Journaling as a Therapist's Companion — Confidentiality First
Most journaling literature is written for the client side: how to journal between sessions, what to bring to therapy, how to track mood. This post takes the other angle — for clinicians who want to use a journaling tool either themselves or with clients, and for clients whose journaling crosses into territory their therapist will discuss.
Confidentiality is the thing that matters most here. Get the tool wrong and you've put session notes, client identifiers, or raw client thoughts onto a server you don't control. The good news is the right tool is unglamorous and easy to set up; the hard part is knowing what to look for.
This is not legal or compliance advice. HIPAA, GDPR, and clinical-board rules vary by jurisdiction and role. Talk to your supervisor and your professional body. The post below covers the principles that hold across regimes.
The threat model, briefly
For a therapist or client, the people you don't want reading the notes include:
- The journaling app's company.
- The cloud provider their backend runs on.
- A casual breach (database leak, lost laptop).
- A determined attacker with access to one device.
- In some cases, family members or coworkers who might pick up the device.
A privacy-first journal app addresses the first three by architecture. The last two are device-level concerns and require habits in addition to a tool.
The non-negotiables
Whatever tool you pick, confirm:
- End-to-end encryption by default. Not as an upsell, not as a setting buried in advanced options. The app shouldn't have a path to read content even if it wanted to. (See What End-to-End Encryption Actually Means for Your Journal.)
- Master key on device only. No "we'll keep a copy in case you forget your password." A real recovery flow is a phrase you saved at signup; if you lose it, the data is gone.
- No server-side AI on entries. "Summarize this entry" or "auto-tag" features mean the entry was decrypted on a server. Even transient decryption can mean retained logs at the LLM provider.
- Documented metadata. What does the server know? Account ID, entry IDs, dates, timestamps. That's roughly the minimum. No content-derived metadata.
- Plain-text export. You should be able to leave with your data at any time, in a format that survives the app.
For therapists: a few use patterns
Personal practice. Many therapists journal themselves — for processing client work indirectly, for supervision prep, for personal continuity. The tool should be private from the company and from family members on a shared device. App-level passcode or biometric lock is non-negotiable.
Session preparation notes. Notes you write about a client — even pseudonymized — can have unique enough details to be re-identifiable. These need the same treatment as official records or stricter, depending on your regulatory regime. Consider:
- Do not put client names in the notes. Use initials, or a session-side codename you don't store anywhere.
- Pseudonymize before writing. Train yourself to write "client A noted recurring fear of abandonment around birthdays" rather than "Sarah said her mom's birthday triggers her."
- If your jurisdiction restricts where client-related data can live, verify the journaling app's data residency policy. E2EE makes this easier — the company stores only ciphertext — but compliance frameworks often require contractual assurances regardless of architecture.
Reflection on the practice itself. Therapist self-care, supervision themes, training takeaways. These are sensitive but rarely client-identifying. Standard E2EE journal practice applies.
For clients: writing for therapy without writing into it
Clients sometimes journal for therapy — a structured between-session log that gets discussed in session. A few practical notes:
- Keep it private from your therapist's tools. Don't write into a shared system. Bring relevant excerpts to session manually.
- You don't need to share everything. Journal honestly, share selectively. The point of the journal is honesty; the point of session is direction.
- Physical privacy matters too. A passcode-locked app on a phone is more private than a paper notebook on a nightstand, for many household setups.
- Be aware of pattern recognition. Reading back entries from many weeks tends to surface things therapy was inching toward. That's useful — bring it.
The "shared device" trap
One of the most common breaches isn't a hack. It's a partner, parent, or roommate picking up an unlocked tablet and seeing the open journal app. Two habits prevent it:
- App-level lock, not just device lock. Most privacy-first apps support a separate biometric or passcode for opening the app itself.
- Don't rely on browser tabs. If you journal on the web, close the tab when you're done. Or use the desktop app, if available, with its own auth.
The cloud-AI risk for clinicians
In 2026, "AI productivity" features are common in note-taking and journaling apps. For clinicians using journaling tools to process client material — even pseudonymized — these features represent real risk:
- Auto-summarization tools usually send full text to a cloud LLM.
- Some apps quietly index your content for "smart search" via embedding models.
- A privacy policy that says "we don't train on your data" doesn't always cover the LLM provider's policy.
For client-related content, the safest stance is: no server-side AI. None. (Background: Your Notes Are Training AI — How to Stop It.)
Why Jottii fits this use case
Jottii is built around exactly the constraints clinicians need:
- Default end-to-end encryption. Master key never leaves the device.
- No server-side AI features. By design — we couldn't add them without breaking the model.
- Minimal server-side metadata: entry IDs, dates, timestamps. No content-derived fields.
- Local SQLite as the primary store. Sync is encrypted-blob exchange.
- Plain-text export at any time.
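To make the E2EE and minimal-metadata properties concrete (both the non-negotiables above and the architecture just listed), here is an added Go sketch of device-side entry encryption in which the sync server only ever receives opaque identifiers, a timestamp and an AES-256-GCM blob. This is illustrative code written for this post, not Jottii's implementation; the SyncRecord fields, the Vault type and the binding of metadata as associated data are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// SyncRecord is all the hypothetical sync server stores per entry: opaque IDs,
// a timestamp and an AES-256-GCM blob. No field is derived from the entry text.
type SyncRecord struct {
	AccountID, EntryID string
	CreatedAt          string // RFC 3339 date-time, visible to the server
	Blob               []byte // nonce || ciphertext || GCM tag
}

// Vault wraps the device-side master key: 32 bytes from crypto/rand at signup,
// whose encoding is the recovery phrase. The key itself is never uploaded.
type Vault struct{ gcm cipher.AEAD }

func NewVault(masterKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(masterKey) // rejects anything but 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &Vault{gcm: gcm}, err
}

// aad binds the blob to the metadata the server sees, so a record that is
// re-dated or moved to another entry or account fails to decrypt.
func aad(r SyncRecord) []byte { return []byte(r.AccountID + "|" + r.EntryID + "|" + r.CreatedAt) }

// Seal encrypts one entry on the device and returns the record handed to sync.
func (v *Vault) Seal(accountID, entryID, createdAt, plaintext string) (SyncRecord, error) {
	rec := SyncRecord{AccountID: accountID, EntryID: entryID, CreatedAt: createdAt}
	nonce := make([]byte, v.gcm.NonceSize()) // fresh random nonce per entry
	if _, err := rand.Read(nonce); err != nil { return rec, err }
	rec.Blob = v.gcm.Seal(nonce, nonce, []byte(plaintext), aad(rec))
	return rec, nil
}

// Open decrypts a synced record on the device, for display or plain-text export.
func (v *Vault) Open(rec SyncRecord) (string, error) {
	ns := v.gcm.NonceSize()
	if len(rec.Blob) < ns+v.gcm.Overhead() { return "", errors.New("blob too short to hold nonce and tag") }
	pt, err := v.gcm.Open(nil, rec.Blob[:ns], rec.Blob[ns:], aad(rec))
	return string(pt), err
}
```

Anything the server stores (the blob, or a copy of it in a database leak) is useless without the master key, and altering the visible metadata of a stored record makes the entry fail authentication on the device rather than silently decrypt.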
We are not HIPAA-certified at the time of writing. If your role requires a Business Associate Agreement (BAA) or specific compliance attestations, you must verify directly with the vendor; ask us. Architecture is necessary but not sufficient for regulatory compliance.
A quick checklist before using any tool for clinically-adjacent work
- E2EE confirmed in writing.
- Master key on device only.
- App-level lock available and enabled.
- No server-side AI features, or all disabled.
- Plain-text export tested.
- Data residency confirmed if your jurisdiction requires it.
- Habit of pseudonymizing before writing.
- Device-level passcode (not just biometric).
If a tool checks these, the architecture is doing its job. The remaining work is yours.
Jottii is built for this kind of use — quietly, by being privacy-first from the foundation up.