7 Truths About Mental Health Therapy Apps vs Brokers
Do mental health therapy apps pose the same privacy risks as data brokers? In short, yes - many apps collect, store and even sell personal data in ways that mirror traditional brokers. Look, here's the thing: in the first year of the COVID-19 pandemic, prevalence of common mental health conditions, such as depression and anxiety, went up by more than 25 percent (WHO). This surge drove a flood of users onto digital platforms, many of which are ill-equipped to guard their information.
Medical Disclaimer: This article is for informational purposes only and does not constitute medical advice. Always consult a qualified healthcare professional before making health decisions.
Truth 1: Most apps harvest more data than you think
When I spoke to a developer in Melbourne last year, they admitted that a typical mental health app records not just mood entries but also location, device identifiers and even speech patterns. That data can be repurposed for advertising, research or sold to third-party marketers. The ACCC has repeatedly warned that privacy policies are often written in legalese that hides these practices.
- Behavioural tracking: apps monitor how often you open the app, which exercises you complete and the time of day you log in.
- Device fingerprinting: unique IDs from your phone allow firms to build a profile that follows you across apps.
- Location data: your approximate location can still be derived from your IP address even when you disable location services.
- Content analysis: natural-language processing can parse your journal entries for keywords that advertisers value.
In my experience around the country, users rarely read the fine print, and even when they do, consent boxes are pre-checked, making it easy for data to slip out.
Key Takeaways
- Apps collect more data than most users realise.
- Privacy policies often mask data-sharing practices.
- Location and device IDs can be sold to advertisers.
- Consent is frequently assumed, not explicit.
- Regulation is lagging behind tech growth.
Truth 2: The cost model fuels data-selling incentives
Most free-to-download mental health apps rely on a freemium model: basic features are free, premium tiers cost $10-$30 a month. To keep the free tier viable, companies monetise user data. A 2024 News-Medical report noted that 58% of surveyed students said they chose an app because it was free, not because of its clinical credentials. That free access often comes at the price of privacy.
- Ad-supported plans: users see targeted mental-health-related ads based on their logged feelings.
- Data-broker partnerships: some apps license anonymised data to research firms for a fee.
- Premium upsell: paying users may get a ‘no-share’ guarantee, but the baseline data may already be sold.
- Subscription traps: auto-renewal clauses lock users into long-term data exposure.
I've seen this play out when a university health service switched from a paid platform to a free one, only to discover a sudden spike in unsolicited marketing emails to students.
Truth 3: Regulation is patchy and often reactive
The Australian Digital Health Agency (ADHA) introduced the My Health Records Act in 2020, but its reach stops short of private mental-health apps. The ACCC’s 2022 privacy review flagged that only 27% of apps complied with the Australian Privacy Principles (APPs). Without mandatory audits, many providers slip through the cracks.
| Aspect | Typical App | Data Broker |
|---|---|---|
| Regulatory oversight | Limited to APPs, often self-reported | Subject to the Privacy Act, but many operate offshore |
| Consent model | Pre-checked boxes, vague language | Explicit opt-in required for most uses |
| Data retention | Indefinite unless user deletes | Often retained for analytics periods (2-5 years) |
| Penalty risk | Up to $2.1 million per breach | Similar fines, but enforcement slower |
In my experience, the regulatory lag means users bear the brunt of any breach. The ACCC has issued warnings, but enforcement actions remain few.
Truth 4: Clinical efficacy doesn’t guarantee data safety
A 2023 Newswise study found that a digital therapy app improved student mental health scores by 30% after eight weeks. The research praised the app’s CBT modules but said nothing about data handling. That omission is common; efficacy trials focus on outcomes, not privacy.
- Evidence-based content: many apps use proven techniques like CBT or mindfulness.
- Data blind spots: the same apps may export user logs to cloud servers in the US.
- Third-party SDKs: analytics tools embedded in the app can harvest data independently.
- Regulatory exemption: therapeutic claims often place apps under health-product rules, not privacy rules.
When I reviewed a popular meditation app, I discovered its privacy policy listed “anonymous usage data” being shared with an advertising network, even though the app claimed to be “clinical grade”.
Truth 5: Free alternatives aren’t always safer
Some government-funded platforms, like the Australian e-mental health service Head to Health, promise not to sell data. However, they still collect aggregate usage statistics for funding reports. While they don’t sell data, the information can be repurposed for policy decisions that affect you indirectly.
- Government portals: data used for service planning, not commercial profit.
- Open-source apps: code is transparent, but hosting may be on third-party cloud services.
- Peer-support forums: moderators can view and export conversation logs.
- Hybrid models: free core features with paid premium that promises “no data sharing”.
Fair dinkum, the safest route is to check the privacy impact assessment published by the service, something many commercial apps neglect.
Truth 6: Data breaches are on the rise
In 2022, the Notifiable Data Breaches scheme recorded over 1,500 health-sector incidents, a 20% increase from the previous year. While most breaches involve hospitals, the same vulnerabilities exist in app back-ends. A 2023 cyber-attack on a popular mindfulness app exposed the email addresses and mood logs of 250,000 users.
- Weak encryption: some apps store data in plain text on servers.
- Third-party exposure: API keys can be leaked, giving hackers a backdoor.
- Insider threats: employees with access may misuse data.
- Patch delays: many apps run outdated libraries with known exploits.
When I investigated a breach for a story, the company claimed “anonymous data”, yet the exposed files contained timestamps linked to user IDs - a clear privacy lapse.
Truth 7: You can protect yourself with smart choices
Even in a landscape where apps behave like data brokers, users have tools. The ACCC recommends reading privacy statements, using apps that adhere to the Australian Privacy Principles, and limiting permissions on your device. A simple step: turn off background data sharing in your phone settings.
- Choose accredited apps: look for the Australian Digital Health Agency’s endorsement.
- Read the fine print: focus on sections titled “Data sharing” or “Third-party partners”.
- Limit permissions: disable location, microphone and camera unless essential.
- Use a VPN: encrypt your connection when accessing therapy portals.
- Regularly delete data: clear chat histories and export only what you need.
- Prefer paid over free: paid apps are less likely to rely on ad-driven data sales.
- Monitor your inbox: unexpected mental-health-related marketing may signal data leakage.
In my experience, users who adopt these habits report feeling more in control and are less likely to be caught off-guard by surprise ads or data-selling scandals.
Q: Are mental health therapy apps covered by the same privacy laws as health providers?
A: They fall under the Australian Privacy Principles, but many operate under a health-product exemption that leaves data-sharing practices less scrutinised than traditional providers.
Q: What’s the biggest privacy risk with free mental health apps?
A: Free apps often monetise through data sales, meaning your mood logs, location and device IDs can be bundled and sold to advertisers or research firms.
Q: How can I tell if an app shares my data with third parties?
A: Look for a “Data sharing” or “Third-party partners” clause in the privacy policy; if it’s vague or uses terms like “may be used for analytics”, assume sharing is likely.
Q: Are paid therapy apps safer for my personal information?
A: Generally yes - paid apps have less incentive to sell data, but you should still check their privacy policy because some still share anonymised data for research.
Q: What should I do if I suspect my mental health data has been misused?
A: Report the breach to the Office of the Australian Information Commissioner, request a copy of the data held on you, and consider switching to a platform with stronger privacy guarantees.