Privacy Policy – Inanna Wellness Berlin
Inanna GmbH
Privacy Policy
This document is a non-binding English convenience translation of the German-language Datenschutzerklärung. Only the German version is legally authoritative. In the event of any inconsistency, the German text shall prevail.
§ 1 Controller
The controller within the meaning of Art. 4(7) of Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) is:
Inanna GmbH
Charlottenstraße 19
10117 Berlin
Managing Director: Mr Siddharth Raja
Commercial Register: HRB 237773 B, Amtsgericht Charlottenburg
VAT ID: DE352548770
Email: [email protected]
WhatsApp: https://inanna.spa/whatsapp
Phone: 0800 0808 800 (toll-free within Germany)
Website: https://inanna.beauty
§ 2 Data Protection Contact
Inanna GmbH has not appointed a data protection officer, as the requirements of Art. 37 GDPR and § 38 of the German Federal Data Protection Act (BDSG) are not met. Please direct all data-protection inquiries to:
Email: [email protected]
Subject line: “Data Protection Inquiry”
We will respond without undue delay and in any event within one month of receipt (Art. 12(3) GDPR).
§ 3 Overview of Processing Activities and Legal Bases
Inanna GmbH processes personal data for the purposes set out below. Each processing activity relies on an independent legal basis under the GDPR, detailed in the corresponding section:
– Website provision and security (Art. 6(1)(f) GDPR)
– Cookie management and web analytics (§ 25 TDDDG; Art. 6(1)(a) GDPR)
– Content delivery and security services via CDN (§ 25(2) TDDDG; Art. 6(1)(f) GDPR)
– Server-side tag management and conversion tracking (Art. 6(1)(a) and Art. 6(1)(f) GDPR)
– Heatmap and session analysis (Art. 6(1)(a) GDPR)
– 3D virtual tour of premises (Art. 6(1)(a) and Art. 6(1)(f) GDPR)
– Appointment booking and management via our booking platform (Art. 6(1)(b) GDPR)
– Appointment booking via third-party platform Treatwell (Art. 6(1)(b) GDPR)
– Performance of treatment and service contracts (Art. 6(1)(b) GDPR)
– In-store product sales and point-of-sale transactions (Art. 6(1)(b) GDPR)
– Product shipping via carrier (Art. 6(1)(b) GDPR)
– Management of promotional vouchers and rewards programs (Art. 6(1)(f) GDPR)
– VAT refund for non-EU customers via Global Blue (Art. 6(1)(c) GDPR)
– Processing of health-related data for treatment purposes (Art. 9(2)(a) GDPR)
– Diagnostic imaging and skin analysis using Canfield® systems and Biologique Recherche® Skin Instant Lab™ (Art. 9(2)(a) GDPR)
– Individualized micronutrient formulation via HCK Mikronährstoffe (Art. 9(2)(a) GDPR)
– Referral for blood testing in connection with micronutrient analysis via IMD Laboratory (Art. 9(2)(a) GDPR)
– Before-and-after documentation and photography (Art. 6(1)(a) and Art. 9(2)(a) GDPR)
– CCTV surveillance of publicly accessible areas of the premises (Art. 6(1)(f) GDPR; § 4 BDSG)
– Payment processing (Art. 6(1)(b) GDPR)
– Communication via email, WhatsApp, social media, live chat, and telephone (Art. 6(1)(b) and Art. 6(1)(f) GDPR)
– AI-assisted drafting and quality assurance of communications (Art. 6(1)(f) GDPR)
– Newsletter and marketing communications (Art. 6(1)(a) GDPR)
– Event invitations and client-relationship communications (Art. 6(1)(a) and Art. 6(1)(f) GDPR)
– Compliance with tax and commercial record-keeping obligations (Art. 6(1)(c) GDPR)
– Recruitment and hiring (Art. 6(1)(b) and Art. 88 GDPR in conjunction with § 26 BDSG)
– Press and public relations (Art. 6(1)(f) GDPR)
– Google Ads campaign management via agency (Art. 6(1)(a) GDPR)
– Processing of minors’ data with parental consent (Art. 6(1)(a), Art. 8, Art. 9(2)(a) GDPR)
§ 4 Website Hosting and Server Log Files
Our website is hosted on a dedicated server operated by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany (registered at Amtsgericht Ansbach under HRB 6089). Hetzner operates data centers exclusively within the European Economic Area and acts as a data processor under Art. 28 GDPR pursuant to a data processing agreement.
When you visit our website, the hosting server automatically collects and stores information in server log files transmitted by your browser. This data is technically necessary to deliver the website and to ensure its stability and security. The processing is based on Art. 6(1)(f) GDPR (legitimate interest in the secure and efficient provision of the website).
Our website runs on Craft CMS and is maintained with current security updates. The CMS sets technically necessary session and security cookies (CRAFT_CSRF_TOKEN and CraftSessionId) that are essential for website functionality and security. These cookies are exempt from the consent requirement under § 25(2) of the German Telecommunications Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz – TDDDG). Craft CMS is self-hosted on the dedicated server described above; no data is transmitted to the developer (Pixel & Tonic, Inc.).
The following data is recorded in server log files:
– IP address of the requesting device
– Date and time of access
– Name and URL of the requested file
– Website from which access was made (referrer URL)
– Browser type and version, operating system
– Volume of data transferred
– HTTP status code
This data is not merged with other data sources. Server log files are automatically deleted after 14 days unless further retention is necessary for security purposes.
§ 5 Cookies and Consent Management
5.1 General Information
Our website uses cookies – small text files stored by your browser on your device. Some cookies are technically necessary to ensure website functionality (§ 25(2) TDDDG). Others serve analytical and marketing purposes and require your prior consent (§ 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR).
