Patreon is a US based membership platform headquartered in San Francisco that lets creators run paid recurring memberships, drip content and patron only communities. Creators set up tiers on patreon.com and either link to their public Patreon page or embed a join button and tier widgets on their own site. The embed sets non strictly necessary cookies, and Patreon acts as the merchant of record for digital memberships in the EU, collecting EU VAT on the creator's behalf. EU sites must gate the embed behind consent and document the US transfer.
Patreon is a US based membership platform incorporated as Patreon Inc., founded in 2013 by Jack Conte and Sam Yam, with headquarters in San Francisco. Creators (musicians, podcasters, illustrators, news outlets, software developers) set up a Patreon page, define monthly or annual tiers and publish exclusive posts, audio, video or downloads for their paying patrons. Patreon hosts the public page, the patron portal, the messaging and the audio/video player.
For most EU patrons paying for digital memberships, Patreon is the merchant of record: Patreon collects the EU VAT, issues the receipt and pays the creator the net revenue. Payments are routed through Stripe and PayPal.
When a Patreon embed is on the creator's own site, JavaScript loads from c.patreon.com or c10.patreonusercontent.com. The embed opens an iframe to patreon.com that sets first party Patreon cookies (session, csrf, patreon device id, patreon language preference) and Cloudflare bot management cookies. Stripe and PayPal flows during checkout add __stripe_mid, __stripe_sid, m and paypal_* cookies. Patreon itself runs Google Analytics 4, Optimizely, Sentry and Segment on patreon.com.
Loading the Patreon embed sets non strictly necessary cookies before the visitor acts, which triggers Art. 5(3) ePrivacy and requires prior consent in the EU. Once the visitor joins on patreon.com, the membership processing is based on contract performance and Patreon acts as a separate controller for the VAT and tax data. Patreon also processes patron messages, posts and rewards on the creator's behalf, with creators acting as joint controllers for that content.
For EU traffic, replace the embed with a plain link to the public Patreon page until the visitor has accepted the functional or marketing category in your CMP. Once consent is given, the Patreon embed and the join button can load. Once on patreon.com, the patron is subject to Patreon's own privacy notice and cookie controls.
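One way to implement the gate described above, as an added example rather than Patreon's or any CMP's own code: the consent object shape, the function names and the link text are assumptions, and the embed script URL is supplied by the caller and checked against the hosts this page lists.

```javascript
// Added example. Hosts come from this page's domain list; everything else is assumed.
const EMBED_HOSTS = new Set(["patreon.com", "c.patreon.com", "c10.patreonusercontent.com"]);
const UNLOCKING_CATEGORIES = ["functional", "marketing"]; // either one is enough

// consent: hypothetical CMP state such as { functional: true, marketing: false }
function consentAllowsEmbed(consent) {
  return UNLOCKING_CATEGORIES.some((c) => Boolean(consent) && consent[c] === true);
}

// Only https URLs on a listed host may be injected as the embed script.
function isAllowedEmbedUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" && EMBED_HOSTS.has(u.hostname);
  } catch {
    return false; // unparsable URL: never load it
  }
}

// Pure decision: what the membership slot should contain for this consent state.
function planSlot(consent, { pageUrl, embedSrc }) {
  if (consentAllowsEmbed(consent) && isAllowedEmbedUrl(embedSrc)) {
    return { kind: "embed", scriptSrc: embedSrc };
  }
  // A plain link makes no third-party request until the visitor clicks it.
  return { kind: "link", href: pageUrl };
}

// DOM glue: call on page load and again whenever the CMP reports a change.
function applySlot(doc, slot, plan) {
  slot.replaceChildren(); // drop whatever was rendered before
  const el = doc.createElement(plan.kind === "embed" ? "script" : "a");
  if (plan.kind === "embed") {
    el.src = plan.scriptSrc;
    el.async = true;
  } else {
    el.href = plan.href;
    el.rel = "noopener noreferrer";
    el.textContent = "Support us on Patreon";
  }
  slot.appendChild(el);
  return el;
}
```

On withdrawal, re-rendering the link stops new loads, but a script that has already run stays active until the page reloads, and cookies already stored for patreon.com are outside the embedding site's reach.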
Patreon processes EU patron data on Google Cloud US and AWS US East. The Patreon DPA includes the EU Standard Contractual Clauses (modules 2 and 3) and the UK IDTA, and Patreon is self certified under the EU US Data Privacy Framework. Onward transfers happen to Stripe and PayPal, which apply their own SCCs and DPF certifications.
Sign the Patreon DPA from your creator settings. Gate the embed behind a CMP. List Patreon, Stripe and PayPal in your privacy notice and Article 30 record. Document the US transfer with SCCs and DPF. Update your terms so refunds, VAT receipts and disputes go through Patreon as merchant of record for digital memberships in the EU.
Websites using Patreon must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is not normally required for a creator with a small Patreon. It can become relevant for media operations using Patreon alongside extensive analytics, profiling, course completion tracking and AI driven content delivery on the same audience.
Sample consent text
Memberships on this site are powered by Patreon (Patreon Inc., United States), our merchant of record for digital memberships in the EU. The Patreon embed sets functional and analytics cookies, opens a page on patreon.com, processes payments through Stripe and PayPal and remits EU VAT on our behalf. International transfers to the US are covered by Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
patreon.com, c.patreon.com, c10.patreonusercontent.com, js.stripe.com, www.paypal.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| session_id | third_party | 2 weeks | Patreon functional session cookie set on patreon.com to keep an authenticated patron session and the in progress membership flow. |
| csrf_token | third_party | Session | CSRF protection token for Patreon API calls during the membership and payment flow. |
| patreon_device_id | third_party | 1 year | Persistent Patreon device identifier used to recognise the same browser across sessions and to detect suspicious sign in attempts. |
| __cf_bm | third_party | 30 minutes | Cloudflare bot management cookie set on patreon.com to distinguish humans from automated traffic. |
| __stripe_mid | third_party | 1 year | Stripe machine identifier loaded during the Patreon Stripe checkout step for fraud prevention. |
| __stripe_sid | third_party | 30 minutes | Stripe session identifier loaded during the Patreon Stripe checkout step for fraud detection. |
Patreon uses cookies for user preferences — inform visitors with a consent banner.
When the Patreon embed loads, it sets first party Patreon cookies on patreon.com (session_id, csrf_token, patreon_device_id, locale) and Cloudflare bot management cookies (__cf_bm, _cfuvid). The Stripe checkout adds __stripe_mid, __stripe_sid and m; PayPal adds paypal_* cookies. Patreon's own site runs Google Analytics 4, Optimizely, Sentry and Segment.
Yes. The embed sets non strictly necessary cookies before any visitor action, so Art. 5(3) ePrivacy requires prior consent in the EU. Use a CMP to gate the embed and rely on a plain link to the public Patreon page until consent is given.
Consent (Art. 6(1)(a) GDPR and Art. 5(3) ePrivacy) for the embed cookies. Contract performance (Art. 6(1)(b)) for the membership processing on patreon.com. Legal obligation (Art. 6(1)(c)) for EU VAT collection, since Patreon is the merchant of record for digital memberships in the EU.
Yes. Patreon Inc. is established in the United States and processes EU patron data on Google Cloud US and AWS US East. The Patreon DPA incorporates the EU Standard Contractual Clauses and the UK IDTA, and Patreon is self certified under the EU US Data Privacy Framework. Stripe and PayPal apply their own SCCs and DPF certifications.
A DPIA is not normally required for a small creator using Patreon as a tip jar. It can become appropriate for media operations using Patreon alongside extensive analytics, profiling, course completion tracking and AI content delivery on the same audience.
Sign the Patreon DPA, gate the embed behind a CMP, list Patreon, Stripe and PayPal in your privacy notice and Article 30 record, document the US transfer with SCCs and DPF, and direct refund, VAT receipt and dispute requests to Patreon as merchant of record.
EU friendly alternatives include Steady (Germany), Tipeee (France), Liberapay (France, non profit), Ko fi (UK), Buy Me a Coffee (US), Substack (US with DPF), Beehiiv (US with DPF) and self managed setups based on Stripe Billing or Mollie subscriptions.
List the Patreon, Cloudflare, Stripe and PayPal cookies in your cookie policy with their categories and durations. In your privacy notice describe Patreon as your membership platform and merchant of record, the embed, the iframe to patreon.com, the US transfer with SCCs and DPF and the role of Stripe and PayPal as separate processors.