Is AI Therapy Private? Data, Confidentiality, and What to Check

AI therapy chats are not protected by the same confidentiality rules that bind a licensed therapist. Here is what actually happens to your data and how to protect yourself.

Reviewed by Seph Fontane Pennock · 9 min read

In short

No, AI therapy is not automatically private or confidential the way a session with a licensed therapist is. A human therapist is legally bound by confidentiality and, in most cases, privilege. Most consumer AI therapy apps are not. Your messages can be stored, reviewed by staff, used to train models, and shared with third parties, and many of these apps are not covered by HIPAA because they are not healthcare providers. Treat anything you type as data a company holds. Look for encryption, a no-training option, data deletion, and a clear policy, and avoid sharing identifying or highly sensitive details.

Is AI therapy confidential? The short answer

When you talk to a licensed therapist, the law protects what you say. Therapists are bound by professional confidentiality, and in most legal settings your communications are also covered by therapist-patient privilege, which limits when they can be used in court. There are narrow exceptions, such as an imminent risk of harm to yourself or others or a court order, but the default is strong, enforceable protection.

AI therapy is different. A chatbot is software run by a company, not a clinician who owes you a professional duty. Nothing about typing into an app automatically makes the conversation confidential or privileged. What protects your data is the company's privacy policy and its security practices, not a professional or legal obligation to keep your secrets. That is a meaningful gap, and it is the single most important thing to understand before you share anything personal.

This does not mean every AI tool is careless with your data. Some are genuinely privacy-forward. It means the protection is a business promise you have to verify, not a legal guarantee you can assume.

What actually happens to your data

When you message an AI therapy app, your text is usually sent to a server, processed, and stored. From there, several things can happen, depending on the company. Your conversations may be retained on the company's systems, sometimes indefinitely, so they can power features like history and personalization.

Human review is common. Many companies allow employees or contractors to read a sample of conversations to improve the product, check quality, or moderate for safety. Your messages may also be used to train or fine-tune AI models, which means fragments of what you wrote can become part of how the system behaves for everyone, unless the company offers and you choose an opt-out.

Third parties are often in the loop too. Apps frequently rely on outside services for hosting, analytics, crash reporting, and advertising, and your data, or signals derived from it, can be shared with those providers. Some apps have shared or sold sensitive information for marketing. Regulators have taken action against mental-health and health apps for exactly this kind of undisclosed data sharing, so it is not a hypothetical risk.

Finally, stored data can be exposed in a breach or requested through legal process. The more sensitive the information you put in, and the longer a company keeps it, the more there is to lose if something goes wrong.

Is AI therapy HIPAA compliant?

HIPAA, the US Health Insurance Portability and Accountability Act, is the rule people assume protects all health information. It does not. HIPAA only applies to covered entities, which are health plans, healthcare clearinghouses, and healthcare providers that bill electronically, along with the business associates that handle data on their behalf. It governs how those specific organizations use and disclose protected health information.

Most consumer AI therapy apps are not covered entities. They are technology companies selling a wellness or self-help product directly to you, not providers billing insurance. Because of that, the sensitive emotional information you share with them generally falls outside HIPAA's protection, even though it feels exactly like health data. A privacy policy that says the app is not a covered entity, or that simply never mentions HIPAA, is telling you that HIPAA's safeguards do not apply.

There are exceptions. If an app connects you to licensed clinicians, operates inside a healthcare system, or partners with providers and handles their patient data, parts of it may be HIPAA-bound. Some apps voluntarily describe themselves as HIPAA-compliant or use HIPAA-aligned security even when they are not legally required to. That can be reassuring, but read carefully, because a marketing claim is not the same as a legal obligation, and 'HIPAA-compliant infrastructure' can describe the hosting while the app still shares data in ways HIPAA would not allow for a provider.

Privacy features to look for

A trustworthy AI therapy tool makes its data practices easy to find and easy to control. Look for encryption, both in transit and at rest, so your messages are protected as they travel and while they sit on the company's servers.

Look for a clear way to opt out of model training, ideally with the opt-out applied by default, so your conversations are not used to train AI systems unless you agree. Look for real data deletion: the ability to delete individual chats and your whole account, with a statement that deletion actually removes your data rather than just hiding it.

Anonymity helps. Apps that let you start without an email, real name, or phone number reduce how easily your conversations can be tied back to you. Minimal data collection is a good sign in general: the less an app gathers, the less there is to leak or misuse.

Most important is a clear, specific privacy policy. It should plainly state what is collected, how long it is kept, whether humans review conversations, whether data is used for training or advertising, and which third parties receive it. A short, readable policy that answers those questions is a stronger signal than a long, vague one full of 'we may share with partners' language.

Red flags to watch for

Some signals should make you pause before sharing anything personal. A missing or hard-to-find privacy policy is the biggest one: if a company will not tell you clearly what it does with your data, assume the worst.