5.2 Consent Management (Cookiebot)
We use Cookiebot, a service of Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark, to obtain, manage, and document your cookie consent. Usercentrics acts as a data processor under Art. 28 GDPR. When you visit our website, Cookiebot displays a consent banner through which you can accept or decline non-essential cookies. Your preferences are stored in a cookie on your device and documented by Cookiebot to demonstrate compliance with § 25 TDDDG and Art. 7(1) GDPR.
Cookiebot processes the following data: your anonymized IP address, date and time of consent, browser user agent, the URL from which consent was given, an anonymous encrypted key value, and your consent status. The legal basis is Art. 6(1)(c) GDPR (documentation obligation) in conjunction with Art. 6(1)(f) GDPR (legitimate interest in lawful cookie usage). The retention period is 12 months.
5.3 Strictly Necessary Cookies
These cookies are essential for basic website functionality and do not require consent under § 25(2) TDDDG. They include session cookies, the Cookiebot consent cookie, and cookies required for the Shore booking system integration.
5.4 Analytics Cookies (Consent Required)
With your consent, we use Google Analytics 4, a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Ireland acts as a data processor under Art. 28 GDPR. Google Analytics uses cookies to evaluate your use of the website. IP anonymization is enabled. The processing is based on your consent under § 25(1) TDDDG and Art. 6(1)(a) GDPR. You may withdraw consent at any time via the Cookiebot consent banner or your browser settings.
Google is certified under the EU-US Data Privacy Framework. For further information: https://policies.google.com/privacy.
5.5 Marketing Cookies (Consent Required)
With your consent, cookies from advertising and social media platforms may be set to deliver targeted content and measure campaign effectiveness. These cookies are placed only after explicit consent via the Cookiebot banner. The processing is based on your consent under § 25(1) TDDDG and Art. 6(1)(a) GDPR.
5.6 Content Delivery Network (Cloudflare)
Our website uses the content delivery network (CDN) and security services of Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA. When you access our website, your connection is routed through Cloudflare’s globally distributed server network, during which your IP address, browser information, and request data may be processed. Certain technically necessary cookies (e.g., _cfuvid) may be set by Cloudflare. These are exempt from the consent requirement under § 25(2) TDDDG; the processing is based on Art. 6(1)(f) GDPR (legitimate interest in security and performance). Cloudflare is certified under the EU-US Data Privacy Framework. Cloudflare is an independent data controller for CDN and security processing.
5.7 Server-Side Tag Management (Stape)
We use Stape Europe OÜ (registration number 16564377), Tallinn, Estonia, as the hosting provider for our server-side Google Tag Manager (sGTM). When you interact with our website, tracking data (such as page views, conversion events, and device information) is first sent to a Stape-hosted server container at the subdomain vipimo.inanna.beauty before being forwarded to analytics and advertising platforms (e.g., Google Analytics, Google Ads, Meta).
Stape acts as a data processor under Art. 28 GDPR. The Stape container runs on European infrastructure. The cookies set via the server-side container (e.g., _ga, _ga_#, _gcl_au, _gcl_ls, FPID, FPAU, FPLC, FPGSID) are first-party cookies on the domain inanna.beauty. They require your prior consent under § 25(1) TDDDG; the legal basis is Art. 6(1)(a) GDPR.
5.8 Heatmap and Session Analysis (Microsoft Clarity)
With your consent, we use Microsoft Clarity, a service of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, to analyze usage behavior on our website through heatmaps and anonymized session recordings. Microsoft Clarity sets the cookies _clck (1 year) and _clsk (1 day) on the domain inanna.beauty.
The processing is based on your consent under § 25(1) TDDDG and Art. 6(1)(a) GDPR. Microsoft is certified under the EU-US Data Privacy Framework. You may withdraw consent at any time via the Cookiebot consent banner. For further information: https://clarity.microsoft.com/terms.
5.9 3D Virtual Tour (Matterport)
Our contact page features an interactive 3D virtual tour of our premises, provided by Matterport, Inc., 352 E. Java Dr., Sunnyvale, CA 94089, USA. When the tour is loaded, Matterport processes your IP address, device information, and interaction data. Matterport is an independent data controller for this processing. Matterport sets technically necessary Cloudflare cookies (_cfuvid) and an anonymous session identifier (sc_anonymous_id) via its domains (cdn-2.matterport.com, my.matterport.com, static.matterport.com). These cookies are exempt from the consent requirement under § 25(2) TDDDG.
The 3D tour is loaded only after you give consent (two-click integration). The legal basis is Art. 6(1)(a) GDPR. Matterport is based in the United States and is certified under the EU-US Data Privacy Framework (adequacy decision of July 10, 2023). You can avoid a data transfer by not loading the tour.
5.10 Cookie Table
The table below lists all cookies identified during the Cookiebot scan of February 2, 2026, on inanna.beauty, with updated classifications. Cookies are grouped by Cookiebot consent category. Cookies in the “Necessary” category do not require consent (§ 25(2) TDDDG). All other categories require prior consent (§ 25(1) TDDDG, Art. 6(1)(a) GDPR).
