Choosing video software for therapy: Zoom vs Teams vs Google Meet vs dedicated platforms

Choosing video consultation software is one of the first practical decisions a UK therapist makes when moving work online, and most comparisons focus on call quality. For a UK private practitioner, that is rarely the deciding factor. This article looks at the questions that matter more when you are choosing a secure video platform for therapy: who is contractually responsible for the data, where it is stored, how many systems you have brought into the work, and whether anything is recording or summarising the session without you intending it.

This article is not a feature-by-feature scorecard. There are plenty of those already. What it tries to do is talk through how a UK therapist running an online therapy practice might reasonably choose between the main options for therapy video calls, using the data protection and ethical questions that actually carry weight in private practice. It is a practical companion to the BACP Ethical Framework's expectation that practitioners understand and manage the data protection and ethical implications of the digital tools they use, applied to video specifically.

Why most advice on this topic does not apply in the UK

A lot of the comparison content online is written for an American audience, and it quietly imports the wrong legal model. The recurring theme in US guidance is the Business Associate Agreement, the contract a US healthcare provider signs with a vendor under HIPAA. For a UK practitioner this is not the right reference point, and treating it as one can lead you to the wrong conclusion.

Under UK GDPR the picture is different in a few ways that change how you should weigh up a platform.

There is no single contract that "makes" health data handling compliant, in the way the BAA is often described. Therapy records are special category data under Article 9, which has additional protections. In practice that means the responsibility to identify and document a lawful basis under Article 6 and a condition under Article 9 sits with you. A platform's certifications and encryption support that work, but they do not do it for you.

For those reasons, "Is Zoom GDPR compliant?" is not quite the right question. A platform is not compliant or non-compliant on its own. It is compliant, or not, in the way you have configured and contracted for it. What you are really assessing is whether a given tool gives you the contractual cover, the controls, and the data residency to build a defensible setup, and how much effort that takes.

Two practical points follow for everyone, whichever platform you choose. Most private practitioners processing client records electronically will need to pay the ICO data protection fee. And video work involving sensitive data is the kind of higher-risk processing where a short data protection impact assessment is sensible to carry out and keep on file. Your privacy notice should also reflect the platform you use and where client data goes, which is consistent with the BACP Ethical Framework's guidance on being transparent about the digital tools and services involved in your work.

The gap in free and personal accounts

Before comparing the platforms, one issue is worth raising on its own, because it affects more solo therapists than any other: using the free or personal version of a consumer tool.

The protections that make these platforms suitable for clinical work tend to attach to the paid business tiers rather than to free or personal accounts. The clearest example is a personal Google account, where the free version of Meet and personal Gmail sit outside the Workspace data-processing terms that govern business accounts. Free Zoom and a personal Microsoft account raise the same question in a different form.

The practical implication is straightforward. A therapist running sessions on a free or personal account may not benefit from the business Data Processing Agreement that accompanies commercial subscriptions, may not have data-residency controls, and may not have the admin settings that the business versions provide. The call looks the same. The arrangement underneath it is not. For clinical use, the safer assumption is that you want the paid, business version of whatever you choose, and that you have actively accepted its data-processing terms.

Zoom

Zoom's main strengths are familiarity and a low barrier for clients. Most people have used it, joining is straightforward, and on a reasonable connection the quality is good. If your priority is the smallest possible technical hurdle for clients, that counts for a lot.

On the data side, a paid Zoom account incorporates Zoom's Data Processing Agreement into its terms, and Zoom relies on the EU to US Data Privacy Framework and Standard Contractual Clauses for transatlantic transfers. Keeping in-meeting data within EU or UK data centres is possible, but it is a setting you choose on eligible paid plans rather than a default, so it is worth checking how your account is configured. End-to-end encryption is available, but turning it on disables features such as cloud recording, so much clinical use runs on Zoom's standard encryption rather than full end-to-end encryption.

For completeness, Zoom has had past privacy controversies, including a 2023 change to its terms that appeared to permit using customer content for AI training, which it revised after feedback. The company has since invested heavily in its compliance posture and certifications. The relevant point for a practitioner today is less the history than the configuration: Zoom's AI Companion now ships with paid plans, and practitioners should understand whether it is enabled and whether its use is appropriate for clinical work.

