SUPPORT SFLC.IN

Mindfully Monitored? Privacy in Mental Health Apps

Posts

We often hear that conversations with a mental health professional are privileged — legally protected and confidential. This safeguard exists to build trust, so patients can speak freely without fearing their words will be exposed or used against them.

But in today’s digital world, many people share their most intimate details not with professionals bound by law, but with AI chatbots and mental health apps. Someone might log feelings of depression, track anxiety, or explore solutions with an AI tool. This raises a pressing question: does the same shield of confidentiality apply when you confide in an app instead of a professional?

While some of this data may be useful for users who want more personalized insights—such as ovulation tracking for pregnancy plannings—many apps fail to explain why they collect such extensive data, whether it is truly necessary for period prediction, and how it is being stored or shared.

The rapid growth of digital mental health platforms has revolutionized the delivery of psychological care, offering services that range from guided meditation and cognitive behavioural therapy (CBT) modules to AI-driven chatbots and virtual counselling. Platforms such as Headspace, Wysa, and others have gained widespread adoption because they lower barriers to access, providing affordable, flexible, and stigma-free avenues for individuals to engage with mental health support. In contexts where traditional therapy may be costly, geographically inaccessible, or socially stigmatized, these applications represent a vital innovation in expanding mental health care.

However, the functioning of such platforms depends heavily on the collection and processing of highly sensitive personal information. Beyond basic identifiers, they often gather data about users’ moods, emotional struggles, coping mechanisms, and even patterns of behaviour inferred from app usage. Some platforms request voluntary inputs such as journal reflections or self-assessment responses, while others capture metadata or passive information about engagement frequency and device activity. Since these data points collectively reveal intimate aspects of a user’s psychological profile, their collection and storage heighten concerns about privacy, security, and potential misuse.

The legal landscape underscores the importance of protecting such information. In the European Union, the General Data Protection Regulation (GDPR) classifies health-related and mental health data as “special category” information, requiring stricter safeguards and explicit consent for processing. In the United States, while the Health Insurance Portability and Accountability Act (HIPAA) sets standards for health data, many mental health apps fall outside its scope if they are not directly linked to covered healthcare providers. India’s Digital Personal Data Protection Act, 2023 (DPDP Act) recognises health data as personal data and the sectorial regulation for data protection are still evolving. Despite these regulatory frameworks, gaps remain, particularly where apps operate across jurisdictions or adopt business models that include data monetization through advertising or third-party sharing.

This tension between innovation and privacy highlights a central dilemma: while digital mental health platforms promise democratized access to care, they also create new vulnerabilities by exposing sensitive user information to risks of surveillance, profiling, and commercial exploitation. A critical analysis of how these platforms operate, what information they collect, and how legal regimes respond to associated risks is therefore essential to assess whether the mental health technology ecosystem adequately safeguards the rights and dignity of its users.

With all that hype we look into privacy policies of 5 mental health apps from around the world and India to understand whether these apps really value our confidential communication.

METHODOLOGY

We evaluate the privacy policies across five key parameters:

  1. Categories of Data Collected: This section outlines the types of data an app collects from users and its legitimacy under the privacy policy.
  2. Third Party App/Devices the App Can Access: Some apps request permission to access data from other applications on the user’s device. We analyse whether the privacy policy clarifies why this access is needed and whether users can control these permissions.
  3. Third Party Access : We analyse whether the app shares user data with external parties, whether these parties are specified, what data is shared and if users can opt out.
  4. Rights under the Digital Personal Data Protection Act, 2023 (DPDPA) : We analyse whether the privacy policy mentions the rights available to data principles as provided in DPDPA, such as  Right to Withdraw Consent, Right to Access, Right to Erasure, Right to Correction and Right to Grievance Redressal.
  5. Plain Language and Readability : We analyse whether the privacy policy is written in clear, simple language that is easy for users to understand.
  6. Data Protection Score: For the Data Protection Score, we assess apps based on the seven data protection principles. We further score them out of 7. The 7 Data Protection Principles are as follows:
    1. Lawfulness, transparency and fairness : Are the apps collecting and processing data in compliance with law, is there a legal basis (e.g., consent, contract, legitimate interest, legal obligation), whether the policy clearly specifies what data is collected, why it’s used, and inform users of their rights, whether data collection is proportionate, non-deceptive, and -non-exploitative or harmful and whether, opt-out options are available.
    2. Storage limitation: How long does the app keep your data, do they mention for what purposes they store it, and why they may need to store it indefinitely (if specified)?
    3. Purpose limitation: Do the privacy policy mention why they need your data, and for what reasons they need the different kinds of your personal data ?
    4. Data minimisation: Do they collect an adequate amount of personal data that would be relevant for their service? Or do they collect personal data beyond what is necessary for performing their service?
    5. Accuracy: Do they mention that they expect users to have provided reasonably accurate personal information, and not to provide misleading information? Do they tell you how you can correct it?
    6. Integrity and confidentiality: Does the policy mention if reasonable data security measures are implemented to protect and secure your data? Do they specify encryption, access controls, or other safeguards to ensure data protection?
    7. Accountability: Do they have policies in place that would explain these principles (terms of use, privacy policy, any other records/measures they mention)

If the data protection principle is complied with, you will see that the checkbox has been ticked. You’ll see that we’ve left some boxes empty- We have done that where the policy was unclear or we don’t have enough information to determine whether the principle was complied with.

