HIPAA, GDPR and Your Therapy Website: What Therapists Need on Squarespace
Introduction
Data privacy laws are not optional. They're non-negotiable requirements that protect your clients and your practice. If you're running a therapy practice in the UK or EU and using Squarespace to build your website, you're subject to GDPR (General Data Protection Regulation). If you're seeing US clients, HIPAA (Health Insurance Portability and Accountability Act) applies to certain data handling. This guide walks you through the practical compliance requirements for therapy websites on Squarespace, clarifying what you must do, how to implement it, and what happens if you don't. This is not legal advice (consult a data protection specialist for your specific situation), but it covers the essential compliance elements every therapy website needs.
Key Takeaways
GDPR applies to UK/EU therapists; HIPAA applies to US practices handling health data; most therapists need to address GDPR compliance
Squarespace includes built-in GDPR-friendly features (cookie consent, secure data handling), but you must configure them correctly
Your privacy policy is the foundation of GDPR compliance—it must clearly explain what data you collect, why, how long you keep it, and client rights
Contact forms and booking systems collect health-related data (special category data under GDPR); they require explicit consent and secure handling
Data breaches must be reported to the ICO within 72 hours if they affect UK clients; your website must have a clear breach response procedure
GDPR vs HIPAA: Which Applies to Your Therapy Practice
GDPR (General Data Protection Regulation)
If you're based in the UK or EU, or if you have clients in the UK/EU, GDPR applies to your therapy website. GDPR is a European data protection law that became enforceable in May 2018. It's comprehensive and strict. Fines for non-compliance can reach 20 million euros or 4% of global annual revenue, whichever is higher. That's serious.
GDPR covers any personal data you process (collect, store, use, share) about your clients. For therapists, this includes names, email addresses, phone numbers, and—crucially—information about their mental health (anxiety, depression, trauma history, etc.). This health data is "special category data" under GDPR, which means it has extra protection requirements.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA is a US federal law that applies to "covered entities" (medical practices, health plans, healthcare clearinghouses) and their business associates. If you're a therapist in the US handling health information, you likely fall under HIPAA. HIPAA has strict requirements for how you handle Protected Health Information (PHI). It requires encryption, secure authentication, audit logs, and breach notification.
However, not all therapists are HIPAA-covered. If you're a private therapist not billing insurance and not part of a covered organization, you might not be subject to HIPAA. Consult a US data protection attorney if you're unclear.
Key Difference: GDPR is broader and applies to any therapist processing data of UK/EU clients. HIPAA is narrower and applies to US-based covered entities. Most therapy practices need to prioritize GDPR compliance.
This Guide Focuses on GDPR because it applies to the widest audience of therapists. If you're US-based and HIPAA-subject, the principles are similar (encryption, consent, client rights), but specific compliance steps differ. Consult a HIPAA specialist for detailed US guidance.
The Privacy Policy: Your Foundation for Compliance
Your privacy policy is the legal document that explains to clients how you handle their data. It's mandatory under GDPR. Your policy must be clear, accessible, and comprehensive. A vague privacy policy exposes your practice to enforcement action.
What Your Privacy Policy Must Include
Who You Are and Your Contact Information
State your full name (or practice name), address, and how clients can contact you about data privacy issues. Example: "Jane Smith Psychotherapy, 123 High Street, London. Data Privacy Contact: jane@example.com or call 020 XXXX XXXX."
What Data You Collect
Be specific. List every data point:
Contact form: Name, email address, phone number, reason for contact
Booking form: Name, email, phone, date of birth, emergency contact, health information (conditions, medications, etc.)
Email correspondence: Email address and content of emails
Session notes: therapy notes, progress, clinical assessments (covered in a separate section below)
Analytics: Squarespace analytics track visitor IP addresses, browser type, pages visited
Your Legal Basis for Processing Data
This is critical. GDPR requires you to have a lawful basis before processing data. For therapists, your legal bases typically are:
Consent: "I process your contact form data because you have consented by submitting the form."
Contractual obligation: "I process booking form data because it's necessary to provide therapy services."