Necessary Cookies (10)
CookieConsent (inanna.beauty) — HTTP — 1 year — Stores cookie consent status (Cookiebot)
CookieConsent (vipimo.inanna.beauty) — HTTP — 1 year — Stores cookie consent status (server-side)
CRAFT_CSRF_TOKEN (inanna.beauty) — HTTP — Session — CSRF protection token for CMS (Craft CMS)
CraftSessionId (inanna.beauty) — HTTP — Session — Session identifier for CMS (Craft CMS)
_cfuvid (cdn-2.matterport.com) — HTTP — Session — Cloudflare CDN load balancing
_cfuvid (my.matterport.com) — HTTP — Session — Cloudflare CDN load balancing
_xsd (vipimo.inanna.beauty) — HTML — Persistent — Server-side GTM internal data
sc_anonymous_id (static.matterport.com) — HTML — Persistent — Anonymous session for 3D tour
v3:superchat-session-* (widget.superchat.de) — HTML — Session — Superchat: live chat widget session status
v3:superchat-session-previous-state-* (widget.superchat.de) — HTML — Session — Superchat: previous live chat widget session status
Statistics Cookies (6) – Consent Required
_clck (inanna.beauty) — HTTP — 1 year — Microsoft Clarity: visitor identification for heatmaps
_clsk (inanna.beauty) — HTTP — 1 day — Microsoft Clarity: session-level behavioral data
FPAU (inanna.beauty) — HTTP — 90 days — Google Analytics: first-party audience identifier (server-side)
FPGSID (inanna.beauty) — HTTP — 1 day — Google Analytics: session identifier (server-side)
FPID (inanna.beauty) — HTTP — 400 days — Google Analytics: persistent visitor identifier (server-side)
FPLC (inanna.beauty) — HTTP — 1 day — Google Analytics: cross-domain linking (server-side)
Marketing Cookies (18) – Consent Required
_ga (inanna.beauty) — HTTP — 2 years — Google Analytics: cross-device and cross-channel visitor tracking
_ga_# (inanna.beauty) — HTTP — 2 years — Google Analytics: session and visitor data (property level)
_gcl_au (inanna.beauty) — HTTP — 90 days — Google Ads: conversion linker for ad attribution
_gcl_ls (vipimo.inanna.beauty) — HTML — Persistent — Google Ads: conversion tracking rate
_fbp (inanna.beauty) — HTTP — 90 days — Meta/Facebook: ad delivery and measurement
IDE (doubleclick.net) — HTTP — 400 days — Google/DoubleClick: advertising identification
ads/ga-audiences (google.com) — Pixel — Session — Google Ads: remarketing audience matching
pagead/1p-user-list/# (google.com) — Pixel — Session — Google Ads: first-party audience list matching
_/set_cookie (vipimo.inanna.beauty) — Pixel — Session — Server-side GTM: sets required analytics/marketing cookies
lastExternalReferrer (connect.facebook.net) — HTML — Persistent — Meta: referral source tracking
lastExternalReferrerTime (connect.facebook.net) — HTML — Persistent — Meta: referral timestamp
channel_flow (inanna.beauty) — HTTP — 400 days — Marketing channel attribution (server-side)
channel_flow_first (inanna.beauty) — HTTP — 400 days — First marketing channel attribution
channel_flow_last (inanna.beauty) — HTTP — 400 days — Last marketing channel attribution
kuki (inanna.beauty) — HTTP — 400 days — Session and visitor identification (server-side)
test_cookie (doubleclick.net) — HTTP — 1 day — Google advertising: checks browser cookie support
_gtmeec (inanna.beauty) — HTTP — 90 days — Google Tag Manager: enhanced conversion data
§ 6 Appointment Booking (Shore)
We use Shore GmbH, Ridlerstraße 31, 80339 Munich, Germany, as our booking and appointment management platform. When you book an appointment via our website, by phone, via WhatsApp, or in person, the following data is processed through Shore:
– Name, email address, phone number
– Requested appointment date and time
– Selected service(s)
– Any notes you provide during the booking process
The processing is based on Art. 6(1)(b) GDPR (performance of a contract or pre-contractual measures). Shore acts as a data processor on our behalf under Art. 28 GDPR. Your booking data is stored on servers within the European Union.
We also receive appointment bookings via Treatwell B.V., Nieuwezijds Voorburgwal 120–126, 1012 SH Amsterdam, the Netherlands. Treatwell is an independent data controller for its own platform and transmits booking data (name, email address, phone number, selected service, and requested appointment time) to us for appointment fulfillment. The legal basis for our processing of data received via Treatwell is Art. 6(1)(b) GDPR.
§ 7 Contract Performance, Service Delivery, and Product Sales
When you receive treatments or services at Inanna, we process the personal data necessary for contract performance. This includes your contact details, appointment history, treatment records, service preferences, and all correspondence relating to your care. The legal basis is Art. 6(1)(b) GDPR.
When you purchase cosmetic or personal-care products on our premises, we process the data necessary for the purchase transaction, including item description, purchase price, payment method, and transaction reference. This data is processed through our point-of-sale system (Shore POS) and transmitted to our accounting platform (LexOffice) to meet tax obligations. The processing is based on Art. 6(1)(b) GDPR (contract performance) and Art. 6(1)(c) GDPR (tax record-keeping obligations).
In exceptional cases where a product is shipped at your request, we also process your delivery address and transmit it to our shipping provider DHL (Deutsche Post DHL Group, Charles-de-Gaulle-Straße 20, 53113 Bonn) solely for the purpose of delivery. DHL is an independent data controller for the transport and delivery process. The legal basis is Art. 6(1)(b) GDPR.
For non-EU customers who purchase products on our premises, we use the Global Blue Tax Free App (Global Blue AG, Zugerstrasse 70, 6340 Baar, Switzerland) to process VAT-refund documentation. Passport or ID data, nationality, purchase details, and the refund amount are processed. The processing is based on Art. 6(1)(c) GDPR (compliance with VAT regulations) and Art. 6(1)(b) GDPR (performance of the purchase contract). Global Blue is an independent data controller for the tax-free refund process. Switzerland has an adequacy decision under Art. 45 GDPR.