Headspace

Headspace is a leading digital mental health platform with over 80 million downloads and nearly 3 million paid subscribers. The app provides guided meditation, mindfulness practices, sleep aids, and therapeutic resources through its mobile application and website. It operates on a subscription-based model, offering both free (14 day trial) and premium content tailored to improving users’ mental well-being. By leveraging interactive exercises, audio sessions, and personalized recommendations, Headspace positions itself as a convenient tool for stress management and emotional support in a fast-paced digital world. The app can also be used by children below the age of 17 with verifiable parental consent.

Users often disclose personal information such as account details, mood, sleep patterns, and emotional states. In addition, Headspace also collects technical data including device information, usage activity, and location data.

  1. Let’s analyse Headspace’s Privacy Policy in detail (Effective: March 1, 2025)

A. Categories of Data Collected: Flo allows users to log an extensive range of personal details, including:


Data Collected as per the Privacy Policy based on User Input 


Data collected as per Privacy Policy through third-parties

Data collected as per Privacy Policy automatically
  1. Contact Information and Identifiers: 
    • First name;
    • Last name;
    • E-mail address;
    • Social Media Identification Number
  2. Account Information: 
    • First Name;
    • Last Name;
    • E-mail Address;
    • Telephone Number;
    • Mailing Address;
    • Employer or Company Name;
    • Job Title;
    • Student Identification Number;
    • Emergency Contact Information
    • as well as password and other authentication-related information.

c. Health Information:

  • individual health conditions, treatment, diseases, or diagnosis;
  • social, psychological, behavioral, and medical interventions;
  • health-related surgeries or procedures;
  • use or purchase of prescribed medication;
  • bodily functions, vital signs, symptoms, or measurements of health information;
  • diagnoses or diagnostic testing, treatment, or medication;
  • gender-affirming care information;
  • reproductive or sexual health information;
  • biometric data;
  • data that identifies you seeking health care services; or
  • any inferences of the above categories of health data derived or extrapolated from non-health information.

d. Profile and Demographic Information:

  • Age; 
  • Race and Ethnicity;
  • Sexual Orientation;
  • Preferred Pronouns;
  • Gender or Gender Identity;
  • Sex at Birth;
  • Marital Status and details about your health and medical history.

e. Payment Information:

  • Card Number;
  • Type; 
  • Expiration Date;
  • Billing address and certain anonymized, limited and/or truncated versions of this information.

f. Survey Information

g.Communication Information: 

  • E-mail;
  • Name and any other personal information.

h. Support Information:

  • Text entered into this form prior to submission may be collected, retained, and used.

a. Benefit Sponsor

  • Name
  • E-mail Address and other information.

b. Sharing and Referral

  • Name;
  • Email Address, 
  • Content Engagement and preferences of individuals.

c. Personal Information from Parents/Guardians with regards to dependents aged 13-14 years.

d. Verification:

  • Third party platform allowed to access the specific personal information users provide in order to perform the verification.

a. Browser and Device Data:

  • IP address; 
  • Device Identifier; 
  • Device Type; 
  • Operating System and Internet Browser Type; 
  • Screen Resolution; 
  • Operating System Name and Version; 
  • Device Manufacturer and Model; 
  • Language; 
  • Plug-ins; 
  • Add-ons and the language version of the Websites and Products you are visiting.

b. Usage Data:

  • Pages Visited; 
  • Links Clicked;
  • Approximate Location; 
  • Language Preferences; 
  • Performance of Features; 
  • Patterns of Use and the pages that led or referred you to our Products and Websites

c. Aggregated, anonymous, and de-identified data.

(Table 1)

General Observations: 

Headspace collects a wide range of personal information, including health data, wellness goals, demographic details (like race, ethnicity, sexual orientation, and gender identity), and extensive usage data; it’s not clear how some of this data is relevant for the services provided. If you access the app through a workplace program or healthcare plan, Headspace may also share enrollment information with your sponsor.

B. Third-Party Apps/Devices that Flo can access:

N/A

C. Third-Party Access to Data 

Your personal information may be shared with:

  1. Service Providers – For services like analytics, payments, marketing, hosting, and support, under strict confidentiality and security obligations.
  2. Third-Party Integrations – When you connect external services (e.g., Apple Health), information is shared per their privacy policies.
  3. Community Features – Information you choose to share (e.g., your name and comments) will be visible to other users.
  4. Benefit Sponsors – Limited details (e.g., name, email, registration and usage dates) may be shared with healthcare providers, insurers, or sponsors, but not detailed activity unless required for treatment or payment.
  5. Business Partners – In certain cases, with partners in joint promotions or subscription offers, consistent with your consent or expectations.
  6. Advertising Platforms – Headspace works with third-party companies to analyze user engagement and deliver targeted ads.
  7. Legal/Compliance Needs – To comply with legal obligations, protect rights/safety, prevent fraud, or reduce risks.
  8. Affiliates/Business Transfers – Within the company group (subsidiaries, affiliates including Ginger Medical) or during mergers, acquisitions, or sales. Notice will be given if this results in a material change in data use.

