Last updated: 16 May 2026

Privacy

Privacy shouldn't be 40 pages of legalese. Here is a clear overview of what we collect, why we do it, and what rights you have. If you have questions, contact us at personvern@sombook.no.

— 1

Who is the data controller?

Sombook AS, company registration number [ORG.NR], is the data controller for the personal data processed in connection with operating the Sombook platform.

Contact: personvern@sombook.no

— 2

What do we collect?

Clinic data

Name, email, phone number and billing address of the clinic's contact person and/or owner. Used to administer the subscription.

Client data (on behalf of the clinic)

Name, contact info and treatment history of the clinic's clients. Sombook is the data processor for these — the clinic is the data controller.

Usage data (website analytics)

If you consent, we collect usage data via PostHog: page views, clicks, events and error reports. This is used to improve the website and the product.

— 3

Why do we collect it?

We process personal data to deliver and improve the service, invoice correctly, send important operational notices and meet legal requirements.

The legal basis is contract (delivering the service), legitimate interest (improving the product), consent (website analytics) and legal obligation (accounting, GDPR compliance).

— 4

Who do we share data with?

We share data with sub-processors necessary to run the service — such as hosting, payment provider, email provider and analytics (PostHog). All sub-processors are bound by data processing agreements.

We never sell personal data to third parties.

All data processors are located within the EEA, or have adequate transfer mechanisms under the GDPR.

— 5

Storage and security

Data is stored on servers within the EEA. We use encryption in transit (TLS) and at rest (AES-256), and limit access to personal data to staff with a legitimate need.

We perform regular security reviews and follow recognised industry standards for information security.

— 6

Your rights

Access You can request a copy of all personal data we hold about you.

Rectification You can request that incorrect information is corrected.

Erasure You can request that data is deleted (with certain exceptions under the law).

Data portability You can request your data in a machine-readable format.

Objection You can object to processing based on legitimate interest.

Withdrawal You can withdraw consent to analytics at any time via «Manage consent» in the footer.

Send requests to personvern@sombook.no . We respond within 30 days.

— 7

Cookies and analytics

We use necessary cookies to operate the service (login, session handling). These do not require consent.

For analytics we use PostHog (EU-hosted, eu.i.posthog.com). PostHog collects page views, clicks, events and error reports, and sets cookies. Analytics only starts after you have given consent in the consent banner, and you can withdraw consent at any time via «Manage consent» at the bottom of the page. If you decline, no analytics cookies are set.

You can also manage cookies in your browser.

— 8

Data processing agreement

Clinics using Sombook enter into a data processing agreement (DPA) at the start. The agreement governs Sombook's processing of client data on the clinic's behalf, in accordance with GDPR Article 28.

The data processing agreement is available on request and is signed electronically at the start.

— 9

Contact and right to complain

You have the right to complain to the Norwegian Data Protection Authority (Datatilsynet) if you believe we process personal data in breach of applicable rules. Datatilsynet can be reached at

For privacy questions: personvern@sombook.no

You have the right to complain to the Norwegian Data Protection Authority (Datatilsynet) if you believe we process personal data in breach of applicable rules. Datatilsynet can be reached at datatilsynet.no .