Where we retain records following a treatment or sale for statutory purposes (e.g., tax and commercial obligations under § 147 of the German Fiscal Code (AO) and § 257 of the German Commercial Code (HGB)), the legal basis is Art. 6(1)(c) GDPR. Retention follows the statutory periods (up to ten years for tax records, up to six years for commercial correspondence); data is deleted thereafter.
If you participate in a promotional voucher or rewards program (§ 16 of the General Terms and Conditions), we process the data necessary for program administration: your name, date of birth (for the Inanna Birthday® program), referral status (for the Inanna Ambassador® program), and credit balance and redemption history. This processing is based on Art. 6(1)(f) GDPR (legitimate interest in customer retention and referral management). You have the right to object at any time under Art. 21 GDPR.
§ 8 Health-Related Data (Special Categories)
Inanna provides non-medical wellness, skincare, body, and hair/scalp treatments. To deliver these services safely, we may collect and process health-related information that constitutes special categories of personal data within the meaning of Art. 9(1) GDPR. This includes:
– Information from our health and intake questionnaire (skin conditions, allergies, medication, medical history, pregnancy status, recent procedures)
– Skin and scalp findings during consultations
– Contraindication checks before certain treatments (e.g., laser, radiofrequency, chemical peels, microneedling)
– Treatment notes and progress documentation
Skin and scalp findings may be captured using Canfield® VISIA® and D2® HairMetrix® imaging systems, which take high-resolution photographs of your skin or scalp, as well as the Biologique Recherche® Skin Instant Lab™, which measures biophysical skin parameters such as hydration, sebum, and elasticity. Image and measurement data are stored securely on our premises and treated as special categories of personal data under Art. 9(1) GDPR. The legal basis is your explicit consent under Art. 9(2)(a) GDPR.
Our Canfield® imaging systems require periodic maintenance by Canfield Scientific GmbH, Otto-Brenner-Straße 203, 33604 Bielefeld, Germany (a wholly owned subsidiary of Canfield Scientific, Inc., USA). During support activities, Canfield technical personnel may access diagnostic images stored on the device. Canfield Scientific GmbH acts as a data processor under Art. 28 GDPR. Processing takes place in Germany.
The general legal basis for processing health-related data is your explicit consent under Art. 9(2)(a) GDPR, which you provide by completing the health questionnaire and signing the treatment consent form before your first appointment. You may withdraw this consent at any time with future effect; withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. If withdrawal makes it impossible to deliver certain treatments safely, we reserve the right to decline the service (§ 9 of the General Terms and Conditions).
For the preparation of individualized micronutrient formulations, we use the platform of HCK Mikronährstoffe (HCK Mikronährstoffe AG, Untere Bahnhofstrasse 28, 9500 Wil, Switzerland). Client health data – including nutritional information, supplementation needs, and, where applicable, blood values – are entered into the HCK platform to compile individualized supplement formulations. This data constitutes special categories of personal data under Art. 9(1) GDPR. The processing is based on Art. 9(2)(a) GDPR (your explicit consent). HCK acts as a data processor under Art. 28 GDPR. Switzerland has an adequacy decision under Art. 45 GDPR.
Where blood tests are conducted as part of a micronutrient assessment, we refer specimens to IMD Institut für Medizinische Diagnostik Berlin-Potsdam GbR, Nicolaistraße 22, 12247 Berlin. IMD is an independent data controller and is subject to medical-laboratory regulations and medical professional confidentiality. We transmit your name and relevant health information solely for the purpose of conducting the analysis. The legal basis is Art. 9(2)(a) GDPR (your explicit consent). Blood-test results returned to us are processed as part of your health record under this section.
Health-related data is treated with the highest level of confidentiality, is accessible only to the treating professionals and strictly necessary administrative personnel, and is stored separately from general client data wherever technically feasible.
§ 9 Before-and-After Documentation
With your separate, explicit consent, we may take photographs of treatment areas before and after a course of treatment for the purpose of progress documentation and treatment planning. These photographs may contain health-related information and are treated as special categories of personal data under Art. 9(1) GDPR.
The processing is based on Art. 9(2)(a) GDPR; consent is obtained separately from the general treatment consent. Photographs are stored securely and are not shared with third parties, published, or used for marketing purposes unless you provide a separate, additional written consent. Withdrawal and exercise of the right to erasure are possible at any time.
§ 10 CCTV Surveillance of Premises
We operate a CCTV system in the entrance area, at reception, in corridors, and in the retail area (Spa Shop) of our premises. The surveillance serves to protect the premises and inventory, to ensure the safety of staff and clients, and to prevent and investigate criminal activity including theft. Treatment rooms, consultation areas, and restrooms are not monitored. The system records video footage only; no audio is captured.
The processing is based on Art. 6(1)(f) GDPR in conjunction with § 4 BDSG (legitimate interest in the security of publicly accessible areas). Recordings are stored locally on recording equipment on the premises and are not transmitted to third parties, cloud services, or external data processors.
The retention period is 72 hours, after which recordings are automatically overwritten. An exception applies to footage whose retention is necessary for the investigation of a specific incident or for the establishment, exercise, or defense of legal claims. In such cases, footage is retained until the matter is resolved.
Monitored areas are identified by signage in accordance with Art. 13 GDPR and § 4(2) BDSG.