Legal obligation: "I'm required to keep certain records by professional regulation and law."
Legitimate interest: Rare for therapists; avoid this unless necessary.
Example in your policy: "I collect contact form data on the basis of your consent. I collect booking form data on the basis of the therapy contract. I retain session notes on the basis of professional and legal requirements."
How You Use Client Data
Explain what you do with the data:
"I use contact form information to respond to your inquiry and schedule an initial consultation."
"I use booking form information to confirm your appointment, send session reminders, and maintain session notes."
"I use email correspondence to communicate with you about your therapy."
"I do not share your data with third parties without your explicit written consent, except where required by law."
How Long You Keep Data
Be clear about retention periods. Example: "I retain contact form submissions for 1 year. I retain booking confirmation data for 6 years (standard professional requirement). I retain session notes for 8 years after the last session (as required by professional bodies). I delete your account data 30 days after you request deletion, unless legal obligations require longer retention."
Client Rights
GDPR gives clients specific rights over their data:
Right to access: "You have the right to request a copy of all data I hold about you."
Right to correction: "You have the right to ask me to correct inaccurate data."
Right to erasure: "You have the right to request deletion of your data (subject to legal retention requirements)."
Right to data portability: "You have the right to request your data in a portable format (e.g., PDF)."
Right to object: "You have the right to object to processing for specific purposes."
Example: "To request access to your data, or to exercise any of the above rights, contact me at with your request. I will respond within 30 days."
Data Breaches and Security
Explain how you handle data security and what happens if there's a breach: "I store all client data securely using [specific security measures—encryption, password protection, etc.]. If there's a data breach affecting UK clients, I will notify the Information Commissioner's Office (ICO) within 72 hours and notify affected clients without undue delay."
Links to Third Parties
If your Squarespace website links to external sites (booking software, therapy platforms, etc.), mention it: "My website uses Squarespace hosting and analytics. I may use third-party booking software (e.g., Calendly) and therapy platforms (e.g., Zoom). Each of these services has its own privacy policy, and I recommend reviewing them."
Contact for Data Privacy Concerns
Provide a way for clients to contact you about privacy or report concerns: "If you have questions about your data or concerns about how I handle it, contact . You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk."
How to Publish Your Privacy Policy on Squarespace
Go to Squarespace > Pages > Add New Page
Create a page titled "Privacy Policy"
Paste your privacy policy text
Add it to your footer navigation (under "Settings")
Ensure it's easily findable from every page
Pro Tip: Use plain language. Don't copy generic privacy policies from other websites. Your policy should be specific to your practice. If clients can't understand it, it's not compliant and won't build trust.
Contact Forms and Data Consent: Getting It Right
Your contact form is often the first point of data collection. It must have explicit consent built in.
The Essential Consent Checkbox
Every contact form on your therapy website needs a checkbox (not pre-checked) with clear language:
"I consent to [Your Name] using my contact information to respond to my inquiry, schedule a consultation, and communicate about potential therapy services. I understand my data will be stored securely and used only for this purpose. I have read the privacy policy and understand my rights regarding my data."
This checkbox isn't optional. Without explicit, informed consent, you're violating GDPR. Clients must actively check the box; consent can't be pre-checked or implied.
Squarespace Form Setup
Go to Squarespace > Pages > Your Contact Page
Add a Form block
Configure fields: Name, Email, Phone (optional), Message/Inquiry
Add a checkbox field at the bottom
Label it clearly: "I consent to contact"
In the checkbox settings, set "Required: Yes" so the form can't be submitted without consent
Link to your privacy policy in the consent text
What Happens to Form Data?
Configure Squarespace form handling:
Go to Form Settings > Email Notifications
Ensure form submissions go to your secure email
Squarespace stores form submissions for 3 months by default; you can change this
After 3 months, manually download submissions you need to keep, then delete them from Squarespace
Best practice: Download form submissions monthly, store them securely (encrypted), and delete them from Squarespace after the retention period expires.
Booking Forms and Health Data: Special Category Data Under GDPR
Booking forms collect health information. This is "special category data" under GDPR and requires stricter protection.
