
Mental Health Apps Are Not Bound by HIPAA

A 2025 study found 87% of mental health apps have serious privacy vulnerabilities. BetterHelp paid $7.8M for sharing your feelings with Meta.

When someone opens a therapy or wellness app and starts writing, they’re sharing things they might not tell their doctor, their partner, or their closest friend — anxiety about their job, fears about a relationship, thoughts about their own mental state that feel too fragile to say out loud.

Most people making that disclosure assume it’s protected. That health information shared in a health context is private the way medical records are private. That assumption is almost always wrong.

Mental health apps are not, by default, covered by HIPAA. The protections most users expect are largely absent. And the data generated in these apps falls into one of the most sensitive categories of personal information that exists.


The HIPAA Myth

HIPAA — the Health Insurance Portability and Accountability Act — is the US law that governs how health information is protected. It applies to “covered entities”: healthcare providers, health plans, and health clearinghouses, as well as their “business associates.”

A therapy app is a covered entity only if it provides healthcare services through a licensed provider. If an app connects you with a licensed therapist, the therapist-patient communications are covered by HIPAA. If the app is a self-guided mental health tool, a mood tracker, a journaling product with wellness features, or a meditation app — the category covering the vast majority of the mental health app market — it’s almost certainly not covered.

This gap is vast. The mental health app market reached approximately $8.4 billion in 2025. The overwhelming majority of products in that market are self-guided apps with no licensed provider relationship, subject only to their own privacy policies and whatever consumer privacy laws apply in the user’s jurisdiction.

In practice, this means the most sensitive personal information most people ever generate — mood logs, crisis check-ins, anxiety self-assessments, descriptions of symptoms, records of medication — can be:

  • Shared with advertising platforms for behavioural targeting
  • Sold to data brokers who aggregate it with other records
  • Used for AI model training
  • Disclosed to law enforcement under a subpoena without the procedural protections HIPAA mandates
  • Inherited by an acquiring company with different data practices

None of this requires the app to do anything illegal. It requires only that the privacy policy permits it — which most do.


The BetterHelp Case

The most documented example of mental health app data misuse came from the FTC’s 2023 enforcement action against BetterHelp.

BetterHelp collected sensitive personal information through its onboarding process: whether users had previously been in therapy, what they were seeking help for, whether they had self-identified conditions. This information was shared with Meta (Facebook), Snapchat, Criteo, and Pinterest — where it was used to target advertising at users and people with similar profiles.

The FTC’s complaint was specific: BetterHelp had explicitly told users that their health information “would never be used for advertising purposes or disclosed for other purposes without prior consent.” Then it was.

The settlement was $7.8 million. Affected users received refunds. BetterHelp was prohibited from future sharing of health data with advertising platforms. The company continued operating; the settlement was a fraction of its revenue.

What the case established is not that BetterHelp was an unusual bad actor. It’s that the gap between what users believe about health app privacy and what’s actually happening is large enough to produce a major federal enforcement action. BetterHelp’s mistake was making explicit privacy promises while violating them. Many apps make no such promises at all.


The 87% Finding

A 2025 study examined hundreds of mental health apps and found that 87% had serious privacy vulnerabilities. The specific vulnerabilities varied — insecure data transmission, permissive sharing with third parties, weak or absent encryption, vague terms of service that permit broad data use — but the pattern was consistent across apps of different sizes and types.

Mental health apps have, in aggregate, weaker privacy protections than other app categories. There are structural reasons for this.

Many mental health apps are built by small teams, often by founders with backgrounds in psychology or wellness rather than security engineering. Privacy infrastructure — encryption, data minimisation, access controls, vendor management, incident response — requires technical expertise and ongoing investment. Small teams with limited resources cut corners in ways that larger companies often don’t.

The apps that succeed in the market tend to be those with the best user experience and the most compelling AI features, not the best privacy architecture. App store reviews don’t cover encryption practices. Consumer decisions are rarely informed by a close reading of privacy policies.

And the data these apps collect is particularly valuable to the marketing and insurance industries, creating financial incentives to find interpretations of privacy policies that permit broader sharing than users would expect or accept if asked directly.


The AI Features Trade-Off

The newest generation of mental health apps emphasises AI features: pattern recognition across mood entries, personalised insights, predictive alerts, journaling prompts calibrated to your history, conversational interfaces that feel therapeutic. These features are genuinely useful for many users.

They also require the app to process your mental health data in ways that introduce additional privacy exposure.

AI features that run on servers require your data to leave your device. If the app uses a third-party AI provider — which most do, given the cost and complexity of running large language models — your mental health data goes to that provider for inference. The terms governing that sharing are between the app and the AI provider. You are not party to that agreement, and the AI provider’s privacy policy applies to your data once it’s there.

The most intimate data — crisis check-ins, descriptions of symptoms, accounts of trauma, thoughts during a difficult period — may pass through this pipeline. Whether it does, and under what terms, is typically not disclosed in any form accessible to a non-lawyer.

There’s a version of AI-powered mental health support that’s genuinely private: analysis that happens entirely on-device, never transmitted to a server, subject to no third-party terms. Most apps don’t work this way, because the infrastructure cost of on-device AI is higher and the competitive advantage of cloud-based models is greater.


Psychotherapy Notes and the Protection Gap

In the US, clinical psychotherapy notes — the notes a licensed therapist maintains about a patient — receive special protection under HIPAA that goes beyond standard medical records. Psychotherapy notes cannot be disclosed even with a general medical authorization; they require a specific, separate authorization from the patient. This protection exists because legislators recognised that the intimacy of therapy content required stronger safeguards.

App-based mental health tools exist entirely outside this framework. A mood journal in an app has none of the protections of a therapist’s psychotherapy notes, even if it contains more raw and sensitive personal information than a clinical note would.

This gap is not widely understood. Users who write in a mental health app about something they would discuss in therapy — a difficult relationship, a fear, a period of crisis — are protected not by HIPAA but by whatever the app’s terms of service provide. In most cases, that’s considerably less protection than clinical notes receive. In some cases, it’s no meaningful protection at all.


What Good Privacy Practice Looks Like

A mental health app that takes privacy seriously should be able to demonstrate the following:

On-device AI processing where technically possible. Mood pattern analysis, journaling insights, and similar features can increasingly run on modern smartphones without a server round-trip. An app that routes this processing to cloud servers has made a deliberate choice that prioritises cost or capability over user privacy.

Named third-party processors. If any user data goes to a third party for any purpose, that party should be identified in the privacy policy. “We may share with third-party service providers” is not meaningful disclosure — you cannot evaluate the privacy implications of an unnamed partner with an unknown privacy policy.

Voluntary HIPAA-grade commitments. An app not legally required to follow HIPAA can still choose to apply its standards. The commitments around minimum necessary data access, patient rights, and disclosure restrictions exist independently of legal compulsion. Apps that apply them voluntarily are making a meaningful choice.

Explicit treatment of mental health data as a special category. GDPR explicitly categorises health data as requiring heightened protection and explicit consent. A well-designed privacy policy applies this standard regardless of whether the user is in a GDPR jurisdiction.

Clear data retention limits. Mental health data should not be retained indefinitely. If you stop using an app, your mood history from three years ago should not persist permanently in a company’s database. A clear retention policy, with specific timeframes and deletion commitments, is a minimum standard.
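A retention commitment only means something if it is enforced mechanically, not left to a manual clean-up. The following is an added illustration, not code from this post or from daftei, of what such enforcement looks like: each category of mental health data gets a published maximum age, an account that has gone quiet for long enough has its whole archive purged rather than just the oldest entries, data in a category with no declared limit is deleted rather than kept by default, and every deletion is logged with the rule that triggered it so the policy can be audited. The category names, retention periods, inactivity threshold and sample records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Retention limits per data category, in days. Constructed for this example;
# a real policy would publish its own figures in its privacy policy.
RETENTION_DAYS = {
    "mood_log": 365,
    "crisis_checkin": 90,
    "voice_note": 180,
}

# A user who has not opened the app for this long is treated as departed and
# their entire archive is purged, not only the entries past a category limit.
INACTIVITY_PURGE_DAYS = 730


@dataclass(frozen=True)
class Record:
    record_id: str
    user_id: str
    category: str
    created_at: datetime


@dataclass(frozen=True)
class Account:
    user_id: str
    last_active: datetime


def deletion_reason(record: Record, account: Optional[Account], now: datetime) -> Optional[str]:
    """Return why a record must be deleted, or None if it may be kept.

    Rules are checked in order of severity: an orphaned or abandoned account
    overrides any per-category limit, and a category the policy never declared
    a limit for fails closed (deleted) instead of being retained indefinitely.
    """
    if account is None:
        return "orphaned: no owning account"
    if now - account.last_active > timedelta(days=INACTIVITY_PURGE_DAYS):
        return "inactive account"
    limit = RETENTION_DAYS.get(record.category)
    if limit is None:
        return f"no declared retention limit for {record.category!r}"
    if now - record.created_at > timedelta(days=limit):
        return f"expired: {record.category} older than {limit} days"
    return None


def apply_retention(records, accounts, now):
    """Split records into (kept, deletion_log).

    deletion_log is a list of (record_id, reason) pairs: the audit trail that
    lets the published retention policy be checked against what actually ran.
    """
    by_user = {a.user_id: a for a in accounts}
    kept, log = [], []
    for r in records:
        reason = deletion_reason(r, by_user.get(r.user_id), now)
        if reason is None:
            kept.append(r)
        else:
            log.append((r.record_id, reason))
    return kept, log


# Constructed sample data: one active user, one user gone for years, and one
# record whose account no longer exists. NOW is fixed so the run is repeatable.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", datetime(2025, 5, 30, tzinfo=timezone.utc)),
    Account("bob", datetime(2022, 1, 1, tzinfo=timezone.utc)),
]
SAMPLE_RECORDS = [
    Record("r1", "alice", "mood_log", datetime(2025, 1, 1, tzinfo=timezone.utc)),        # 151 days: kept
    Record("r2", "alice", "mood_log", datetime(2024, 1, 1, tzinfo=timezone.utc)),        # 517 days: expired
    Record("r3", "alice", "crisis_checkin", datetime(2025, 4, 1, tzinfo=timezone.utc)),  # 61 days: kept
    Record("r4", "alice", "crisis_checkin", datetime(2025, 1, 15, tzinfo=timezone.utc)), # 137 days: expired
    Record("r5", "alice", "export_cache", datetime(2025, 5, 31, tzinfo=timezone.utc)),   # undeclared category
    Record("r6", "bob", "mood_log", datetime(2025, 5, 1, tzinfo=timezone.utc)),          # owner inactive
    Record("r7", "carol", "voice_note", datetime(2025, 5, 1, tzinfo=timezone.utc)),      # no such account
]

if __name__ == "__main__":
    kept, log = apply_retention(SAMPLE_RECORDS, SAMPLE_ACCOUNTS, NOW)
    print("kept:", [r.record_id for r in kept])
    for record_id, reason in log:
        print(f"delete {record_id}: {reason}")
```

Running the script keeps only `r1` and `r3`; the other five records each appear in the deletion log with the rule that removed them. The point of the audit log is that a user, or a regulator, can compare the published timeframes against the reasons actually recorded, which is the "specific timeframes and deletion commitments" standard described above made checkable.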


The Acquisition Risk

Mental health apps hold something valuable and unusual: long-term, intimate, emotionally-engaged data about users who’ve self-selected by caring about their mental health. That’s a profile that health companies, insurance providers, advertising platforms, and AI companies would pay to access.

The acquisition path from “privacy-focused wellness app” to “entity with different data practices” is well-documented in adjacent sectors. A small app builds trust through privacy commitments and user-friendly design, grows a user base, and is acquired by a larger company whose business model differs significantly.

When acquisition happens, the new owner inherits the user data. The privacy policy may change with a required notice period — but there’s no right of refusal that doesn’t involve losing your entire archive. Data practices that users accepted when choosing the original app may be replaced by practices they would never have agreed to.

For mental health data specifically, this risk deserves serious consideration. What you write in a wellness app today might be governed by very different terms in five years, under a different owner, in a different regulatory and business context.


Personal Memory and Sensitive Content

Mental health data — mood logs, voice notes recorded after therapy, reflections on difficult periods, notes written during a personal crisis — is often part of a broader personal archive. It sits alongside photos, documents, and other life records.

The standard for this kind of content should match the standard you’d apply to medical records. It belongs in an environment with explicit and limited-use commitments, strong encryption, a business model that creates no incentive to monetise it, and clear deletion policies.

daftei isn’t a mental health app — it doesn’t offer mood tracking, therapeutic features, or AI-powered wellness insights. But the privacy architecture applies to everything stored in it, including personal notes and voice recordings that contain sensitive personal content. No advertising, no data sales, no third-party AI training, AES-256 encryption at rest, TLS 1.3 in transit, and GDPR and CCPA compliance.

This isn’t an equivalent to clinical protection. It is, at minimum, a clearer commitment than most mental health apps make to people who trust them with their most private thoughts.


The Minimum Standard

The minimum you should expect from any app where you share information about your mental health:

A specific, not general, statement about what data is shared and with whom. An explicit commitment on AI training. A retention policy with real timeframes. Encryption that’s described in enough detail to be evaluated. A business model funded by fees rather than data.

Most mental health apps don’t meet this standard. Most users don’t know to ask for it. The combination produces a market where the most intimate personal data flows to places its owners would never sanction if they understood what was happening.

Understanding the gap is the first step toward making a different choice.

Your memories deserve better than an ad platform.