§ 11 Payment Processing
We offer various payment methods. The data processed depends on the method you choose:
11.1 Card and Digital-Wallet Payments via Shore Pay (Stripe)
Card payments on our premises – including Visa, Mastercard, American Express, EC card/Girocard, Apple Pay, and Google Pay – as well as online payments via our booking platform are processed through Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland, as part of the integrated Shore Pay system. Contactless payments via NFC-enabled cards and mobile devices are processed through the same infrastructure. Stripe processes your payment card data directly; we do not receive or store your full card details. Stripe is certified under the EU-US Data Privacy Framework. The legal basis is Art. 6(1)(b) GDPR. Stripe acts as a data processor under Art. 28 GDPR for transaction execution on our behalf and simultaneously as an independent data controller for PCI-regulated card-data processing and fraud prevention.
11.2 Remote Payment Links (SumUp)
For remote payments – including deposits, voucher purchases, and the settlement of cancellation fees via payment links sent (e.g., by WhatsApp or email) – we use SumUp Limited, Block 8, Harcourt Centre, Charlotte Way, Dublin 2, Ireland. SumUp processes your payment card data directly; we do not receive or store your full card details. The processing is based on Art. 6(1)(b) GDPR. SumUp acts as a data processor under Art. 28 GDPR for transaction execution on our behalf and simultaneously as an independent data controller for PCI-regulated card-data processing and fraud prevention.
11.3 PayPal
PayPal payments are processed by PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, 2449 Luxembourg, as an independent data controller. The processing is based on Art. 6(1)(b) GDPR.
11.4 Bank Transfer (Commerzbank)
Bank transfers and direct-debit payments are processed by Commerzbank AG, Kaiserplatz, 60261 Frankfurt am Main, in accordance with banking-supervisory regulations. Commerzbank is an independent data controller. The legal basis is Art. 6(1)(b) GDPR.
11.5 Cash Payment
No payment-related processing of personal data occurs for cash payments. Receipts are retained for tax purposes under Art. 6(1)(c) GDPR in conjunction with § 147 AO.
§ 12 Communication Channels
12.1 Email (Microsoft 365)
Our email correspondence is handled through Microsoft 365 by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. When you contact us at [email protected], your message content, email address, and associated metadata are processed on Microsoft’s infrastructure. Microsoft acts as a data processor under Art. 28 GDPR pursuant to a data processing agreement. Microsoft is certified under the EU-US Data Privacy Framework. The processing is based on Art. 6(1)(b) GDPR (contractual communication) and Art. 6(1)(f) GDPR (legitimate interest in efficient business communication).
12.2 WhatsApp, Instagram, Facebook, Telegram, and SMS (Superchat)
We use Superchat GmbH, Franz-Joseph-Straße 11, 80801 Munich, Germany, as a unified messaging platform to manage client communications via WhatsApp Business API, Facebook Messenger, Instagram Direct Messages, Telegram, and SMS (via Twilio, Inc., 101 Spear Street, San Francisco, CA 94105, USA, as the underlying SMS gateway). Superchat acts as a data processor on our behalf under Art. 28 GDPR.
When you contact us through any of these channels, the following data may be processed: your name and profile information as provided by the respective platform, your messages and any attachments, your phone number (WhatsApp, Telegram, and SMS), and communication timestamps. The processing is based on Art. 6(1)(b) GDPR (contractual communication) and Art. 6(1)(f) GDPR (legitimate interest in responding via your preferred channel).
The underlying platform operators process your data as independent data controllers:
– WhatsApp, Instagram, Facebook Messenger: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland
– SMS: Twilio, Inc., San Francisco, CA, USA (certified under the EU-US Data Privacy Framework)
– Telegram: Telegram FZ-LLC, Dubai, United Arab Emirates
Please refer to each platform’s own privacy policy for further details. If you prefer not to use these services, you can reach us by email at [email protected].
12.3 Telephone (Deutsche Telekom Cloud PBX)
Our telephone service is provided through Deutsche Telekom Cloud PBX, a product of Deutsche Telekom AG, Friedrich-Ebert-Allee 140, 53113 Bonn. When you call us at 0800 0808 800 (within Germany), your phone number and call metadata (time, duration) are processed by Deutsche Telekom within the Cloud PBX infrastructure. Deutsche Telekom acts as a data processor pursuant to a data processing agreement. We may record your phone number in our client records for callback or appointment management purposes. The processing is based on Art. 6(1)(f) GDPR (legitimate interest in managing client communications).
Phone calls are not recorded.
12.4 Live Chat Widget (Superchat)
Our website includes a live chat widget operated by Superchat GmbH (see § 12.2). When you use the live chat, Superchat processes your messages, session status, and browser metadata. Technically necessary session cookies (v3:superchat-session-*) are set on widget.superchat.de to maintain the chat session. These cookies do not require consent under § 25(2) TDDDG. The processing is based on Art. 6(1)(b) GDPR (pre-contractual communication) and Art. 6(1)(f) GDPR (legitimate interest in providing real-time support).
§ 13 AI-Assisted Communication (Anthropic / Claude)
We use Claude, a large language model developed by Anthropic, PBC, 548 Market Street, San Francisco, CA 94104, USA (European operations through Anthropic UK Limited), to assist in drafting, reviewing, and improving internal and client-facing communications, treatment documentation, and operational content. Claude is used under Anthropic’s business plan, which includes a data processing agreement and contractual data-handling commitments.
When Claude is used, relevant texts – which may contain anonymized or pseudonymized client information, treatment descriptions, or correspondence content – are transmitted to Anthropic’s infrastructure for processing. We minimize the personal data included in each input and anonymize or pseudonymize information that could identify a client wherever practically feasible.
