reach our website via a Google ad, a cookie with a limited lifetime (max. 90 days) is stored, which serves exclusively to measure advertising effectiveness.

We only obtain aggregated values (e.g. number of clicks and subsequent conversions). Personally identifiable information is not possible for us on this basis.

Google Consent Mode v2 has been mandatory since March 2024. Our cookie banner ensures that consents for the categories "ad_user_data" and "ad_personalization" are obtained in compliance with the GDPR. Without consent, Google only processes anonymized, modeled conversions.

Any transfers to the USA are based on the EU-U.S. Data Privacy Framework and on the European Commission's Standard Contractual Clauses.

8.5 Google Customer Match

Provider: Google Ireland Limited.

With your consent, we use the Customer Match function to make our advertising more targeted. For this purpose, your contact data (e.g. email address or telephone number) is converted into an unreadable string using a hashing process (SHA-256) before being transmitted to Google. Google therefore does not receive your data in plain text but compares the hash values with existing Google accounts.

This allows us to deliver our advertisements more precisely, show you more relevant content, or avoid showing you advertising for services you already use. Direct conversion measurement does not take place as part of this function.

A data processing agreement pursuant to Art. 28 GDPR is in place with Google. According to Google, the transmitted hash values are deleted immediately after the matching process. You can also object to the use of your data at any time in the settings of your personal Google account under "Ad Settings."

8.6 Enhanced Conversions

Provider: Google Ireland Limited.

We use the Google features "Enhanced Conversions" and "Enhanced Conversions for Leads" for improved attribution of conversions. In the event of a conversion (e.g. form submission), data you have entered (name, email address, address) may be transmitted to Google in encrypted form using a hashing process (SHA-256). For lead forms, your email address is hashed and transmitted to Google; the storage period is up to 63 days.

8.7 Meta Pixel (Facebook/Instagram)

Provider: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland.

We use the Meta Pixel to measure the effectiveness of our advertising campaigns on Facebook and Instagram. The pixel collects in particular IP address, device and browser data, page views and user behavior, referrer URL, and time stamps. This allows us to track conversions (e.g. form submissions), create custom audiences, and optimize future advertising campaigns.

Note on joint controllership: For the collection and transmission of data to Meta, we and Meta are joint controllers within the meaning of Art. 26 GDPR. The essential content of the agreement concluded between us and Meta can be viewed at

facebook.com/legal/controller_addendum. For the subsequent processing of data by Meta for its own purposes, Meta is solely responsible.

We do not receive any personal data from Meta, only aggregated reports on ad performance. Transfers to the USA are based on the EU-U.S. Data Privacy Framework and on the European Commission's Standard Contractual Clauses.

Adjust ad settings: facebook.com/ads/preferences

8.8 Microsoft Clarity

Provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

We use Microsoft Clarity to analyze how visitors interact with our website and to improve usability.

Linking with Google Analytics 4: If you have also consented to the use of Google Analytics 4 (see Section 8.3), we link Clarity sessions with GA4 in order to assign analyses to individual marketing campaigns. This linking only takes place where both services have been consented to cumulatively.

Data processed:

• Technical connection data (IP address – processed in shortened form, browser and device information, operating system, screen resolution, language settings),

• Behavioral data (clicks, scrolling behavior, mouse movements, pages visited, referrer URL, time spent),

• Aggregated analyses in the form of heatmaps and anonymized session recordings (session replays).

Masking of sensitive data: We use Clarity with the masking function activated. Text input in forms and areas marked as sensitive are masked before being transmitted to Microsoft (shown as "X" or black bars in the recordings). Microsoft does not receive this content.

Cookies and storage period: Clarity sets cookies that are stored for up to 12 months. Recorded sessions are automatically deleted after 30 days.

Transfer to third countries: Processing on servers of Microsoft Corporation in the USA cannot be ruled out. We base such transfers on the EU-U.S. Data Privacy Framework, which Microsoft has joined, and on the European Commission's Standard Contractual Clauses.

Data processing: A data processing agreement pursuant to Art. 28 GDPR is in place with Microsoft.

Direct opt-out: In addition to withdrawal via our consent management tool, you can permanently disable Clarity at clarity.microsoft.com/privacy.

