Cerebral

Warning: *Privacy Not Included with this product

Mental Health Apps Online Therapy

Cerebral

Cerebral Inc
Wi-Fi

Review date: April 25, 2023

|
Mozilla researched 8 hours
|

Mozilla says

|
People voted: Super creepy

Feeling anxious, depressed, can't sleep? Cerebral says it can help you with a variety of plans that offer medication and management, medication and therapy, or just therapy. Hop on their website, create an account (there's no getting started without creating an account), take their questionnaire, and pay up. Off you'll go with a video or phone call with a mental health provider or a chat with a counselor. Cerebral even says you could get your medications within days. All this is well and good. What's not good AT ALL is the fact that Cerebral admitted to sharing the private personal health information of over 3.1 million patients with social media sites like Facebook and TikTok! That's not likely going to help your anxiety much.

What could happen if something goes wrong?

We’d expect an app called “Cerebral” to be, uh, smarter about protecting your personal data. Especially because it handles protected health information covered by the US’s stronger health privacy law, HIPAA. So, being conscientious should be a no-brainer… Right? Cue the sad trumpet sound. The short answer is no.

Cerebral could go head-to-head with your doctor and your dog on the topic of intimate knowledge about you. Now, a lot of that information is given by you to get treatment, like your medical history, your Social Security number, and even your feelings – or “emotional characteristics” as their privacy policy puts it. And while it makes sense for them to have access to that in the context of care, handing it over means granting them a lot of trust. And considering earlier in 2023 Cerebral says they revealed that they shared the private mental health information of millions -- yes, millions, 3.1 million to be exact -- of their users, well, trust isn't something we'd say they are worthy of right now. As TechCrunch pointed out, according to a list put together by the U.S. Department of Health and Human Services, Cerebral's big data oopsy was the one of the largest breaches of Americans’ health data so far in 2023.

On top of what you tell them about yourself, Cerebral may collect information about how you use the services, like which products you’re using, when, and from what computer. Okay, if you must. But here’s where they may be getting a little greedy. Cerebral leaves the door open to collect information about you elsewhere, like social media sites and public sources, and combine it with what they already know about you. Plus, your lovely privacy researcher identified a heck of a lot of tracking going on, detecting 799 points of contact with different ad platforms during one minute of app activity. Why are you so obsessed with us, Cerebral?

They promise that the intimate knowledge will help them to “to better understand your interests and needs,” but it’s not clear whether that actually benefits you or not. They also mention “measuring the effectiveness of advertising and content we serve to you and others to deliver and customize relevant advertising and content to you” but that part definitely feels like that’s more like a benefiting-them-thing.

Here’s where we can share a little silver lining on an otherwise gray matter: they say that they “do not ‘sell’ your personal information and have not done so in the prior 12 months from the effective date of this Policy.” So your data’s not for sale! Not exactly cause for celebration, but we’ll take it.

Now scurrying back to the bad news. It’s worth mentioning that they’ve given themselves carte blanche to do what they want with your information so long as it’s de-identified or “no longer reasonably capable of being associated with you.” And we’ve got a two-pronged beef with that. The first is, studies have found “anonymized data” can be hard to make truly anonymous . But even if it was, most people probably don’t mean to agree to be a guinea pig when they click “accept” on a single checkbox as they’re signing up to seek help. Indeed, Cerebral says in their privacy policy that once they anonymize the data they can use it "for any purpose, including for research and marketing purposes, and we may also share such information for any purpose with any third parties, at our discretion." Uh..yikes.

So what if you change your mind and want to take back ownership of all that super-intimate information you shared with Cerebral? Well, it’s not clear whether all users have the right to have their data deleted. Indeed, if you don't live under stricter privacy laws like California's CCPA, you might be out of luck trying to get your data deleted according to Cerebral's privacy policy.

In Cerebral’s case, it’s not too tough to imagine what could go wrong when you share your most sensitive personal information with them -- it already happened when they admitted they shared millions of their customers personal information, including potentially some pretty sensitive mental health information, for their own marketing purposes without permission. Yup, that's bad.

Tips to protect yourself

- Do not give access to your photos and video
- Do not log in using third-party accounts
- Do not connect to any third party via the app, or at least make sure that a third party employs decent privacy practices
- Do not give consent for sharing of personal data for marketing and advertisement.
- Chose a strong password! You may use a password control tool like 1Password, KeePass etc
- Do not use social media plug-ins.
- Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless neccessary)
- Keep your app regularly updated
- Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
- Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
- When starting a sign-up, do not agree to tracking of your data if possible."

