Is Freemius Spyware?

Everything You Need to Know About Freemius Data Collection

If you’re considering using Freemius for your plugin or theme and are concerned about privacy, we want to be clear that we do not collect any data without your permission, and we definitely do not sell data or use it for any nefarious intentions whatsoever.

My team and I have been putting our blood, sweat, and tears into building Freemius — a platform to benefit the whole WordPress community. We are very proud of what we have built and lucky to witness the impact it has had on plugin and theme developers’ lives across the globe. Yet, from time to time, some critics rush into unfounded conclusions that sound like conspiracy theories and publicly accuse us and our partners as if we are some sort of evil spyware software, without checking the facts behind their claims. Not only is that the last thing we are doing — it’s simply not true.

Vova Feldman, CEO

While Freemius does have a Privacy Policy that explains how we collect, process, and use data, we thought it would be useful for the WordPress community to be able to read through the frequently asked privacy-related questions and concerns, openly and transparently. We would like to clarify any misconceptions you may have about Freemius and the plugins and themes using the platform.

What Is Freemius?

Freemius is a managed eCommerce platform for selling WordPress plugins and themes, and an all-in-one SaaS solution that helps you run and grow a prosperous, sustainable product business. With Freemius, you can securely accept payments and subscriptions, handle license keys, serve software updates, take care of EU VAT, optimize cart abandonment recovery, and more.

We are avid fans of data and strongly believe that developing a product without knowing its users and customers is a bad practice. Instead of relying on gut feelings, guesses, and “loud” customers, Freemius, by design, helps plugin and theme companies and indie developers make data-driven decisions for their business.

We work closely with our selling partners community, making sure to develop a best-in-class product that brings value to both sides — buyers and sellers (plugin and theme developers). It’s that simple.

We don’t have any hidden agenda and we’ve been transparent about it from Day One.

This is what we have to say in response to conspiracy theorists or anyone who has reasonable expectations for their privacy: Our goal is to deliver a platform that gives you a great experience whether you buy or sell WordPress products — nothing more than that.

Do I Have to Share Data With Freemius?

If you have installed a free plugin or theme that’s integrated with the Freemius SDK, you’ll be given a clear ‘opt-in’ form to choose whether or not to share data. If you don’t agree, you can simply skip data-sharing altogether. None of your data will be shared without your explicit consent — that is completely optional and up to you to decide.

If you purchase a paid plugin or theme that is sold through Freemius, your email address, first and last name, and billing information will be securely stored in our system to complete the purchase. Once you activate the paid product on a WordPress site, you’ll be prompted to enter a license key for activation if it’s integrated with the Freemius WordPress SDK. The license key offers security to both you and the seller by confirming that the use of the product is genuine. By entering the license key, some information about the site will be shared and stored on Freemius for two reasons:

  1. Management: We want to give you transparency about the sites where your new product license has been activated, including the version of the product and additional details described in the table below. This protects you against unauthorized activation of your paid license.
  2. Software updates: Ongoing connectivity with the licensing engine is essential for receiving automatic security and feature updates for the paid product directly within the WordPress Admin dashboard. To receive these updates, data like your license key, product version, and WordPress version is periodically sent to the server to check for updates.

This data collection and validation practice is the market standard in the WordPress product space, and similar details are collected when purchasing and activating a license for themes, plugins, and add-ons that are sold through other eCommerce solutions like WooCommerce and EDD (Easy Digital Downloads).

Why Would I Share Any Data With Freemius?

When you share data with Freemius, you are basically sharing data with the product’s team. We are the data processor that acts on behalf of the plugin or theme developer. Think of Freemius as Google Analytics for WordPress plugins and themes, but instead of storing data about website traffic, the data is about the use of a plugin or theme.

Why Would I Share Any Data With the Developer of the Plugin or Theme I’m Using?

By sharing your data with the talent behind the plugin/theme you’re using, you’re helping them meet your unique needs in a better, more personalized way. With Freemius, our partners have more time to focus on their products and deliver better features for your website while making strategic business decisions that are based on the data you are willing to share as a consumer.

They can also use the data to figure out optimum pricing strategies for their customers and their companies. This promotes business sustainability and offers you long-term support and reliability for your plugin or theme purchase.

Does Freemius Sell My Data?

Absolutely not! We are not in the business of selling data — our business model is revenue sharing. We partner with plugin and theme developers and make money by taking a percentage of the sales processed through our system.

