Clients trust us (and you) with sensitive information, and from time to time they may ask for that data to be deleted. This article explains how that process works, what you are responsible for, and what you need to do when a deletion request comes in. For more background, you can also refer to our Privacy Policy and our Data Processing Agreement (DPA).
First things first: the GDPR and data deletion
As a Berlin-based platform, the General Data Protection Regulation (GDPR) is the main data protection law that applies to us. It's a comprehensive EU regulation that governs how organisations collect, store, and process the personal data of EU residents. It also grants individuals a number of rights over their data, including the right to access it, correct it, and have it deleted. You can find an overview of these rights in section 9 of our Privacy Policy or in Chapter 3 of the GDPR.
The right most relevant to this article is the Right to Erasure, also known as the "right to be forgotten" (Art. 17 GDPR). This means a client can reach out to It's Complicated (or to you as a therapist) and ask us to delete all the data we hold about them. It doesn't happen very often, but it does happen from time to time.
Handling a deletion request from a client
When a client reaches out to us asking for their data to be deleted, we reply to confirm receipt of the request and let them know that some of their data is controlled by It's Complicated while some is controlled by their therapist. If the client wants all of their data deleted, including data held by their therapist(s), we will automatically notify you by email.
As a data controller for that data, it is then your legal responsibility to comply with the request and delete the client's data. Here is a quick overview of how the full process works:
- The client submits a deletion request to It's Complicated.
- We verify their identity, confirm receipt, and explain the split in data responsibility.
- We delete all platform-level data that we control.
- We notify you by email with a 30-day deadline to act.
- You export any records you need, then delete the client's data from your Client Center.
- We send the client a final confirmation once deletion is complete.
When you receive our email, you will have 30 days to act, starting from the date the client originally submitted their request. In your Client Center, you will find two options for each client: an Export button and a Delete button. We strongly recommend exporting the client's data before deleting it, both to keep a copy for your own records and to ensure you can meet any applicable legal retention requirements. Once you click Delete, all data associated with that client will be permanently removed from the platform.
๐ Important: Deletion is permanent and cannot be undone. Please export the client's data first if there is any chance you will need it later.
Do you have to delete everything?
Not necessarily. Receiving a deletion request does not always mean you are required to delete everything immediately, and in some cases you may be legally obligated to retain certain records for a minimum period after treatment ends.
In Germany, for example, the Musterberufsordnung (MBO) issued by the Bundespsychotherapeutenkammer (Federal Chamber of Psychotherapists) requires therapists to retain patient records for at least ten years after the conclusion of treatment, in line with ยง9 MBO. Similar rules exist in many other countries and may differ depending on your professional background and specialisation. If you are unsure what applies to your situation, we recommend checking with your professional association or a legal adviser. Please note that It's Complicated is not able to provide legal advice on retention obligations or any other legal matters.
Who controls what (and why this matters)
You might be wondering why It's Complicated doesn't just handle all client data and delete everything in one go. The short answer is that it would not be the right approach, neither from a GDPR perspective nor a practical one.
Under the GDPR, It's Complicated acts as the data controller for platform-level data, such as a client's account details, marketing and analytics data, payment records, and general platform usage. You, as the therapist, are an independent data controller for any personal data you collect and process in the context of providing therapy, including session notes, invoices, and clinical records. For certain platform features like our chat and video tools, we therefore act as a data processor on your behalf. This is set out in detail in our DPA.
There are a few reasons why it works this way. Clinical data is created by you, relates directly to your work with a client, and is governed by your professional obligations. It would not make sense for a platform to make decisions about that data on your behalf. Beyond that, with over 2,500 mental health professionals from 60+ countries on our platform, it's simply not possible for us to know and apply every applicable retention rule. Data retention requirements vary not just from country to country, but also between professional groups such as psychologists, psychotherapists, and coaches. You are best placed to know what applies to you and your practice.
Finally, as an independent professional, you should be in control of your own client data. The export and delete tools in your Client Center are designed to give you exactly that, rather than having the platform make those decisions for you.
What if a client contacts you directly?
If a client sends their deletion request directly to you rather than through It's Complicated, just handle it the same way: export what you need and delete their data from your Client Center. Please also let us know at support@complicated.life so we can take care of deleting the platform-level data on our end.
What about deleting your own therapist account?
If you decide to leave the platform and want your account and all associated data fully deleted, you can request this at any time by reaching out to us at support@complicated.life. Once we receive your request, we will work through your client list and trigger a deletion process for each of your clients, notifying each one along the way. After all client data has been handled, we will delete your therapist account and send you a final confirmation email.
Before submitting your request, we'd recommend taking care of a few things first:
- Export any client records you need for your own files.
- Make sure all outstanding invoices have been settled.
- Give your active clients a heads-up so they have time to make alternative arrangements.
Please note: Cancelling your subscription does not automatically delete your account or your data. If you want your account fully removed, please contact us directly.
Still have questions?
For more details on how data responsibility works, please take a look at our Privacy Policy and our DPA. If you have further questions, our support team is always happy to help. You can reach us at support@complicated.life or visit our Help Center.