Therapy and life-coaching apps have been rapidly growing in number, flavors, and popularity. However, their users routinely share highly sensitive and personal information, such as traumas, fantasies, desires, relationship difficulties, and other mental health concerns. This prompts the need for an empirical analysis of privacy practices in this ecosystem, and particularly the alignment between these apps' privacy policies and their actual behavior. In this paper, we present a comprehensive analysis of 25 popular Android mental health and life-coaching apps, combining static analysis, dynamic network capture, and LLM-assisted privacy policy extraction validated against manual annotation. Our findings highlight serious concerns and substantial transparency gaps. First, every app embeds at least one tracker SDK that its privacy policy does not name, and 68% of apps fail to disclose at least half of the trackers detected in their APKs; Talkie alone embeds 20 while naming none. Second, we identify 16 permission-policy contradictions across 13 apps, i.e., a dangerous permission is declared in the manifest but omitted from the policy, including 6 apps that request camera or microphone access without disclosing photo, video, or audio collection. Third, 48% of apps disclose third-party AI processing (e.g., via OpenAI, Anthropic, Groq), with one app sending journal entries to all three simultaneously, while 7 apps use only generic language that leaves recipients unidentified. Taken together, our findings demonstrate that current disclosure practices fall short of the transparency required for meaningful informed consent. We argue for a significantly updated regulatory framework governing therapy apps in the spirit of the professional and ethical standards that bind licensed human therapists.

翻译：治疗与生活指导类应用在数量、种类和受欢迎程度上均快速增长。然而，其用户常分享高度敏感的个人信息，如创伤、幻想、欲望、关系困扰及其他心理健康问题。这促使人们有必要对该生态系统中的隐私实践进行实证分析，特别是这些应用的隐私政策与其实际行为之间的一致性。本文对25款流行的Android心理健康与生活指导应用进行了全面分析，结合了静态分析、动态网络捕获以及经人工标注验证的LLM辅助隐私政策提取方法。我们的研究结果揭示了严重问题与显著透明度差距。首先，每款应用至少嵌入了一个其隐私政策未提及的追踪器SDK，且68%的应用未能披露其APK中检测到的至少一半追踪器；仅Talkie一款应用就嵌入了20个追踪器，但未披露任何一项。其次，我们在13款应用中识别出16项权限-政策矛盾，即在清单文件中声明了危险权限，但政策中未提及，其中包括6款应用在未披露照片、视频或音频采集的情况下请求摄像头或麦克风访问权限。第三，48%的应用披露了第三方AI处理（例如通过OpenAI、Anthropic、Groq），其中一款应用将日记条目同时发送给上述三家AI提供商，而7款应用仅使用泛化表述，未明确说明接收方。综合来看，我们的研究结果表明，当前的披露实践远未达到实现有意义知情同意所需的透明度。我们认为，有必要依据约束持证人类治疗师的专业和伦理标准，对管理治疗应用的监管框架进行重大更新。