TL;DR: You have nothing to worry about. This is something the Hexbear developers have already considered.

To explain in full:

So as I understand it, a cookie is a part of the header of an HTTP request and response. To really sort of simplify things, this means that a cookie is basically just a little string of data that a website sends to you, which is then saved to your computer so that it can get sent back to the website the next time your computer requests something from that website. This can be used to store information long-term, so common uses of cookies include shopping carts, user preferences, saving progress in browser games, keeping users logged into websites, and so forth. Websites can at any time choose to stop recognizing your cookies and you can choose to delete your cookies through your browser’s settings at any time. Cookies are not shared between apps, so any cookies on your phone’s browser will not be seen by the therapy app. So all in all there’s no way that a website or app can magically know from its own cookies what other cookies that somebody has.

For cookies to be used for tracking across websites, i.e. the therapy app to know you were on Hexbear, your phone would need to be on Hexbear while also requesting a resource (e.g. an image) from the therapy app’s central server — or in other words, you would’ve had to have seen the ad for the app on Hexbear, and even this is assuming that (1) the ad was a third-party request and (2) your browser has third-party cookies enabled. More and more web browsers are disabling or heavily restricting third-party cookies by default, including Firefox and I think Chrome is planning on doing that soon. All the other forms of cross-site tracking that I know of and would be relevant here, like checking your IP address and user-agent string, would also require your phone to make a request to the unscrupulous website while browsing Hexbear. But these methods are less reliable than a cookie.

I do remember when I first joined Lemmy (this was when Blåhaj was my main instance) that there were two popular images that freaked people out because they SoMeHoW kNeW the users’ locations and what browser/app they were using. This was because the images were stored on third-party websites which had been programmed to serve anyone attempting to load that image, a different image depending on their IP address and user-agent string. This trick becomes a bit less magical when you toy around with a user-agent string editor and have a VPN, so that you can tell the third-party websites that you live in Bali and your web browser is called Ligma.

These two images did raise concerns with Lemmy users about privacy: the trick was only possible because Lemmy instances, at least as of four months ago, by default did not proxy images, and this very well could be used in more unscrupulous ways.

At the same time, Hexbear is unique among Lemmy instances I’ve seen by blocking third-party images in comments sections. This makes me think that the Hexbear staff are already aware of the possibilities of tracking on Lemmy and have acted accordingly to protect users’ privacy, and this seems to have been confirmed by opening up Firefox’s web developer tools and going to the “network” tab and browsing Hexbear: the only requests that Hexbear makes to other websites are to other Lemmy instances, which have been pre-approved. Nothing else.

So all in all, who knows you’re using Hexbear? Probably God, whoever handles your DNS requests (probably your ISP or mobile data provider), and if you’re using Google Chrome… Uhm, don’t?