HowTo

How to Protect Client Data in Your Spiritual Practice: GDPR and Security Guide

Spiritual beliefs are GDPR special category data. Notion uses US servers by default. Consent, storage choices, and deletion rules for practitioners.

A client's natal chart contains their birth date, birth time, and birth city. Their reading transcript contains their fears, relationship history, health anxieties, and spiritual beliefs. You store this across Notion, Google Drive, a scheduling app, and your email platform - each on servers you don't control, governed by terms you didn't fully read.

For practitioners in the EU or serving EU clients, this is not just an ethical consideration. Spiritual and religious beliefs are classified as special category data under GDPR Article 9 - the same category as health data and sexual orientation. The consent requirements are stricter. The penalties for mishandling are steeper (up to 4% of global turnover or EUR 20 million, whichever is higher). And the "I didn't know" defense does not work.

For practitioners outside the EU: even if GDPR doesn't directly apply, the framework is the most rigorous available and forms a practical baseline for responsible client data management.

Sources: gdpr-info.eu/art-9-gdpr/ (official GDPR text); photes.io/blog/posts/obsidian-vs-notion (2026); luniq.io/en/resources/blog/descript-vs-otterai-vs-firefliesai-ai-transcription-for-consultant-meetings-in-2026 (2026).

What Data You're Actually Holding

Before thinking about where to store data, map what you're collecting:

Category A - Standard personal data (GDPR Article 6): Name, email, phone number, time zone, payment records. Requires a legal basis (contract, consent, or legitimate interest). Most practitioners have this.

Category B - Special category data (GDPR Article 9): Birth data used for astrological analysis (date, time, location), spiritual beliefs and practices, personal disclosures about mental/emotional state during readings, religious affiliations. Requires explicit written consent, not just a checkbox.

A natal chart intake form collects Category B data at the moment of form submission. A session transcript contains Category B data. The threshold for what counts as "philosophical beliefs" under GDPR is interpreted broadly - astrological interpretation of life events, numerological belief systems, and spiritual guidance all fall within it.

What this means practically: Your consent process needs to explicitly mention that you collect and process data related to astrological/spiritual beliefs, explain how it's used, and give clients a genuine choice to decline.

Step 1: Build an Explicit Consent Process

Your intake form is the right place to collect consent. An example clause that covers special category data:

> "I collect the information you provide (name, birth details, and any personal context you share) to prepare and deliver your reading. This may include data relating to your astrological profile and personal beliefs, which is protected as special category data under GDPR. I store this securely, use it only for your reading and follow-up, and will delete it within [30/90/365] days unless you request otherwise. You can request deletion at any time by emailing [your address]."

This is not legal advice for your specific jurisdiction. But it's more compliant than a generic "I agree to the terms" checkbox.

For practitioners using Dubsado, HoneyBook, or 17hats for intake: add this consent language as a required acknowledgment field in your intake form. For Typeform or JotForm: use a required checkbox with this text.

Step 2: Choose Where to Store Client Data

Where your data lives determines your risk exposure.

Notion: Stores data on US-based servers by default. Notion has signed EU Standard Contractual Clauses (SCCs), which provide a legal mechanism for EU data transfer, but US servers mean the data is subject to US law (including FISA requests). For EU practitioners or those with many EU clients, this is a known risk. Notion Business ($18/user/month annual) includes an EU Data Residency option - data stays in EU data centers. On the $12/month Plus tier, data is held on US servers only.

Google Workspace: EU Data Residency is available from Business Starter ($6/user/month annual). Requires opting in to the data region setting explicitly - it does not happen automatically.

Obsidian: Data stored locally on your device by default. Nothing on external servers unless you enable Obsidian Sync (end-to-end encrypted, $60/year). For practitioners who want zero third-party data exposure, Obsidian + local storage is the most private viable option. The tradeoff is no real collaboration and no access from multiple devices without Sync.

Spreadsheets (Excel, Numbers): Locally stored. Same privacy as Obsidian. Sufficient for simple client history tracking if you're not processing large volumes.

CRM tools (Dubsado, HoneyBook, 17hats): All US-based cloud services. Review their DPAs (Data Processing Agreements) if GDPR compliance matters to your practice. Most major tools have DPAs available on request or in their legal documentation.

Step 3: Handle Session Recordings Carefully

If you record sessions using Fireflies or Otter.ai, you are storing special category data on a third-party US server - the transcript contains spiritual disclosures and personal context.

Minimum practice:
- Get explicit verbal (and ideally written) consent before recording
- In two-party consent US states (California, Florida, Illinois, Massachusetts, Maryland, Washington, others), verbal consent before recording is legally required
- In the EU, GDPR requires explicit consent for recording - the bot appearing in the meeting room is notice, not consent
- Set a retention schedule: delete recordings and transcripts after 30 or 90 days unless there is a specific reason to keep them
- Document that consent was obtained (a note in your CRM or a timestamped confirmation email)

Sources: gdpr-info.eu/art-9-gdpr/; luniq.io blog (2026).

Step 4: Have a Deletion Process Ready

GDPR Article 17 (Right to Erasure) gives EU clients the right to request that you delete all their personal data. You must comply within 30 days.

This sounds simple until you realize how many places client data lives:

- Email platform (Kit, Mailchimp, Beehiiv): unsubscribe + delete contact record
- CRM (Dubsado, HoneyBook, 17hats): delete client file
- Scheduling tool (Calendly, Acuity): delete booking history
- Cloud storage (Notion, Google Drive, Dropbox): delete all documents containing their data
- Transcription tool (Fireflies, Otter): delete recording and transcript
- Payment processor: check retention requirements - Stripe legally requires retaining transaction records for a period even after deletion requests

The practical solution: maintain a simple "client data map" - a private note listing every tool where each client's data exists. When a deletion request comes in, you have a checklist rather than trying to remember from scratch.

Note on payment records: Tax law in many jurisdictions requires retention of payment records for 5-7 years. You can delete personal data while retaining only the financial transaction record (amount, date, anonymized identifier). This satisfies both GDPR and tax law simultaneously.
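One way to turn the "client data map" and the payment-record split into a repeatable routine, as an added example that is not part of the original guide: the tool list, client id, and payment record below are constructed sample data, and the 30-day window is the one the guide cites.

```python
# Added example (not from the original guide): a minimal "client data map" that turns an
# erasure request into a per-tool deletion checklist, computes the 30-day deadline, and
# anonymises payment records so only amount/currency/date and an opaque id remain.
import secrets
from datetime import date, timedelta

# Constructed sample: which tools hold data for which client (the guide's "client data map").
CLIENT_DATA_MAP = {
    "client-001": {"Mailchimp": "contact record", "Dubsado": "client file",
                   "Calendly": "booking history", "Notion": "reading notes page",
                   "Fireflies": "recording + transcript", "Stripe": "payment records"},
}

# Tools whose records must be retained for tax law, so they are anonymised rather than deleted.
RETAIN_FINANCIAL = {"Stripe"}

# Fields that identify the person; these are stripped from any retained financial record.
PERSONAL_FIELDS = ("name", "email", "phone", "birth_date", "birth_time", "birth_city")


def erasure_deadline(received_iso: str, window_days: int = 30) -> str:
    """Last day to complete the deletion, counted from the date the request arrived."""
    received = date.fromisoformat(received_iso)
    return (received + timedelta(days=window_days)).isoformat()


def deletion_checklist(client_id: str) -> list[str]:
    """One actionable line per tool: 'anonymise' for retained financial records, else 'delete'."""
    tools = CLIENT_DATA_MAP.get(client_id)
    if tools is None:
        raise KeyError(f"no data map entry for {client_id}")
    return [
        f"{'anonymise' if tool in RETAIN_FINANCIAL else 'delete'}: {tool} ({what})"
        for tool, what in sorted(tools.items())
    ]


def anonymise_payment_record(record: dict) -> dict:
    """Drop personal fields and the client link; keep amount/currency/date under a random id."""
    kept = {k: v for k, v in record.items() if k not in PERSONAL_FIELDS and k != "client_id"}
    # A random token rather than a hash of the email, so the record cannot be re-linked to the person.
    kept["anonymous_id"] = secrets.token_hex(8)
    return kept


if __name__ == "__main__":
    print("deadline:", erasure_deadline("2026-03-01"))
    for line in deletion_checklist("client-001"):
        print(line)
    sample = {"client_id": "client-001", "name": "A. Example", "email": "a@example.test",
              "amount": 120.0, "currency": "EUR", "date": "2026-02-10"}
    print(anonymise_payment_record(sample))
```

Keep the real map in a private, locally stored note; the checklist it produces is the record you keep alongside the client's deletion confirmation.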

Step 5: Secure How You Share Information

Common weak points:

Email: Natal chart reports, reading notes, or sensitive client information sent via regular email are not guaranteed to be encrypted in transit. Use services that encrypt mail in transit (most major providers do this) and consider using ProtonMail or Tutanota for sensitive practitioner-client correspondence.

Client portals: If you share reading documents through a client portal (Notion, Google Drive, HoneyBook), use expiring share links rather than permanent URLs. An email forwarded two years later could expose client data to the wrong person.

Shared devices: If you use a shared computer or tablet for sessions, use a separate browser profile for client work. Don't leave CRM windows open on shared screens.

Checklist: Minimum Data Protection for Spiritual Practitioners

- [ ] Intake form includes explicit consent for special category data (astrological/spiritual beliefs)
- [ ] Privacy notice published on website explaining what data you collect and why
- [ ] Deletion request procedure defined and documented
- [ ] Session recording consent obtained before recording begins (verbal + written)
- [ ] Client data map maintained (which tools hold which client's data)
- [ ] Retention schedule set: how long you keep reading notes, transcripts, intake forms
- [ ] Payment records separated from personal data for archiving

For related tools and decisions, see GDPR and cookie consent for spiritual businesses, legal disclaimers for readings, and automating client onboarding.

Frequently Asked Questions

Do I need a formal Privacy Policy on my website?

If you collect any personal data from website visitors - including an email signup form, a contact form, or a booking widget - yes. In the EU, a Privacy Policy is required under GDPR. In the US, it's required if you have a California audience (CCPA) and is good practice everywhere. Most website builders (Squarespace, WordPress, Webflow) have Privacy Policy template generators that produce a starting point. Review it for accuracy before publishing.

Does birth data (date, time, location) count as special category data?

In most EU jurisdictions, birth date and location alone are not special category. They become special category when processed in combination with astrological or spiritual interpretation - when you use them to derive information about someone's philosophical or spiritual orientation. A natal chart reading crosses that line. The intake data plus the reading notes together constitute special category processing.

Can I store client data in the US if I'm an EU practitioner?

Yes, with appropriate safeguards. EU Standard Contractual Clauses (SCCs) provide the legal mechanism for data transfer from the EU to the US. Most major SaaS tools (Notion Business, Google Workspace, HubSpot) have signed SCCs and publish their DPAs. You as the data controller must verify this before using any US-based tool with EU client data.

What happens if a client asks me to delete their data and I don't have a system?

The 30-day window to comply is mandatory under GDPR. Missing it is a violation. If you don't have a system: when a request comes in, immediately go through every tool you use and document what you find and delete. Then build the checklist described above so the next request takes 30 minutes instead of 3 hours.

Should I use Obsidian or Notion for client notes from a privacy standpoint?

Obsidian with local storage keeps data entirely on your device. Notion stores on cloud servers (US by default, EU optional on paid plans). If you have EU clients and strict GDPR compliance is a priority, Obsidian's local storage model carries less regulatory risk. If you value access from multiple devices and collaboration over pure privacy, Notion Business with EU Data Residency is the workable cloud option.