The Therapist's GDPR Tech Stack: 5 Safe Tools & 3 to Avoid (2026 Checklist)

April 26, 2026 • Updated May 9, 2026 • 10 min read

Your practice might be GDPR compliant on paper, but is your tech stack?

Many UK therapists unknowingly violate data protection laws by using mainstream tools like Google Workspace, Slack, or Zoom for client communications. These platforms are designed for productivity, not confidentiality.

Here is your definitive audit checklist: the tools that protect your license and the ones that put it at risk.

The "Don't Use" List: 3 Tools That Violate GDPR

These tools are convenient, but they fail the "Data Sovereignty" and "End-to-End Encryption" tests required for mental health professionals.

Google Workspace (Gmail, Drive, Docs)

The Risk: Google scans email content for advertising and training data. Google is US-based and therefore subject to the CLOUD Act, which allows US authorities to access data regardless of where it is stored. Even with a BAA (Business Associate Agreement), the liability shifts to you.

Slack / Microsoft Teams

The Risk: These platforms log metadata (who talked to whom, when, and for how long). They are not end-to-end encrypted by default, meaning the provider holds the keys and can access your internal case discussions.

Mainstream Shared Hosting (Bluehost, GoDaddy, etc.)

The Risk: Your website sits on a server with hundreds of others. If a neighbour is hacked, your site is at risk. Data residency is often unclear, and you have no control over the physical security of the server. See our guide to the hosting trap.

The Reality: Under GDPR, you are responsible for the security of your clients' data. If a breach occurs because you used a non-compliant tool, the fine falls on you. Read our full GDPR compliance checklist for therapists.

The "Do Use" List: 5 Tools That Actually Comply

These tools are built with privacy as a core feature, not an afterthought. They use end-to-end encryption, Swiss or EU jurisdiction, and zero-knowledge architecture.

1. Proton Mail (Encrypted Email)

Why it works: End-to-end encryption means only you and your recipient can read messages. Based in Switzerland (outside Five Eyes). No scanning, no tracking.


2. Proton Drive (Secure File Storage)

Why it works: Files are encrypted on your device before upload. Proton cannot read your files. Ideal for storing session notes and intake forms securely. See our Proton Drive privacy policy breakdown.


3. Proton Pass (Password Management)

Why it works: Securely store and share credentials with your team without exposing passwords. Encrypted vaults ensure no one else can access your logins.


4. Proton VPN (Secure Connection)

Why it works: Encrypts your connection when working from cafés or home. Prevents ISP tracking and Man-in-the-Middle attacks. Read why a VPN alone isn't enough.


5. Clear Practise (Sovereign Hosting)

Why it works: The foundation of your stack. We provide dedicated, isolated containers for your website and client portal. No shared resources, fixed EU jurisdiction (Finland), and full GDPR compliance.


From Tools to Infrastructure

You can swap your email and storage, but if your website is hosted on a shared server, your stack is still compromised. Clear Practise provides the infrastructure layer that ties your entire stack together, ensuring your website is as secure as your email.


🛡️ Complete Your Privacy Stack

Get full access to Proton Mail, VPN, Pass, and Drive with one subscription.

Support Clear Practise: Using this link helps fund our privacy advocacy work.

How to Audit Your Practice Today

  1. Inventory: List every tool you use for client data (email, storage, video, scheduling).
  2. Check Jurisdiction: Is the company US-based? If yes, it is subject to the CLOUD Act.
  3. Check Encryption: Is it end-to-end encrypted? If the provider holds the keys, it is not secure.
  4. Replace: Swap non-compliant tools with the "Do Use" list above.
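The encryption test in step 3, and the "encrypted on your device before upload" property described for Proton Drive above, both come down to one question: who holds the key? The following Go program is an added illustration, not Proton's or Clear Practise's code. It encrypts a constructed session note with AES-256-GCM under a key generated on the device, stores only the resulting blob (what a provider would receive), and shows that a key the provider generates itself cannot open it, while any modification of the stored blob is rejected. The key-storage mechanism (a passphrase-derived key or OS keychain) is assumed and left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewDeviceKey generates a random 256-bit AES key. In a real client this key
// lives only on the practitioner's device (or is derived from a passphrase);
// it is never sent to the storage provider. Key storage is assumed here.
func NewDeviceKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptNote seals a note with AES-256-GCM before upload. The returned blob is
// nonce || ciphertext || authentication tag, which is all the provider ever sees.
func EncryptNote(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce so one blob can be stored.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptNote reverses EncryptNote. It returns an error (never garbage) if the
// key is wrong or the blob was altered in storage: GCM authenticates the data,
// so the provider can neither read nor silently modify the note.
func DecryptNote(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample note; not real client data.
	note := []byte("Session 4: client reports improved sleep; reviewed coping plan.")

	deviceKey, err := NewDeviceKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptNote(deviceKey, note)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded blob: %d bytes, starts %x...\n", len(blob), blob[:8])

	// The provider holds the blob but not deviceKey. A key it generates itself
	// (modelling "the provider holds the keys") cannot open the note.
	providerKey, _ := NewDeviceKey()
	if _, err := DecryptNote(providerKey, blob); err != nil {
		fmt.Println("provider-side decryption failed as expected:", err)
	}

	// Only the device key recovers the plaintext.
	plain, err := DecryptNote(deviceKey, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered on device:", string(plain))
}
```

Run it with `go run` and note the contrast with a tool that encrypts only in transit or at rest with the provider's own key: in that model the provider's copy of the key would open the blob, which is exactly the condition step 3 treats as a failure.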

Frequently Asked Questions

Is Google Workspace (Gmail) GDPR compliant for therapists?

No. While Google offers a BAA, they are US-based and subject to the CLOUD Act, which allows US authorities to access data. Additionally, Google scans content for advertising, violating the principle of data minimization for health professionals.

What is the best email for therapists in the UK?

Proton Mail is the recommended choice. It is based in Switzerland (outside Five Eyes), uses end-to-end encryption, and does not scan your emails. It is the only major provider that guarantees zero-knowledge access.

Is shared hosting safe for therapy websites?

No. Shared hosting places your site on a server with hundreds of others, increasing the risk of cross-site contamination. For GDPR compliance, therapists need sovereign, isolated hosting with fixed EU jurisdiction.

Do I need a Business Associate Agreement (BAA) for GDPR?

No, BAAs are a US HIPAA requirement. For GDPR, you need a Data Processing Agreement (DPA) and must ensure the provider offers end-to-end encryption and resides in the EEA or a country with adequate data protection.

Final Thoughts

Privacy is not a luxury — it's a requirement for ethical practice. By choosing the right tools and sovereign hosting, you protect your clients, your license, and your reputation.

Learn how Clear Practise secures your entire practice infrastructure.