Why your mood data should never leave your phone
Mental health data is more sensitive than financial data, and the wellness app industry has not earned its reputation. A clinician's argument for on-device tracking.
Open the App Store and search for "mood tracker." You will get hundreds of apps. Most of them are free. Some have ten million downloads. Almost all of them ask you to create an account, store your entries on a server somewhere, and have a privacy policy you have not read.
A short thought experiment. Picture, for a moment, that every mood entry you have ever written in one of these apps is now sitting in a database. Picture the company that owns the database. Picture the analytics vendor they pay. Picture the third-party SDK their developer plugged in three years ago to track conversion events. Picture the data broker that has been buying their outputs.
Now picture your boss seeing it. Your custody lawyer. Your insurance company's data partner. A future employer's background check vendor. Someone you have not met yet, in a job you have not applied for, in a context you cannot predict.
This is not paranoia. It is the documented business model of a meaningful slice of the consumer wellness app industry. And it is the reason I built The Observing Ego the way I did.
The wellness app industry has a privacy problem
Over the past several years, the Federal Trade Commission has taken enforcement action against multiple high-profile mental health and wellness companies for sharing user data with advertising platforms, sometimes against the explicit terms of their own privacy policies. Researchers at the Mozilla Foundation's "Privacy Not Included" project have repeatedly flagged the mental health app category as one of the worst in their entire database, with apps in this category routinely earning their failing-grade warning label.
The mechanics are mundane. A founder ships a free app, picks up tens or hundreds of thousands of users, runs out of runway, and adds a third-party SDK to monetize the install base. The SDK is supposed to help with analytics or crash reporting or growth. It also, often quietly, transmits identifiers, timestamps, and behavioral events to a company you have never heard of, which sells the aggregated data to companies you have also never heard of.
The user is not informed in a meaningful sense. The privacy policy gets updated. The developer's blog post calls it an "improvement to our personalization engine." The user keeps logging their depression scores.
I do not name specific apps here, partly because the list changes every year, and partly because the problem is structural. It is what happens when a category that should have been treated as health care got treated as a free consumer app instead.
Why mood data is uniquely sensitive
Mood data is not like email metadata or shopping history. Three things make it different.
First, it is a record of you at your worst. Most mood entries get written in the bad moments, because the bad moments are when people reach for the app. A retrospective look at any individual's mood history will overrepresent the dark patches. The data is more negative than the life it summarizes.
Second, it is decontextualized. A note that says "wanted to disappear" is one thing in the context of a stable life and a grieving week, and an entirely different thing in the context of a custody hearing or an immigration screening. Mood data does not carry its own context with it. Stripped of context, it is uniquely vulnerable to being misread.
Third, it is permanent in a way that other data is not. Financial records can be paid off. Browsing history can be cleared. A mood log written in 2021, with a particular date attached and a particular intensity slider position, becomes part of a record that no future you can revise or delete from a third party's archive.
The combination matters. A leaked mood history is more damaging than a leaked credit card, because the credit card can be replaced and the mood history cannot. We treat the credit card like the more serious thing. We have the categories reversed.
What "on-device" actually means
If you have read any consumer-tech marketing recently, you have seen the phrase "on-device" thrown around in ways that range from rigorous to outright misleading. Worth pinning down what it actually means.
A piece of data is on-device when it lives only on the hardware in your hand or on your wrist, and when no copy of it exists on a server that the developer or any third party controls. The app may read it, compute on it, and show you results, but the data itself never leaves your possession.
A piece of data is end-to-end encrypted when it does travel through someone else's infrastructure, but only in a form that the infrastructure operator cannot read. Apple's iCloud private database, for example, encrypts certain categories of data with a key derived from your device, which means Apple's own servers cannot read the contents. They store an opaque blob.
These two postures together can give you something close to absolute privacy: the data either does not move, or moves only in a form that no intermediate party can decrypt. This is the architecture The Observing Ego uses, and it is the architecture I think every mood tracking app should use.
The opposite posture, which is the default in most of the industry, is server-side storage with TLS in transit and at-rest encryption. This is what almost everyone means by "we encrypt your data." It sounds reassuring. It is not the same as end-to-end encryption. The server operator holds the keys. So does anyone with a subpoena, anyone who breaches the server, anyone who buys the company, and anyone the company hires.
How The Observing Ego handles your data
I will be concrete, because the field deserves concrete.
- Mood logs, journal entries, habit data, medication records, and assessment results are stored on your device. They use iOS's Complete Protection encryption class, which means the file system key is derived from your device passcode. When the phone is locked, the data is mathematically unreadable.
- CloudKit sync, if you enable it, uses Apple's private database with end-to-end encryption. Apple cannot read what is stored there. We cannot either. There is no server we operate, no database we administer, and no admin account that could be compromised to expose your entries.
- Apple Health data stays on your device and is never transmitted. If you allow the app to read your sleep, heart rate variability, or other health metrics from Apple Health, those readings stay on your device for on-device correlation, are excluded from CloudKit sync, and never reach any external server. The only writes back to Apple Health are optional State of Mind entries you choose to save on iOS 18+.
- Stress and motion data live in a separate local-only data store that is never synced to iCloud at all, by design. This is a more conservative posture than the rest of the app, because that category of data felt sensitive enough to warrant the extra layer.
- All insight and correlation calculations run on your device. There is no machine learning model in the cloud, no AI analysis of your journal entries, and no aggregation of your data with other users' data. The pattern-finding is deterministic, rule-based code that executes locally.
- There are no third-party analytics SDKs, no crash reporting services, no tracking pixels, no advertising identifiers, and no data brokers. I do not collect IP addresses or device fingerprints. I do not run a customer data platform. I do not know how many minutes you spent on the journal screen yesterday.
- Biometric data, if you set up Face ID or Touch ID for the app, never leaves your device. Apple's Secure Enclave handles it. I do not see it, store it, or have any way to query it.

This posture means I know less about my own users than essentially any other developer in the App Store. I know how many people have downloaded the app, and that is because Apple tells me. Everything else, I do not have.
The trade-offs are real
I am not going to pretend this architecture has no costs. It has several, and you should know them before you choose any mood tracker on this basis.
There is no web dashboard. You cannot log in from a browser on a friend's laptop and see your data. The data is on your phone. If you want it on another device, the other device must be signed into your Apple ID, and the data syncs through Apple's encrypted channel.
There is no cloud account. You do not have a username and password with us, because there is no us-side account to log into. If you lose your phone and have not enabled iCloud sync, the data on that phone is unrecoverable. This is an inherent property of the privacy posture, not a bug.
There is no "share with my therapist" cloud link. The closest equivalent is the PDF export, which generates a report on your device that you can email, print, or hand over in any way you choose. The control stays with you.
There is no multi-user account. No families sharing logins. No couples comparing entries. The app is single-user by design, because the alternative requires a server-side account model, which requires server-side data, which is the thing we are trying to avoid.
There are fewer analytics for us. I cannot tell you which features are most used, because I do not measure that. I cannot run A/B tests in the conventional way. Product decisions come from direct user feedback, from my own clinical judgment, and from the small structured invitations to comment that the app offers. This is slower. It is also honest.
These are not limitations I am embarrassed about. They are the price of doing the thing I think the category should have been doing all along.
How to evaluate any mood tracker for privacy
If you are shopping for a mood tracker and you do not want to take any single developer's word for it, here is a checklist you can use on any app in the category. It is the same checklist I would use as a consumer.
- Read the App Store privacy label first, not the marketing page. Apple requires every app to disclose what categories of data it collects and what it uses them for. Look at the "Data Linked to You" section. If you see anything in there for a mood app, ask why.
- Look for the words "end-to-end encryption" or "on-device storage." If the privacy policy says only "we encrypt your data" or "industry-standard security," that is not the same thing. They are storing it on a server they control.
- Search the company name plus "FTC" and "Mozilla Privacy Not Included." These two sources will tell you if there has been enforcement action or independent review. Both surface real signal.
- Find the third-party SDK list. Most modern App Store privacy policies disclose the third-party services they use. Common ones to flag include Facebook SDK, Google Analytics, Mixpanel, Amplitude, and Segment. Any of these on a mental health app is a yellow flag at minimum.
- Check the business model. If the app is free, has no in-app purchases, and is well-designed, ask where the revenue comes from. There are exceptions, but the default assumption should be that the user is the product.
- Look for HealthKit integration on iOS or Health Connect on Android. Apps that read from those frameworks are subject to stricter rules about how that specific data is handled, including a prohibition on using HealthKit data for advertising. This is not a guarantee of good behavior elsewhere in the app, but it is a structural improvement.
- Look for active development by a real person or company. A long-dead app with your mood data on a server is one acquisition away from a privacy posture change. The more durable the company, the more durable the policy.
- Read at least one entry of the developer's public writing. Blog, About page, App Store description, anything. A developer who treats privacy as a marketing line will sound different from one who treats it as an architectural commitment. You can usually tell.
The right answer is rarely a single binary. Most apps are partial fits. The point is to know what you are agreeing to.
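The privacy-label and SDK-list items above have a bundle-level counterpart for anyone who can unpack an app: Apple's privacy manifests (PrivacyInfo.xcprivacy), which the app and its bundled SDKs can ship. The sketch below is an added example, not code from The Observing Ego, and goes one step beyond the consumer checklist; the set of "risky" purposes is this example's own policy choice, and both sample manifests and the domain metrics.example.com are constructed.

```python
import plistlib
from pathlib import Path

# Keys and values in the collected-data section share this prefix,
# e.g. NSPrivacyCollectedDataTypeLinked, NSPrivacyCollectedDataTypeHealth.
P = "NSPrivacyCollectedDataType"
# Example policy (an assumption): purposes a mood tracker should not need.
RISKY_PURPOSES = {P + "PurposeThirdPartyAdvertising",
                  P + "PurposeDeveloperAdvertising",
                  P + "PurposeAnalytics"}

def audit_manifest(raw: bytes) -> list:
    """Return findings for one PrivacyInfo.xcprivacy (XML or binary plist)."""
    manifest = plistlib.loads(raw)
    findings = []
    if manifest.get("NSPrivacyTracking", False):
        findings.append("declares tracking")
    for domain in manifest.get("NSPrivacyTrackingDomains", []):
        findings.append(f"tracking domain: {domain}")
    for entry in manifest.get("NSPrivacyCollectedDataTypes", []):
        kind = entry.get(P, P + "<unspecified>").removeprefix(P)
        if entry.get(P + "Linked", False):
            findings.append(f"{kind}: linked to the user's identity")
        if entry.get(P + "Tracking", False):
            findings.append(f"{kind}: used for tracking")
        purposes = entry.get(P + "Purposes", [])
        for purpose in sorted(RISKY_PURPOSES.intersection(purposes)):
            findings.append(f"{kind}: purpose {purpose.removeprefix(P + 'Purpose')}")
    return findings

def audit_bundle(root) -> dict:
    """Audit every manifest under an unpacked .app, embedded frameworks included."""
    return {str(p.relative_to(root)): audit_manifest(p.read_bytes())
            for p in sorted(Path(root).rglob("PrivacyInfo.xcprivacy"))}

# Constructed sample (not from any real app): manifest of a bundled analytics SDK.
SDK_MANIFEST = plistlib.dumps({
    "NSPrivacyTracking": True,
    "NSPrivacyTrackingDomains": ["metrics.example.com"],
    "NSPrivacyCollectedDataTypes": [
        {P: P + "Health", P + "Linked": True, P + "Tracking": False,
         P + "Purposes": [P + "PurposeAnalytics"]},
        {P: P + "DeviceID", P + "Linked": True, P + "Tracking": True,
         P + "Purposes": [P + "PurposeThirdPartyAdvertising", P + "PurposeAppFunctionality"]},
    ]})
# Constructed sample: an app that keeps everything on the device declares nothing.
LOCAL_MANIFEST = plistlib.dumps({"NSPrivacyTracking": False, "NSPrivacyCollectedDataTypes": []})
```

A manifest is a self-declaration, so an empty result shows only what the bundle admits to; it complements the other checklist items rather than replacing them.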
The bigger argument
The deeper claim I want to make is not technical. It is this. Your inner life is not a marketing surface. The thoughts you write down in a bad moment are not a customer journey to be optimized. The fact that you have been more anxious this month than last is not a signal for an advertising algorithm.
Mental health data exists in a category that the privacy law of the last twenty years has failed. HIPAA does not apply to consumer apps. The GDPR has reach in Europe but uneven enforcement. State-level health privacy laws are a patchwork. Federal action is sporadic. The market has, in the absence of meaningful regulation, sorted itself into companies that take this seriously and companies that do not.
The only data that cannot be sold, leaked, subpoenaed, scraped, repurposed, or quietly funneled to an ad-tech partner is data that does not exist on a server in the first place. Everything else is a question of how long the protection holds.
This is why The Observing Ego is built the way it is. Not because the architecture is fashionable, or because Apple's marketing rewards privacy claims, or because it is a useful differentiator (though it is one). Because I do not want to be the developer who, three years from now, has to write the apology blog post.
There is a version of this category that treats mood data with the same reverence that clinicians are trained to treat patient files. Locked office, locked cabinet, locked notes. The patient leaves the room and the record stays. It is not a complicated standard. It is just the standard.
In summary
- The wellness app industry has not earned the trust users have given it. Enforcement actions and independent reviews make this clear.
- Mood data is uniquely sensitive because it overrepresents your worst moments, is decontextualized, and is permanent in a way other data is not.
- "On-device" and "end-to-end encrypted" are the two architectural commitments worth holding any app to. Most apps offer neither.
- The trade-offs of doing it right are real (no web dashboard, no cloud account, no multi-user). They are intentional, not limitations.
- A short consumer checklist will let you evaluate any mood tracker in five minutes.
The Observing Ego is one app that takes this posture. There will be others over time, and the more there are, the better. The standard is what matters. The standard is that your inner life stays yours.