Opt-in/out Feature:

  • Voluntary choice: Integrations Feature (for e.g., Apple Health Kit)
  • Explicit Consent: Third party business partners, Affiliates and Business Transfers.
  • Implied Consent : Service providers, community activity, benefit sponsor, third party advertising platforms, legal compliance

D. Rights under DPDPA

Observations:

  1.  Users generally have the right to withdraw their consent for the collection and processing of their personal data by Headspace, keeping in mind that Headspace may be required to retain some data by law, and it will inform their users if their request is denied for such reasons or if it cannot  be authenticated
  2. Users are entitled to know what personal information Headspace collects about them and how it is used. This Privacy Policy explains Headspace’s practices regarding that collection and use. If it holds personal information about users, they may also request access to a copy of it.
  3. Users have the right to delete, under certain circumstances.
  4.  Users may request correction of their inaccurate personal details.
  5.  Users may contact Support/Help for grievance redressal (for e.g., security breaches)

E. Readability:

The text entailed in the platform’s Privacy Policy comes off as user-friendly and easy to comprehend, with the exception of certain open-ended statements.

F. Data Protection Score

Data Protection Score : 2/7

Observations: 

  1. Lawfulness, transparency and fairness: Different statutory provisions are applied in the UK, EU, Switzerland and the US, according to their respective jurisdictions. Headspace operates both as a data controller and a data processor under the GDPR. Despite this, certain sections of data as contained in the table above such as content engagement and preferences of individuals (Table 1 Column 2) in addition to browser and usage data (Table 1 Column 3) are either collected through third party apps or automatically without explicit consent and there’s a lack of reasoning in the Privacy Policy as to show if the same collection is in the platform’s legitimate interests.
  2. Storage limitation: Headspace retains personal information only for as long as necessary to meet its obligations or as allowed by law. In deciding how long to keep the data, it considers factors such as the duration of its relationship with users, any legal requirements to be complied with, and whether keeping the information is prudent to protect its legal interests, including statutes of limitation, potential disputes, or regulatory inquiries. No specific period is mentioned.
  3. Purpose limitation:There is some level of ambiguity seen in the Privacy Policy surrounding collection relating to the contents mentioned in Table 1 Column 3.
  4. Data minimisation: Headspace’s attempts at following the data minimisation principle have been futile so far. Owing to the contents mentioned in Table 1 Column 3 and the interference of third-party apps, the data collection process is extensive and more than likely to collect data which isn’t directly related to its Products/Services.
  5. Accuracy: The privacy policy does not clearly emphasize the importance of data accuracy. However, Headspace provides mechanisms for users to correct personal information if required. 
  6. Integrity and Confidentiality: Headspace maintains the integrity and confidentiality of user information through a risk-based security program adhering to standards like HIPAA, HITRUST, SOC 2 Type II, and ISO 27001/27002. Key measures include physical security for data centers, technical and organisational security controls, written policies for proper information use, risk assessments, and continuous review and monitoring
  7. Accountability: Headspace has requisite policies in place i.e., Privacy Policy, Terms of Use, Cookie Policy, FAQs etc. It uses robust, HIPAA-compliant privacy and security for its clinical services but has a more relaxed policy for its general meditation app. Headspace also has a dedicated security and privacy team, led by a Chief Information Security Officer (CISO). While the company states it does not sell user data, the meditation app shares some user data with third-party advertisers like Facebook and Google.  
Wysa

Wysa is an AI-powered mental health platform that provides users with tools to manage stress, anxiety, and other emotional challenges. One of its key features is its no sign-in policy, allowing individuals to use the app without creating an account, which enhances privacy and lowers barriers to access. Wysa operates in two main modes: a free AI chatbot, where users can engage in self-help exercises and supportive conversations, and a paid therapist-assisted mode, where licensed professionals provide structured guidance for those seeking more in-depth care. This dual approach makes Wysa accessible to a wide range of users while maintaining a focus on confidentiality and user control.

Let’s analyse Wysa’s Privacy Policy in detail (Last updated on July 24, 2025 GMT) 

