How Long to Keep Client Records as a Spiritual Practitioner: GDPR Data Retention Rules in 2026
GDPR requires that data be kept only as long as necessary. Retention periods for readings, invoices, and birth data - and erasure rules for EU clients.
A client books a birth chart reading in 2023. You keep their name, date of birth, time, and place in a spreadsheet. In 2026 they have not returned. Are you legally required to delete that data? Under GDPR, the answer is probably yes - but the precise timeline depends on what type of record it is, what jurisdiction you are in, and whether there is a competing legal obligation to retain it.
This guide covers retention schedules by data type, the right of erasure under GDPR Article 17, and practical tools for managing deletion without breaking your tax records. It is distinct from the birth data privacy guide (which covers data minimization and consent at collection) and the protect client data guide (which covers security and access control).
The Core GDPR Rule: Storage Limitation
GDPR Article 5(1)(e) establishes the storage limitation principle: personal data must be kept in a form that permits identification of the data subject "for no longer than is necessary for the purposes for which the personal data are processed." Source: gdpr-info.eu/art-5-gdpr/ (official GDPR text).
The principle does not set a universal number. It says: when the purpose ends, delete the data. For a spiritual practitioner, purpose ends when the client relationship ends - unless a separate legal obligation (tax law, for example) requires retention.
Two things can extend retention legally:
1. An ongoing relationship with the client (the purpose continues).
2. A competing statutory obligation - for example, tax laws requiring retention of invoices.
Retention Periods by Data Type
| Data type | Minimum retention | Maximum (GDPR) | Action at maximum |
|---|---|---|---|
| Invoices and payment records | Per local tax law (5-10 years) | Per local tax law | Archive, then delete |
| Session notes and readings records | None (no legal minimum) | While purpose exists + ~2 years | Delete on schedule |
| Birth data (name, date, time, place) | None (no legal minimum) | While purpose exists | Delete when client relationship ends |
| Email consent records | Duration of active consent | Until erasure request | Delete within 30 days of request |
| Unsubscribe / suppression records | Indefinitely | Indefinitely (legitimate interest) | Never delete from suppression list |
| Backup copies | N/A | Same as live data | Purge within next backup rotation |
Each row is explained in the sections below.
Invoices and Payment Records
Invoices are the most constrained data type. Local tax law in most EU member states imposes a minimum retention period for financial records - and GDPR explicitly does not override statutory tax obligations. Specific minimums by jurisdiction (Source: European Commission GDPR principles; national tax authority guidance):
- Germany (HGB §257): 10 years for accounting records.
- UK (HMRC): 5 years after the January 31 deadline of the relevant tax year for self-assessment records.
- Spain: 6 years for commercial records; 4 years for tax records.
[VERIFY] Your specific jurisdiction's minimum. These figures are illustrative from cited sources - confirm with your local tax authority or accountant before setting a deletion schedule.
The practical implication: you cannot delete an invoice because a client invokes their right to erasure, if that invoice falls within your statutory retention window. You can delete other records about that client (session notes, birth data, personal details) while retaining the invoice.
Session Notes and Reading Records
Session notes, reading transcripts, and intake form responses have no EU-wide statutory minimum retention period - unlike medical records, which carry clear minimums in most member states. This is favorable for practitioners: it means the maximum applies, not a mandated minimum.
Best practice: retain for the duration of the active client relationship, plus 2-3 years for dispute resolution (if a client disputes a session detail or a charge). After that window, delete.
If a client has had no contact for 2 years, their session notes have no ongoing purpose. Delete them. A scheduled annual review of inactive client folders - flagging any with no activity in 24 months - is a compliant approach.
[VERIFY] If your practice is positioned as "life coaching" or any adjacent therapeutic service, check whether your member state imposes longer retention minimums for coaching notes. Most do not, but the category edge is worth confirming locally.
Birth Data: Name, Date, Time, and Place of Birth
Birth data - name, date of birth, time of birth, and place of birth - is personal data under GDPR (it can identify a natural person). It is generally not classified as special category data under Article 9 unless combined with health information or religious data. Source: gdpr-info.eu/art-9-gdpr/ (special categories list).
This means standard GDPR storage limitation rules apply: retain only as long as necessary. When the reading is complete and the client relationship is inactive, delete the birth data. Keep only what is needed for invoicing (a name and payment reference), not the full birth chart input data.
For the full framework on collecting and handling birth data at intake, including lawful basis and consent wording, see the birth data privacy GDPR guide.
Email Subscriber Records
Retain subscriber records as long as consent is active and the subscriber has not unsubscribed or requested erasure.
Right of erasure (GDPR Article 17): a subscriber can request full deletion at any time. The practitioner must action the request within 30 days. Source: gdpr-info.eu/art-17-gdpr/.
One important nuance: do not delete the email address of someone who has unsubscribed from your marketing list. Keep it on a suppression list - a record of addresses that must not be re-added. Deleting the record entirely risks re-subscribing that person if their email re-enters your system from a new form submission. Suppression list retention is a legitimate GDPR purpose (preventing re-contact of people who have opted out).
Backup Copies
GDPR applies to backup copies. If a client requests erasure and you delete their data from your live system, you are also obligated to delete it from backups - or ensure it is inaccessible / overwritten within a defined rotation window.
The practical approach: a rolling 30-day backup window. Data deleted from the live system will be purged from backups within the next backup rotation cycle. This is compliant and operationally manageable. An indefinitely retained backup containing deleted client data is a GDPR exposure.
For the infrastructure side of backup management for a spiritual practice, see the GDPR cookie consent guide for related compliance context.
The Right of Erasure Under Article 17
Any client can invoke the right to be forgotten at any time. When they do, you must:
1. Delete all personal data held about them within 30 days.
2. Retain only what a legal obligation requires (invoices within tax retention window).
3. Confirm deletion to the client in writing.
You cannot refuse erasure because it is inconvenient. You can refuse if a legal obligation requires retention - for example, an invoice within the statutory tax window. In that case, inform the client which records you are retaining and why, and delete everything else.
Session notes, birth data, intake form responses, and personal details beyond the minimum for invoicing are all deletable on request. The invoice itself and payment reference are not, if they fall within your statutory retention period.
Practical Tools for Managing Retention
Retention management does not require expensive software. Approaches that work for small practices:
- Notion: Create a "Client Records" database with a "Last Active" date field and a "Delete By" calculated field (Last Active + 2 years). Run a monthly filter to find records due for deletion. Review and purge quarterly.
- Airtable: Same logic - a "Delete By" date field and a filter view showing records past that date.
- Dubsado or HoneyBook: Neither platform has native retention scheduling as of 2026. Export client data annually, review for inactive records, and delete manually from the platform.
- Google Workspace (Business/Enterprise): Google Vault supports retention policies with auto-delete after a set period. This handles Gmail and Drive records automatically.
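The "Delete By" logic described above, together with the Article 17 erasure steps from the previous section, can be written down as a small scheduler. This is an added example, not code from the guide or from any of the tools it names; the 2-year dispute buffer and the per-jurisdiction tax years are assumptions taken from the figures on this page and should be confirmed locally.

```python
from datetime import date

# Windows from the guide's table; the 2-year buffer and tax years are assumptions, confirm locally.
DISPUTE_BUFFER_YEARS = 2
TAX_RETENTION_YEARS = {"DE": 10, "UK": 5, "ES": 6}
REVIEW_DATE = date(2026, 1, 15)  # date of the scheduled review in this example

def add_years(d, years):
    """Add whole years to a date, falling back to 28 Feb for a 29 Feb start."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def delete_by(record, jurisdiction):
    """Earliest date a record may be deleted, or None if it is kept indefinitely."""
    kind = record["type"]
    if kind == "suppression":            # opt-out list: legitimate interest, never delete
        return None
    if kind == "invoice":                # statutory tax window overrides GDPR erasure
        return add_years(record["date"], TAX_RETENTION_YEARS[jurisdiction])
    if kind in ("session_notes", "birth_data"):   # purpose ended + dispute buffer
        return add_years(record["last_active"], DISPUTE_BUFFER_YEARS)
    raise ValueError(f"unknown record type {kind!r}")

def audit_due(records, jurisdiction, today):
    """Scheduled review: records whose Delete By date has passed."""
    return [r for r in records
            if delete_by(r, jurisdiction) is not None and delete_by(r, jurisdiction) <= today]

def erasure_request(records, jurisdiction, today):
    """Article 17 request: delete everything except what a legal obligation still requires."""
    delete, retain = [], []
    for r in records:
        if r["type"] == "suppression":
            retain.append((r, "suppression list prevents re-contact after opt-out"))
        elif r["type"] == "invoice" and delete_by(r, jurisdiction) > today:
            retain.append((r, f"statutory tax retention until {delete_by(r, jurisdiction)}"))
        else:
            delete.append(r)
    return delete, retain

# Constructed sample: the guide's 2023 birth-chart client who has not returned since.
RECORDS = [
    {"id": 1, "type": "birth_data", "last_active": date(2023, 3, 10)},
    {"id": 2, "type": "session_notes", "last_active": date(2023, 3, 10)},
    {"id": 3, "type": "invoice", "date": date(2023, 3, 10)},
    {"id": 4, "type": "suppression", "date": date(2024, 2, 29)},
]
```

Running `audit_due(RECORDS, "DE", REVIEW_DATE)` flags the birth data and session notes, while `erasure_request` keeps the invoice (with the date it becomes deletable) and the suppression entry, matching the three-step process above.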
The legal disclaimers guide covers what disclosures to include in session agreements; a data retention clause is worth adding there: state how long you keep session records and how clients can request deletion.
Break-Even and Cost Framing
GDPR compliance for a solo practitioner is not a software purchase - it is a time investment. A realistic annual audit takes 2-3 hours:
```
Annual retention audit time: ~2 hours
Practitioner hourly rate: $75
Opportunity cost: ~$150/year
Cost of a GDPR fine for inadequate data handling:
Up to 4% of annual global turnover, or EUR 20 million - whichever is higher
(GDPR Article 83(5))
ROI of 2-hour annual audit: very high
```
For a solo practitioner earning $50,000/year, 4% of turnover is $2,000. A fine is unlikely for a first-time accidental breach if you demonstrate a good-faith compliance effort - but the audit time is small compared to the exposure.
Frequently Asked Questions
How long should I keep a client's birth chart data after their reading?
For as long as the client relationship is active, plus a buffer of 1-2 years for dispute resolution. If a client has had no contact for 2 years, delete their birth data - name, date, time, and place of birth. Retain the invoice (not the birth details) for your statutory tax period. If the client returns, collect the data again at intake.
Can a client demand I delete their invoice?
No, if the invoice falls within your statutory tax retention period. In Germany, that is 10 years. In the UK, 5 years from the relevant tax year deadline. In Spain, 4-6 years depending on record type. Inform the client which records you retain and why. Delete everything else.
Do GDPR retention rules apply to practitioners outside the EU?
GDPR applies whenever you process data of EU residents, regardless of where you are based. A practitioner in Argentina or the US who serves EU clients is subject to GDPR for those clients' data. The enforcement risk is higher for larger businesses, but the legal obligation exists regardless of practitioner location.
What counts as a "purpose" that justifies keeping client data?
Active engagement: booked appointments, open invoices, ongoing coaching programs, or a subscription. Once all of those are closed and the client has had no contact for your defined window (typically 2-3 years for dispute resolution purposes), purpose has ended and deletion is required.
Does GDPR apply to paper records, not just digital files?
Yes. GDPR applies to both digital and structured paper records (filing systems organized by individual). Unstructured paper notes (a notepad with scattered jottings) are generally outside scope. A client folder organized by name is in scope. Shred paper records following the same schedule as digital deletion.
