November 26, 2025

AI notes for therapists in the EU: GDPR Article 9 and on-device session documentation

Therapy session content is special category health data under GDPR Article 9. Any cloud AI processing it requires an Article 28 DPA and often an Article 46 transfer mechanism. On-device processing keeps session audio on the therapist's device — the only architecture consistent with therapeutic confidentiality and EU data law.

Key takeaways
  • Therapy session content is GDPR Article 9 special category health data — the highest protection tier. Cloud AI processing requires an Article 28 DPA and, for US-hosted tools, an Article 46 transfer mechanism.
  • German DSGVO culture, French CNIL oversight, and Dutch AP enforcement make the cloud transfer question concrete and auditable.
  • On-device processing means session audio stays on the therapist's device — no DPA required for the processing tool, no cross-border data transfer, and the consent explanation to clients is architecturally honest.
  • Multilingual therapy sessions — common in EU expat markets — can be captured and summarised on-device in the client's language with no cloud dependency.

A psychotherapy session generates more documentation than almost any other professional encounter. Progress notes, treatment plans, session summaries, risk assessments, coordination records with referring physicians — all classified as sensitive health data under EU GDPR Article 9, requiring the highest standard of data protection available in European law.

For therapists in private practice across Germany, France, the Netherlands, Sweden, and elsewhere in the EU, the documentation burden follows the same shape as it does globally: sessions are 50 minutes; notes take 20–30; the minutes come from somewhere. What differs from the US context is the regulatory architecture, the professional frameworks, and the specific data sovereignty obligations that make the choice of documentation tool a clinical governance decision.

GDPR Article 9 and therapy data

Psychotherapy session content is special category data under Article 9 of the EU General Data Protection Regulation. Special category data includes information about physical and mental health, which encompasses all clinical content — presenting symptoms, disclosures, diagnostic impressions, treatment response, and risk.

Processing special category data requires either the explicit consent of the data subject (Article 9(2)(a)) or a specific legal basis related to healthcare provision (Article 9(2)(h), subject to professional secrecy obligations). For therapists, both bases may apply: client consent plus the professional obligation of the practitioner.

The critical implication for documentation tools: any cloud service that processes therapy session content — including AI transcription and summarisation tools — becomes a data processor under GDPR Article 28. The practice must enter into a Data Processing Agreement (DPA) with that processor. The processor must operate within the EU data protection framework (or under adequacy decisions or appropriate safeguards for third-country processors). If the processor is US-based — and many AI tools are — Article 46 transfer mechanisms apply.

This is not bureaucratic formality. EU supervisory authorities — CNIL in France, the BfDI in Germany, the Datatilsynet in Denmark and Norway — actively audit compliance with Article 28 obligations for healthcare data processors. A therapist in private practice using a US-hosted cloud AI tool to process session content without a valid DPA and transfer mechanism is non-compliant, regardless of the tool's marketing claims.

The architecture that removes the compliance burden

Kuulo processes everything on-device. Session audio is transcribed and summarised on the iPhone's Neural Engine. Nothing leaves the device.

When no data is transmitted to an external processor, GDPR Article 28 does not apply — there is no processor. The therapist's device processes the audio in the same way a human would write notes while listening: the processing occurs on a tool owned and controlled by the data controller (the therapist), not by a third party.

The remaining GDPR obligations are those that apply to any clinical record: lawful basis for processing (consent or health treatment provision), data minimisation (retain the note, delete the audio), appropriate technical and organisational security measures for the device, and compliance with the patient's access rights under Articles 15–22.

These are obligations the therapist holds regardless of documentation tool. On-device AI processing does not add a layer of processor compliance that requires a separate legal instrument.

Germany: documentation in regulated psychotherapy

In Germany, statutory psychotherapy (Richtlinienpsychotherapie) is reimbursed by Gesetzliche Krankenversicherung (GKV) health insurers, with strict documentation requirements set by the Gemeinsamer Bundesausschuss (G-BA). Private practitioners (Privatpraxis) operate under similar professional obligations under the Berufsordnung of their Kammer.

German psychotherapists report among the highest documentation burdens in Europe: intake assessments, treatment plans submitted to health insurers, session-by-session progress documentation, and termination summaries all generate significant paperwork that extends beyond session time.

The Datenschutz culture in Germany is particularly stringent. German practitioners and their patients are generally more cautious about cloud data processing than practitioners in other markets — a cultural position that aligns with the regulatory requirement and makes on-device processing an argument that resonates professionally as well as legally.

France: the médecin et psychologue libéral context

French private practice psychologists and psychotherapists operating under the titre de psychothérapeute framework carry similar documentation obligations. Patient records (dossier médical) must be maintained in compliance with CNIL guidance on health data.

CNIL has been an active enforcer of health data processing obligations, including against healthcare software providers. The standard expected of a French practitioner processing patient data with a third-party tool is an Article 28 DPA with a processor operating in compliance with French and EU law.

The practical reality for many French private practitioners is that CNIL compliance for cloud processing is difficult to verify independently. On-device processing removes the question: no processor, no DPA required, no CNIL examination of a processor relationship.

The multilingual therapy context

The EU's multilingual therapy context creates a documentation challenge that on-device AI uniquely addresses. A French therapist working with Portuguese-speaking clients, a German therapist working with Turkish-speaking patients, or a Dutch therapist working with English-language expats — all face the same problem: clinical notes must be accurate in the therapist's working language, but the session content may include extended dialogue in another language.

Kuulo's live translation runs on-device, in real time, covering the session's dialogue in the client's language and generating the summary and note in the practitioner's language. No audio in either language leaves the device. For a multilingual clinical context in which the session content is GDPR Article 9 special category data, on-device processing is not just convenient — it is the only compliant architecture for AI-assisted translation.

Documentation, burnout, and direct care time

EU therapists face the same fundamental documentation trade-off as their US counterparts: every hour spent on notes is an hour not spent with clients, not spent in supervision, and not spent maintaining clinical competence.

At 20–30 minutes of documentation per 50-minute session, a full-time private practice generates roughly 500 hours of documentation annually on top of direct care. AI-assisted documentation — producing a draft SOAP or DAP note in 5–8 minutes of post-session review — recovers approximately 350–400 hours per year.

For a psychotherapy practice charging €100–180 per session, those hours represent €35,000–€72,000 in additional clinical capacity annually — or the time to take 8–12 weeks of proper leave without reducing caseload.

The economics of recovering documentation time are compelling everywhere. In the EU, the architecture that recovers the time while maintaining GDPR compliance is on-device, not cloud.

Frequently asked questions

Is AI therapy documentation GDPR compliant in the EU?

With on-device processing, yes. Therapy session audio processed on the therapist's device does not trigger Article 28 (no third-party processor) or Article 46 (no cross-border transfer). Cloud AI tools require both — making them significantly more complex to use compliantly for mental health practitioners.

What makes therapy data special category under GDPR?

GDPR Article 9 classifies data concerning health as special category data requiring heightened protection. Therapy session content — mental health diagnoses, psychological history, trauma disclosures — falls squarely within this definition and requires a specific lawful basis under Article 9(2) for processing.

Can EU therapists use AI notetakers without a DPA?

Only if the tool processes data on-device without transmitting it externally. On-device AI like Kuulo processes session audio locally — no third party receives the data, so no Article 28 DPA is required. This is the only architecture that avoids the DPA obligation entirely.

How does on-device AI help with multilingual therapy sessions?

Kuulo's on-device live translation allows a therapist to conduct sessions in the client's language and receive a structured note in the therapist's working language. No audio in any language leaves the device — directly relevant for EU expat therapy where client and therapist may use different languages.