What Does Freemius Do With My Data and Who Can Access It?

If you opted into usage tracking or activated a license key for a paid product, the data collected by Freemius is securely stored on our servers and is only available to:

  • You, the user/buyer of the product (through the User Dashboard)
  • The product’s team (through the Developer Dashboard)

In certain situations, the Freemius support team may assist the plugin or theme developer with their account or specific customer situations. In these cases, our technical support team members, who are legally bound to protect all data at Freemius, may have limited access to some information temporarily to help resolve support issues.

Will Product Updates Continue Working if I Skip the Opt-In?

Yes — free product updates will continue working even if you skip the opt-in as these updates have nothing to do with Freemius. Premium product updates require license key activation and ‘opt-in’, as described above.

What Information Is Collected by Freemius if I Opt-in and Why?

When opting into usage tracking, the only personal data collected is the first and last name and email address of the opted-in WordPress user. Except for that, no other personal or business-critical data from you or your website’s users is tracked.

When opting in by activating a license key, no personal data will be collected at all, as we already have the details of the license owner from the payment process.

The name and email address are stored to allow the product’s team to get in touch regarding potential security updates, feature announcements, and promotions, etc.

Here is a list of all the data we collect, followed by a comprehensive breakdown of why we collect it.

User Information

Important: The user information is not collected when activating a license key.

Let’s start with the most important reason we collect this information — security.

Security issues are inevitable in the software world. Whether developers like it or not, one day they will release a version that has a security issue. The issue could be directly in the code, a third-party library/framework used in the product, a WordPress core method that provides unexpected results, or several other scenarios.

If the plugin or theme developer has no way to communicate with their users, how will you know about the security vulnerability that is putting your site at risk of being hacked? The only way you might find out is if the developer was to release a public announcement or an update/patch in the hopes that you’ll notice it before any hackers do. That’s super risky because it raises awareness and creates an opportunity for hackers to exploit the situation. Therefore, it’s essential for product developers to be able to communicate with their users in a private manner.

There are many other valid reasons to maintain a direct communication channel between you and the product developer. Here is a short list of possible use cases:

  • Thanking you for being a loyal user or for purchasing.
  • Asking for your feedback on the product or a new feature for ongoing product improvement.
  • Apologizing for making some kind of mistake. Maybe a release accidentally contained a major bug and took down your entire website, or any other number of problems that can be caused by bugs or code conflicts.
  • Letting you know about special promotions or discounts like Black Friday / Cyber Monday / Giving Tuesday.
  • Inviting you to special events or conferences, such as a ‘Meet the Team’ invitation to a WordCamp.
  • Inviting you to the product’s beta access so that you can test releases before they are officially published in return for rewards.
  • Advising you about the ending of a trial period.
  • Sending you general company news and updates.
  • Letting you know about new feature releases.
  • Running user surveys to get your feedback on which new features you’d like to see in the product.
  • Inviting you to join the product’s affiliates’ program.
  • Informing you about newly published educational content or a blog post/article.

And, should the day eventually come, notifying you that support, updates, or maintenance for the plugin or theme will be ending 😔

As you can see, some of the reasons are more valuable to you as a user/customer while others benefit the developer.

At the end of the day, both sides rely on each other. Product developers build products for you, the user, and if they rely on guesswork without actually knowing what their users need, the quality of the product, features, and service will never realize its full potential. In order to create great products and offer excellent support, the developer of the product needs to understand their users’ needs and continue making sales to sustain product development and support.

Customers and License Holders

When you activate a paid product that’s using the Freemius WordPress SDK, the first thing you’ll be prompted with is a license activation screen. By activating the license — regardless of who the logged-in user that activates it is — the opt-in is triggered on behalf of the license owner. So no information about the logged-in user, or any other user, will be collected. The license owner’s information will have been collected during the purchase process and will not be changed if another user activates the license under a different email address than the one that was used for the original purchase.

Product Information

Knowing the plugin/theme version that’s being used is super important for many reasons. Here are two examples:

  1. We’ve already mentioned security, but if the developer finds that there’s a security vulnerability in a specific plugin or theme version, they can easily identify which users need to be notified. Without knowing what version you have installed, the developer would normally have to reach out to all of their users, unnecessarily bothering a portion of them with information they don’t need to know.
  2. What if the product’s team decides to stop supporting PHP versions older than 5.6 in the next release and your hosting provider is still using it? Wouldn’t you want to be notified about this potentially website-breaking problem before you hit the update button when the new version’s released? This is not just an ‘edge-case’ scenario to justify collecting the product version either — this is a real issue that plugin and theme developers have to deal with in the WordPress ‘data-less’ ecosystem, a real issue that puts your website at risk.

