Written By
Team Intellect

Privacy of mental health apps: Intellect’s zero-knowledge encryption and compliance with HIPAA, GDPR


As mental wellbeing takes center stage, the demand for mental health apps has surged. A Deloitte study reports that interest in these apps has grown by over 500%, driving rapid market expansion.

But with this growth comes a pressing concern: the data privacy of mental health apps. In 2024, the U.S. Federal Trade Commission fined BetterHelp $7.8 million after it was found to have shared users’ sensitive mental health data with third parties for advertising despite assurances of confidentiality.

Mental health apps often collect deeply personal information—such as users’ moods, triggers, anxieties, and stressors—making data privacy non-negotiable. Yet this remains a glaring gap in the industry, and BetterHelp is far from an isolated case.

Poor privacy of mental health apps 

In 2022, a study found that 74% of the mental health apps analysed were rated as Critical Risk, and 15% as High Risk in the App Security Score. The researchers highlighted a widespread issue of information disclosure threats, primarily caused by insecure coding practices.

That same year, the *Privacy Not Included report by the independent watchdog Mozilla Foundation revealed that most popular mental health apps had weak privacy and security protections. Among the issues flagged:

  • Users could create accounts using weak passwords or via third-party platforms like Facebook or Gmail, increasing vulnerability.

  • Privacy policies were often overly brief, omitting critical details about data collection and sharing. In some cases, policies only applied to websites—not the apps themselves.

  • Personal information was sometimes shared with third parties, such as advertisers or health insurers, often without proper consent.

Worryingly, the situation worsened in 2023. When Mozilla conducted the same study a year later, 59% of the top apps received Privacy Not Included warning labels—an increase from 2022—and 40% of the apps had deteriorated in terms of privacy and security standards.

How Intellect ensures privacy

As mental health apps grow in popularity, more organisations are adopting them to support employee wellbeing. In these cases, the stakes of inadequate data privacy are even greater.

“If you talk about employees’ concerns, their fear is if we are sharing details with HR managers; it can affect their career progression,” says Intellect’s Chief Technology Officer Anurag Chutani.

More than half of employees are afraid to talk to their managers about mental health, fearing they could be fired, furloughed, or passed over for a promotion. The result of tiptoeing around the issue? Lower employee motivation, morale, productivity, and higher stress.

Confidentiality is a top priority when selecting a mental health app for your organisation, which is why Intellect stands by two key commitments.

1. Zero-Knowledge Encryption

The most important feature is our Zero-Knowledge Encryption technology, which encrypts employees’ data, including their state of mental health, on their device. This protects their information not only from their employers, but also from the engineers behind Intellect’s services.

“We are not sharing any individual reports with any of the managers or the HR of the company which we are dealing with.”

According to an article by Website Rating, this level of security means that only you have the keys to access your stored data. This ensures that individuals can engage with Intellect safely without any risk of leakage, allowing them to access mental health support without hesitation.

2. GDPR Compliance

In Q1 2025, Intellect achieved compliance with the European Union General Data Protection Regulation (GDPR), which governs how organisations collect, use, and protect the personal data of individuals in the EU.

At Intellect, GDPR compliance means we have implemented strict controls around the handling of personal data—such as names, email addresses, IP addresses, and browsing behaviour. Our compliance framework includes:

  • Clear consent: Users must give informed consent before their data is collected or processed.
  • Purpose limitation: Data is collected only for specified, legitimate purposes.
  • Data minimisation: Only the necessary data is collected.
  • Right to access and erasure: Individuals can request to access, modify, or delete their data at any time (“right to be forgotten”).
  • Data security: Strong technical (e.g. Zero-Knowledge Encryption) and organisational measures must be in place to prevent breaches.
  • Third-party safeguards: Data processing agreements with third parties that may handle the data (like cloud providers).

What this means for users:

For individuals in the EU, this means greater transparency, autonomy, and assurance over how their data is collected, processed, and stored. This protection also extends to employees onboarded through Intellect EAP, as Intellect does not share any identifiable mental health data with employers—only aggregated and anonymised insights, such as usage trends or overall wellbeing scores.

3. HIPAA Compliance

As of June 2025, Intellect is fully compliant with the Health Insurance Portability and Accountability Act (HIPAA), a United States Act of Congress that ensures the protection of patients’ health information.

At Intellect, this milestone was reached by carefully controlling the visibility and handling of Protected Health Information (PHI) across our systems, processes, and partnerships. Key steps included:

  • Signing Business Associate Agreements (BAAs) with all partners handling PHI within the United States.
  • Implementing a comprehensive PHI Data Breach Notification Policy and Procedure.
  • Requiring mandatory HIPAA training via Sprinto for relevant teams.
  • Ongoing completion and review of Sprinto checklists and security workflows to maintain compliance.
  • Updating our Privacy Policy to fully align with HIPAA standards.

What this means for users:

For individuals in the US, this means their Protected Health Information (PHI) is only accessed by authorised personnel, never shared with employers, and safeguarded through robust policies and legal agreements. Users are informed about how their data is used, and in the event of a breach, they will be notified promptly.

On top of GDPR and HIPAA, Intellect also complies with Singapore’s Personal Data Protection Act (PDPA), which Chutani describes as “one of the strictest data privacy laws in the region.” Created to protect personal data from misuse and foster trust between individuals and organisations, it has helped Intellect build trust between employers and employees.

Prioritising privacy and employee wellbeing

When it comes to data privacy in mental health apps, users should pay close attention to two key factors: the type of personal data being collected, and how that data is used. The Mozilla Foundation also highlights the importance of responsive user support—how quickly and effectively a company addresses privacy concerns.

That’s why partnering with a provider like Intellect, which prioritises transparency in its data privacy practices, is essential.

“Users can reach out or access our privacy policy and basically go through our methods, what we are doing and how we are doing it,” says Chutani of Intellect’s efforts to provide assurance on data privacy.

Start building a safer, more supportive work environment with Intellect today.
