Over the last few years I’ve seen a similar pattern repeat itself. A talented developer will share a new product or some cool new features and in the middle of the discussion about the cool new things someone will notice that the developer used Freemius. From that point the discussion takes a turn to be about Freemius privacy issues instead of the cool new product or features.
In this article we will answer the questions: what is Freemius, why do developers like it, and what have been the concerns? To their credit, in November 2022 Freemius released an update with privacy fixes and improvements that address some of these concerns and then again in early March 2023 they made some more privacy related changes. So, we will also look at these updates and try to answer the question, are these changes enough?
Note: Here is a link to the Freemius website if you want to check it out.
What is Freemius and Why Do Developers Like It?
Freemius is a platform that provides a number of sales and administrative related services to WordPress developers:
- Freemius sells themes and plugins for developers.
- Freemius provides buy button and payment forms that developers can use on their websites.
- Cart abandonment / recovery features help to increase sales and revenue.
- Subscription management features keep renewals going and disable updates when subscriptions expire.
- As the seller, Freemius handles the EU VAT payments.
After the sale, Freemius provides a number of other administrative services to developers:
- Freemius has a licensing system.
- Freemius servers provide automatic updates to users in their WordPress admin.
- Freemius provides an affiliate platform developers can use.
- There are automated email marketing features.
- Freemius provides analytics to developers so they have insights into plugin usage, sites where their plugins are installed, and user feedback when plugins are deactivated.
- The Freemius SDK provides an account page for account management and up-sales within the users’ WordPress admin.
For end users:
- On the Freemius platform there is a User Dashboard where users can download their purchases, check their licenses, and see the sites where the licenses are in use.
The Freemius platform is a big simplification for developers as they don’t have to put together and maintain all of these features themselves on their own servers. In exchange, developers give Freemius a percentage of sales. This allows developers to launch their plugins more quickly and not spend several weeks figuring out how to provide all of the standard features that Freemius takes care of.
One thing developers should be aware of is that Freemius is the merchant of record, i.e. Freemius is the seller and it is the Freemius payment account that is used for sales. It is not possible to transfer the subscriptions from one payment account to another. This means that if developers want to move away from Freemius they must either convince the buyers to re-subscribe or run two systems, continuing to use Freemius for previous subscribers.
What Were Some of the Freemius Issues?
While the many features of the Freemius platform are attractive for developers, there have been a number of long standing issues and concerns among end users. Here are some issues found which are discussed in sub-sections below. The changes are noted in parentheses.
- Questionable behavior to encourage opt-in:
- Confusing opt-in / opt-out messaging to prompt the user to opt-in and remain so (fixed).
- Signing users up for email without telling them that opting in would do so (fixed).
- Hiding information about what data was being collected behind a non-obvious collapsible panel (improved).
- Having toggles for extra data collection on by default (now a developer option to default off).
- If the user did opt-in, messages implying that the plugin wasn’t activated unless they clicked a link in the email, when the plugin was actually fully functional (fixed).
- If the user clicked opt-in then sending data to Freemius before the user confirmed by clicking the button in the email (fixed).
- Adding iframes to the admin with sales pages and ecommerce functionality for selling pro versions and upgrades (now a developer option to not include).
- Users of free plugins who opt-in to “share some basic WordPress environment info” have an account created for them on the Freemius platform tied to their name and email that they are not informed of. Multiple Freemius plugins and / or multiple sites with the same opt-in email are collected together in that account (no change).
- Sending data to Freemius even before the user opted-in or skipped data sharing, even when they explicitly said they did not do this (fixed).
- The end user’s personal IP address is collected, in addition to the website’s IP address, and this was shared with plugin developers (the IP address is no longer shared with developers).
- Freemius used to append a tracking parameter to all AJAX admin requests (fixed, but not shown below).
Tired of dealing with user questions, and recognizing themselves the need for improvement, developers also pressed Freemius for changes. In November 2022 and March 2023 there were some significant updates released in the Freemius SDK. Let’s start by looking at the old process side-by-side with the new improved ones so that we can see some of the changes.
There was Incorrect and Confusing Wording Used on Freemius Screens and Emails
For a long time Freemius used incorrect and confusing wording on opt-in/opt-out screens for sharing data with Freemius. They recently improved some of this. For example, here is a comparison of some of the old and current screens using the free Stackable plugin:
The old opt-in screen from Stackable (free version)
The old version of the initial opt-in screen showed the Freemius icon. This was confusing to many users who had no idea about Freemius. The wording made it sound like you had to opt-in in order to be secure and get updates. After opting-in you got emails, but that was never mentioned. The link to open a panel to see what was being shared was not obvious.

The new opt-in screen from Stackable (free version)
The new opt-in screen just shows the icon for the current product. The headline still implies that opting-in gives access to updates, but the subsequent text is much clearer and the user is informed they will be getting emails. By underlining the link and adding an arrow to the expanding panel, they make it clearer that it is a link.

Experience after opting-in (old version)
If you opted-in you would see a notice to complete the plugin activation. “Please make sure you click the activation button in that email to complete the install.” This was misleading as the plugin was already activated and fully functional. If you ignored the email your site data would still be sent to Freemius! Also, in the past, you would still get emails, though that was fixed at some point.

Also, in the admin area, there is an upgrade link and when you click on that you get a pricing table and a Freemius iframe within the admin to purchase. See the YASR plugin example below.
Experience after opting-in (new version)
In the current version of this message it is clear that you are being sent a confirmation email to confirm your opt-in. “Please make sure you click the button in that email to complete the opt-in.” Your information isn’t sent to Freemius until / unless you confirm the opt-in by clicking the button in the email.

Stackable set the upgrade link to go to the Stackable website where they show you the packages available for purchase.
When you expand the panel you see that the sharing of info about the plugins and themes installed on the site was turned on by default.

The wording about the information being shared is clearer and more complete. Stackable has disabled by default the sharing of info about installed plugins and themes.

The misleading and confusing nature of the old version immediately put many users on edge and engendered distrust.
While I wouldn’t say the new wording is perfect, this is a night and day improvement.
Note: Freemius Has Given Developers More Options
The new Stackable screenshots above are not a default that you will now see for all free Freemius installs. It turns out that Freemius gave developers options and that Stackable picked the less intrusive ones. To show this, I also tested the latest free version of the YASR plugin (Yet Another Star Rating). YASR also uses Freemius. For example, here is the YASR opt-in-screen where the developer has enabled by default the additional information sharing about installed themes and plugins.

And here is the pricing page in the WordPress admin. Note that on this site the user has not opted-in.

If the user clicks one of the buy buttons then a payment form loads within the WordPress admin. Some people find this intrusive as a third party store has been integrated into the site’s admin area.

Users Who Opt-In to Freemius Sharing for a Free Plugin or Theme Have Accounts Created in the Freemius System
People expect when they purchase a product that a customer account is created for them. The customer account allows the seller to manage the attempted up-sell process and provide promised services. Also, the customer account allows the buyer access to their purchased product, license keys, and support.
For paying customers an account based on the email address means that all Freemius products purchased are collected under the same account. This can be a convenience to the user as there is one source for downloads and licenses. This one account for multiple products reflects the fact that you are purchasing from Freemius and not the individual developers.
End users likely don’t know that when they opt-in to Freemius data sharing for free plugins and themes that an account is created for them on the Freemius platform. If the user has the same email address on more than one WordPress instance and activates another Freemius product on that other WordPress instance then it is also associated with that user’s account.
Freemius creates accounts for users who opt-in based on their email address. I don’t know if this is an issue or not, but I am not aware of another service that creates accounts for users without their knowledge and explicit permission. Freemius is collecting information about people across WordPress sites and products and they may not know that.
When you opt-in to data sharing with a free plugin or theme then Freemius shows an account page in the WordPress admin. Note the user account id in the screenshot. If you use the same email on another Freemius site then the same user account id is used.

Freemius asked me to include in this section that they are looking into addressing the issue of account creation without disclosure when opting in for free products.
Freemius doesn’t tell you when you opt-in that an account was created for you. However, if you go to the Freemius website and try to login with the user email used when opting in, then you can use the password reset to get a password and access your account. Then in the “My Profile” area there is a place where you can close your account. When you click on the button to close the account you see a popup showing you the plugins or themes using Freemius that they think you still have installed on that site.

There is the option to “Close account” which says your data will no longer be available. It doesn’t say to whom the data isn’t available (you, the plugin developer, and/or Freemius), but in any event it is apparently not removed and there may be the option to reactivate it, because the second option is to “Permanently delete” the account. The warnings instilled trepidation for me, even though I had checked twice that this was a test account that had no paid items associated with it. But if you have the courage to permanently delete the account then you must first check the box next to each product to confirm that it is not installed and active. That is odd for a free product and the warning that there may be unexpected issues also causes pause. I permanently deleted the account and was no longer able to log in to Freemius with that email address.

I was curious what this looked like on an account that had paid products, so I logged in to one. I had thought that the wording on the Close Account screen was a mistake and intended for users with premium products. However, I found if you have paid products you aren’t able to click the “Close account” button until you “cancel all of your active subscriptions.” Lol, I don’t have any subscriptions as I only have lifetime products on this account. For what it is worth, I clicked the “subscriptions” link and I was taken to the Renewals and Billing screen, which was blank. Here is a screenshot showing that the button is grayed out.

Of course, you don’t want to and shouldn’t close the account if you have active paid products. My point is that Freemius knows when you are closing an account that doesn’t have any premium products attached, and the screens are unnecessarily cautionary.
Privacy and What Data Does Freemius Collect?
A Freemius selling point is that Freemius gives developers more analytic data about plugin usage and end users than they had before. This naturally raises privacy questions in users’ minds: what data is being collected? Freemius is aware of these questions and has an article titled Is Freemius Spyware? The subtitle of the article is “Everything You Need to Know About Freemius Data Collection.” In that article Freemius says “we do not collect any data without your permission”, so let’s see what data they say they collect.

Free Plugins and Themes: The article says that if you install a free plugin or theme using Freemius you will be given a clear opt-in form to choose. If you opt-in then this is the data they say they collect:
- Opted-in user’s first and last name
- Opted-in user’s email address
- Product version
- Product state (active, inactive, uninstalled)
- WordPress version
- PHP version
- Site language
- Website URL
- List of installed plugins and themes (optional – additional toggle)
However, if you do not opt-in then no data should be sent to Freemius.
To test to see what information Freemius collects with free plugins, I started with a fresh install of WordPress. I removed the free plugins installed by default, installed the free Kadence theme, and I then installed the Log HTTP Requests plugin. This plugin captures the http data sent to Freemius.

Stackable Blocks is a top tier Gutenberg addon that has a free version in the WordPress directory that uses Freemius.

In order to try to see what data is shared with Freemius, we’ll step through the install process of the free and the pro versions of Stackable.
Before the March Update: Free Stackable Plugin Version 3.6.3 P Was Sending Data Before Opt-in or Skip
After installing and clicking activate we go to the Freemius opt-in screen.

Before clicking either the “Allow & Continue” or the “Skip” button, I go and check the HTTP request log and find that a call has already been made to Freemius when the plugin was activated.

Here is that URL. Note that “1748” is the Stackable product ID number in the Freemius system.
https://api.freemius.com/v1/plugins/1748/ping.json?uid=0c9fce50999b0e4284f7b30287babb81&is_update=false&version=3.6.3&sdk=2.5.3&is_admin=true&is_ajax=false&is_cron=false&is_gdpr_test=0&is_http=true&sdk_version=2.5.3
If we expand the packet by clicking on it we see more information on what was sent to Freemius.

What we see is that even before we opt-in or skip, Freemius had sent information to itself. Some of the information sent included:
- The Stackable product ID number
- The plugin version
- The Freemius SDK number
- The site’s domain name
- The date and time the request was made, which in this case is when the plugin was activated
All of the information sent to Freemius would allow them to log which, when, and where a free plugin was installed.
If you opt-in then all of the above information will be sent to Freemius anyway, but if you clicked “Skip” and expected that nothing would be sent, as Freemius says, then you would have been surprised.
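The same check can be scripted against an exported request log. This is an added example, not code from the article or from Freemius: it parses logged URLs, pulls out the fields a Freemius API call discloses, and lists any call made before the user consented. The ping URL is the one quoted above; the timestamps, the consent time, the other log entries and the lookalike host are constructed sample data.

```python
from datetime import datetime
from urllib.parse import urlsplit, parse_qs
import re

FREEMIUS_API_HOST = "api.freemius.com"
# Path shape taken from the ping URL quoted in the article:
# /v1/plugins/<product id>/ping.json
PATH_RE = re.compile(r"^/v1/(?P<kind>[a-z]+)/(?P<product_id>\d+)/(?P<endpoint>[^/]+)$")

PING_URL = (
    "https://api.freemius.com/v1/plugins/1748/ping.json"
    "?uid=0c9fce50999b0e4284f7b30287babb81&is_update=false&version=3.6.3"
    "&sdk=2.5.3&is_admin=true&is_ajax=false&is_cron=false&is_gdpr_test=0"
    "&is_http=true&sdk_version=2.5.3"
)

# Constructed log: (ISO timestamp, requested URL) pairs.
SAMPLE_LOG = [
    ("2023-02-20T10:00:05", PING_URL),  # sent on plugin activation
    ("2023-02-20T10:00:07", "https://api.wordpress.org/plugins/update-check/1.1/"),
    # Lookalike host: must not be counted as Freemius.
    ("2023-02-20T10:00:09", "https://api.freemius.com.example.net/v1/plugins/1748/ping.json"),
    ("2023-02-20T10:02:30", PING_URL),  # sent after the user opted in
]
SAMPLE_CONSENT_AT = datetime(2023, 2, 20, 10, 1, 0)  # constructed opt-in time


def parse_freemius_request(url):
    """Return the fields disclosed by a Freemius API URL, or None for other hosts."""
    parts = urlsplit(url)
    # Compare the full hostname so lookalike domains are not matched.
    if (parts.hostname or "").lower() != FREEMIUS_API_HOST:
        return None
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    info = {"endpoint": parts.path, "product_id": None, "params": params}
    match = PATH_RE.match(parts.path)
    if match:
        info["product_id"] = int(match.group("product_id"))
        info["endpoint"] = match.group("endpoint")
    return info


def pre_consent_requests(log, consent_at):
    """List Freemius requests logged before consent_at.

    consent_at=None means the user clicked Skip (never consented), so every
    Freemius request in the log is reported.
    """
    findings = []
    for stamp, url in log:
        info = parse_freemius_request(url)
        if info is None:
            continue
        when = datetime.fromisoformat(stamp)
        if consent_at is None or when < consent_at:
            findings.append({"time": when, **info})
    return findings


if __name__ == "__main__":
    for hit in pre_consent_requests(SAMPLE_LOG, SAMPLE_CONSENT_AT):
        p = hit["params"]
        print(f"{hit['time']} product={hit['product_id']} endpoint={hit['endpoint']} "
              f"version={p.get('version')} sdk={p.get('sdk')}")
```
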
OK, now I am going to click the Allow & Continue button. Checking the HTTP log, I see that 4 more connections were made to Freemius.

After March Update: Free Stackable Plugin Version 3.7.2 No Unauthorized Information was sent.
The Freemius SDK update in March 2023 removed the unauthorized sending of data. No connection to Freemius was made until after I clicked the Allow & Continue button AND clicked the button in the email. Here is the email I received:

After clicking the “Confirm your email” button then there was communication with Freemius from my site.

Here is some of the information I see when examining those URLs and packets:
- The site domain name
- The site title
- The Freemius site id
- WordPress version
- PHP version
- Country code: US
- Language: en-US
- The email of the user who opted-in
- The first name of the user who opted-in
- The last name of the user who opted-in
- The Freemius user id
- Creation date and time
- The Freemius plugin id
- Is beta: false
- The Stackable plan id on Freemius
- Name: Free
- Is free localhost: true
- The license id: null
- The trial plan id: null
- Trial ends: null
- Subscription id: null
- Support email
- Support KB
- Gross: null
I had not opted into sharing information about themes and plugins, and none of that was sent.
Most of the information about the site that is sent to Freemius when you opt-in is in line with what was listed on the opt-in screen. The other items are IDs that Freemius creates for the site and user.
What About the Paid Version?
Paid Plugin: If you purchase a paid plugin or theme that is sold through Freemius then the purchaser’s email address, first and last name, billing information and IP address will be collected and stored by Freemius. This is standard.
When you install a Freemius plugin or theme on a site then Freemius associates the purchaser’s account with the site and not the user account of the currently logged in user. Freemius says it collects this information from the websites where a paid plugin or theme is installed:
- Product version
- Product state (active, inactive, uninstalled)
- WordPress version
- PHP version
- Site language
- Website URL
- List of installed plugins and themes
In their November update Freemius said that they used to share the end user’s IP address, i.e. the IP address of the person activating the premium plugin or theme, but they now discontinued sharing that with the developers. They also said that they added more options for those using premium products to limit data sharing. Previously it was not possible for those using a premium product to opt out of “Diagnostic” data sharing, but that is now an option. Here is the opt-out dialog from the current premium version of Stackable. Note that having the toggles off by default is an option, so some plugins may have them on by default.

Freemius collects the IP address of the end-user when they purchase a plugin or theme. This is standard practice for online sales. Note that in their documentation on how to dispute credit card chargebacks Freemius says that they use this event tracking to try and prevent fraud or abuse. They show an email template that has the purchaser’s IP address for a number of events, such as when the sale is made, the plugin is downloaded, the plugin is installed and activated, and the customer opens the renewal email. That seems to imply they know the IP address used for each of those actions.
When people purchase a premium product they expect there will be some data collection and that some level of verification will be needed to make sure the software license is valid. This is why most of the concerns I’ve raised focus on the use of Freemius in the free versions of plugins and themes. That said, it is good to see that Freemius is now providing options to limit data collection even for users of paid products. This has been a concern for site builders who create sites for clients where as a contractor they don’t feel they have permission to authorize additional data sharing.
Discussion and Conclusions
The Freemius Triangle
There are three parties or groups of people involved in the Freemius equation. There is the Freemius platform that provides services to developers and sells the software, there are developers who create the software and support the users, and there are end users who purchase and use the software. So, developers are Freemius customers and end users are the developers’ customers. Because Freemius is a platform for developers, it is not surprising that Freemius prioritizes the developer point of view over the end user point of view. I suspect this means that if there is something that end users would like to see changed, they need to address their requests to the developer. Since the developer is the Freemius customer, Freemius is more likely to make a change if the developer serves as the advocate for the end user.
Developers Now Have Options
Developers using Freemius with the free version of their plugins now have the option to toggle off collecting plugin and theme data as well as to not use the Freemius in-admin selling feature. For paid plugins and themes we see from looking at Stackable Pro that it is possible to limit Freemius to only require the minimum necessary for license management. It is good that developers have the option, at least, to offer a more streamlined and less intrusive experience for their users.
Freemius Creating Accounts for End Users of Free Products if They Opt-In to Data Collection
I am not an expert on GDPR or privacy law, so I don’t know if or how much of an issue not explicitly informing free users that an account is created for them might be. However, this practice seems like it could be problematic and it would be better to inform end users as that would remove possible issues.
Are the Fixes and Changes By Freemius Enough?
There have been long standing privacy concerns about Freemius. With the extensive list of fixes and improvements made in November 2022 and March 2023 Freemius acknowledged those issues and made improvements. Freemius is a large platform serving hundreds of developers. They should be applauded for improvements made, which are a benefit for Freemius, developers, and end users. There are further improvements that can be made.
My opinion, at this point and based on what I’m aware of, is that there is nothing to concern me about using Freemius for paid products. I am concerned about the account creation without disclosure when users opt-in on a free plugin or theme “to share some basic WordPress environment info.”
Many people who tried a Freemius product in the past will be relieved that these changes have been made and may feel that the changes sufficiently address concerns they had. It is my hope that Freemius continues improving the customer experience and one day becomes known as the company that goes the extra mile to protect customer privacy and security. They have made a good start. Are the steps that Freemius has taken enough? What do you think?







Over the last years my agency customers have become WAY MORE sensitive about what data is being captured in their WordPress backend.
They had LOTS of concerns about Freemius with their data capturing and hoarding practices lined out in the blog post. With their suspicious tactics Freemius has gambled away all of their trust.
We now have a policy to NOT BUY OR INSTALL any plugin that uses Freemius. We only buy plugins using self-hosted license management solutions like Easy Digital Downloads.
Sometimes we mail the plugin creators and ask if they know what’s going on with Freemius. Most developers are thankful because they did not see the big picture. Sometimes they even switched away from Freemius to EDD which is highly appreciated.
If they don’t care, we always find plenty of other Freemius-free solutions. I know other agency owners handling it the same way. So all developers staying with Freemius are cutting away their own business.
With WordPress being an Open Source platform and data privacy getting more important every day, there should be no room for any middlemen data collector like Freemius.
Let the WordPress spirit win!
Yes, I know of others who have the same policy. I think it is good that Freemius is improving, but a lot of people will be watching how it goes for a while before they win back trust. They will need to build up a history of good behavior.
My biggest concern with Freemius is that they continue to use autoloads for licensing needs, that are included with each PHP process and that this impacts a site’s performance. I suspect this is linked to the data they collect from sites when they could use domain based activation of licenses that have little to no impact on performance in comparison.
Freemius should stop doing this asap.
In this review I was mainly looking at privacy issues in the free version. There are several performance issues. Thanks for letting me know about this one.