As mentioned, there are many valid reasons to maintain a direct communication channel between you and the product developer. For example, if you’ve opted in to usage tracking and then later uninstalled the product, the developer has no way of knowing if the product is no longer in use. This means that you may continue receiving feature announcements and other direct email communications that most likely aren’t relevant to you anymore.

When opting in during license activation for a paid product, the product state becomes even more important. For example, wouldn’t you want to reuse a license? If Freemius is unaware of a product’s deactivation/uninstall, the system would have on record that the license is still in use by the site, hence you wouldn’t be able to reuse the license on another website of yours.

Knowing the product’s state helps developers understand the status of the product on your site. This allows for transparency at all levels, including if there is a refund request or payment dispute. A log of activations, deactivations, and uninstallations keeps everyone honest about whether or not refunds are possible or justified given the circumstances.

Site Information

The environment versions are important data points for the ongoing development of a plugin or theme. For example, let’s say that a developer is thinking of dropping support for PHP 5.3. Maybe they even require PHP 7.0 as the minimum-required PHP version to take advantage of the language’s modern syntax for better code maintenance. Without knowing how many sites are using older PHP versions and having no way to contact those site owners in advance, the product will always get ‘stuck’ at the oldest PHP version that WordPress core supports. The same reasoning applies to the WordPress and MySQL versions.

These data points are even more important for users of paid product(s) as part of the software update mechanism. For example, if a developer wants to introduce a new paid version that uses a core WordPress function that was only added in version 5.3, they have to know the WordPress version that is installed on user sites. If they don’t, an update like this could potentially generate fatal errors. On the other hand, when the installed WP version is known, and if it is older than the minimum-required version, the update won’t be served until the WP version on that site is updated to avoid any issues.

WordPress is used all over the world and fully translated into dozens of languages. Plugin and theme developers have an interest in expanding their reach and making their products accessible to as many users as possible. With limited information and resources, one option is shooting in the dark and trying to get the product translated into the most widely used global languages. However, the better approach is to identify the top countries and languages (the locale) of the sites on which the product is installed, and then focus translation efforts on the actual languages and dialects that the users of the product need.

As an example, Joe Dolson, WP accessibility expert and the developer of the WP to Twitter plugin, has discovered that almost 30% of the sites using the plugin are in Japanese:

The first thing I learned is about internationalization. While the most common language group using this plug-in is English (not surprising), the second most common appears to be Japanese – by a significant margin. I wasn’t expecting that, and it’s very interesting. It’ll definitely be relevant in focusing my efforts on reaching out to translators to improve the internationalization of WP to Twitter.

Knowing the website URL allows developers to learn how people are using their product in the wild. Being able to see what types of websites are using their product helps with prioritizing the development of new capabilities while accommodating the needs of users based on real use cases.

The IP of the website server enables the identification of the ISP (Internet Service Provider) and hosting company. Combined with the other collected data points, problematic patterns can be identified and solved at scale. For example, if a particular host consistently uses unsupported PHP versions and doesn’t have the PHP cURL extension enabled by default, we can contact the host directly and encourage them to enable cURL by default and upgrade the default PHP version.

While sharing a list of installed plugins and themes is super valuable, its collection is absolutely optional. You can control whether to share it or not when activating a license key or even when opting in. Simply click the ‘What permissions are being granted?’ option shown in the opt-in/license-activation screen, and turn off the ‘Plugins & Themes’ tracking by clicking the switch next to the relevant permission:

Knowing the plugins and themes that are most commonly used in parallel with a product can help developers in multiple ways:

Testing and Compatibility

WordPress.org has nearly 60,000 plugins and over 8,000 themes (as of writing). It is literally impossible to test your product with all of those, and that’s not to mention the tens of thousands of plugins and themes hosted outside of the WordPress.org repository. By knowing the plugins and themes that are most commonly used alongside the product, developers can focus their testing efforts on compatibility with those plugins and themes. Basically, they are given more information to prevent unexpected conflicts.

Collaborations and Partnerships

If a product developer knows that their plugin/theme is typically used in combination with pluginX, they can collaborate with pluginX’s team to make sure both products are compatible and working smoothly. There are also opportunities for plugin and theme businesses to cooperate on content marketing and educational content, helping the users of both products get the most out of them.

