The form before the first session
Before a therapy app gives you a therapist, it gives you a form. It asks whether you have felt depressed, whether you are sleeping, what you are taking, whether you have thought about ending your life. You answer honestly, because the whole point is to be honest, and because the page told you this was private.
Mental health is the category where the distance between what the page promises and what the contract permits is at its widest, and where the data on the wrong side of that gap can do the most damage. So let us go through what these services actually take, what they do with it, who else receives it, and what is still theirs after you stop.
What they collect
The intake questionnaire is only the opening. Across therapy and mental-health apps the file grows to hold your mood logs, the messages and notes from your sessions, your diagnosis and prescriptions, your appointment history, and the device and usage data that records when you reach for the app and how often. Some keep audio or video of the sessions themselves.
Almost all of it is what the law calls special-category data: information about your health and your mind. It is the most protected class of personal data there is, and you are required to hand it over to use the service at all.
How they use it
The obvious use is care: matching you to a therapist, carrying your history from one session to the next. The quieter uses live in the parts no one reads. Your content can be used "to improve our services", the standard phrase for training internal systems on what you wrote, justified as a "legitimate interest", which is the legal way of saying nobody asked you and nobody had to. Your records can be "de-identified" and used for research or handed to partners. And on the page where you are typing all of this, there is often a layer you cannot see: advertising and analytics trackers that fire while you fill in the form.
The promise, and what was behind it
Here is the part that should stay with you. One of the largest online-therapy services told people, at the very moment they were disclosing depression, medication, and suicidal thoughts, that "any information provided in this questionnaire will stay private between you and your counselor." A regulator later found that the same answers, along with email addresses and device identifiers, had been handed to a social network and several advertising platforms, and used to go and find more people like you to advertise to.
The reason a company wires an advertising tracker into the page where you say whether you have wanted to die does not much matter. Growth at any cost or nobody stopping to think, the tracker fires the same way and the data travels the same distance. The intent is beside the point. The promise and the tracker are both in the record, and they contradict each other.
"We do not sell your data"
You will read some version of "we do not sell your personal information." In this category that sentence can be technically true while your information still reaches dozens of companies. The mechanism is not a sale, it is a tracker: an analytics or advertising tool embedded in the app that copies what you do back to the firm that makes it. No money changes hands, so the "we don't sell" line survives, and your diagnosis still leaves the building. One review of mental-health apps found most of them feeding data to outside firms, with a single app loading hundreds of trackers in the first minute of use.
The most protected data, and the holes in it
On paper this is the most protected personal data there is, and that reputation does a lot of the reassuring for you before you have read a word of the policy. The protection is real. It just has holes, and the holes are where the value sits.
In the United States, the health-privacy law most people have heard of covers the clinic, the hospital, the insurer. It does not cover the mood tracker or the therapy app you downloaded for yourself. For years no other federal law filled that gap, and consumer mental-health apps shared and sold into it freely: a Duke study found brokers offering lists of people sorted by condition, priced at cents a name. That gap is closing now, dragged shut one enforcement action and one new state law at a time. Closing is not closed.
The quieter exit stays open wherever you are, and it has a reassuring name. Strip the identifying details off health data and, whatever the policy calls it, de-identified or anonymised, the law can treat it as no longer about a person. From there it can be sold, reused, and fed into research and AI systems without anyone asking you, because on paper it is no longer yours. The catch is how low the bar for that word sits. The UK regulator's test is not that re-identification is impossible. It is that it is not "reasonably likely" for a motivated person to manage: a judgement call, not a guarantee. Clear it, and the data leaves the privacy rulebook altogether, with no right left to see it, object to it, or pull it back. And the ground is moving the wrong way: the tools for putting a name back onto stripped data keep improving, while a recent loosening of the rules makes "research" an easier banner to reuse it under. A national crisis text line showed how thin the word can be. Conversation data it had described as anonymised was handed to researchers and used to train systems that inferred details the writers had never typed, their age among them. The name was gone. The person was still legible.
Why "deleted" is rarely the end
Here, deletion is rarely clean or complete, and health data carries more reasons to be kept than almost any other kind. Records held for medical or legal reasons sit under retention rules that can run for years after you leave. Anything already "de-identified" and folded into research or a trained model does not come back when you close your account, because there is no longer a name on it to find. And the copies that already left through the trackers are downstream, on systems the app does not control and cannot recall. The button deletes your account. It does not reach any of that.
What it means if it leaks
This is not an email address on a list. A diagnosis, or even the bare fact that you are in treatment, is among the most stigmatising data that exists about a person. It can follow you into a job, an insurance decision, a custody dispute, a relationship. You do not have to take our word for the risk:
- A leading therapy app promised intake answers would stay between you and your counsellor, then was found to have sent those answers to a social network and several ad platforms. The regulator's order was the first of its kind to ban a company from sharing health data for advertising.
- Another sent the sensitive records of more than three million people, names and histories included, to large social and professional platforms through tracking tools, and at one point mailed promotional postcards on which a person's name and diagnosis were visible.
- A wide review of the category concluded that most of these apps were funnelling intimate information to outside firms, and rated the field among the worst for privacy it had ever examined.
None of these was a rogue outlier. This is what the category looks like, not a single bad app.
You do not have to leave to protect yourself
If the app is helping you, you do not have to choose between the help and your privacy. You have the right to object to every use that is not the care itself: profiling, targeted advertising, training their systems on your sessions, and sharing your data with outside partners. That is cutting the feeds, the channels that carry your file out to advertisers and brokers, without closing your account. Objecting does not end your treatment. It draws a line around it, and it puts your line on the record.
If you are leaving, leave properly
Deleting the app from your phone does nothing. Find the real account-deletion route and use it, and ask, in writing, for confirmation, and if they keep anything, whether it is being deleted or only anonymised. Then do not assume you left with nothing behind. Some things tend to stay: records held under a medical or legal retention rule, anything already de-identified for research, the model trained on your content, and the copies already sent downstream. Deletion is the start of that conversation, not the end of it.
Start the record
You cannot see inside their systems. What you can do is keep your own file on the companies you actually use: the day you signed up, what you handed over, the day you objected or asked to leave, and the exact words they wrote back. No service can make your data vanish from every place it ever reached. That is the honest limit, and it is the reason the record matters: it is the difference between "I think they deleted it" and "here is what they told me, in writing, on this date."
That is not fear. It is a receipt, and it is where you start. Start your record →