What Counts as Special Category Data
Mental health conditions (anxiety, depression, trauma, etc.)
Physical health information (medication, allergies, disabilities)
Emergency contacts (implies potential vulnerability)
Any reference to past trauma or current distress
GDPR Protection Requirement
Special category data can only be processed if you have:
Explicit consent from the client (written, unambiguous, freely given), AND
A specific legal basis
For therapists, the legal basis is usually "necessary for the provision of healthcare services" (if you have explicit consent).
Booking Form Consent Language
Add this to your booking form consent checkbox:
"I consent to [Your Name] collecting and processing sensitive personal health information about my mental and physical health. I understand this information will be used to:
Provide tailored therapy appropriate to my needs
Ensure my safety and the safety of others
Comply with professional and legal obligations
Store securely for X years after the last session
I have read the privacy policy and understand my rights regarding my health data. This data will not be shared without my explicit written consent, except where legally required (e.g., serious risk of harm)."
Clients must actively consent to this. It can't be pre-checked or implied.
What NOT to Ask in Booking Forms
Don't ask for:
Full psychiatric history (ask in the therapy session, not the form)
Detailed trauma narratives (ask later, face-to-face)
Child safeguarding information (ask in-person after trust is established)
Bank details or payment card information (collect payment separately via secure payment system)
Keep booking forms minimal: name, contact, brief reason for contacting, emergency contact, and consent. Detailed health information comes later in-person, not via a web form.
Data Security for Booking Forms
Since booking forms collect health data, ensure:
HTTPS (all Squarespace sites use HTTPS by default) ✓
Form submissions stored in encrypted email
No sensitive data in URLs or browser history
Downloaded submissions stored on encrypted devices
Submissions deleted from Squarespace after retention period
Cookies, Analytics, and Consent Banners on Squarespace
Squarespace websites use cookies for analytics. Under GDPR, you need to inform visitors about cookies and get consent.
What Cookies Does Squarespace Use?
Squarespace uses:
Essential cookies (keep the website functioning)
Analytics cookies (track visitor behaviour, page views, etc.)
Third-party cookies (Google Analytics, etc.)
Squarespace Cookie Banner
Squarespace includes a built-in cookie consent banner. To enable it:
Go to Squarespace > Settings > Privacy
Toggle "Cookie Consent Banner" to ON
Customize the banner message: "This website uses cookies to enhance your experience. By continuing to browse, you consent to our use of cookies. See our Privacy Policy."
Visitors can accept or manage cookies
The banner is GDPR-compliant as long as:
It appears before analytics cookies load (Squarespace does this) ✓
Visitors can easily decline or manage cookies
Accepting is not pre-checked
You link to your privacy policy
Do You Need Google Analytics?
Google Analytics on Squarespace is fine under GDPR if:
You have a Privacy Policy explaining you use analytics
You have the cookie banner enabled
You anonymize IP addresses (optional but recommended)
To anonymize IPs in Google Analytics on Squarespace:
Go to Squarespace > Settings > Analytics
Enable Google Analytics
In Google Analytics settings, enable "IP anonymization"
This removes the last octet of IP addresses, making data less personally identifiable.
Data Retention, Deletion, and Client Rights
GDPR gives clients specific rights over their data. Your website and practice must support these.
Retention Periods for Therapy Data
Set clear retention periods:
Contact form submissions: 1 year (unless you book the client, then follow therapy retention rules)
Initial consultation notes: 3 years from last contact
Active client session notes: During therapy + 8 years after last session (per BACP/UKCP professional standards)
Email correspondence with clients: Same as session notes (8 years)
Booking confirmations: 6 years (for contractual/tax purposes)
Right to Erasure (Right to be Forgotten)
Clients can request deletion of their data. You must comply, with exceptions:
You must delete: Unbooked contact form submissions after 1 year
You must delete (if requested): Personal data after therapy ends (unless legal/professional obligation requires retention)
You may retain: Session notes for 8 years (professional obligation); data required by law (tax, insurance); data necessary for legal claims
When a client requests erasure, respond within 30 days explaining which data you've deleted and which you must retain (and why).