A. Categories of Data Collected: Wysa allows users to log an extensive range of personal details, including:


Data Collected as per the Privacy Policy based on User Input 

Data collected as per the Privacy Policy (automatically/through third-parties

Data collected but not explicitly mentioned in the Privacy Policy
  1. Information about User:
    • Nickname; 
    • Age-range; 
    • Gender; 
    • Pronouns or Identifiers users may voluntarily reveal about themselves.
  2. Conversation Data:
    • Messages;
    • Challenges; 
    • Preferences; 
    • Feelings; 
    • Moods; 
    • Thoughts; 
    • Task Lists; 
    • Safety Information;
    • Answers To Surveys Or Questionnaires from Wysa or users’ Institution and how users respond to the tools and exercises that Wysa offers.
  3. Correspondence Data:
    • Name; 
    • Email Address; 
    • Home Address; 
    • The company users are part of; 
    • Job title and what users talk about in the message.s.
  4. Feedback Data:
    • Contact Information and other basic details
  1. Information sharing with your Institution:
    • Contact details;
    • Usage and safety data.
  2.  App event data:
    • Where users tap;
    • What actions users take; 
    • Users’ settings; Notifications users get and the screens users visit in the app.
  3. Device Data:
    • ID for users’ device from the Google Play Store; 
    • Type of phone; 
    • Time zone; 
    • Operating system;
    • IP address.
  4. Cookie Information
  5. Digital Front Door Service:
    • Pronouns; 
    • Country; 
    • Service group (not limited to).
  6. AI Coach over Whatsapp:
    • CoMobile number; 
    • Whatsapp profile name; 
    • City; 
    • Interests; 
    • Language (not limited to).
  7. Wysa Medical Assistance Service:
    • Name;
    • Current or past medication details;
    • Clinical assessments and evaluation details;
    • Physical health details;
    • Mental health details;
    • Assessment evaluations.
  8. Wysa Research Study:
    • Contact Details;
    • Country;
    • Gender;
    • Socio-economic details;
    • Age range;
    • Ethnicity;
    • Alcohol or substance use concerns;
    • Use of medication;
    • Mental disorder diagnosis or treatment;
    • Hallucination-related information;
    • Validated assessment responses.
  9.  Website/Social Media/Web Page visits:
    • Personal and business contact details (name, email, address, company, job title);
    • Message content (correspondence);
    • Technical data (not limited to – browser type, language, OS, IP, page views, clicks);
    • Personal information shared via social media interactions.
  10.  Digital Referral Assistant Use:
    • Member ID and plan details;
    • Demographic information;
    • Name and contact details;
    • Date of birth;
    • Answers to health-related questions;
    • Long-term health issues or disabilities.
  11.  Institution Clinician/ Well-being Advisor:
    • Title;
    • Gender;
    • Primary language;
    • Time zone.
  12. Wysa+ or Generative AI services:
    • Conversation data with the AI Coach (processed through Gen AI with safety checks);
    • Mood description (from smiley face selection);
    • Topics and feelings (keywords from conversations, e.g., sad, calm, work, education);
    • Tools used within the app;
    • Derived insights for weekly reports and personalized recommendations.
  13.  Campaigns, Promotions, and Marketing Events:
    • Name;
    • Contact details.
  14. Recruitment Data:
    • Name and contact details;
    • Resume, references, credentials, transcripts;
    • Government-issued identification;
    • Compensation information;
    • Demographic and sensitive data (race/ethnicity, opinions/beliefs, health condition, sexual orientation).

(Table 2)

Observations: While Wysa offers a separate Privacy Policy for its UK and US userbase, the Global Privacy Policy is scrutinised in this piece. A very detailed and transparent account of data collection is provided. We observe that certain classes of data that may be personal or special in nature, are also being collected but at the choice of the user. Certain phrases present in the Global Privacy Policy add up to some ambiguity such as “not limited to” – the limit not being mentioned. Further, in the updated Policy, there is no explicit declaration that Wysa aligns with the statutory provisions as provided by the GDPR, something which was mentioned in prior versions.

B. Third Party Apps/Devices that Wysa can access:

On consent:

  • Microphone 
  • Camera

C. Third-Party Access to Data 

Wysa has a separate section that provides us with a list of service providers or third-parties that have access to data.

  • Amazon Web Services (AWS) – All app-submitted data | USA (or UK for certain clients)
  • MongoDB Atlas – All app-submitted data | USA (or UK for certain clients)
  • Firebase & Google Analytics – Anonymized event & cookie data | USA
  • Branch.io – Communication data (institution-supplied email ID) | USA
  • Google Workspace – Communication data (email identifiers) | Europe
  • Cloudflare – Device data (IP addresses) | USA
  • Mailgun (Sinch) – Communication data (institution emails) | USA
  • Zendesk – Communication data | USA
  • Microsoft Azure Translator API, Google Translate, Dubpro – Conversation data | USA
  • Zoom – Conversation data (audio-video) | USA
  • Private AI – Conversation data | USA
  • OpenAI – Conversation data from Gen AI/Wysa+ | USA
  • Twilio – Conversation data | USA
  • Google Voice – Conversation data | USA
  • DeepL Translation API – Conversation data | USA
  • Meta Ads Manager – User-provided information | India

Wysa claims that third-party interference is necessary for smooth functioning of the platform. The platform has entered into agreements or partnerships with third-party apps to cover those aspects which the platform isn’t capable of covering itself.

C. Rights under DPDPA

Other than the criterion mentioned above, Wysa additionally provides its users with a few more data protection options such as – right to ask questions, right to pause data collection, right to no sale of data, right to object, right to send your data elsewhere, right to no marketing.

D. Readability:

The text entailed in the platform’s Privacy Policy comes off as user-friendly and easy to comprehend

E. Data Protection Score:

Data Protection Score : 6/7

Observations: 

  1. Lawfulness, transparency and fairness: Processing is based on valid legal grounds (consent, contract, legitimate interests, legal requirements), with clear explanations to users about why and how personal data is collected and used, fulfilling GDPR Articles 5(1)(a), 6, and 12.
  2. Storage Limitation: Data is retained for defined periods (generally up to 10 years unless law or contract requires otherwise); users can trigger erasure options, in compliance with GDPR Article 5(1)(e) and Article 17.
  3. Purpose limitation: Each category of data is processed only for explicit, specified purposes (service provision, research, support, compliance) stated within the policy, meeting GDPR Article 5(1)(b)
  4. Data minimisation: Only the minimum necessary personal data is collected for each function, with identifiers removed or pseudonymised, as required by GDPR Article 5(1)(c).
  5. Accuracy: Users may update or correct personal data via app settings or institutions, and Wysa responds to such requests in accordance with GDPR Article 5(1)(d) and Article 16.
  6. Integrity and Confidentiality: The policy provides for technical and organizational measures (encryption, secure servers, limited staff access) to ensure data security, consistent with GDPR Article 5(1)(f) and Article 32.
  7. Accountability:Wysa has requisite policies in place i.e., Privacy Policy, Terms of Service, Cookie Policy. Wysa also has appointed a grievance officer to address privacy-related concerns.
YourDost

YourDOST is an India-based emotional wellness and mental health support platform that connects users with psychologists, counselors, and life coaches through chat, audio, and video sessions, and offers self-help resources like articles and community forums. It is accessible via mobile apps and web, and is used both by individuals and organizations such as colleges and corporations for wellness programs. The app offers anonymity and flexibility in access to therapists compared to traditional in-person therapy.

