Privacy and Data Protection Policy

This policy explains how I collect, use, and store your personal data in line with the EU General Data Protection Regulation (GDPR) and relevant Greek data protection law.

I process personal data in accordance with the General Data Protection Regulation (GDPR), including Article 6(1)(b) for the provision of therapeutic services and Article 9(2)(h) for the processing of health-related data.

By contacting me via email, phone, website, or online enquiry, you are informed that your information will be handled as described in this policy.

I, Anna Kamperou, am the Data Controller for this service. I operate the company ‘Scribble Art Therapy’.

All payments and administrative processes are handled through this practice, and any personal data is held securely by it.

About this Policy

What information I collect

I collect and process the following types of information:

Identifiable personal information: This includes your name, contact details, and any information you provide when contacting me or during therapeutic work. This is used to communicate with you, manage appointments, and provide therapy services.

Clinical records: These include session notes and relevant therapeutic information. Clinical notes are recorded for professional, clinical, safeguarding, and supervision purposes. Where possible, identifying details are minimised and stored separately from contact information.

How your information is stored

  • Paper records are kept in locked storage

  • Digital records are protected with strong passwords, and multi-factor authentication is used where available

  • I use Microsoft OneDrive as my cloud storage provider. Identifiable and clinical data are stored separately, and access is restricted

  • Email communication is handled through Microsoft Outlook

  • My website is hosted on Squarespace

  • Online sessions may take place via Zoom, which uses encryption and password protection

All third-party providers operate under their own GDPR-compliant data processing agreements.

How long I keep your information

  • In line with professional guidance and insurance requirements:

    • Clients: records are retained for seven years following the end of the therapeutic relationship

    • Enquiries (non-clients): records are retained for one year following last contact

    After these periods, data is securely deleted from digital systems and securely destroyed if held in paper form, or anonymised where appropriate.

    Records are reviewed periodically to ensure that data is not retained longer than necessary.

    Artwork created during sessions is stored securely between sessions in a locked cupboard or filing cabinet. At the end of therapy, you are welcome to take your artwork home. Any artwork not collected will be securely destroyed.

    If you do not attend final sessions and I am unable to contact you regarding your wishes, artwork will also be securely destroyed after a reasonable period.

Confidentiality and Sharing of information

All sessions and therapeutic materials, including artwork, are treated as confidential.

Confidentiality will only be broken in exceptional circumstances, including:

  • Where there is a serious risk of harm to you or another person

  • Where I am legally required to do so (e.g. a court order)

  • Where disclosure is required by professional obligations, insurance requirements, tax authorities, or data protection authorities in relation to complaints, audits, or legal obligations

Where appropriate, I will aim to discuss any such disclosure with you in advance.

As part of my professional practice, I am required to engage in regular clinical supervision. Supervision involves discussing my clinical work with a qualified supervisor to ensure safe and effective practice.

No identifiable information is shared in supervision, and all discussions are conducted in line with professional confidentiality standards.

In the unlikely event that I am unable to practise due to death or incapacity, a trusted professional colleague may contact current clients solely to provide information regarding continuity of care and appropriate next steps.

Your rights under GDPR

You have rights under the General Data Protection Regulation, including:

  • The right to access your personal data

  • The right to request correction of inaccurate data

  • The right to request deletion of your data (where applicable)

  • The right to restrict or object to processing in certain circumstances

  • The right to lodge a complaint with the Hellenic Data Protection Authority (HDPA)

  • The right to withdraw consent where processing is based on consent.

If you would like to access or correct your records, I encourage you to contact me first so I can help directly.

Contact

If you have any questions about this policy or your data, you can contact me:

Anna Kamperou
Email: scribblearttherapy@outlook.com
Practice: Scribble Art Therapy

Last updated: 20/05/2026