top of page

Privacy Policy

As of 06 December 2025

1. Controller

​

Studio Kajo (Svenja Kreiser)
Hämeenkatu 29 A 1 (2nd floor), 33200 Tampere, Finland
info@studiokajo.com
+358 413187256

​

I operate as a Light Entrepreneur in Finland.

​

​

2. Type of Services

I offer non-medical art therapy support, coaching, creative self-reflection  for personal development.
I do not provide diagnoses or treat illnesses in the medical sense.

​

​

3. Personal Data I Process

​

3.1 During Sessions

When we work together, the following data may be processed:

  • Your name

  • Your contact details

  • Content of our conversations or creative processes

​

These are not medical health data, as I do not provide diagnoses.

If you complete a form at the beginning of your participation with your name, date, and signature, this serves as proof of your voluntary participation. The documents are securely stored (locked cabinet or password-protected system) and only kept as long as necessary for documenting your participation. After that, they are properly destroyed.

​

3.2 When You Contact Me

  • Name

  • Email or phone number

  • Contact form: content of your message

​

3.3 Payment & Invoicing via Ukko

Ukko processes as a separate controller:

  • Your name

  • Payment and invoicing data

See also: https://www.ukko.fi/

​

3.4 Online Sessions via Tixeo

Tixeo processes:

  • Connection data

  • Live video and audio (no recording unless explicitly agreed)

See also: https://www.tixeo.com/

​

​

4. Why I Process Your Data

I process your data in order to:

​

  • Conduct our sessions

  • Arrange appointments

  • Respond to your inquiries

  • Fulfil legal obligations such as accounting

  • Enable online sessions

​

​

5. Legal Basis (GDPR)

I process your data on the following legal bases:

​

  • Contract / Pre-contractual measures (Art. 6(1)(b) GDPR): e.g., for scheduling and conducting sessions.

  • Legal obligation (Art. 6(1)(c) GDPR): e.g., for accounting and statutory record-keeping via Ukko.

  • Consent (Art. 6(1)(a) GDPR): e.g., for voluntary information, feedback, or online sessions. You can withdraw your consent at any time.

​​​

​

6. Cookies & Website (Wix)

My website is hosted via Wix.com.

​

Necessary Cookies:
Wix automatically sets cookies required for website functionality. These do not require your consent.

​

Non-necessary Cookies:
I do not use Google Analytics or advertising/tracking cookies. Wix may, however, use anonymous statistics or performance cookies.
You can choose what you allow in the cookie banner.

​

Server Log Files:

When you visit my website, certain technical data is automatically stored in server log files, such as:

​

  • Your IP address (anonymised)

  • Date and time of the visit

  • Pages you visit

  • Browser type and version

  • Operating system

​

These data are used only for the secure operation of the website, error analysis, and improving user experience. No combination with other personal data takes place.
Server log files are automatically deleted or anonymised by Wix once no longer needed.
No data is shared with third parties, except when legally required.

​

Contact Form on the Website

If you fill in the contact form on my website, the following data are collected:

​

  • Your name

  • Your email address or phone number

  • Content of your message

  • ​

I use this data only to respond to your inquiry or arrange appointments. No data is shared with third parties unless legally required.
The data are retained only as long as necessary to process your inquiry and then deleted.

​

Reviews / Testimonials

If you provide a review or testimonial, publication occurs only based on your explicit consent.
You can withdraw your consent at any time by email. After withdrawal, the review will be immediately removed from my website.
Only the information you provided is published; no other personal data is used or shared.

​

​​​

7. How Long I Keep Your Data

​

  • Session notes: up to 5 years (non-medical).

  • Emails/Contact requests: 0–6 years (depending on the content of the email, legally up to 6 years)

  • Accounting & invoicing documents: 6 years (legal requirement in Finland).

  • Data held by Ukko: according to Ukko’s legal requirements.

  • Tixeo: does not store data permanently unless explicitly agreed.

​​​

​

8. Who I Share Your Data With

I share your data only when necessary for our collaboration:

​

  • Ukko (payment & accounting – separate controller)

  • Wix.com (website hosting)

  • Tixeo (online sessions)

  • My email or cloud provider (for communication)

  • ​

I do not sell your data or use it for marketing purposes.

​

​​​

9. Transfer Outside the EU

Wix and Tixeo may process data outside the EU.


This is done based on EU Standard Contractual Clauses (SCC) and the data protection policies of the respective providers, ensuring your data is securely protected even outside the EU.

​​​

​

10. Your Rights

You have the following rights under the GDPR:

​

  • Right of access: to know what personal data I store about you and why.

  • Right to rectification: to have incorrect or incomplete data corrected.

  • Right to erasure: to request deletion of your data if it is no longer needed, if you withdraw consent, or if processing is unlawful (some data may be retained if required by law, e.g., invoices for 6 years).

  • Right to restrict processing: to temporarily suspend processing while issues are resolved.

  • Right to object: to object to processing based on legitimate interests.

  • Right to data portability: to receive your data in a structured, common digital format (e.g., PDF).

  • Right to withdraw consent: at any time, without affecting prior lawful processing.

  • Right to complain: to the Finnish Data Protection Authority (Tietosuojavaltuutetun toimisto) if you believe I am not processing your data lawfully.

​

​​​

11. Data Security

I protect your personal data using technical and organisational measures:

​

  • Secure passwords for all systems where your data is stored.

  • Encrypted devices and secure access to Wix and Ukko, ensuring only authorised persons can access data.

  • No recording of online sessions without your explicit consent.

  • Session notes: I take notes on paper, which are always anonymised. They are securely stored and destroyed once no longer needed.

  • Encrypted data transfer: all data sent via my website is encrypted (SSL/TLS). Online sessions via Tixeo use end-to-end encryption.

​

This ensures your data remains confidential and protected from unauthorised access.

​​​

​

12. Changes to This Policy

If anything changes, I will update this privacy policy.
The current version is always indicated at the top.

bottom of page