By the Templateez Team · Licensed Attorney · July 2026

How to Collect Client Information Securely (Without Expensive Software)

Last year, a solo immigration attorney in New Jersey told me she found out her intake data had been compromised — not because her office was hacked, but because the free Google Form she used to collect client information was linked to a shared Google Drive folder that had been indexed by a third-party scraping tool. Names, addresses, immigration status, phone numbers — all of it sitting on Google’s servers, accessible through a link that was never supposed to be public. She didn’t even get a breach notification. She found out when a client called asking why their personal details appeared in a data broker’s database.

This is not a rare edge case. It is the predictable outcome of a system designed for convenience surveys being used to collect sensitive client information. And it happens to smart, careful professionals who simply never stopped to ask: where does the data actually go after my client hits submit?

The Architecture Problem Nobody Talks About

When a client fills out a Google Form, a Typeform, or a JotForm submission, here is what actually happens: their data leaves their device, travels across the internet, and lands on a server owned by a company your client has no relationship with. That data then sits in a database — alongside millions of other submissions from other users — protected by whatever security measures that company has implemented. You are trusting a third party not just to store the data, but to encrypt it properly, patch their servers promptly, restrict employee access, and comply with regulations they may not even be subject to.

Google Forms stores submissions in Google Sheets on Google’s servers. Typeform stores them on AWS infrastructure managed by a company headquartered in Barcelona. JotForm stores data on servers they describe as being in “multiple locations.” None of these platforms were designed for regulated industries. They were designed for event RSVPs, customer feedback surveys, and marketing lead capture. The fact that attorneys, therapists, and medical practitioners use them for client intake does not make them appropriate for that purpose — it just means the breach hasn’t happened to you yet.

Compare that to a fillable PDF. When a client opens a PDF intake form on their computer, types in their information, and saves it, the data never leaves their machine until they deliberately send it to you. There is no server. There is no cloud database. There is no third-party company storing a copy. The file exists on the client’s device and, once transmitted to you, on yours. That is it. The attack surface is reduced from “every server between your client and a SaaS company’s database” to “the two computers that are supposed to have this information anyway.”

The HIPAA Question That Should Keep You Up at Night

If you are a healthcare provider — or any professional who handles protected health information — this is not just a best-practices discussion. It is a compliance one. HIPAA requires a Business Associate Agreement (BAA) with any entity that stores, processes, or transmits PHI on your behalf. Google will sign a BAA for Google Workspace, but not for the free consumer version of Google Forms that most small practices use. Typeform does not offer a BAA at all on their standard plans. JotForm offers HIPAA compliance only on their Enterprise tier, which runs north of $100 per month.

So here is the math that a therapist in private practice faces: pay $100–$200 per month for a HIPAA-compliant intake platform (that is $1,200–$2,400 per year), or use a fillable PDF intake form that costs a one-time $19.99 and never touches a third-party server. The PDF approach does not just save money. It eliminates an entire category of regulatory risk. There is no BAA needed because there is no business associate. The data stays between the provider and the patient.

I should be clear: a fillable PDF is not a complete HIPAA compliance program. You still need encrypted email, proper file storage, workforce training, and a written security policy. But removing the third-party server from the equation removes the single biggest variable you cannot control. I have written more about this in our guide to handling sensitive information on intake forms.

The “Good Enough” Security Trap

The most dangerous phrase in data security is “it’s probably fine.” I hear it constantly. A financial planner who collects Social Security numbers and bank account details through a Typeform because “it uses HTTPS.” A personal injury attorney who stores client medical records in a shared Dropbox folder because “it’s password protected.” A general contractor who emails unencrypted client contracts with home addresses and project budgets because “nobody would bother hacking a small business.”

HTTPS encrypts data in transit. It does nothing to protect data at rest on the form provider’s server. Password protection on a cloud folder does not prevent the cloud provider’s employees — or a breach of the cloud provider — from accessing your files. And small businesses are not too small to hack; they are specifically targeted because they tend to have weaker security. According to Verizon’s Data Breach Investigations Report, 43% of cyberattacks target small businesses. You are not invisible. You are easy.

The standard for “good enough” is not whether you have been breached. It is whether you could explain your data handling practices to a licensing board, a judge, or an angry client’s attorney and have them nod along. “I sent client Social Security numbers through an unencrypted web form stored on a server in Barcelona” is not going to get that nod.

