Running an internet service costs money. Servers, bandwidth, engineers, support, compliance, security audits — none of it is free. An app that charges you nothing has to fund those costs somewhere. The question is: from where?
There are essentially four revenue models for consumer software: advertising, data monetization, subscription, and charitable funding (donations or grants). Each has different implications for privacy. Understanding which model an app uses — and what that model structurally incentivizes — is more predictive of its long-term behavior than any privacy policy.
The Advertising Model
Advertising is the dominant revenue model of the consumer internet. Google, Meta, Twitter, TikTok, and thousands of smaller services are funded primarily by selling ad impressions — and the value of those impressions is proportional to how precisely they can be targeted.
Precise targeting requires data. Not just "this user is in California" — that's not worth much. The valuable data is behavioral: what you search for, what you buy, who you talk to, what you're worried about, what you're about to buy. The more intimate the data, the more accurately an ad can be placed, the higher the CPM (cost per thousand impressions), the more revenue the platform earns.
This creates a structural conflict with privacy that no privacy policy can resolve:
An ad-funded app that doesn't collect data earns less. An ad-funded app that collects more data earns more. The financial incentive is permanently pointed toward surveillance, not away from it.
This doesn't mean every advertising-funded app is maximally invasive — regulation, public relations risk, and competition create some pressure in the other direction. But the baseline incentive is always toward more collection, more sharing, less user control. Good intentions don't change the incentive structure; they just fight against it.
Data Monetization (The Subtler Version)
Some apps don't show ads but still monetize user data — selling anonymized (or pseudonymized) datasets to data brokers, research firms, financial institutions, or insurers. The business model sounds more benign than advertising but can be more invasive in practice.
"Anonymized" data is routinely de-anonymized. A dataset with location history, age range, household size, and purchase categories is trivially linkable to specific individuals — researchers have demonstrated this repeatedly with telecom, mobility, and health datasets. The word "anonymized" in a privacy policy does meaningful legal work but limited practical work.
Apps in health, wellness, finance, and communication categories are particularly valuable for data monetization because those categories generate the most personally sensitive signals. A period-tracking app knows something about you that you might not want your employer or insurer to know. A communication app knows your social graph and communication patterns. These aren't academic risks.
The Nonprofit Model: Good, But Not Sufficient
Signal is the most prominent example of a privacy-focused app funded by nonprofit status and donations rather than advertising or data sales. This model genuinely removes the advertising incentive conflict — Signal Foundation has no financial reason to collect your data.
The limitations:
- Dependency on donors and grants — Signal received a large founding grant from Brian Acton (former WhatsApp co-founder, $50 million in 2018). This bought years of runway, but nonprofit sustainability requires ongoing funding. The history of privacy tools includes many excellent projects that ran out of money and shut down or were acquired.
- Mission drift is possible — nonprofits have boards, and boards change over time. The current Signal Foundation is well-governed; whether that continues over a decade or two is not guaranteed.
- Scale limitations — subscription revenue scales linearly with users; donation revenue does not. Large user bases on nonprofit models face structural capacity challenges.
None of this is a knock on Signal specifically — it's one of the best-run nonprofit technology organizations in existence. The point is that "nonprofit" is not a permanent solution to the funding problem; it's a temporary alignment of incentives that requires active maintenance.
The Subscription Model: Aligned Incentives
A paid subscription aligns the service's financial interest with the user's interest in a way no other model does. If you pay for the product, the service needs to be good enough that you keep paying. If the service starts using your data in ways you don't like, you leave. The business needs you to be happy, not just present.
This is why subscription is the model that privacy advocates consistently recommend: it's not because paying for things is noble — it's because paying creates accountability. The service's survival depends on users choosing to continue, not on maximizing data extraction from users who have no practical exit.
Advertising-funded services often deliberately increase switching costs to trap users — contact lock-in, data hoarding, proprietary formats. A subscription service doesn't benefit from switching costs; it benefits from being worth keeping. These incentives push in opposite directions over time.
The common objection is that paid services are inaccessible to users who can't afford them. This is a genuine tension. Most privacy-focused subscription services address it through free tiers with meaningful features or income-sensitive pricing. But it's worth being honest: a truly sustainable privacy service that pays its engineers and keeps its servers running has to come from somewhere. Subscriptions are the most honest source.
Venture Capital and the Exit Problem
Many apps that launch with strong privacy commitments are venture-backed — meaning investors have taken equity stakes in exchange for funding, and those investors expect a return. The typical return mechanisms are acquisition or IPO.
Acquisition is where privacy commitments historically collapse. WhatsApp had a strong privacy-first culture before the Facebook acquisition. Instagram had one too. Tumblr, Waze, Nest — the pattern repeats: a product with genuine values gets acquired by a company with different values, and the privacy commitments are revised over time through policy updates and feature changes.
Venture-backed apps aren't necessarily bad privacy choices in their early years. The problem is that a VC-backed company has an exit as its terminal state, and you can't predict at download time whether that exit will preserve or undermine the privacy model you're relying on.
What to Look For
When evaluating a privacy-focused app, the business model questions worth asking:
- What is the primary revenue source? Subscriptions, advertising, data sales, or donations? Subscriptions are the best alignment. Advertising is the worst.
- Is there VC backing? If so, what are the investor expectations for exit? Who are the investors, and what are their portfolio companies?
- If nonprofit, how is it funded? Ongoing donation base, or a single large grant? How transparent is the foundation's governance?
- What happens to user data if the company is acquired? Some services include explicit change-of-control provisions in their privacy policies. Most don't.
- Is the business model sustainable at the current user count and price? An unsustainable model is a future pivot waiting to happen.
None of these questions provide certainty — any company can change, any founder can sell, any nonprofit can drift. But they give you a probability distribution. A bootstrapped subscription service with no VC backing and no advertising is structurally more likely to maintain privacy commitments over a decade than a venture-backed free app looking for an exit.
The goal isn't to find a perfect business model. It's to choose services where the business model's interests run in the same direction as yours — not against them.