Why therapy documentation is in a legal league of its own
Clinical notes, diagnoses, session records — everything you record about your clients falls under the special categories of personal data defined in Article 9 of the GDPR. This is the highest protection tier European data protection law recognises. As a rule, health data may not be processed at all unless one of the narrowly defined exceptions applies.
In the therapy context, this means concretely:
- Processing is only permissible with the explicit consent of the client, or on the basis of a statutory obligation (such as the documentation duty under applicable psychotherapy or psychology legislation).
- Consent buried in general terms and conditions or ticked via a checkbox is not sufficient.
- All processing must remain within the EU or EEA — transfers to third countries require additional safeguards that are difficult to make watertight in practice.
This is not a theoretical concern. The moment an AI tool sends your session notes to a server in the US or the UK, you bear the burden of proving that this transfer is lawful. And that burden rests with you — not with the provider.
EU AI Act: what has been in force since February 2025
On 2 February 2025, the first parts of the EU AI Act became binding. Specifically, from that date:
- Prohibited AI practices are immediately unlawful — including social scoring and certain forms of biometric categorisation.
- AI competence and training obligations: Businesses and individuals deploying AI systems must demonstrate verifiable knowledge of the systems they use. For therapists using an AI documentation tool, this means: you need to understand how the system works, what data it processes, and what risks it carries.
What is still pending — and not yet final
For so-called high-risk AI systems (which could include AI tools in healthcare), stricter obligations were originally set to apply from August 2026. The "Digital Omnibus" — a European legislative package — reached a preliminary political agreement on 7 May 2026 that would shift the key high-risk deadlines to 2 December 2027.
Important: this postponement has not yet been formally adopted and represents only a preliminary political agreement. Do not rely on it for concrete compliance decisions — and seek legal advice if in doubt.
What does "high-risk AI" mean for therapy tools?
AI systems deployed in healthcare to support clinical decision-making can be classified as high-risk systems. This applies to AI that actively influences diagnostic or therapeutic decisions.
Pure documentation and transcription tools — AI that transcribes or structures spoken words without making substantive assessments — stand on different legal ground. That said: even here you are processing health data, and all GDPR obligations apply in full.
Cloud solutions: genuine help with a genuine catch
That AI-assisted therapy documentation can work is demonstrated by providers such as Vienna-based startup Theradocx, which develops AI specifically for the therapy setting. Such tools can significantly reduce the documentation burden — and because they originate from the European market, the third-country transfer problem is at least reduced.
The structural catch remains, however: with cloud-based solutions, your clients' data leaves the device. It moves to a server — even if that server is located in Austria or the EU. This is not automatically a problem, but it creates obligations:
- A dedicated privacy notice for clients specifying how their data is processed by the AI tool.
- Explicit, informed consent — obtained before the first session in which the tool is used.
- A data processing agreement (DPA) with the provider.
- Review of whether the provider uses sub-processors (such as an underlying AI model) — and where those are located.
Ask every provider directly: "Where is my data processed? Do you use third-party AI models, and if so, which ones and where do they run?" If the answer is evasive — walk away.
Checklist: what to look for in AI documentation tools
Before deploying any tool for therapy documentation, go through this list:
- Data location: Is all processing exclusively within the EU/EEA?
- Sub-processors: Which third parties (AI models, hosting) are involved and where?
- DPA in place: Does the provider supply a complete data processing agreement?
- Consent format: Does the tool offer templates or workflows for documented client consent?
- Data deletion: Can you and your clients have data fully and verifiably deleted?
- EU AI Act compliance: Is the provider transparent about whether their system is classified as high-risk?
- Offline option: Can the tool operate without an internet connection — and does data remain local when it does?
- Encryption: Are data encrypted on the device and in transit?
- Training: Do you yourself understand how the system works? (AI competence obligation under the AI Act)
How local documentation removes the pressure
There is a category of tools that avoids all this cloud compliance complexity from the outset: applications that run entirely on your own device. No data transmission, no server, no DPA questions.
TimeInvoicer was developed for therapists and psychologists and runs entirely locally on your own Android device. Session notes, diagnoses and billing data are structured automatically and stay on your phone. There is no cloud requirement, no synchronisation with external servers. This means: you do not need to obtain a separate client consent for cloud processing — because none takes place.
That does not make TimeInvoicer an AI transcription tool. It is a documentation and billing tool that handles the administrative side — so you can be present with the person in front of you during a session, not with your notebook.
Less admin. More therapy.
TimeInvoicer works offline, stores all data locally on your device, and is GDPR-compliant — no cloud required, no consent headaches. See how it fits into your practice.