What Secure Intake Actually Looks Like (Without a Monthly Bill)

Secure client intake does not require a six-figure IT budget or a monthly SaaS subscription. It requires making deliberate choices about where data lives. Here is a practical workflow that works for solo practitioners and small firms across any profession:

Step 1: Use fillable PDFs instead of web forms. A well-designed intake form in PDF format lets your client type directly into structured fields, save the file locally, and send it to you. No data touches a third-party server. Our forms are password-protected with fill-and-print permissions enabled and editing locked — meaning clients can fill them out and print them, but cannot alter the form structure or fields.

Step 2: Establish an encrypted transmission channel. Email is the weak link in most intake workflows. Standard email is not encrypted end-to-end. The simplest fix for most small practices is a secure file-sharing service like Tresorit, SpiderOak, or even a properly configured OneDrive or Google Drive link with restricted access. If you practice in a HIPAA-regulated field, use a service that signs a BAA. The important thing is that the file is encrypted both in transit and at rest — and that you control the storage, not the form provider.

Step 3: Store completed forms in an encrypted local or firm-managed location. Once you receive a completed intake PDF, store it where you would store any other client file — your case management system, an encrypted local drive, or a firm-managed cloud storage with proper access controls. The difference between this and a SaaS intake form is that you are choosing the storage. You control the encryption. You control the access. You are not hoping that some form company you have never met is doing those things on your behalf.

This workflow costs you the one-time price of the intake form — whether that is a financial planning intake set, a general contracting intake set, or any of our 164 profession-specific templates — plus whatever you are already paying for file storage. There is no per-month charge. No per-submission fee. No tiered pricing that spikes when you grow. For a deeper comparison of the intake software approach versus the PDF approach, take a look at our breakdown of intake form software vs. PDF templates.

Client Trust Is a Competitive Advantage

There is a softer dimension to this that does not show up in compliance checklists but matters enormously in practice: clients notice how you handle their information. When a prospective client fills out a Google Form, they see Google’s branding. They know their data is going to Google. Some of them care about that — especially clients who are already in a vulnerable position, like someone filing a personal injury claim or disclosing medical history to a new provider.

When you send a client a clean, professionally branded PDF intake form, they see your practice. They fill it out on their own computer. They send it directly to you. The implicit message is: “Your information stays between us.” That is a trust signal that no amount of SaaS branding can replicate. I have had attorneys tell me they switched to PDF intake forms not because of a security scare, but because clients asked why their law firm was using Google Forms. The question itself was the problem — it seeded doubt about professionalism before the relationship even started.

What About E-Signatures and Digital Consent?

A common objection to PDF-based intake is that web forms can capture e-signatures and consent acknowledgments inline. That is true — and it matters for questionnaires that need a client’s signature. But intake forms and client questionnaires serve different purposes. An intake form is an internal business document — it captures the information you need to open a file, assess a case, or begin a project. It does not need a client signature. A client questionnaire, on the other hand, often includes consent language, acknowledgments, and a signature block. Both work perfectly well as fillable PDFs. The questionnaire can include a signature field that the client completes digitally or by printing, signing, and scanning.

If you need true e-signature functionality with an audit trail, use a dedicated e-signature service like DocuSign or HelloSign for the specific documents that require it — not as your intake data collection tool. Using DocuSign to collect intake data is like using a dump truck to deliver groceries. It works, but you are paying for capacity and complexity you do not need. For more on protecting sensitive data throughout the entire intake process, see our guide on intake forms and data privacy for small businesses.

The Bottom Line

The security calculus for client intake is simpler than the software industry wants you to believe. Every server that touches your client’s data is a server that can be breached. Every third-party platform that stores submissions is a third party that needs a BAA, a data processing agreement, or at minimum a hard look at their security posture. Every monthly subscription you pay for a HIPAA-compliant intake form is money spent solving a problem that does not need to exist.

Fillable PDFs are not a workaround or a budget compromise. They are architecturally simpler, inherently more private, and orders of magnitude cheaper than the SaaS alternative. The data stays on the devices that are supposed to have it. There is no third-party server to breach, no database to scrape, no vendor to vet. For solo practitioners, small firms, contractors, and healthcare providers who take client privacy seriously, that is not a limitation — that is the point.

Ready to Upgrade Your Intake Process?

Browse 164 profession-specific intake form sets designed by a licensed attorney.

Browse All Forms