Patreon

Serious concerns
Patreon, Inc. · United States
Technical details
App: Patreon (iOS/Android)
Manufacturer: Patreon, Inc.

⚠️ The bottom line

Patreon left a debugging tool on its production server — the kind whose own manual says "never use this in production." Hackers dumped 16 gigabytes: 2.3 million email addresses, millions of private messages between creators and their supporters, home addresses, billing details, and the entire source code. Every private conversation on the platform — published online. Patreon says it never sells your data. Then it shares your information with advertising partners for "personalised advertising" and ignores your browser's Do Not Track signal. An independent privacy audit gave Patreon 32 out of 100 — Grade F.

Legal jurisdiction
🇺🇸 United States (data storage)
CLOUD Act: the US government can demand your data from this company even if it is stored overseas.
FISA §702 / PRISM: the NSA collects stored emails, photos, and messages without individual warrants.
Geofence warrants: police can demand location data for everyone near a crime scene.
Spying · 0/4 N/A · Is someone spying on me?
Data Sharing · 2/4 MODERATE · Who gets my data?
Security · 4/4 EXTREME · Is it actually secure?
Honesty · 2/4 MODERATE · Can I trust what they say?
REPLACE: extreme risk. Look for alternatives or lock down hard.
9 contradictions (1 critical, 4 high, 4 medium) · 14 sources
Findings by concern
Data Sharing · 2/4 MODERATE · 1 finding
⚡ High · policy vs app
Patreon says it never sells your data. Then it shares your information with advertising partners for "personalised advertising" and ignores your browser's Do Not Track signal. An independent privacy audit gave Patreon 32 out of 100 — Grade F.

What they claim: Patreon claims it "never sells your information to third parties"

What we found: Data shared with advertising partners, analytics providers, and affiliated companies. Uses cookies for "personalised advertising (online behavioural advertising)." Explicitly does not respond to Do Not Track browser signals. Privacy Watchdog score: 32/100 (Grade F).

Security · 4/4 EXTREME · 5 findings
⚠️ Critical · policy vs third party
Patreon left a debugging tool on its production server — the kind whose own manual says "never use this in production." Hackers dumped 16 gigabytes: 2.3 million email addresses, millions of private messages between creators and their supporters, home addresses, billing details, and the entire source code. Every private conversation on the platform — published online.

What they claim: Patreon: "Safety and security are our priority"

What we found: 2015 breach: Werkzeug Debugger (documentation warns "must never be used on production machines") left exposed to the public internet. 16GB dumped including 2.3M email addresses, millions of private messages between creators and patrons, shipping addresses, billing addresses, and full source code.

⚡ High · policy vs policy
Stop using Patreon and your data sits there for a decade. Ten years of private messages, donation history, and shipping addresses — stored by a company that already had one catastrophic breach. Even if you explicitly delete, they "may continue to retain some information." A platform holding your home address and private messages for 10 years after you leave.

What they claim: Patreon allows account deletion via support request

What we found: Account info retained for 10 years after last activity unless explicit deletion requested. Even after deletion, they "may continue to retain some information" for legal compliance. Financial records kept 7 years minimum. Deletion takes 30 days.

⚡ High · policy vs app
Pledge for a creator's merch on Patreon and your home address and phone number go directly to the creator. The only protection is a "Privacy Promise" — a contract with no enforcement. The creator can hand your address to any fulfilment service they choose. After the 2015 breach already exposed shipping addresses, this is still the system.

What they claim: Patreon positions itself as a safe platform for supporting creators

What we found: When patrons pledge for physical rewards, full shipping address including home address and phone number shared directly with creators. Only protection: a contractual "Privacy Promise" with no enforcement mechanism. Creators can share patron data with third-party fulfilment services.

⚫ Medium · policy vs regulatory
Patreon received 13 law enforcement requests in 2025 and said yes to every one. 100% compliance. Not a single request challenged. This is the same platform that stores private messages, donation histories, and home addresses — and already had one catastrophic breach.

What they claim: Patreon holds private messages, donation histories, and home addresses

What we found: 13 law enforcement requests in 2025, responded to every single one (100% compliance rate). For a platform holding private messages, donation histories, and home addresses, a 100% compliance rate raises questions about how rigorously requests are challenged.

⚫ Medium · policy vs third party
Patreon's official WordPress plugin had a CVSS 8.8 vulnerability — that's "high severity." Any creator who connected Patreon to their WordPress site was exposed to cross-site request forgery and authentication bypass. Your supporters' data, accessible through a known security hole in Patreon's own code.

What they claim: Patreon provides official WordPress integration for creators to connect their sites

What we found: Official WordPress plugin had CSRF vulnerability (CVSS 8.8, high severity) through v1.8.6 and Authentication Bypass by Spoofing through v1.9.0. Creators integrating Patreon with WordPress were exposed to account takeover risks.

Honesty · 2/4 MODERATE · 3 findings
⚡ High · marketing vs policy
Patreon changed its fee structure overnight without consulting creators. A $1 pledge suddenly cost $1.38. Patrons cancelled. Creators lost income. CEO Jack Conte eventually reversed it, admitting "No apology will make up for that." The company whose mission is "serving creators" cost them money without asking.

What they claim: Patreon: "Creators are our mission"

What we found: 2017: unilaterally shifted costs to patrons (2.9% + $0.35 per pledge), making $1 pledges cost $1.38. Patrons unsubscribed en masse. CEO Jack Conte reversed course saying "Many of you lost patrons, and you lost income. No apology will make up for that."

⚫ Medium · marketing vs policy
Apple demanded 30% of every iOS pledge. Patreon's response: automatically increase what patrons pay by 30% — opt-out, not opt-in. If a creator didn't notice the setting, their patrons' costs jumped overnight. The "creator-first" platform didn't absorb the cost, didn't make it opt-in, and didn't fight it — just passed it through.

What they claim: Patreon: "Creator-first platform" where creators keep the majority of earnings

What we found: Apple forced in-app purchases on iOS starting Nov 2024, taking 30%. Patreon enabled a 30% iOS price increase by default (opt-out, not opt-in) — patrons' costs rose unless creators noticed and disabled it. Deadline shifted three times, now Nov 2026.

⚫ Medium · policy vs third party
Patreon reviewed 103,000 creators in 2025 — nearly tripling from 2023. What gets you flagged? Unclear. Off-platform behaviour, Discord links, external site content — all fair game. Creators who built livelihoods on the platform discover the rules are vague, enforcement inconsistent, and decisions feel arbitrary.

What they claim: Patreon provides a platform for creators to build sustainable businesses

What we found: 103,041 creators reviewed in 2025 (up from 38,324 in 2023). Vague enforcement, unclear citations, inconsistent decisions. Off-platform activity (Discord links, external content) can trigger account action. 2018 Sargon of Akkad deplatforming caused cascade of departures from both political sides.