Watch for language that permits broad sharing or selling, such as sharing data with 'partners,' 'affiliates,' or 'for marketing purposes,' especially without a way to opt out. Be cautious when an app uses your conversations to train AI with no opt-out, when it requires more personal information than the service needs, or when it shows targeted ads, which usually means data is being shared with ad networks.

Other warning signs include no clear way to delete your data, vague or contradictory statements about human review, and marketing that leans on the word 'confidential' or 'private' without explaining what that means in practice. A history of regulatory action or a publicized data breach is worth a quick search before you commit. None of these guarantees harm, but together they tell you how seriously a company takes your trust.

Practical advice: protect yourself while using AI therapy

You can get value from AI support while limiting your exposure. The simplest rule is to treat the chat as something a company can read and keep, and to share accordingly. Avoid putting in details that identify you, such as your full name, address, employer, or the names of other people involved in your situation.

Be careful with highly sensitive specifics: things tied to your legal situation, immigration status, substance use, or anything that could harm you if it were exposed or subpoenaed. You can still describe how you feel and work through a problem using general terms instead of identifying particulars. Where the app allows it, sign up with a minimal account, turn off model training, and delete conversations you no longer need.

Read the privacy policy before you start, not after. Spend two minutes on the sections about data retention, training, human review, and sharing. And remember the limits of the tool itself: AI therapy apps are self-help aids, not crisis services and not a replacement for a licensed clinician. If you are in crisis or thinking about suicide, call or text 988 in the US to reach the Suicide and Crisis Lifeline, available 24 hours a day. For genuine confidentiality and protected, privileged conversations, a licensed therapist remains the right choice.

Key takeaways

  • AI therapy is not automatically confidential. Licensed therapists are legally bound by confidentiality and usually privilege. Consumer AI apps are not.
  • What protects your data is the company's privacy policy and security, not a professional or legal duty, so it has to be verified rather than assumed.
  • Your messages can be stored, reviewed by staff, used to train models, and shared with third parties, including for advertising.
  • HIPAA only covers healthcare providers, plans, and their partners. Most consumer AI therapy apps are not covered entities, so HIPAA does not protect what you tell them.
  • Look for encryption, a no-training opt-out, real data deletion, anonymous sign-up, minimal data collection, and a clear, specific privacy policy.
  • Do not share identifying or highly sensitive details, read the policy first, and use a licensed therapist when you need true confidentiality.

Frequently asked questions

Is AI therapy confidential?

Not in the way a licensed therapist is. A human therapist is legally bound by confidentiality and, in most cases, privilege. An AI therapy app is software run by a company, and nothing about typing into it automatically makes the conversation confidential. The only protection is the company's privacy policy and security practices, which you have to read and trust rather than assume.

Is an AI therapist confidential like a real one?

No. A real therapist owes you a professional and legal duty of confidentiality, with narrow exceptions like imminent risk of harm. An AI therapist has no such duty. Your conversations may be stored, reviewed by staff, used to train models, or shared with third parties, so treat them as data a company holds, not as a privileged conversation.

Is AI therapy HIPAA compliant?

Usually not. HIPAA only applies to covered entities such as healthcare providers, health plans, and their business associates. Most consumer AI therapy apps are technology companies selling a wellness product directly to you, so they fall outside HIPAA. Some apps that connect you to licensed clinicians or operate inside a healthcare system may be partly HIPAA-bound, but read the policy carefully, because a marketing claim of being HIPAA-compliant is not the same as a legal obligation.

What happens to my AI therapy data?

It is typically sent to a server, processed, and stored, sometimes indefinitely. Depending on the company, staff or contractors may review samples of conversations, your messages may be used to train AI models, and data may be shared with third parties for hosting, analytics, or advertising. Stored data can also be exposed in a breach or requested through legal process, which is why minimizing what you share matters.

What privacy features should an AI therapy service offer?

Look for encryption in transit and at rest, a clear opt-out from using your chats to train AI, real account and conversation deletion, the ability to sign up anonymously without your real name or phone number, minimal data collection, and a clear, specific privacy policy that states what is collected, how long it is kept, who reviews it, and which third parties receive it.

What are the privacy concerns with AI therapy?

The main concerns are that conversations are not legally confidential, that sensitive emotional data may be stored long-term, reviewed by humans, used to train models, or shared with or sold to third parties, and that most apps are not covered by HIPAA. There is also breach and legal-disclosure risk. To reduce exposure, avoid identifying or highly sensitive details, read the privacy policy, turn off training where possible, and use a licensed therapist when you need true confidentiality.

Important: This article is educational information about AI mental-health tools, not a substitute for professional care or a diagnosis. AI tools are not crisis services. If you are struggling, reach out to a licensed mental-health professional. In an emergency, call your local emergency number or, in the US, call or text 988.