The legal basis is Art. 6(1)(f) GDPR (legitimate interest in efficient, high-quality communication and operational support). Where processing may involve health-related data, we ensure that inputs are anonymized to the extent that they no longer constitute personal data, or we rely on Art. 9(2)(a) GDPR (your explicit consent for treatment-related processing).
Anthropic is based in the United States. The data transfer is safeguarded by Anthropic’s contractual commitments, including standard contractual clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, to the extent the EU-US Data Privacy Framework does not apply. Claude does not retain conversation data for model training under the business plan.
§ 14 Newsletter Communications (Brevo)
We use Brevo GmbH (formerly Sendinblue), Köpenicker Straße 126, 10179 Berlin, to send newsletters and regular treatment information to clients who have given their consent. Brevo acts as a data processor under Art. 28 GDPR.
When you subscribe to our newsletter, the following data is processed: your email address, name (if provided), subscription timestamp, IP address at the time of sign-up (for double opt-in verification), and interaction data (open and click behavior) for the purpose of content relevance. Subscription follows a double opt-in process.
The legal basis is Art. 6(1)(a) GDPR (your consent). You may unsubscribe at any time via the unsubscribe link in each newsletter, by email to [email protected], or via WhatsApp at https://inanna.spa/whatsapp. Withdrawal takes effect for the future and does not affect the lawfulness of prior processing. After unsubscribing, your email address is retained solely on a suppression list to prevent re-enrollment; this retention is based on Art. 6(1)(f) GDPR (legitimate interest in honoring your withdrawal).
§ 15 Event Invitations and Client Communications (Greenvelope)
For personalized event invitations, birthday greetings, delivery of promotional vouchers (including Inanna Ambassador® and Inanna Birthday® vouchers under § 16 of the General Terms and Conditions), and selected client-relationship communications, we use Greenvelope, Inc., Gig Harbor, WA, USA, a digital invitation service. Greenvelope is an independent data controller and processes the recipient’s name, email address, and response data. No automated sending occurs.
The processing is based on Art. 6(1)(a) GDPR (your consent, to the extent the communication is marketing-related) and Art. 6(1)(f) GDPR (legitimate interest in maintaining the client relationship through personalized communication, e.g., birthday greetings where you have voluntarily provided your date of birth). You may withdraw consent at any time by email to [email protected] or via WhatsApp.
Greenvelope is based in the United States. The transfer is safeguarded by standard contractual clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. Further information is available in Greenvelope’s privacy policy at greenvelope.com/privacy.
§ 16 Social Media Presence
We maintain public profiles on the following platforms: Instagram (instagram.com/inanna.wellness, active), YouTube (active), Facebook (dormant profile), and LinkedIn (used primarily for recruitment). When you interact with any of these profiles, your data is processed by the respective platform operator as an independent data controller. We receive anonymized, aggregated analytics data under joint controllership arrangements pursuant to Art. 26 GDPR (for Instagram and Facebook under the Meta Page Insights Terms; for LinkedIn under the LinkedIn Page Insights Joint Controller Addendum).
Direct messages are managed via Superchat (see § 12.2). The legal basis for our processing of social media interactions is Art. 6(1)(f) GDPR (legitimate interest in the public representation of the company and in engaging with clients and prospective clients).
Photographs and video content published on our social media profiles and website may feature models who have provided separate written consent for the use of their image across all of the provider’s platforms. Model image rights are governed by individual consent agreements and are not covered by this Privacy Policy.
§ 17 Accounting and Tax Compliance (LexOffice)
For the digital management, processing, and retention of accounting and tax-relevant data, we use LexOffice, a cloud-based accounting platform operated by Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg im Breisgau. LexOffice processes invoice data, payment receipts, and client transaction data transmitted from our point-of-sale system (Shore POS) for the purpose of ongoing bookkeeping and compliance with statutory retention obligations.
The processing is based on Art. 6(1)(c) GDPR (compliance with tax obligations under § 147 AO and § 257 HGB). Haufe-Lexware acts as a data processor under Art. 28 GDPR. Data is processed and stored within the European Economic Area.
Our annual financial statements and tax returns are prepared by Ernst & Young GmbH Wirtschaftsprüfungsgesellschaft (EY), Friedrichstraße 140, 10117 Berlin. EY is an independent data controller and is subject to statutory professional confidentiality obligations (Wirtschaftsprüferordnung – WPO; Steuerberatungsgesetz – StBerG). We transmit invoice data, payment receipts, and client transaction data to EY solely for the purpose of preparing financial statements and tax returns. The processing is based on Art. 6(1)(c) GDPR (compliance with tax and commercial obligations).
No transfer to third countries takes place.
§ 18 Recruitment (JOIN)
We use JOIN (join.com GmbH, Berlin) as our recruitment platform. When you apply to Inanna GmbH via JOIN or a job listing published on JOIN, the following data is processed: your name, contact details, resume, cover letter, qualification certificates, and any additional documents you submit. JOIN acts as a data processor under Art. 28 GDPR.
The processing is based on Art. 6(1)(b) GDPR (pre-contractual measures) in conjunction with § 26 BDSG (data processing for employment purposes; transitional provision pending enactment of a dedicated employee data protection act). If your application is unsuccessful, your data will be deleted within six months of the conclusion of the recruitment process unless you have consented to longer retention for future vacancies. No automated pre-selection takes place.
§ 19 Press and Public Relations (Presseportal)
For the distribution of press releases and public communications, we use Presseportal, a service of news aktuell GmbH (a company of the dpa Group), Mittelweg 144, 20148 Hamburg. news aktuell acts as a data processor under Art. 28 GDPR. Presseportal processes the content of press releases and associated contact details (press contact name and email address) for the purpose of media distribution. The processing is based on Art. 6(1)(f) GDPR (legitimate interest in public communication). It concerns professional media contacts only and does not include personal client data.
