Tags: GDPR, data privacy, therapist website, compliance

GDPR for Therapist Websites — 2026 Checklist

Therapendo editorial team | February 10, 2026 | 8 min read

Why GDPR is especially important for therapists

You're a therapist. You work with the most intimate information a person can share. Fears, traumas, mental health conditions. Under the GDPR, this data belongs to the special categories of sensitive data under Article 9.

This means: stricter rules apply to your website than to an online shop or a restaurant. And the consequences of violations are more severe.

But don't worry. The requirements are manageable once you understand them. This guide explains everything you need to know, without legal jargon. If you're currently building your practice website, now is the right time to learn these fundamentals.

The 5 most important requirements for your practice website

There are five areas you need to implement correctly on your website. None of them is technically complex, but all are legally relevant.

Where most therapist websites make mistakes

In practice, we see the same problems over and over again.

Contact form without encryption. Many WordPress themes send form data unencrypted via email. This is problematic because patients almost always describe their concerns in the contact form. We explain in detail why the contact form is far more than an input field and what end-to-end encryption specifically changes. How to formulate the text around the form is covered in our article on website copy for therapists.

Outdated privacy policy. A privacy policy from 2019 no longer meets today's requirements. Especially if you've added tools or plugins since then. If your website has been online for a while, a complete relaunch of your old practice website may be worthwhile.

No data processing agreement. If your hosting provider or form service has access to personal data, you need a data processing agreement (DPA). Many therapists aren't aware of this.

Data processing agreement: when you need a DPA

As soon as an external service provider has access to your patients' personal data, you need a data processing agreement (DPA) under Art. 28 GDPR. This applies to more providers than most therapists think:

  • Hosting provider (e.g., All-Inkl, Hetzner, Strato): Processes all data flowing through your website
  • Email provider (e.g., Gmail, Mailbox.org): When patients write to you by email
  • Online appointment booking (e.g., Doctolib, Jameda, Terminland): Stores names, contact details, and often the reason for booking
  • Video conferencing tool (e.g., Zoom, Doxy.me): For video therapy sessions
  • Newsletter service: If you send a practice newsletter

Most reputable providers offer DPAs free of charge. You just need to sign them and archive them. If a DPA is missing, you're personally liable — even if the service provider caused the error.

Which tools are GDPR-compliant — and which aren't

Choosing the right tools determines your GDPR compliance. Here's an overview of the most common services:

Website and hosting:

  • GDPR-compliant: All-Inkl, Hetzner, Strato (servers in Germany, DPA available)
  • Problematic: US hosting without EU servers, Squarespace (US processing)

Analytics and tracking:

  • GDPR-compliant: Matomo (self-hosted), Plausible, Fathom (cookieless, EU servers)
  • Problematic: Google Analytics without consent, Facebook Pixel

Online appointment booking:

  • GDPR-compliant: Doctolib (EU servers, DPA), Terminland, Samedi
  • Use with caution: Calendly (US servers), Google Calendar (public appointments)

Video therapy:

  • Recommended: Doxy.me (designed for therapists), arztkonsultation.de, Red Medical
  • Only with additional measures: Zoom (DPA + patient disclosure)

GDPR-compliant website: the checklist

Here's a practical checklist for your therapist website.

Tip: All our practice website templates are designed to be GDPR-compliant from the ground up — including automatically generated privacy policy and legal notice.

How Therapendo automates GDPR compliance

Therapendo was built from the ground up for the therapeutic context. This means: GDPR compliance isn't an add-on module — it's the foundation.

Servers in Frankfurt. No US cloud, no data transfers to insecure third countries. Your data stays in Germany.

Automatic legal notice and privacy policy. Based on your practice data, Therapendo generates legally compliant mandatory pages. You don't need to pay a lawyer.

Locally hosted fonts. No loading from Google servers. No risk of cease-and-desist letters.

Encrypted forms. All patient inquiries are transmitted and stored encrypted. No unencrypted email delivery.
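The font, tracking and form points above can be checked mechanically against a page's markup. The script below is an added example, not Therapendo's own code: it parses HTML and flags stylesheets loaded from Google Fonts hosts, scripts from known analytics or Facebook Pixel hosts, and forms that post over plain HTTP or to a third-party provider. The domain praxis.example and the tracking id in the sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that receive the visitor's IP as soon as the browser loads from them.
FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
TRACKER_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com",
                 "connect.facebook.net"}

def _host(url):
    """Hostname of a URL; protocol-relative URLs ("//host/x") count as external."""
    if url.startswith("//"):
        url = "https:" + url
    return urlparse(url).hostname

class GdprChecker(HTMLParser):
    """Collects (finding, url) pairs for external fonts, trackers, insecure forms."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = _host(page_url)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href") and _host(a["href"]) in FONT_HOSTS:
            self.findings.append(("external-font", a["href"]))
        elif tag == "script" and a.get("src") and _host(a["src"]) in TRACKER_HOSTS:
            self.findings.append(("tracker", a["src"]))
        elif tag == "form":
            action = a.get("action") or ""
            if urlparse(action).scheme == "http":
                # Form data would leave the browser unencrypted.
                self.findings.append(("plain-http-form", action))
            elif _host(action) and _host(action) != self.page_host:
                # Submissions go to another provider: a DPA is needed there.
                self.findings.append(("third-party-form", action))

def check_html(html, page_url):
    """Parse the markup and return the list of findings in document order."""
    checker = GdprChecker(page_url)
    checker.feed(html)
    return checker.findings

# Constructed sample page (hypothetical domain) with three typical problems.
SAMPLE = """<html><head><link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head><body><form action="http://praxis.example/kontakt" method="post"></form>
</body></html>"""
```

Run `check_html(SAMPLE, "https://praxis.example/")` to get the three findings for the sample; a relative `action` or a locally hosted stylesheet produces none.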

Learn more about how Therapendo helps you create your practice website professionally — whether you build the website yourself or use ready-made templates. This also includes local visibility through your Google Business Profile. For a detailed comparison with Wix, WordPress, and Jimdo, see our website builder comparison for therapists.

GDPR-compliant in minutes

Therapendo automatically generates legally compliant mandatory pages, hosts in Frankfurt, and exclusively uses locally embedded fonts.