Where it fits: a workable choice for a solo practitioner on a paid plan, with EU or UK residency selected, encryption understood, and AI features reviewed for clinical use. The configuration is on you, and there is a fair amount of it.

Microsoft Teams

Teams makes most sense for a practice that already works inside Microsoft 365. If your email, calendar, and files already sit on a business Microsoft tenant, Teams adds video to an environment you have already contracted for, with Microsoft's processor commitments flowing through the Microsoft Product Terms and Data Protection Addendum, and the EU Data Boundary available to keep data within Europe.

There are trade-offs worth knowing. Teams' end-to-end encryption applies only to one-to-one calls, is off by default, and needs admin configuration to enable, and enabling it disables some features. Depending on your licensing, configuration, and Microsoft 365 retention policies, its AI assistant, Copilot, may retain prompts and responses even when recording and transcription are turned off, which is a detail that surprises people. Teams is also a broad collaboration suite rather than a clinical tool, so it brings more functionality than a solo therapist needs, which means more to configure and govern. For a group practice with someone managing the tenant, that breadth can be useful. For a solo counsellor, it is often more than the task requires.

Where it fits: a reasonable option for group practices already standardised on Microsoft 365 with administrative support. Usually more than a solo practitioner needs.

Google Meet

Meet is the easiest of the three mainstream tools for a client to join. It runs in the browser, needs no download, and asks little of the client. On a paid Google Workspace plan it is a capable option: the Workspace Data Processing Amendment makes Google your processor, and client-side encryption is available on higher tiers for organisations that want to hold their own encryption keys.

One detail matters for a UK practice. Google Workspace's data-region setting lets you pin storage and processing to Europe or the United States, but there is no UK-specific option. For most UK therapists, keeping data in the EU is acceptable, since the EU benefits from a UK adequacy decision, but it is worth being clear that this is EU residency rather than data held in the UK, and being able to say which applies in your privacy notice.

The other caveat is the one from the free-account section above, and it applies sharply here because Meet's free version is so easy to reach for. The Workspace data-processing terms and admin controls apply to business accounts, not to a personal Google account, so a therapist running Meet from a personal Gmail address is not operating under them. It is worth retiring one common worry here: the old claim that Gmail content is scanned to target ads is out of date, as Google stopped that for consumer Gmail in 2017. The real distinction now is contractual rather than about ad scanning. A personal account is simply not covered by the processor terms a business account is. As with the others, Google is building its AI assistant, Gemini, more deeply into Workspace, so the same question applies about what it is doing and whether it is switched off.

Where it fits: a clean, low-friction option on a properly configured paid Workspace plan, with EU residency understood. Not appropriate from a personal Gmail account.

Dedicated and integrated platforms

The fourth option is the one mainstream comparisons tend to skip, and it covers two related but distinct things.

The first is standalone clinical video, such as Doxy.me, VSee, and Whereby Embedded, built for healthcare rather than for office meetings. The appeal is that they strip the session back to a consultation: a client clicks a link, arrives in a named waiting room, and joins, often with no download and no account to create. They usually carry far less of the general-purpose chat and file-sharing you would otherwise have to govern, though some clinical platforms do include their own messaging or document features.

The second is video built directly into a practice management system, where the call runs inside the same system that already holds your diary, client records, notes, and billing. My-Therapy-Suite works this way: the video session is launched from the client's record, and the wider workflow surrounding it, the appointment, the session note, the invoice, stays connected to that record rather than living in a separate app. In practice that changes a few small things that add up. You are not copying a meeting link between calendar, email, and a video tool. There is no separate account for the client to create. And the session and the record sit under a single contract with your software provider, rather than a separate video vendor bolted on alongside everything else. That provider may still rely on specialist sub-processors for the video infrastructure itself, so it is one contractual relationship to understand rather than literally one company touching the data, but it is fewer separate agreements than assembling the tools yourself.

The reason this matters comes back to data minimisation, which is a GDPR principle rather than a preference. Every separate tool you add is another processor to contract with, another list of sub-processors to keep track of, another set of terms to review, and another entry in the kind of risk assessment the BACP Ethical Framework expects you to be able to show for the digital tools you use. Video that is part of a system you already use can remove one of each of those.

