Top Mental Health and Prayer Apps Fail Spectacularly at Privacy, Security

Despite dealing with issues like depression, suicide, domestic violence, and PTSD, these apps share data freely and raise many security concerns

28 out of 32 apps receive Mozilla’s *Privacy Not Included warning label

(SAN FRANCISCO, CA | MONDAY, MAY 2) — When it comes to protecting people’s privacy and security, mental health and prayer apps are worse than any other product category Mozilla researchers have reviewed over the past six years, according to Mozilla's latest *Privacy Not Included guide.

Released today for May’s Mental Health Awareness Month, Mozilla investigated the privacy and security practices of 32 mental health and prayer apps, like Talkspace, Better Help, Calm, and Glorify. 28 of the 32 apps were slapped with a *Privacy Not Included warning label, indicating strong concerns over user data management. And 25 apps failed to meet Mozilla’s Minimum Security Standards, like requiring strong passwords and managing security updates and vulnerabilities.

Despite these apps dealing with incredibly sensitive issues — like depression, anxiety, suicidal thoughts, domestic violence, eating disorders, and PTSD — they routinely share data, allow weak passwords, target vulnerable users with personalized ads, and feature vague and poorly written privacy policies.

The apps that Mozilla investigated connect users with therapists; feature AI chat bots, community support pages, and prayers; offer mood journals and well-being assessment; and more. Mozilla researchers spent 255 hours — over eight hours per product — writing the guide.

Says Jen Caltrider, Mozilla’s *Privacy Not Included Lead: “The vast majority of mental health and prayer apps are exceptionally creepy. They track, share, and capitalize on users’ most intimate personal thoughts and feelings, like moods, mental state, and biometric data. Turns out, researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with our most intimate personal information.”

Says Misha Rykov, Mozilla Researcher who co-developed guide: “Hundreds of millions of dollars are being invested in these apps despite their flaws. In some cases, they operate like data-sucking machines with a mental health app veneer. In other words: A wolf in sheep’s clothing.”

Key findings include:

• There are six worst offenders. Apps with the very worst privacy and security are Better Help, Youper, Woebot, Better Stop Suicide, Pray.com, and Talkspace. Their flaws entail incredibly vague and messy privacy policies (Better Help, Better Stop Suicide); sharing personal information with third parties (Youper, Pray.com, Woebot); and even collecting chat transcripts (Talkspace).
• These companies are incredibly unresponsive. Mozilla emails all companies at least three times (at the privacy contact listed in their privacy policy) to try and get answers to our privacy and security related questions. And only a single company (Catholic prayer app Hallow) responded in a timely manner. Mozilla did finally hear back from two others (Calm and Wysa) after a third email to them.
• There are only two trustworthy apps. The “Best Of” category in this edition was woefully short — only two products did not fall short of basic privacy/security standards. PTSD Coach, an app made by the U.S. The Department of Veterans Affairs, had strong privacy policies and security practices. And the AI chatbot Wysa, seems to really value users’ privacy.
• Mental health apps are a data harvesting bonanza. Nearly all the apps reviewed gobble up users’ personal data — more than Mozilla researchers have even seen from apps and connected devices. Further, some apps harvest additional data from third-party platforms (like Facebook), elsewhere on users’ phones, or data brokers. Meanwhile, others are taking advantage of this. Silicon Valley investors are pouring hundreds of millions of dollars into these apps. Insurance companies get to collect extra data on the people they insure. And data brokers are enriching their databases with even more sensitive data.
• Security is sometimes laughable. Despite dealing with incredibly sensitive information, some apps’ security practices are akin to a flimsy lock on a diary. At least eight apps allowed weak passwords ranging from “1” to “11111111”. Moodfit only required one letter or digit as a password, which is concerning for an app that collects mood and symptom data. We also had trouble determining if many apps pushed security updates regularly or had a way to manage security vulnerabilities found in their apps.
• Teens are especially vulnerable. Parents of kids and teens using these apps should pay close attention to how their child’s privacy is handled. Many mental health and prayer apps target or market to young people, including teens — a demographic that suffers the most from mental health issues. When teens share information on these apps, it could be leaked, hacked, or used to target them with personalized ads and marketing for years to come.

Note: An earlier edition of this press release stated 29 out of 32 apps received Mozilla’s *Privacy Not Included warning label. Since publishing, Glorify has responded to Mozilla researchers and clarified their practices. In response, Mozilla removed the *Privacy Not Included mark, bringing the total to 28.

Press contacts:

North America: Patrick Kowalczyk, [email protected]

Europe: Tracy Kariuki, [email protected]

UK: Mark Thomson, [email protected]

Africa: Shandukani Mulaudzi, [email protected]