Four mental health apps display nearly identical promises on their login screens: Wysa promises that users' identities will remain "private," Youper says conversations are "private and safe," Happify says responses will remain "completely confidential," and Aura promises that everything shared on the platform will remain "private and will not be shared." That message, which appears before the first conversation even begins, is effectively the only thing most users read before they start typing, given that the overwhelming majority approve privacy policies without reading them. Behind the scenes, however, the code powering those four apps does something entirely different: it routes user data to third-party trackers – companies like Facebook, AppsFlyer, Amplitude and Mixpanel, none of which are mentioned in the privacy policies. The promise and the reality are not contradictory by accident. They operate together. And what connects them, of course, are the users themselves.

The unsigned contract

People enter into an unsigned contract every time they reveal something painful to a listener. That contract rests on one of the most basic human expectations: one side reveals, the other protects. Different professions have built different systems around it – the Hippocratic oath for doctors, attorney-client privilege for lawyers, the seal of confession for priests and ethical codes for psychologists – but all of those systems are merely the external form of another, internal contract that predates them by tens of thousands of years and operates in human consciousness before a person has even opened their mouth. That contract unfolds on three separate levels, and mental health apps intersect with all three simultaneously.
Illustration: AI-generated/Shiri Brook Sagi

The first level is linguistic: certain words automatically trigger trust mechanisms in the mind, without leaving room to examine whether the person making the promise is actually capable of keeping it. "Private," "confidential," "protected" – these words function as signals that trigger near-instant trust. The second level is behavioral: the very structure of disclosure, in which one side shares and another listens, creates an automatic expectation of reciprocity. When a person entrusts someone else with a heavy emotional burden, the obligation to protect it falls almost intuitively on whoever receives it, if only because of the behavioral symmetry embedded in the exchange. The third level is categorical: the moment something is defined as a "therapy app," we project onto it the entire trust model we already associate with human psychotherapy – professional confidentiality, regulation, ethical codes and professional accountability. The category itself is enough to open the door.

A new study uploaded days ago to arXiv – an online repository for pre-peer-review academic papers – measures this gap systematically for the first time. Researchers from the University of California, Irvine and the University of California, Riverside, analyzed 25 of the most popular Android apps for mental health and emotional support. Their central finding: every single app embedded at least one third-party tracker that was not disclosed in its privacy policy. The researchers also found that in 68 percent of the apps, at least half of the trackers embedded in the code were not disclosed to users at all. The most extreme case is Talkie, which has more than 10 million installs. The app embedded 20 different third-party trackers, including advertising networks such as Vungle, AppLovin, TikTok/Pangle, Moloco and Mintegral – without naming a single one of them in its privacy policy.
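The kind of gap the study measures can be checked mechanically: list the third-party SDKs present in an app's compiled code, list the vendors its privacy policy actually names, and compare. The script below is an added illustration written for this article, not code from the arXiv study or from any of the apps named; the package-prefix catalogue, the fictional app names, the class lists and the policy snippets are all constructed for the example. The study's 68 percent figure is this kind of statistic: the share of apps in which at least half of the embedded trackers go undisclosed.

```python
import re
from dataclasses import dataclass

# Illustrative catalogue mapping an SDK's Java/Kotlin package prefix to the
# vendor name a privacy policy would be expected to mention. The prefixes are
# assumptions for this example, not taken from the study.
TRACKER_CATALOG = {
    "com.facebook": "Facebook",
    "com.appsflyer": "AppsFlyer",
    "com.amplitude": "Amplitude",
    "com.mixpanel": "Mixpanel",
    "com.vungle": "Vungle",
    "com.applovin": "AppLovin",
}


@dataclass
class AppAudit:
    name: str
    embedded: set   # tracker vendors found in the app's code
    disclosed: set  # the subset of those named in the privacy policy

    @property
    def undisclosed(self) -> set:
        return self.embedded - self.disclosed

    @property
    def undisclosed_share(self) -> float:
        return len(self.undisclosed) / len(self.embedded) if self.embedded else 0.0


def trackers_in_code(class_names, catalog=TRACKER_CATALOG):
    """Map class names seen in the app binary (e.g. a decompiled APK's class
    list) to tracker vendors from the catalogue. Matching is on a full package
    segment, so 'com.facebookish.X' does not count as Facebook."""
    found = set()
    for cls in class_names:
        for prefix, vendor in catalog.items():
            if cls == prefix or cls.startswith(prefix + "."):
                found.add(vendor)
    return found


def disclosed_in_policy(vendors, policy_text):
    """A vendor counts as disclosed only if its name appears in the policy."""
    text = policy_text.lower()
    return {v for v in vendors
            if re.search(r"\b" + re.escape(v.lower()) + r"\b", text)}


def audit_app(name, class_names, policy_text):
    embedded = trackers_in_code(class_names)
    return AppAudit(name, embedded, disclosed_in_policy(embedded, policy_text))


def share_with_half_undisclosed(audits):
    """Fraction of apps in which at least half of the embedded trackers are
    not named in the policy."""
    hits = [a for a in audits if a.embedded and a.undisclosed_share >= 0.5]
    return len(hits) / len(audits) if audits else 0.0


# Constructed sample input: class names as a decompiler would list them, plus
# a snippet of each app's privacy policy. The apps are fictional.
SAMPLE_APPS = [
    ("MoodApp",
     ["com.facebook.appevents.AppEventsLogger", "com.appsflyer.AppsFlyerLib",
      "com.example.moodapp.MainActivity"],
     "We use AppsFlyer to measure installs. Your entries are private."),
    ("CalmChat",
     ["com.amplitude.api.Amplitude", "com.mixpanel.android.mpmetrics.MixpanelAPI",
      "com.vungle.warren.Vungle"],
     "Everything you share stays confidential."),
    ("Journaly",
     ["com.applovin.sdk.AppLovinSdk", "com.example.journaly.Entry"],
     "We show ads through AppLovin and share usage data with them."),
]

AUDITS = [audit_app(n, classes, policy) for n, classes, policy in SAMPLE_APPS]

if __name__ == "__main__":
    for a in AUDITS:
        print(f"{a.name}: embedded={sorted(a.embedded)} "
              f"undisclosed={sorted(a.undisclosed)} ({a.undisclosed_share:.0%})")
    print(f"apps with at least half undisclosed: "
          f"{share_with_half_undisclosed(AUDITS):.0%}")
```

On the constructed sample, MoodApp discloses AppsFlyer but not Facebook, CalmChat names none of its three trackers, and Journaly discloses its only one, so two of the three apps cross the "at least half undisclosed" line. A real audit would feed `trackers_in_code` the class list of an actual APK and `disclosed_in_policy` the full policy text; name matching is deliberately strict, since a policy that says "analytics partners" without naming the vendor is exactly the non-disclosure the study counts.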
Rosebud, an AI-assisted emotional journaling app, states in its privacy policy that journal entries are simultaneously sent to three AI providers – OpenAI, Anthropic and Groq. In practice, that means a user typing thoughts about depression or trauma sends every entry they write to three separate entities at the same time, with all the implications that carries for data security and for the ability to later erase the information. That flow of information does not stop within the app itself. A study published in Communications of the ACM in 2021 found that Facebook already categorizes 67 percent of its users across 197 countries into "sensitive interest" categories – labels that, under the General Data Protection Regulation (GDPR), cannot legally be processed without explicit consent, including categories related to health. An earlier 2018 study found that 73 percent of users in the European Union alone had already been categorized this way. Spain later fined Facebook 1.2 million euros ($1.4 million) for collecting and processing sensitive personal data for advertising purposes. In other words, the advertising ecosystem to which mental health apps funnel data has already completed much of the inference process before the user types a single word.

Illustration: AI-generated/Shiri Brook Sagi

The paradox of awareness

Most users understand, at least abstractly, that free apps survive on advertising and that advertising survives on data. And yet a gap remains when it comes to the internal contract. The moment the word "private" appears on the screen, or when users begin sharing emotionally charged stories, the automatic trust mechanism takes over decision-making. The reason is simple. The unsigned contract evolved long ago and is rooted in interpersonal relationships. Humans developed it in environments where every listener was another human being – someone with a face, someone identifiable, someone whose eyes could be examined before speaking.
In the evolutionary environment where this contract emerged, the question "Who is really listening?" barely existed, because the listener was the person standing in front of the speaker. Mental health apps encounter this contract in an environment it was never designed for, where the speaker lacks the most basic ability: determining who is actually in the room. In 2020, hackers breached the records database of Finnish psychotherapy provider Vastaamo, exposing the files of 33,000 patients, including session summaries, descriptions of trauma and suicidal thoughts, before demanding ransom payments. The company refused, and the materials were published. Some patients reportedly died by suicide following the leak. Vastaamo was not an app. It was a conventional mental health provider, with licensed therapists, regulation and signed agreements on all sides. And yet the materials still became public. The Vastaamo case demonstrated what happens when the contract – even a signed one – collapses. Most apps never signed it in the first place.

Last year, in April 2025, Italy's data protection authority fined the company behind Replika, an AI chatbot app, 5 million euros ($5.7 million) for GDPR violations and inadequate age-verification enforcement. In 2023, the U.S. Federal Trade Commission imposed a $7.8 million fine on online therapy platform BetterHelp after finding that the service had shared sensitive mental health data with Facebook, Snapchat and Pinterest despite promising users their information would remain confidential. A Duke University researcher published a report in 2023 on 11 data brokers selling lists of people categorized by mental health conditions – depression, anxiety, bipolar disorder and PTSD – for as little as 20 cents per record. The records included full names, addresses and income ranges. Most mental health apps are not covered under the U.S. HIPAA framework, meaning there is no federal regulatory structure preventing the flow of data collected by their trackers into the same data-broker market. The confession, once sent, already belongs to the product developers as data. In some cases, it becomes the product itself.

Credit: AI-generated/Shiri Brook Sagi

The moderate interpretation

Not every gap between promise and reality originates in malicious intent. Most app developers are not sitting in a room trying to devise ways to deceive users. More often, the gap stems from industry structures: standard software development kits that embed tracking tools without privacy audits before launch; privacy policies copied from templates and never updated as the code changes; organizational priorities that direct budgets toward new features rather than compliance. These systemic explanations do not erase responsibility, but they do alter the strategy required to address the problem. The issue extends beyond regulatory enforcement alone and calls for a broader professional and cultural shift toward privacy auditing in apps that function as therapeutic interfaces. John Torous, director of digital psychiatry at Beth Israel Deaconess Medical Center and Harvard Medical School, summarized the prevailing position among leaders in the field in a broad 2025 review published in World Psychiatry: digital tools can benefit mental health care so long as they expand human treatment rather than attempt to replace it. An app may therefore be able to uphold part of the contract – it can listen, respond and even adapt itself to the emotional tone of the person in front of it. But it cannot uphold the rest: memory, context, responsibility and, above all, presence. The unsigned contract never required a person – it required a listener. The difference between the two appears negligible. It is not.

Adi Frenkenberg is a doctoral candidate at the AI-DICE Lab at Reichman University, where she studies the psychological dynamics of AI adoption.