All of the above data is collected with the intention of making plugins and themes better and more secure. We help plugin and theme businesses do that by tracking how their users are using the product, learning why they abandon it, identifying which environments are needed to continue supporting it, and much more. These valuable data points are key to making data-driven decisions and lead to better UX (user experience), new features, better documentation, and other benefits for the customer.

How Frequently Is Data Being Collected After Opting In?

Tracking data is automatically sent to our servers once you opt in or activate a license key. After that, as long as the product is active and you haven’t opted out, an asynchronous WP-Cron will sync the data once every 24 hours, but only if there have been any changes in the collected data points (e.g. a change in the WordPress version).

Can I Opt Out From Usage Tracking After Opting In?

If at some point after opting in or activating a license you wish to opt out to stop sharing any further data in the background, follow these instructions:

How Do I Stop Sharing Plugins and Themes Data?

If you’ve opted in to usage tracking or activated a license key without turning off the ‘Plugins & Themes’ tracking switch, all SDK versions after 2.3.2 allow you to easily opt out from sharing updates of plugin and theme data by following the opt-out instructions in the section above. However, instead of totally opting out from Freemius, you can simply turn off the ‘Plugins & Themes’ tracking switch in the dialog box that shows up after clicking the ‘Opt Out’ option. This way you maintain all the benefits while keeping data about the other products installed on your site private.

Does Freemius Usage Tracking Impact Performance?

The SDK is optimized to only use the minimum amount of resources and we continue to make it more performant as we go. Of course, like any additional PHP code, it requires some processing resources. The usage tracking for opted-in users is executed once a day via a WP-Cron, and only if there have been changes in the tracked data points, which means that the usage tracking doesn’t impact the performance of the site itself.

How Can I Have My Data Completely Removed From Freemius?

You can sign into the User Dashboard with your email and password. If you’ve yet to receive a password, click on the ‘Never received your password?’ link on the login page to create one. Once logged in, go to the ‘My Profile’ page and you’ll be able to close your account. If there are reasons why the account can’t be closed, they will be explicitly specified there.

How Can I Hide Sensitive Information From the Account Page?

To simplify the management of your account, one of the features included with the Freemius SDK is an Account section that is automatically added to the product’s settings in the WP Admin dashboard. This allows you and other users to manage your accounts from within the comfort of the developer’s website, without ever leaving the WP Admin.

While this feature is great, it can be a bit problematic when you are installing a product on a client’s site and not on yours, as the Account page may reveal your email address, license key, and billing information. It will allow any admin of that site to trigger different actions that are related to your account. To overcome that tricky situation, we introduced a special option to flag a license for ‘White-labeling’ which will hide all sensitive information related to you and the product from the WP Admin, including:

Flagging a license for ‘White-labeling’ can be done easily from the User Dashboard. Simply locate the relevant license in the Licenses section, click the license to open the license options, and then check the relevant box in the License Security section.

Can I Hide the Pricing Page and Add-on Prices From My Client Sites?

The Freemius SDK adds a pricing page directly into the product’s settings section within the WP Admin, simplifying the buying experience for you. When it comes to client sites, in many cases, you may not be interested in revealing the prices of the products you purchased for the project to your client. By setting a license for ‘White-labeling’, just as described in the previous section, all prices generated through the SDK will be hidden from your client within the WP Admin dashboard.

I’m Using the Product on My Clients’ Sites, Will Freemius Collect Their Information?

If you install a free plugin or theme integrated with Freemius on your client’s site and you are not sure whether they are willing to share any data for usage tracking, click the Skip button, and no data about your client’s site or your WP admin user will be tracked.

If you are installing a paid product that is integrated with Freemius and you activate a license key, no information about the client or the logged-in WP admin user will be collected. The license key and the other data mentioned in the table above (website URL, PHP & WP versions, etc.) will be securely collected.

Is Freemius GDPR Compliant?

Absolutely! One of the biggest markets for plugin and theme sellers is within the European Union (EU), so we abide by all economic and data regulations in the region. Since we are considered a ‘reseller’ of our partners’ WordPress products, it is vital to our continued operation in Europe that we responsibly meet these regulations on behalf of our selling partners. Please find more information about our GDPR compliance in the blog post we released announcing GDPR readiness.

Do you still have questions regarding our data collection? 

Reach us at [email protected]