Let’s analyse YourDost’s Privacy Policy in detail

A. Categories of Data Collected:


Data Collected as per the Privacy Policy based on User Input 


Data collected but not explicitly mentioned in the Privacy Policy

Data collected as per the Privacy Policy (automatically/through third-parties)
  1. Registration Details
    • Username
    • Password
    • email address
    • phone number
    • Age
    • Gender
    • educational qualifications,
    • occupation
  2.  Publicly shared information:
    • Anything posted in group chats, chatrooms, or discussion forums
  3. Consultation information- Written transcripts and audio recordings of interactions with experts.
  4. Other Personal Information

Moods by emojis 

a. IDevice and browsing details:

  • IP address
  • device location
  • browser type/language,
  • referring/exit pages,
  • URLs, 
  • platform type, 
  • number of clicks,
  • domain names, 
  • landing pages, 
  • pages viewed and order, time spent per page, 
  • date and time of request,
  • unique cookies

b. User Behaviour Tracking:

  • Buttons clicked,
  • scroll distance, 
  • number of visits to each page.

c. Application activity:

  • Usage data, 
  • account activity,
  • interactions with the application.

d. Third-party cookies

e. Payment Information 

  • Billing name, 
  • billing address,
  • payment instrument details

(Table 3)

Observations: The categories of data collected by YourDOST largely reflect the operational needs of the platform and seems to be proportional to the the purposes the app serves. 

B. Third Party Apps/Devices that YourDost can access:

  • NA

C. Third Party Access to Data

YourDOST allows access to user data by several categories of third parties

i) Affiliates / Group Companies – Personal information (excluding consultation records unless explicitly stated) may be shared within YourDOST’s corporate group for the purpose of providing, analyzing, and improving services.

ii) Service Providers & Processors – Third-party vendors handling hosting, analytics, payments, or other support functions may process both personal and consultation information, but only to the extent necessary to provide the services, and are bound by confidentiality agreements.

iii) Other Third Parties – Data may be shared with partner organizations that help deliver services. In such cases, only relevant information is shared, and consultation data is disclosed only as permitted under the policy.

iv) Employers / Institutions – If a user accesses the platform through an employer, university, or other institution, anonymized or aggregated data may be shared for reporting purposes. Identifiable personal or consultation data is not shared without consent or legal requirement.

v) Public Disclosure – Information voluntarily posted by users on group chats, forums, or YourDOST social media accounts becomes publicly accessible and may be reshared.

vi) Legal Disclosures – Personal information may be disclosed if required under applicable laws or to comply with legal obligations.

vii) Data Protection Standards – Any transfer of data to affiliates or third parties is subject to compliance with applicable data protection laws and equivalent standards of protection.

viii) Insurance Providers- Consultation data may be shared with third-party insurers if a user makes health insurance claims requiring such information.

D. Rights under DPDPA

Observations:

  1. There are no timelines set by Yourdost to facilitate user’s data protection rights.
  2. Additional right to nominate any other individual is given in case of your death or incapacity to exercise nominee rights under the privacy notice. 

Readability:

The text in Privacy Policy reads as a legal document however it is easy to comprehend, with the exception of usage of “may” with respect to anonymisation of personal information and sharing  raises concerns.

F. Data Protection Score

Data Protection Score: 2/7

Observations: 

  1. Lawfulness, transparency and fairness: The Privacy Policy of YourDost details the types of data collected and the reasons for collection. However, the app does not explicitly collect consent for the Privacy Policy or the data collected.
  2. Storage Limitation: The Privacy Policy states that all information (including Personal Information and User Data) may be retained for at least 7 years from the date of disclosure. There’s no clarity on maximum retention (could exceed 7 years indefinitely).
  3. Purpose limitation: YourDost explains how it uses different kinds of personal data collected through various sources as well as the reasons behind such collection.
  4. Data minimisation: he personal information sought is not too extensive and is adequate for providing the services.
  5. Accuracy: The privacy policy does not clearly emphasize the importance of data accuracy. However, YourDost provides mechanisms for users to correct personal information if required.
  6. Integrity and Confidentiality: The policy states that “reasonable security measures” are in place, including technical, administrative, and physical safeguards. However no details on encryption standards, access controls, pseudonymization, or anonymization of consultation data are provided.
  7. Accountability: YourDost has requisite policies in place i.e., Privacy Policy, Terms of Service, Cookie Policy, etc. YourDost has also appointed a grievance officer to address privacy-related concerns.
 Calm 

Calm is a popular mental health and wellness platform offering guided meditations, breathing exercises, sleep stories, and mindfulness programs designed to support stress management, focus, and better sleep. The app is free to download and provides limited free content which includes some meditation programs and breathing exercises but most of its extensive library, such as the full range of sleep stories, music, and meditations, requires a paid premium subscription. Calm also has a separate category focused on children.

