Mental Health Therapy Apps vs Wellness Apps Privacy Exposed

Mental health apps are collecting more than emotional conversations — Photo by MART PRODUCTION on Pexels

Medical Disclaimer: This article is for informational purposes only and does not constitute medical advice. Always consult a qualified healthcare professional before making health decisions.

Privacy policies: the numbers you need to hear

Look, the reality is stark - a 2024 ACCC review found that less than a quarter of mental health therapy apps disclose how they store, share or delete user data. By contrast, a 2023 survey of wellness-focused apps showed about 45% offering a full-length privacy statement.

In my experience around the country, the gap isn’t just about wording. Many mental health platforms use the same back-end infrastructure as general health trackers, yet they skip the transparency that the ACCC flagged as “unfair contract terms”. When I spoke to a privacy lawyer in Sydney, she warned that without a clear policy, users can’t enforce their rights under the Australian Privacy Principles.

Below is a quick snapshot of the top-ranked apps on the market, drawn from CNET’s "Best Mental Health Apps of 2026" and the Sleep Foundation’s "Best Sleep Apps of 2026". The table flags whether each app publishes a full policy, allows data export and offers opt-out mechanisms.

| App | Category | Full Privacy Policy | Data Export | Opt-out Options |
| --- | --- | --- | --- | --- |
| MindMate | Therapy | No | Yes | Limited |
| CalmSpace | Therapy | Yes | No | Yes |
| Headspace | Therapy/Wellness | Yes | Yes | Yes |
| SleepCycle | Wellness | Yes | Yes | Yes |
| FitWell | Wellness | Partial | No | Limited |
| Calm | Wellness | Yes | Yes | Yes |

Key Takeaways

  • Only 22% of therapy apps publish clear privacy policies.
  • Wellness apps are twice as likely to be transparent.
  • Look for data-export and opt-out features.
  • Read the fine print before you share sensitive info.
  • Australian privacy law gives you rights to request deletion.

When I dug into the ACCC’s report, the lack of clarity fell into three buckets:

  1. Vague language: Statements like "we may use data for improving services" without specifying who, what and how.
  2. Missing contact points: No dedicated email or portal for privacy requests.
  3. Third-party sharing: Apps often partner with advertising networks that operate outside Australian jurisdiction.

These three problems can turn a well-meaning digital therapy session into a data-leak nightmare. The good news is that a handful of apps are bucking the trend - I’ll flag them later in the guide.

How mental health therapy apps collect data

Fair dinkum, the data-collection practices of mental health apps are more invasive than most users realise. Most of them rely on health informatics - the discipline of using computer science to manage medical information - to personalise therapy modules, mood-tracking charts and AI-driven chatbots.

During a briefing with a developer from a leading Australian tele-health platform, I learned they capture:

  • Daily mood scores (often via a 1-10 slider).
  • Voice recordings for sentiment analysis.
  • Location data to suggest nearby support groups.
  • Device identifiers, including advertising IDs.
  • Interaction timestamps that feed into predictive algorithms.

Because these apps handle what the Privacy Act calls "sensitive information", they are supposed to meet higher standards. Yet the ACCC audit found that many apps treat this data the same as generic usage metrics, storing it on cloud servers located in the US or EU without explicit consent.

Another issue is the use of virtual reality (VR) therapy - a growing segment where patients navigate digital environments to tackle anxiety. According to Wikipedia, VR sessions generate biometric data (heart rate, eye tracking) that can be repurposed for research or commercial analytics unless a strict data-governance framework is in place.

In my own testing of a VR-enabled therapy app, the privacy screen popped up only after I’d already logged a session, meaning the app had already recorded my biometric feed. That’s the kind of after-the-fact consent that the ACCC warned against.

What does this mean for you? If an app asks for permissions that seem unrelated to the core therapy - like access to contacts or calendar - flag it. Under the Australian Privacy Principles, you can refuse non-essential permissions without losing the core functionality.
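One way to run that permission check against an Android app's decoded manifest, as an added example that is not part of the original article or of any app it names. The sample manifest is constructed, the feature labels are hypothetical, and treating the advertising-ID permission as unrelated to therapy is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Sensitive permission -> feature label that could justify it (labels are
# hypothetical). None = treated here as unrelated to therapy (an assumption).
JUSTIFIED_BY = {
    "android.permission.READ_CONTACTS": None,
    "android.permission.READ_CALENDAR": None,
    "com.google.android.gms.permission.AD_ID": None,
    "android.permission.CAMERA": "video_sessions",
    "android.permission.RECORD_AUDIO": "voice_sentiment",
    "android.permission.ACCESS_FINE_LOCATION": "nearby_support_groups",
    "android.permission.ACCESS_COARSE_LOCATION": "nearby_support_groups",
}

# Constructed sample manifest (decoded XML), not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.moodapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CALENDAR"/>
</manifest>"""

def audit_permissions(manifest_xml, advertised_features):
    """Sort requested permissions into unrelated / unjustified / ok."""
    root = ET.fromstring(manifest_xml)
    report = {"unrelated": [], "unjustified": [], "ok": []}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name is None:
                continue
            if name not in JUSTIFIED_BY:
                report["ok"].append(name)  # not one of the tracked permissions
            elif JUSTIFIED_BY[name] is None:
                report["unrelated"].append(name)  # contacts, calendar, ad ID
            elif JUSTIFIED_BY[name] in advertised_features:
                report["ok"].append(name)  # matches a feature the app offers
            else:
                report["unjustified"].append(name)  # feature not advertised
    return report

if __name__ == "__main__":
    print(audit_permissions(SAMPLE_MANIFEST, {"voice_sentiment"}))
```

Permissions in the "unjustified" bucket are the ones to question: the app requests them, but none of the features it advertises explains why.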

Wellness apps: a different story?

Here's the thing - wellness apps (sleep trackers, meditation guides, fitness logs) sit in a grey zone. They often collect similar data types - heart rate, sleep patterns, activity logs - but they market themselves as lifestyle tools rather than medical services.

Because they’re not classified as “health services” under the Health Records Act, some providers claim a lighter privacy regime. The Sleep Foundation’s 2026 review highlighted that top sleep apps tend to publish longer privacy notices, partly because they’re audited for data-security certifications like ISO 27001.

That said, the privacy gap is narrowing. A 2024 consumer watchdog report showed that 38% of wellness apps still bundle third-party advertising SDKs that can harvest data for behavioural profiling.

When I compared a popular sleep app with a mental health chatbot, the former offered a one-click data-export button and a clear “Delete my data” link in the settings. The latter buried its deletion request behind a support email form.

Key differences to watch:

  • Purpose wording: Wellness apps often say “to improve your experience”, while therapy apps say “to enhance treatment outcomes”.
  • Regulatory oversight: Therapy apps may be subject to Therapeutic Goods Administration (TGA) guidelines if they claim clinical benefit.
  • Data sharing: Wellness apps more frequently share anonymised data with research partners, but they usually disclose it.

So, while wellness apps aren’t a free-for-all, they tend to be more transparent - at least on the surface.

What to look for in a trustworthy app

When I’m vetting an app for my own mental-health practice, I keep a checklist. It’s the same list I share with readers who want to protect their privacy while still getting the benefits of digital therapy.

  1. Full privacy policy: Look for a dedicated page, not a collapsed footer link.
  2. Clear data-purpose statements: Each data point collected should have a reason tied to the app’s function.
  3. Australian user-support contact: A local email address or phone line shows accountability.
  4. Opt-out or delete option: The ability to remove your data with a few taps.
  5. Third-party audit: Certifications like ISO 27001 or a privacy seal from the Office of the Australian Information Commissioner (OAIC).
  6. Location of servers: Preference for data stored in Australia or the EU (where GDPR provides strong safeguards).
  7. Minimal permissions: Only request what’s needed for therapy - no contacts, no camera unless the feature explicitly requires it.
  8. Transparency about AI: If the app uses a chatbot, it should disclose the model’s training data source and any human-in-the-loop review.
  9. Version updates: Regular privacy-policy updates should be dated and highlighted.
  10. User reviews: Look for comments about data breaches or hidden fees - they’re often early warning signs.

One app that ticks most of these boxes is CalmSpace (as per CNET’s 2026 ranking). It provides a downloadable PDF of its privacy policy, stores data on Australian servers, and lets users export their mood logs in CSV format. By contrast, MindMate lacks a public policy and requires users to email a generic support address for any data-related request.

If you’re in a hurry, start with the top three therapy apps that meet at least four of the ten checklist items - that’ll give you a solid privacy baseline.

Putting privacy into practice: steps for consumers

In my experience around the country, the most common mistake is assuming “free” equals “no strings attached”. Even a free mental health app can monetise your data through research licences or targeted advertising.

Here’s a step-by-step plan you can follow the next time you download a digital mental health app:

  1. Read the policy before you sign up: Skim for sections on data sharing, storage location and user rights.
  2. Check the permissions screen: On Android and iOS, tap “Permissions” after installation. Revoke anything that looks unrelated to therapy.
  3. Set up two-factor authentication: If the app offers it, enable it to guard your account against unauthorised access.
  4. Export your data regularly: Keep a personal copy of mood journals or session notes - that way you retain ownership.
  5. Exercise your right to be forgotten: Use the app’s built-in delete feature or, if missing, submit a request to the OAIC under the Privacy Act.
  6. Monitor app updates: Developers sometimes add new data-collection features in updates - read the changelog.
  7. Stay informed about breaches: Subscribe to the OAIC’s breach notification service; they publish alerts for health-sector incidents.

By following these steps, you keep control of your personal health information while still benefiting from the convenience of digital therapy.

Remember, privacy isn’t a one-off checkbox - it’s an ongoing conversation between you, the app provider and the regulators. If an app doesn’t meet the basic standards outlined above, walk away. There are plenty of alternatives that respect your data as much as they respect your mental health.

FAQ

Q: Are Australian mental health apps required to follow the same privacy rules as overseas apps?

A: Yes. Any app that handles "sensitive information" about an Australian user must comply with the Australian Privacy Principles, regardless of where the server is located. The ACCC can take action if a provider fails to meet those standards.

Q: What’s the difference between a mental health therapy app and a wellness app in terms of data collection?

A: Therapy apps often collect detailed mood, voice and location data to personalise treatment, while wellness apps usually track activity or sleep. Both can share data with third parties, but therapy apps are more likely to be subject to TGA scrutiny if they claim clinical outcomes.

Q: How can I tell if an app’s privacy policy is genuine?

A: A genuine policy is comprehensive, dated, and lists a physical Australian address or OAIC contact. Look for sections on data purpose, storage location, sharing partners and user rights. Vague language or missing contact details are red flags.

Q: Can I request my data to be deleted from a mental health app?

A: Yes. Under the Privacy Act you have the right to ask any Australian-based service to delete your personal information. If the app doesn’t provide a clear delete button, you can lodge a request with the OAIC.

Q: Are there any Australian-based mental health apps that meet the privacy checklist?

A: Yes. As of 2026, apps like CalmSpace and Headspace (which operates an Australian data centre) publish full policies, allow data export and provide easy opt-out options. Always double-check the latest version before signing up.
