When the First Sentence Is Already a Diagnosis
A therapy inquiry almost always begins with a single sentence like this one: “I'm looking for a therapist after a traumatic experience.” That one sentence already carries two pieces of information that can have real consequences in the wrong hands: your identity, revealed through your email address, and a clear indication of your state of health. This is exactly why European data protection law treats such information as a “special category of personal data” under Article 9 of the General Data Protection Regulation, the strictest protection class the GDPR recognizes at all.
What not everyone realizes: on the way from the input field to the therapist, this information can, in theory, be read at several points. Looking more closely here helps you make a better choice of platform, and gives you greater peace of mind.
What the GDPR Counts as Health Data
Article 9 of the GDPR lists eight categories of especially sensitive data, among them “data concerning health” as well as “data concerning a person's sex life or sexual orientation.” The mere fact that someone is looking for a therapist already falls into this category, because it points to a physical or mental health condition. The Austrian Data Protection Authority follows this strict interpretation.
The practical consequence: a platform that processes such data may only do so on one of a few explicitly named legal grounds. For online therapist searches, that is usually your explicit consent under Article 9(2)(a) GDPR. And it must take “appropriate technical and organizational measures” to protect this data, as required by Article 32 GDPR.
The Four Stops Your Inquiry Makes
When you click “Send” on a therapy platform, your message typically passes through four systems. Each of them potentially has access to the plain text.
First, the platform's database. As standard, your name, your email address, and the text of your inquiry are stored in a database so that the therapist can view them after logging in. From a security standpoint, the crucial question is whether these fields sit there in plain text or encrypted. Without encryption, a database leak, whether through a hack, a misconfiguration, or insider access, would make the entire content directly readable. Encryption at the application level, for example using the well-established AES-256-GCM method, ensures that even in a full data dump an attacker sees nothing but useless ciphertext, as long as the key itself hasn't also been compromised.
Second, the email provider. To let the therapist know about a new inquiry, the platform sends an email to their inbox. There are two very different approaches here. Either the email contains the full text of the inquiry, which is convenient but problematic for data protection, or it contains only a login link to the platform, where the inquiry remains viewable in a protected environment. In the first case, the email service, such as Resend, SendGrid, Mailgun, or Brevo, also has the content in its logs. Typical retention periods for these logs range from seven to thirty days.
Third, the server logs. Web servers record every request by default: a timestamp, the IP address, the URL called up, and often the parameters passed along too. If a platform is sloppily built and transmits inquiry content in URL parameters or logs it in error messages, sensitive data ends up in plain text in the log files, where it often stays for months and is visible to operations and development teams.
Fourth, backups and subprocessors. Databases are backed up regularly. These backups often sit for longer and in different places than the live database, for instance in an AWS S3 bucket or with a specialized backup provider. CDN providers, analytics tools, and error-monitoring services are also so-called subprocessors that, depending on the configuration, get to see your data.
Why the Server Location Matters
In July 2020, the European Court of Justice struck down the transatlantic Privacy Shield agreement in its Schrems II ruling. The reasoning: US intelligence agencies have overly broad rights to access the data of European citizens processed in the United States. Since then, transferring personal data to the US has only been possible under tightened conditions, and for health data this applies all the more strictly.
For you as someone seeking therapy, this means in practice: a platform whose database sits in Frankfurt or Amsterdam is fully subject to the GDPR. A platform running on US cloud infrastructure, such as standard AWS regions in Virginia or Oregon, operates in a gray area. Even if it relies on standard contractual clauses, the European Court of Justice ruling deemed these insufficient as the sole safeguard.
Professional Confidentiality Protects You, but Only from a Certain Point On
In Austria, Section 45 of the Psychotherapy Act (Psychotherapiegesetz 2024) binds psychotherapists to a strict duty of confidentiality. A breach is even a criminal offense under Section 121 of the Criminal Code (Strafgesetzbuch). This duty, however, only takes effect at the therapist themselves; the platform through which the first contact runs is not covered by it. It is bound “only” by the GDPR, which means a noticeably lower level of protection, because here there's no threat of criminal sanctions, only ones under data protection law.
This is not an argument against online platforms. But it is an argument for taking a good look at the platform, rather than blindly assuming that every matching service is equally trustworthy.
Three Questions That Quickly Size Up a Platform
If you want to know how seriously a platform really takes data protection, three questions help, ones that should be answerable in any privacy policy or on a “Security” subpage:
- Where is the database located: ideally in the EU, such as Frankfurt, Amsterdam, or Paris. “The cloud” alone is not a sufficient answer
- What's in the notification email to the therapist: just a login link is far safer than the full text of the inquiry
- How long are inquiries stored: automatic deletion after 30, 60, or 90 days is a good sign. “Indefinitely,” or an answer that doesn't address the question at all, is a bad one
On our security page, we've answered all three questions openly. That's not a given, but in our view it should be the standard.
Your Rights, and How to Use Them
Even if you've agreed to a platform's privacy policy, you keep two important rights:
- The right of access under Article 15 GDPR: you can request a complete copy of all data stored about you at any time. The platform must respond within one month, free of charge
- The right to erasure under Article 17 GDPR: you can demand that all data relating to you be deleted. For sensitive health data with no legitimate remaining purpose, such as an active effort to set up therapy, this deletion generally has to happen
You can make both requests informally, by email to the address listed in the site's legal notice (Impressum). If a platform doesn't respond within 30 days or refuses to provide the information, you can turn to the Austrian Data Protection Authority free of charge; complaints about inadequate data processing are investigated at dsb.gv.at.
Conclusion: Trust Is Good, Asking Is Better
Searching for a therapist online is a huge step forward compared with spending hours calling one practice after another, especially at a time when many people would rather reach out through a low-pressure form than over the phone. But the convenience comes at a price: more places see your data than if you were to call directly.
The good news: you have a choice. A platform that combines EU hosting, encrypted storage, notifications without any content text, and short retention periods is entirely achievable technically in 2026, and anyone who looks for those standards is on the safe side.
Your search for therapy is a private matter. It deserves a platform that treats it that way technically, too.