Let’s analyse Calm’s Privacy Policy in detail (Last Updated: December 12, 2024)

A. Categories of Data Collected: Calm allows users to log an extensive range of personal details, including:


Data collected as per Privacy Policy based on User Input


Data collected as per Privacy Policy through other sources


Data collected as per Privacy Policy through other sources
  1. Personal details:
    • Name; 
    • Email Address;
    • Linked Social Media Details; 
    • Street Address. 
  2. Payment details:
    • Payment Information.
  3. Views and opinions:
    • Feedback, 
    • Survey responses, and other information shared through interactions (including how users are feeling, but no health inferences are made).
  4. Employment information:
    • Employer details (if signing up via workplace programs)
    • Professional background (if provided voluntarily)
    • Employment info (special initiatives) 
  5. Other personal information:
    • Password;
    • Language settings;
    • Goals; 
    • Previous meditation experience; 
    • Sleep habits; 
    • Moods and reflections shared during check-ins.
    • Contest/promotions participation
    • Communications via social media or customer support
    • Profile photos (uploaded by user)
  1. Transaction information:
    • From third parties used to install the app or purchase subscriptions.
  2. Calendar information:
    • If integrated with third-party calendar services.
  3. Social media data:
    • Name and account details per your social media sharing settings.
  4. Third-party health app data:
    • Hours of sleep, sleep goals (processed only for intended purpose, no health inferences)
  5. Cookie data:
    • Information from cookies and web beacons.
  6. Public information:
    • Data made publicly available (e.g., websites, consumer research platforms, business contact databases)
  1. Usage information:
    • Sessions used;
    • Videos viewed; 
    • Content listened to;
    • Screens/features accessed.
  2. Transactional information:
    • Product details; 
    • Price; 
    • Subscription/free trial dates; 
    • Transaction date and time
  3. Log information:
    • Browser type;
    • App version;
    • Access times/dates;
    • Pages viewed;
    • IP address;
    • Referrer page.
  4. Device information
    • Hardware model;
    • OS and version; 
    • Device identifiers; 
    • Mobile network details.
  5. Communications:
    • Chat messages;
    • Phone/video calls;
    • Feedback and market research interactions (may be recorded)
  6. User ID:
    • Unique identifier associated with the user’s account.
  7. Derived information:
    • Approximate location from IP address;
    • Gender or age estimates;
    • Predictions about likelihood of continued service use.

(Table 4)

Observations:

Calm collects a broad range of personal information, including sleep habits, moods and reflections, usage patterns, device and log data, transactional details, and even data from third-party health apps like Apple HealthKit or Google Health Connect. It also derives information such as approximate location, likely age, or gender, raising questions about the necessity and relevance of some of this profiling for a meditation and wellness service. In addition, Calm may obtain information from external sources like social media accounts, calendar services, and consumer research platforms, which expands the scope of data collection well beyond what a user directly provides.

B. Third Party Apps/Devices that Calm can access:

  • Apple HealthKit 
  • Google Health Connect 
  • Calender 
  • Social Media app details 

C. Third-Party Access to Data 

Calm allows access to user data to several categories of third parties:

i) Service Providers (Processors / Vendors): Calm shares data with service providers that support its operations, such as those handling customer support, subscriptions and order fulfillment, advertising measurement, analytics, fraud prevention, cloud storage, bug fixing, and payment processing

ii) Third Parties With User Consent: it may share information with third parties when users consent, for example, with social media services they connect to the app or with academic researchers

iii) Government & Legal Entities : Calm may disclose information to government bodies, courts, or other parties when required by law, in response to legal processes, or to protect its legal rights.

There is no list of parties of whom data is actually shared with and what kind of data is shared. 

D. Rights under DPDPA

Observations:

  1. There are no timelines set by Calm to facilitate user’s data protection rights.

Readability:

The text in Privacy Policy reads as a legal document however it is easy to comprehend, with the exception of usage of Phrases like “among other things” or “other reasonable purposes” are vague, leaving room for broad interpretation.

F. Data Protection Score

Data Protection Score: 2/7

Observations: 

  1. Lawfulness, transparency and fairness: The Privacy Policy of Calm details the types of data collected and the reasons for collection. However, the app does not explicitly collect consent for the Privacy Policy or the data collected.
  2. Storage Limitation: No fixed retention timelines are given which means retention could be broad or indefinite.
  3. Purpose limitation:Calm explains how it uses different kinds of personal data collected through various sources as well as the reasons behind such collection. However certain data points seem unnecessary and irrelevant for providing services.
  4. Data minimisation: Calm’s approach to data collection goes beyond what is strictly necessary for a meditation and wellness service. While some categories (direct input, certain device data) are reasonably justified, the reliance on inferred attributes, consumer databases, and broad third-party data access raises proportionality concerns. This suggests Calm is not limiting itself to data minimisation principles, potentially prioritising business and advertising insights over strict necessity for service delivery.
  5. Accuracy: The privacy policy does not clearly emphasize the importance of data accuracy. However, Calm provides mechanisms for users to correct personal information if required. 
  6. Integrity and Confidentiality:The policy states that “reasonable security measures” are in place, including technical, administrative, and physical safeguards. However no details on encryption standards, access controls, pseudonymization, or anonymization of consultation data are provided. 
  7. Accountability: Calm has requisite policies in place i.e., Privacy Policy, Terms of Service, Cookie Policy, etc. Calm has also appointed a grievance officer to address privacy-related concerns.
Talkspace  

Talkspace is an online therapy platform that connects users with licensed therapists through text, audio, and video messaging. It offers individual therapy, couples therapy, psychiatry services, and teen therapy, aiming to make mental health support accessible and flexible by allowing users to communicate with their therapist anytime, from anywhere. Talkspace operates on a paid subscription model, with different plans based on therapy type and communication frequency.