§ 20 Google Ads Campaign Management (Oplayo)
We use Oplayo GmbH, Skalitzer Strasse 33, 10999 Berlin (registered at Amtsgericht Berlin-Charlottenburg under HRB 195942), as our agency for managing Google Ads campaigns. Oplayo manages our campaigns including keyword strategy, bid management, audience targeting, and conversion analysis. In this capacity, Oplayo may access aggregated campaign performance data, conversion data, and audience insights from the Google Ads platform.
We do not provide Oplayo with directly personally identifiable client data. However, through administrative access to our Google Ads account, Oplayo may process pseudonymized or aggregated user data from the Google advertising ecosystem (e.g., conversion events, remarketing audiences). Oplayo acts as a data processor under Art. 28 GDPR. The legal basis is Art. 6(1)(a) GDPR (your consent to marketing cookies) in conjunction with Art. 6(1)(f) GDPR (our legitimate interest in effective advertising).
§ 21 Recipients and Data Processors
We disclose personal data to the following categories of recipients:
Data Processors (Processing on Our Behalf under Art. 28 GDPR)
– Hetzner Online GmbH, Gunzenhausen – Dedicated server hosting
– Shore GmbH, Munich – Appointment booking, CRM, and point-of-sale system
– Superchat GmbH, Munich – Unified messaging platform and live chat widget
– Twilio, Inc., San Francisco, CA, USA – SMS gateway (via Superchat)
– Microsoft Ireland Operations Limited, Dublin, Ireland – Email hosting (Microsoft 365) and heatmap analysis (Microsoft Clarity)
– Usercentrics A/S (Cookiebot), Copenhagen, Denmark – Cookie consent management
– Google Ireland Limited, Dublin, Ireland – Web analytics (Google Analytics 4)
– Deutsche Telekom AG, Bonn – Cloud PBX telephony
– Anthropic, PBC / Anthropic UK Limited – AI-assisted communication (Claude)
– Brevo GmbH, Berlin – Newsletter and email marketing
– Haufe-Lexware GmbH & Co. KG (LexOffice), Freiburg im Breisgau – Cloud-based accounting
– HCK Mikronährstoffe AG, Wil, Switzerland – Individualized micronutrient formulation
– Canfield Scientific GmbH, Bielefeld – Diagnostic imaging system maintenance
– join.com GmbH, Berlin – Recruitment platform
– news aktuell GmbH (Presseportal), Hamburg – Press distribution
– Stape Europe OÜ, Estonia – Server-side Google Tag Manager hosting
– Oplayo GmbH, Berlin – Google Ads campaign management
Independent Data Controllers
– SumUp Limited, Dublin, Ireland – Remote payment link processing; also a data processor for transaction execution
– Stripe Payments Europe, Ltd., Dublin, Ireland – Card, digital-wallet, and online payment processing (via Shore Pay); also a data processor for transaction execution
– PayPal (Europe) S.à r.l. et Cie, S.C.A., Luxembourg – Payment processing
– Commerzbank AG, Frankfurt am Main – Banking services
– Meta Platforms Ireland Limited, Dublin, Ireland – WhatsApp, Instagram, Facebook
– Telegram FZ-LLC, Dubai, UAE – Telegram messaging
– Greenvelope, Inc., USA – Digital invitations
– Deutsche Post DHL Group, Bonn – Product shipping (where applicable)
– Cloudflare, Inc., San Francisco, USA – Content delivery network and security services
– Matterport, Inc., Sunnyvale, USA – 3D virtual tour
– Treatwell B.V., Amsterdam, Netherlands – Appointment booking platform
– Global Blue AG, Baar, Switzerland – VAT refund
– IMD Institut für Medizinische Diagnostik Berlin-Potsdam GbR, Berlin – Blood-testing laboratory
– YouTube (Google Ireland Limited), Dublin, Ireland – Video hosting
– LinkedIn Ireland Unlimited Company, Dublin, Ireland – Professional network
– Ernst & Young GmbH Wirtschaftsprüfungsgesellschaft (EY), Berlin – Annual financial statements and tax returns (controller under professional confidentiality)
Other Recipients
– Public authorities – where disclosure is required by law (Art. 6(1)(c) GDPR)
Personal data is neither sold to third parties nor disclosed for purposes beyond those described in this Privacy Policy.
§ 22 Transfers to Third Countries
Some of the service providers named in this Privacy Policy are based outside the European Economic Area (EEA) or transfer data there. We ensure that appropriate safeguards are in place:
– United States (Microsoft, Google, Stripe, Cloudflare): Certified under the EU-US Data Privacy Framework (adequacy decision of July 10, 2023).
– United States (Meta Platforms): Certified under the EU-US Data Privacy Framework.
– United States (Matterport): Certified under the EU-US Data Privacy Framework.
– United States (Anthropic / Claude): Safeguarded by standard contractual clauses (SCCs) pursuant to Art. 46(2)(c) GDPR. Claude does not retain conversation data for model training under the business plan.
– United States (Twilio): Certified under the EU-US Data Privacy Framework.
– United States (Greenvelope): Safeguarded by standard contractual clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
– Switzerland (HCK Mikronährstoffe, Global Blue): Adequacy decision under Art. 45 GDPR.
– United Arab Emirates (Telegram): No adequacy decision. The transfer is based on Art. 49(1)(a) GDPR (your explicit consent through voluntary use of Telegram). You can avoid this transfer by using email or WhatsApp instead.