Squarespace Deletion Procedure
Download a copy of all form submissions and any data you need to retain
Delete the client's account in Squarespace (if applicable)
Delete form submissions from Squarespace's system
Confirm deletion to the client in writing
Data Access Requests
Clients can request a copy of all their data. Process within 30 days:
Gather all data you hold: contact forms, session notes, emails, etc.
Compile into a portable format (PDF or spreadsheet)
Send to client securely (encrypted email or secure file transfer)
Keep a record of the request
Frequently Asked Questions
If you're processing personal data (which you are as a therapist), you're a data controller. UK therapists must register with the Information Commissioner's Office (ICO) unless you're exempt. Most private therapists must register. Registration costs £40 and takes 5 minutes online at ico.org.uk. Failure to register can result in fines. If you're EU-based (not UK), check your local data protection authority's registration requirements.
Enforcement is taken seriously. The ICO investigates complaints and can issue fines. For non-compliance, fines range from £6,000 to £17.5 million depending on the severity. Beyond fines, non-compliance damages trust. If clients discover their mental health data isn't protected, they won't trust you. Compliance is both legal obligation and ethical responsibility.
Squarespace's built-in features (Privacy settings, Cookie Banner, contact forms, email handling) are GDPR-compliant if configured correctly. You don't need external tools unless you want additional features (e.g., advanced consent management, data deletion automation). For most therapists, Squarespace's built-in tools are sufficient.
If you have clients across jurisdictions, you must comply with all applicable laws:
UK clients: GDPR
US clients (with insurance): HIPAA
EU clients: GDPR
Your privacy policy should address all jurisdictions: "For UK/EU clients, data is processed under GDPR. For US insurance-based clients, data is processed under HIPAA. For other clients, industry-standard data protection applies."
If Squarespace is processing client data on your behalf (storing forms, hosting your site), you should have a Data Processing Agreement (DPA). Squarespace provides a standard DPA. Go to Squarespace > Settings > Data Processing Agreement and download/sign it. This confirms Squarespace's obligations to you regarding data security.
You must notify the ICO within 72 hours if the breach affects UK clients. You must also notify affected clients without undue delay. Steps:
Immediately contain the breach (change passwords, revoke compromised access, etc.)
Document what happened, what data was affected, how many people
Notify the ICO at ico.org.uk (form-based report)
Notify affected clients by email with details of the breach and steps you've taken
Keep records of the breach and your response
Yes. If you download form submissions or session notes, store them on encrypted devices. Use:
Full-disk encryption (Windows BitLocker, Mac FileVault)
Password-protected files
Encrypted cloud storage (OneDrive with encryption, Tresorit, etc.)
Avoid storing sensitive data on unencrypted USB drives or emails
Yes. Platforms like SimplePractice are specifically designed for therapists and include built-in GDPR/HIPAA compliance. However, you still need a public website (on Squarespace or elsewhere) for client discovery. Many therapists use Squarespace for their public website and SimplePractice for secure client portals and session notes.
Ensure Your Therapy Website Is Compliant
GDPR compliance might feel like bureaucracy, but it's fundamentally about respecting your clients' privacy and building trust. A compliant website signals that you take ethics seriously—that the confidentiality and security of their mental health data is your priority. Clients notice this. It builds confidence.
If you're uncertain about your current compliance status or need help configuring your Squarespace website for full GDPR adherence, Squareko can help. We audit therapy websites for compliance, set up privacy policies, configure contact and booking forms correctly, and ensure your Squarespace settings protect client data. Visit squareko to book a compliance consultation. Your clients deserve a website as secure as your therapy room.
From custom website design to SEO strategy, we help businesses launch a site that looks professional and performs better.
About the Author
Walid | squareko
I'm Walid Hasan, a Certified Squarespace Expert and Squarespace Circle Platinum Partner with over 12 years of hands-on experience designing and optimizing high-performing websites. Over the years, I've had the privilege of building more than 2,000 Squarespace websites for clients around the world, always focusing on clean design, strong user experience, and conversion-driven results.