  • mobile

Can it snoop on me? information

Camera

Device: N/A

App: Yes

Microphone

Device: N/A

App: No

Tracks location

Device: N/A

App: Yes

What can be used to sign up?

Google sign-up available.

What data does the company collect?

How does the company use this data?

We ding this product as it may be combining collected data with data from third parties including advertisers.

"We may collect information about you if you use any of the other websites we operate or the other services we provide. We may collect information from public sources, advertisers, partners, and other third parties (such as third party intermediaries, including Providers and the Pharmacies). We may also collect information about you through a social media or other third-party account, such as Facebook or Google."

"We may use the information we collect in the following ways:
In accordance with applicable legal requirements, advertise and market our Services and those of our third-party partners to you, including on third-party websites (subject to any opt-out preferences you have communicated to us).
To personalize the Services, including engaging in analysis and research regarding use of the Services to better understand your interests and needs and measuring the effectiveness of advertising and content we serve to you and others to deliver and customize relevant advertising and content to you."

"Based on our understanding of the definition of “sell,” we do not “sell” your personal information and have not done so in the prior 12 months from the effective date of this Policy. "

"We have no control over how any third-party site uses or discloses the personal information it collects about you. We may combine information we receive from social media services and other sources with other information we collect from and about you."

"We may engage third parties to serve tailored advertisements for our Services on our behalf on third-party websites and applications. You have certain choices about how your information is used for this purpose."

How can you control your data?

It is not clear if all users regardless of location can get their data be deleted.

"Depending on your jurisdiction of residence, you may have certain rights to access, delete, or correct your information. Your rights will be subject to applicable exceptions, and we will need to verify your identity before processing your request. If you would like to submit a request relating to your data, please email us at [email protected]."

"We keep your information for the time necessary for the purposes for which it is processed. The length of time for which we retain information depends on the purposes for which we collected and use it and your choices, after which time we may delete and/or aggregate it. We may also retain and use this information as necessary to comply with our legal obligations, as necessary for our legitimate business interests, to resolve disputes, and to enforce our agreements."

What is the company’s known track record of protecting users’ data?

Needs Improvement

In 2023 Cerebral admitted to sharing the private personal health information of over 3.1 million patients to social media sites such as Facebook and TikTok.

Child Privacy Information

"Our Services are not directed to children under the age of eighteen (18) without parental consent. We do not knowingly collect information for individuals under the age of 18 (including, for children under the age of 13, “personal information” as defined in the U.S. Children’s Online Privacy Protection Act) without the verifiable consent of that child’s parent or guardian. If we learn that we have received any information for an individual under the age of 18, we process and delete that information as required by applicable law. If you are aware of a child providing personal information to us without parental consent, please contact us using the information below."

Can this product be used offline?

No

User-friendly privacy information?

No

Links to privacy information

Does this product meet our Minimum Security Standards? information

Yes

Encryption

Yes

Strong password

Yes

Security updates

Yes

Manages vulnerabilities

Yes

"Cerebral utilizes a vulnerability management process that leverages external vendor services, and a suite of security scanning and penetration testing tools to identify, validate, and prioritize remediation. If a vulnerability requiring remediation has been identified, it is logged and prioritized based on its severity, likelihood of risk, and impact.

If an individual has concerns they can be raised via phone (415-403-2156), in the patient and client portal, or to the Privacy or the Compliance functions of the company at [email protected] or [email protected]."

Privacy policy

Yes

Does the product use AI? information

Yes

The company representative shared with us that "We use machine learning models in various areas of the product to improve patient outcomes from optimizing patient-clinician matching to identifying patients potentially in crisis. These models help the patient, clinician or our operations teams see the most relevant, actionable information in a timely manner. These models do not make any decisions for users and the internal models are not accessible or controlled by users."

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can’t Determine

Does the user have control over the AI features?

N/A

*Privacy Not Included

Dive Deeper

  • Notice of HIPAA Privacy Breach
    Cerebral Link opens in a new tab
  • Cerebral admits to sharing patient data with Meta, TikTok, and Google
    The Verge Link opens in a new tab
  • Telehealth startup Cerebral shared millions of patients’ data with advertisers
    TechCrunch Link opens in a new tab
  • Mental health startup exposes the personal data of more than 3 million people
    CNN Link opens in a new tab
  • ‘Shut it off immediately’: The health industry responds to data privacy crackdown
    Politico Link opens in a new tab
  • Mental health app privacy language opens up holes for user data
    The Verge Link opens in a new tab

Comments

Got a comment? Let us hear it.