§ 23 Retention Periods
We retain personal data only for as long as necessary for the respective purpose or as required by law:
– Server log files: 14 days.
– Consent records (Cookiebot): 12 months.
– Server-side tagging data (Stape): No persistent storage of personal data; data is relayed to the respective destination platforms in transit.
– Microsoft Clarity heatmap data: 13 months maximum (Microsoft’s default retention setting).
– Treatment and client records: Duration of the client relationship plus three years (§ 195 BGB), unless a longer statutory retention period applies.
– Purchase receipts: Ten years for tax-relevant invoices (§ 147 AO); delivery address data is retained until successful delivery and expiry of any applicable return or warranty period.
– Promotional voucher and loyalty program data: Duration of program participation plus the validity period of any outstanding vouchers; date of birth is retained for the duration of the client relationship.
– Global Blue tax-free transaction data: Ten years (§ 147 AO).
– Health questionnaires and treatment consent forms: Duration of the client relationship plus three years. If consent is withdrawn before that period expires, the forms are retained on the basis of Art. 6(1)(f) GDPR (legitimate interest in the defense of legal claims) until the applicable limitation period has run.
– Canfield® diagnostic images: Until withdrawal of consent or three years after the most recent appointment, whichever is later.
– HCK micronutrient formulations: Duration of the client relationship plus three years.
– IMD laboratory referral data: Duration of the client relationship plus three years.
– Before-and-after photographs: Until withdrawal of consent or three years after the most recent appointment, whichever is later.
– CCTV recordings: 72 hours; extended only where required for the investigation of a specific incident or the establishment, exercise, or defense of legal claims.
– AI-processed data (Claude): No retention by Anthropic under the enterprise plan.
– Newsletter subscriber data: Until unsubscription; the email address is subsequently maintained on a suppression list.
– Event invitation data (Greenvelope): Duration of the event communication cycle; deleted upon request or once the processing purpose no longer applies.
– Invoices and tax-relevant records: Ten years (§ 147 AO).
– Commercial correspondence: Six years (§ 257 HGB).
– Telephony connection data (cloud PBX metadata): Six years as commercial correspondence (§ 257 HGB); call contents are not recorded.
– Social media interaction data: Retention is platform-controlled under the applicable joint controllership arrangement (Art. 26 GDPR); aggregated analytics retrieved by the Controller are retained for the duration of the respective channel’s use.
– Recruitment records (unsuccessful applicants): Six months after the conclusion of the recruitment process.
– Google Ads conversion data: In accordance with Google’s retention settings; currently configured at 14 months.
After the applicable retention period expires, data is securely deleted or anonymized.
§ 24 Your Rights
You have the following rights under the GDPR. To exercise them, please contact us by email at [email protected] or via WhatsApp at https://inanna.spa/whatsapp, using the subject line “Data Protection Inquiry”:
24.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether we process personal data concerning you and, if so, to receive a copy of such data together with information about processing purposes, data categories, recipients, retention periods, and your further rights.
24.2 Right to Rectification (Art. 16 GDPR)
You have the right to request the prompt rectification of inaccurate data and the completion of incomplete data.
24.3 Right to Erasure (Art. 17 GDPR)
You may request erasure where the data is no longer necessary for the processing purpose, consent has been withdrawn (and no other legal basis applies), or processing is unlawful. This right does not apply where retention is required by law or for the establishment, exercise, or defense of legal claims.
24.4 Right to Restriction of Processing (Art. 18 GDPR)
Under certain conditions, you may request the restriction of processing – for example, while the accuracy of the data is being verified, or where processing is unlawful and you do not wish to request erasure.
24.5 Right to Data Portability (Art. 20 GDPR)
Where processing is based on consent or contract performance and is carried out by automated means, you have the right to receive your data in a structured, commonly used, and machine-readable format.
24.6 Right to Object (Art. 21 GDPR)
Where processing is based on Art. 6(1)(f) GDPR, you may object at any time on grounds relating to your particular situation. We will cease processing unless we demonstrate compelling legitimate grounds.
24.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Where processing is based on consent, you may withdraw it at any time with future effect. The lawfulness of processing carried out on the basis of consent prior to withdrawal remains unaffected.
We will respond within one month of receipt. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests; we will inform you within the first month.
§ 25 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The authority responsible for Inanna GmbH is:
Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstraße 219, 10969 Berlin
Phone: +49 30 13889-0
Email: [email protected]
Website: https://www.datenschutz-berlin.de
§ 26 Obligation to Provide Data
The provision of personal data is required by law in certain cases (e.g., tax regulations under § 147 AO) and may also be necessary for contract performance. In the case of health-related data, failure to provide accurate information may mean that certain treatments cannot be delivered safely.
§ 27 Automated Decision-Making
We do not engage in automated decision-making, including profiling, within the meaning of Art. 22 GDPR that produces legal effects concerning you or similarly significantly affects you.
§ 28 Processing of Minors’ Data
Where services are provided to clients under 18 years of age, personal data is processed on the basis of the consent of the legal guardian (Art. 6(1)(a), Art. 8 GDPR). Health-related data of minors is processed under Art. 9(2)(a) GDPR with the explicit consent of the legal guardian. The same confidentiality and data-minimization standards that apply to all client data apply to data of minors.
§ 29 Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR). Where the breach is likely to result in a high risk, we will also notify you without undue delay (Art. 34 GDPR).
§ 30 Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our processing activities, the legal landscape, or our services. The current version is always available at https://inanna.beauty/en/privacy/. Material changes will be communicated in text form (§ 126b of the German Civil Code (BGB)) at least 30 days before taking effect.



