Proton Drive Privacy Policy Explained: What Therapists Need to Know
If you are a therapist considering Proton Drive for storing client files, you need to understand exactly what their privacy policy covers—and what it doesn't.
This article breaks down the Proton Drive privacy policy in plain English, specifically for UK health practitioners who must comply with GDPR and maintain client confidentiality.
What Is Proton Drive?
Proton Drive is end-to-end encrypted cloud storage built by the team behind Proton Mail. Unlike Google Drive or Dropbox, Proton Drive encrypts your files on your device before they reach Proton's servers. This means Proton cannot read, scan, or access your stored data—even if compelled by law enforcement.
For therapists handling sensitive client notes, intake forms, and session recordings, this architecture is fundamentally different from mainstream alternatives.
What the Proton Drive Privacy Policy Covers
Proton's privacy policy is built on several core principles that matter directly for health practitioners:
1. End-to-End Encryption by Default
All files uploaded to Proton Drive are encrypted on your device before upload. Proton holds the encrypted data but does not hold the decryption keys. Only you (and anyone you explicitly share with) can decrypt and read your files.
This is the critical distinction from services like Google Drive, where the provider holds the keys and can access your content at any time.
2. Swiss Jurisdiction
Proton AG is headquartered in Switzerland. This matters for two reasons:
- Strong privacy laws: Switzerland has some of the world's strictest data protection legislation, exceeding baseline GDPR requirements.
- Outside intelligence alliances: Switzerland is not a member of the Five Eyes, Nine Eyes, or Fourteen Eyes intelligence-sharing alliances. US authorities cannot compel Proton to hand over data through mechanisms like the CLOUD Act.
3. Minimal Data Collection
Proton's privacy policy states they collect only the minimum data necessary to provide the service:
- Account data: Username and recovery email (optional).
- Payment data: Handled by third-party processors; Proton does not store your full card details.
- Usage data: Proton does not track which files you access, when you access them, or who you share them with.
4. Open Source and Independently Audited
Proton Drive's encryption code is open source, meaning independent security researchers can inspect it for vulnerabilities. Proton also undergoes regular independent audits to verify their privacy claims.
For practitioners who need to demonstrate due diligence to regulators, this transparency is valuable. You can point to published audit reports as evidence that your storage provider meets security standards.
5. GDPR Compliance
Proton Drive data is stored within the European Economic Area (EEA), specifically in Switzerland and Germany. This ensures full GDPR compliance for UK and EU practitioners. Data does not leave EEA jurisdiction at any point.
What the Privacy Policy Does NOT Cover
No system is perfect. Here are the limitations therapists should be aware of:
- Metadata visibility: Proton can see that you have an account and how much storage you use. They cannot see file names, contents, or sharing activity (all encrypted).
- Swiss legal orders: While Switzerland has strong protections, Swiss courts can order Proton to provide whatever unencrypted data they hold. Because of end-to-end encryption, this is limited to account metadata—not file contents.
- Shared links: If you generate a public sharing link, anyone with that link can access the shared file. The encryption protects data at rest and in transit, but shared links bypass access controls if leaked.
Proton Drive vs. Mainstream Alternatives
Here is how the Proton Drive privacy policy compares to what mainstream providers offer:
| Feature | Proton Drive | Google Drive | Dropbox |
|---|---|---|---|
| End-to-end encryption | Yes | No | No |
| Content scanning | None | Yes | Limited |
| Jurisdiction | Switzerland | USA | USA |
| CLOUD Act exposure | No | Yes | Yes |
| GDPR compliant (EEA) | Yes | Partial | Partial |
| Open source | Yes | No | No |
Completing Your Privacy Stack
Proton Drive secures your files. But a therapy practice needs more than secure storage. To build a fully compliant operation, you need every layer protected:
- Email: Proton Mail — End-to-end encrypted communications.
- Passwords: Proton Pass — Encrypted credential management.
- Connection: Proton VPN — Secure remote access.
From Secure Storage to Secure Presence
Proton Drive protects your files. But your website is where clients first encounter your practice. If your files are encrypted but your website runs on shared hosting with no data sovereignty guarantees, your privacy stack has a gap.
Clear Practise extends the same privacy-first principles to your website hosting. Sovereign, isolated containers in Finland. No shared resources. No tracking. Full GDPR compliance. Your online presence matches the security of your file storage.
Final Thoughts
The Proton Drive privacy policy is one of the strongest in the consumer cloud storage market. End-to-end encryption, Swiss jurisdiction, minimal data collection, and open-source transparency make it a sound choice for therapists who take client confidentiality seriously.
But storage is just one layer. Pair it with sovereign hosting from Clear Practise, and your entire practice operates on privacy-first infrastructure—from the files you store to the website your clients visit.