However, Talkspace has faced significant scrutiny over its handling of user data. In August 2024, a class action lawsuit (Mitchener v. Talkspace Network LLC) alleged that Talkspace secretly shared user data with TikTok through tracking software on its website, including device details, location, and even URLs visited, without obtaining proper consent  potentially violating California privacy laws. Earlier reports also raised concerns that Talkspace allegedly mined portions of users’ therapy transcripts and shared anonymized data with its marketing team to refine advertising efforts. Although Talkspace denies improper use of personal information, these allegations highlight ongoing risks around confidentiality, transparency, and the protection of sensitive mental health data on digital platforms.

Let’s analyse Talkspace’s Privacy Policy in detail.

A. Categories of Data Collected: Talkspace allows users to log an extensive range of personal details, including:


Data collected as per Privacy Policy based on User Input


Data collected as per Privacy Policy through other sources


Data collected as per Privacy Policy through other sources
  1. Registration:
    • Name (or the name of users’ parent/guardian);
    • Address;
    • Country;
    • Date of birth;
    • Phone number;
    • Gender and the preferred gender of therapist;
    • Email;
    • Relationship status;
    • Organization/Employer (if applicable);
    • Payment information and transaction history;
    • Information on the type of subscription  chosen;
    • Insurance information (including an image of that information);
    • Referral source;
    • Information on why Talkspace’s Services are being accessed including what users are hoping to get from therapy;
    • Notification preferences.
  2. When Website visitors contact Talkspace:
    • Talkspace collects information when users communicate with it via email or online support service. This includes information that users provide when they contact Talkspace, any information users share through the online chat support feature as well as their email address.
  1. Use of the Services:
    • Information users disclose in chat data and their chat sharing preferences (transcripts);
    • Audio/Video communication;
    • Documents users share with their therapist via Talkspace’s chat functionality;
    • Information collected via Talkspace’s symptom tracker and information on users’ clinical progress;
    • Information collected via chat, telephone, or email support channels;
    • Messages that users “star”;
    • Information on friends users refer;
    • Information users provide as part of treatment intake including emergency contact details, information on their health and mental health and medical history, images (optional);
    • If users use couples therapy, sharing of contact details and some communications will be conducted jointly;
    • If users choose to admit another individual to a therapy “room” for a session, their contact information will be collected and used for that purpose;
    • Information shared through the online chat support feature and users’ email address.
  2. Peer Support Services:
    • Public username;
    • Public posts or comments;
    • The date and time users submit the post or comment.
  3. Technical Data:
    • Information on the device operating system or Talkspace environment;
    • Metrics on system or App feature use;
    • Information on system events and status.
  4. Persistent Identifiers:
    • Internet protocol (IP) addresses;
    • Device ID;
    • Browser type;
    • Internet service provider (ISP);
    • Referrer URL;
    • Geolocation information (derived from IP Address);
    • Exit pages, the pages and files viewed on our Website (e.g., HTML pages, graphics, etc.);
    • Operating system;
    • Date/time stamp

(Table 5)

Observations:

Talkspace’s privacy policy is clear and comprehensive, outlining what data is collected (including therapy notes, chat transcripts, and technical data), how it is used, and with whom it is shared. It complies with HIPAA in the U.S. and offers rights for EU/UK users under GDPR. The policy is transparent about third-party sharing for analytics and advertising, though some users may find this concerning given the sensitivity of mental health data. It explains retention, minors’ access, and security steps, though details on “advanced data processing” and tracking limitations are somewhat broad. Overall, it balances transparency and compliance but may raise concerns over advertising-related data sharing and international data transfers.

B. Third-Party Apps/Devices that Maya can access:

Talkspace’s privacy policy provides clear information on data sharing and user choices. It shares data with service providers (hosting, analytics, payments), advertising and analytics partners (using cookies, device IDs), legal authorities when required, and research partners – often with de-identified data unless explicit user authorization is given. Importantly, it states that protected health information  is not sold and that advertising trackers are limited once a user becomes a patient, though the extent of this limitation is not deeply detailed.