There is also the AI question. The mainstream platforms now include general-purpose AI assistants that can record and summarise meetings, and part of the work of using them is ensuring those features remain disabled for sessions. Platforms built specifically for therapy generally do not include a meeting recorder of that kind at all, so there is less to disable and less to monitor. Where a therapy platform does offer AI features, for example help with drafting a session note, they tend to be built around the clinical workflow and under the practitioner's control, rather than an assistant running in the background of the call.

The honest trade-offs: these platforms run smaller ecosystems than Zoom or Google, and a client is slightly less likely to have used the specific tool before, though the click-a-link experience largely removes that as a barrier. Being built for therapists is a useful signal, but it is not a substitute for asking the same questions about data residency and sub-processors that you would ask of anyone, which the questions later in this article set out.

Where it fits: a strong option where reducing the number of separate systems is a priority, and the natural choice if the video can sit inside a clinical system you already use for records and billing.

The four options at a glance

The table below summarises the trade-offs covered above. It is a prompt to shortlist, not a verdict, and the right answer depends on how you already work. Verify the current configuration and terms with each provider before you rely on it.

AI features and note-takers

This is the part of the picture that has changed most recently, and it deserves its own note. We have written about AI note-taking in more depth separately; what follows is the short version as it applies to video.

The mainstream platforms now include AI assistants that can record, transcribe, and summarise calls, and third-party note-takers can join from either side of a session. In an ordinary meeting these are productivity features. In a therapy session they create a transcript of special category data that may be stored somewhere you did not choose and handled by sub-processors you have not assessed. AI transcription is imperfect and can introduce errors or omissions, and an unreviewed summary can become a de facto record. Consent is the harder problem: a client cannot meaningfully agree to a tool they did not know would be there, and raising it mid-session is not a fair position to put them in. Some institutions have already decided not to use these tools in clinical settings for these reasons.

A client's own note-taking app joining the call is the same risk from the other direction, and it is worth a line in your working agreement.

The practical steps are simple. Find the AI features on whichever platform you use, decide whether they are appropriate for clinical work, and ensure they remain disabled where they are not, then confirm the setting holds. Prefer tools that do not enable an AI assistant by default. And make it explicit in your contracting that neither party records, transcribes, or uses AI note-taking without agreement.

Questions worth asking before you rely on a platform

The BACP Ethical Framework expects you to understand how a tool handles client data and to be able to show that you have considered it. A short, consistent set of questions does most of that work, and the answers tell you more than any feature list:

• Will you act as my data processor and sign a Data Processing Agreement?
• Where is my data stored and processed, can it stay in the UK or EU, and is that the default or something I have to enable?
• Who are your sub-processors, and how am I told when they change?
• Is client data used to train AI models?
• Is encryption in transit standard, and is end-to-end encryption available without losing features I need?
• Is any AI summarisation, transcription, or recording on by default, and can I switch it off for my account?
• What is your breach notification process and timescale?
• Can clients join without creating an account or installing software?
• Does this add another system to my practice, or fold into one I already use?

Keeping the answers on file is a reasonable way to show that you have assessed the tool, consistent with the BACP Ethical Framework's guidance on using digital services.

So which should you choose?

There is no single right answer, and the sensible choice depends on how you already work. A solo practitioner on a paid, correctly configured Zoom or Google Workspace plan, with data kept in the UK or EU and AI features switched off, can practise online lawfully and ethically. A group practice already on Microsoft 365 can make Teams work well with proper administration. These are all defensible.

What is worth noticing is the direction of travel. Tighter expectations around data minimisation, more scrutiny of where sensitive data is held, and the steady spread of AI features into mainstream tools all point the same way: towards fewer systems, data held in the UK or EU, a clear line of accountability, and no AI assistant running in the background of a session. The mainstream platforms can be configured to meet that, with attention. Tools built for therapy, whether standalone clinical video or video integrated into the system that holds your records, often start closer to these requirements.

For many practitioners, an integrated platform will reduce the number of separate systems they need to manage. For others, particularly those already invested in Microsoft 365 or Google Workspace, a well-configured mainstream platform may be entirely appropriate. The important question is not which brand you choose, but whether it allows you to meet your professional, ethical, and data protection responsibilities while giving your clients a simple, confidential experience.

Platform terms, data centres and AI defaults change frequently, so confirm the current position with each provider before you rely on it. The principles here are drawn from UK data protection law and professional guidance rather than from any single vendor.