Therapy and life-coaching apps have been rapidly growing in number, flavors, and popularity. However, their users routinely share highly sensitive and personal information, such as traumas, fantasies, desires, relationship difficulties, and other mental health concerns. This prompts the need for an empirical analysis of privacy practices in this ecosystem, and particularly the alignment between these apps' privacy policies and their actual behavior. In this paper, we present a comprehensive analysis of 25 popular Android mental health and life-coaching apps, combining static analysis, dynamic network capture, and LLM-assisted privacy policy extraction validated against manual annotation. Our findings highlight serious concerns and substantial transparency gaps. First, every app embeds at least one tracker SDK that its privacy policy does not name, and 68% of apps fail to disclose at least half of the trackers detected in their APKs; Talkie alone embeds 20 while naming none. Second, we identify 16 permission-policy contradictions across 13 apps, i.e., a dangerous permission is declared in the manifest but omitted from the policy, including 6 apps that request camera or microphone access without disclosing photo, video, or audio collection. Third, 48% of apps disclose third-party AI processing (e.g., via OpenAI, Anthropic, Groq), with one app sending journal entries to all three simultaneously, while 7 apps use only generic language that leaves recipients unidentified. Taken together, our findings demonstrate that current disclosure practices fall short of the transparency required for meaningful informed consent. We argue for a significantly updated regulatory framework governing therapy apps in the spirit of the professional and ethical standards that bind licensed human therapists.

翻译：治疗与生活指导类应用的数量、种类和受欢迎程度正在迅速增长。然而，其用户常需分享高度敏感的个人信息，如创伤、幻想、欲望、人际关系困扰及其他心理健康问题。这促使我们需要对该生态系统中的隐私实践进行实证分析，特别是这些应用的隐私政策与其实际行为之间的一致性。本文对25款流行的安卓心理健康与生活指导应用进行了全面分析，结合了静态分析、动态网络捕获以及经人工标注验证的LLM辅助隐私政策提取。我们的研究结果揭示了严重的隐私问题和显著的透明度差距。首先，每款应用都嵌入了至少一个其隐私政策未提及的追踪器SDK，其中68%的应用未能披露其APK中检测到的至少一半追踪器；仅Talkie一款应用就嵌入了20个追踪器却无一在政策中提及。其次，我们在13款应用中发现16处权限-政策矛盾，即清单文件中声明了危险权限但政策中未予以说明，其中包括6款应用请求摄像头或麦克风权限却未披露照片、视频或音频收集行为。第三，48%的应用披露了第三方AI处理（例如通过OpenAI、Anthropic、Groq实现），其中一款应用同时将日志条目发送给所有三个服务商，而7款应用仅使用泛泛表述导致接收方身份不明。综合来看，我们的研究表明，当前的披露实践远未达到实现有意义知情同意所需的透明度。我们主张，应遵循约束持证人类治疗师的专业与伦理标准精神，对监管治疗类应用的规制框架进行显著更新。