C. Third-Party under DPDPA

Observations:

  1. It does not specify timelines for handling requests, which may create uncertainty, and there is limited detail on how users are informed of denials or if appeals are possible. 
  2. Greater clarity on how consent withdrawal affects therapy records would strengthen user trust.
  3. Opt-in/out Feature: Users can unsubscribe from marketing emails via links or email, limit cookies and tracking technologies, and request access, correction, or deletion of their data. U.S. residents can opt out of the “sale” or “sharing” of data for targeted advertising, and EU/UK users can exercise GDPR rights. However, some restrictions may not be granted if they interfere with treatment or legal obligations, and cookie controls are not very granular. Overall, Talkspace offers reasonable transparency and user control, but the presence of advertising-related data sharing and jurisdiction-specific rights means users outside the U.S. or EU may have fewer privacy protections and limited ability to opt out of certain tracking

D. Readability:

Talkspace’s privacy policy is relatively well-structured and written in plain language, making it more readable than many legal documents. It uses clear headings, tables, and bullet points to explain what data is collected, how it is used, and user rights, which improves comprehension.

E. Data Protection Score:

Data Protection Score: 2/7

Observations: 

  1. Lawfulness, transparency and fairness: Clearly explains what data is collected, why, and under which laws (HIPAA, GDPR, CCPA). Provides user rights and contact details. Slightly vague on legal basis for “advanced data processing” and sharing for marketing.
  2. Storage Limitation:  It is stated that data is kept as long as an account is active or required by law. Does not specify retention periods for different data types (e.g., chat transcripts, cookies), which may reduce predictability for user
  3. Purpose limitation:  Lists specific purposes (treatment, billing, analytics, research, legal compliance). Broad terms like “service improvement” and “advanced processing” leave some ambiguity about potential future uses.
  4. Data minimisation: Collects necessary medical and account data but also tracks device information, cookies, and analytics, which may exceed strict “minimum necessary” for therapy.
  5. Accuracy:Allows users to access, correct, and update data. Can deny corrections if records are deemed accurate or must be preserved by law. No guaranteed timeframe mentioned for processing requests
  6. Integrity and Confidentiality:  States compliance with HIPAA Security Rule, annual third-party audits, and “commercially reasonable” safeguards. Does not disclose encryption standards or breach response timelines, which could reassure users. Additionally, Talkspace also has pending lawsuits concerning the confidentiality of user data.
  7. Accountability Talkspace has requisite policies in place i.e., Privacy Policy including a separate policy for children below 18, Terms of Service, etc. Talkspace has also appointed a grievance officer to address privacy-related concerns.

HERE’S WHAT WE FOUND:

  • Data Protection Score: Scores varied widely — Wysa scored highest at 6/7, while Talkspace scored the lowest at 1/7. Headspace, YourDost, and Calm each scored 2/7, revealing significant shortcomings in data protection practices.
  • Data Protection Principles : Most apps failed to comply with the principle of ‘Data Minimisation’, collecting far more personal and sensitive information than is necessary for providing mental health support. Apps like Headspace and Calm gather demographic details, health history, and even inferred data such as browsing patterns without clear justification.
  • Data Protection Rights: All 5 apps reference user rights under laws like the DPDP Act or GDPR (withdraw consent, access, erasure, correction, grievance redressal). However, timelines for responding to requests are often missing, and enforcement is unclear. Wysa goes further by offering additional rights, such as pausing data collection and preventing marketing use of data.
  • Consent Practices: Several apps rely on implied consent by assuming that continued use equals acceptance of their policies (Headspace, Calm, Talkspace). Wysa, in contrast, places stronger emphasis on explicit consent.
  • Third-Party Data Sharing: All apps share data with third parties, often for analytics, hosting, or advertising. Headspace and Calm share data with advertising platforms like Google and Facebook, while Talkspace has faced lawsuits over undisclosed data sharing. Wysa provides the clearest list of its third-party service providers.
  • Anonymity & Sign-In Requirements: Only Wysa offers meaningful anonymity by allowing users to use the chatbot without mandatory sign-in. Other apps require registration, limiting user control over sensitive disclosures.
  • Readability: While policies for Calm and YourDost read like legal documents, Headspace and Wysa present their policies in clearer, more user-friendly formats. Talkspace stands out for structured and plain language explanations.

TAKEAWAYS

In our analysis, it was observed that all Mental Health Wellbeing Applications collect several streams of personal data across a broad and interconnected range of services. While a user might not object against processing of their health data, it remains critical that one is fully aware of whether such processing is necessary to fulfil the use cases of the application. Therefore, users can choose to be more mindful of their digital privacy by considering the following factors –

For users choosing between or using these apps, consider the following:

  • Review Privacy Policies Carefully: Look for clear explanations of what data is collected, why it is needed, and how it is shared, especially concerning third-party vendors.
  • Beware Extensive Data Collection: Prefer platforms that limit data to what is essential for the service, especially avoiding apps that collect automatic or third-party data without explicit, granular consent.
  • Understand Your Rights: Confirm the app enables you to access, correct, delete, and withdraw consent for your data processing, and understand any exceptions that may apply.
  • Evaluate Security Safeguards: Seek apps that specify encryption, secure storage, and strict access controls to protect your data confidentiality and integrity.
  • Check Accountability Measures: Favour apps with designated privacy and security teams, transparent breach notification policies, and stated Data Protection Officers or equivalent roles.
  • Consider Your Anonymity Preferences: Apps like Wysa that allow usage without mandatory sign-in provide better privacy in this regard.

PrintLinkedIn
SFLC.in Analysis of X Corp v Union of India Judgement

SFLC.in Analysis of X Corp v. Union of India Judgment in K’taka HC

Combating Misinformation: Practical Guide to Fact-Checking & Legal Resource

Mindfully Monitored? Privacy in Mental Health Apps