Practice management software
- WriteUpp - UK-based, GDPR-strong, popular among UK therapists. Booking, notes, invoicing, GP letters.
- Cliniko - clinic-friendly, multi-practitioner, strong booking and reminder flows.
- BACPAC - BACP-affiliated, designed for counsellors specifically.
- TherapyMate - simpler, good for solo practitioners.
- SimplePractice - US-built but UK-compliant, larger ecosystem.
The right choice depends on whether you're solo or a clinic, your GP-letter integration needs, and your budget. £15-50/month per practitioner is typical.
GDPR for therapists - the basics
Therapy notes are special category data under UK GDPR (categorised with health information, religious beliefs, and other sensitive types). Higher protection requirements:
- Lawful basis - typically consent + provision of healthcare for therapy notes.
- Data minimisation - only record what's necessary for clinical work.
- Retention policy - typically 7 years from last contact for adults; longer for minors (until age 25 or 7 years from last contact, whichever is later). Document this in your privacy notice.
- Breach notification - notify the ICO within 72 hours for serious breaches.
- Subject access requests - clients can request their notes; you must respond within 1 month.
- Data Protection Officer - not required for solo practitioners but worth voluntary appointment for clinics.
Online sessions - tools and considerations
- Doxy.me - healthcare-focused, no install for clients, free tier available.
- VSee Clinic - similar, more clinical features.
- Zoom Healthcare - HIPAA/GDPR enhanced version of standard Zoom (different from regular Zoom).
- Microsoft Teams (with healthcare config) - enterprise option for clinics.
Key considerations: end-to-end encryption, no recording without explicit consent, no third-party transcription/AI services without specific GDPR review.
Booking and payments
- Calendly / Acuity - automated booking with availability management.
- Stripe / GoCardless - card payments and direct debit.
- Practice management software often integrates these natively.
- Late cancellation policy - automated charging via Stripe makes this enforceable without awkward conversations.
Frequently asked questions
Do I need a Data Protection Officer?
Solo private practitioners are typically not required to appoint a DPO. Clinics with multiple practitioners and significant data processing should consider voluntary appointment. A DPO doesn't have to be full-time - many practices use external DPO-as-a-service providers.
Can I use WhatsApp for client communication?
WhatsApp's GDPR position has nuances. For appointment reminders and basic logistics, it is generally OK with client consent. For sensitive clinical content, a dedicated practice management system is more defensible. Many therapists set explicit WhatsApp policies in their privacy notice.