8.9 Marketing Attribution (UTM Parameters and Click Identifiers)

When you access our website via an advertising campaign, we collect parameters from the URL as well as information about the referring website (referrer), in particular:

• UTM parameters (e.g. utm_source, utm_medium, utm_campaign) for identifying the campaign source,

• Click identifiers (e.g. gclid, wbraid, gbraid) for attributing advertising activities.

These data are temporarily stored as first-party cookies in your browser (lifetime max. 365 days). If you subsequently make an inquiry, book an appointment, or use a form, the cached information is passed on to our form and transferred to our internal systems (CRM).

We use this data for statistical analysis of our marketing activities and for improved attribution of inquiries. There is no direct return transmission of this specific linkage to third-party providers.

Storage period: The marketing attribution data transferred to our CRM is stored together with the associated record and deleted as soon as the purpose ceases to apply – at the latest, however, in accordance with the statutory retention periods for business correspondence.

9. Transfer to Third Countries

Insofar as we transfer data to providers based or processing data outside the European Economic Area (EEA), we ensure that appropriate safeguards exist pursuant to Art. 44 et seq. GDPR. Specifically:

• For transfers to the USA to providers that have joined the EU-U.S. Data Privacy Framework (adequacy decision of the European Commission of 10 July 2023): based on the adequacy decision; supplemented by Standard Contractual Clauses.

• For transfers to other third countries: based on the European Commission's Standard Contractual Clauses and supplementary technical and organizational measures.

A current overview of the sub-processors used and the respective protection bases can be obtained on request from our data protection officer.

10. Storage Period

We store your personal data only for as long as is necessary for the respective processing or as required by statutory retention obligations. Specifically:

• Server log files: max. 30 days.

• Inquiries via contact forms: until your request has been finally processed, then deletion; for business correspondence, retention pursuant to Section 257 HGB / Section 147 AO (6 or 10 years).

• Applications: usually 6 months after completion of the application procedure (AGG/General Equal Treatment Act).

• Google Analytics 4: 14 months.

• Google Ads conversion cookies: max. 90 days.

• Microsoft Clarity cookies: max. 12 months; session recordings: max. 30 days.

• Marketing attribution cookies: max. 365 days; CRM records: until the purpose ceases or the statutory period.

• Consent decision in the cookie banner: usually 6 months, then re-querying.

For the storage periods of data processed in the practice, please refer to the data protection information provided in the intake form and at

somana.com/de/datenschutz-comosio.

11. Your Rights

You have the following rights vis-à-vis us:

• Information about the data processed about you (Art. 15 GDPR),

• Rectification of inaccurate or completion of incomplete data (Art. 16 GDPR),

• Erasure, insofar as no statutory retention obligations apply (Art. 17 GDPR),

• Restriction of processing (Art. 18 GDPR),

• Data portability in a structured, commonly used format (Art. 20 GDPR),

• Objection to processing based on Art. 6(1)(f) GDPR (Art. 21 GDPR),

• Withdrawal of any consent given, with effect for the future (Art. 7(3) GDPR).

To exercise your rights, please contact datenschutz@somana.com or our data protection officer (see Section 2).

12. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:

Berlin Commissioner for Data Protection and Freedom of Information

Friedrichstraße 219

10969 Berlin

datenschutz-berlin.de

Please feel free to contact us directly first – many issues can be resolved quickly in personal conversation.

13. Links to Other Websites

Our online offering contains links to external websites of third parties whose content and data protection practices we have no influence over. We recommend that you observe the privacy notices of the respective other providers when leaving our offering.

14. Security

We use technical and organizational security measures to protect your data against accidental or intentional manipulation, loss, destruction, or unauthorized access. Our security measures are continuously improved in line with technological developments.

15. Scope and Amendments

This Privacy Policy applies to the online offering of Somana Health GmbH at somana.com and to our online communication channels. For the processing of your data in our practice (treatment, billing, voice-assisted documentation), supplementary data protection information applies, which you will receive with your intake form and can be viewed at somana.com/de/datenschutz-comosio.

We reserve the right to amend this Privacy Policy in order to adapt it to changes in the legal situation or to changes in our offering. The most recent version is available on this website.

As of: 06.05.2026 · Version 2026.05

Somana Health GmbH · Französische Straße 24 · 10117 Berlin