Security Problems
30 security issues found across 27 products.
No zero-knowledge encryption - Google scans and accesses your files
Google Drive does not offer zero-knowledge encryption. Google holds the encryption keys, meaning employees or authorities can access your data. Google openly acknowledges scanning uploads. For users with truly private documents, this is a fundamental privacy concern that cannot be resolved.
Gemini AI caught scanning private files without user permission
In 2024, Google's Gemini AI was caught scanning private Drive files without explicit permission. Security researcher Kevin Bankston reported Gemini generated summaries of private tax returns without consent. Users trying to disable Gemini access found Google's directions pointed to non-existent settings. This raised major privacy alarms.
History of security issues and misleading encryption claims
In 2020, 500,000+ Zoom accounts were compromised via credential stuffing. The FTC found that Zoom misled users about end-to-end encryption. 'Zoombombing' became widespread. While security has improved, the FTC settlement and past issues raise trust concerns for sensitive meetings.
Data sharing with Facebook and third parties
Zoom has faced criticism for sharing user data with Facebook when users log in with Facebook credentials. The FTC found Zoom stored meeting recordings unencrypted longer than necessary. Privacy-conscious users may prefer alternatives with stricter data practices.
Privacy concerns - PC scanning and data collection
Users express extreme discomfort about Discord scanning their PC and linking software to their account without permission. Discord collects extensive data including IP addresses, device identifiers, friends list, server participation, and usage analytics. CNIL (French data authority) has fined Discord for GDPR violations.
Data breaches and security incidents
Multiple security incidents have affected Discord users. In 2023, Discord.io suffered a breach affecting 760,000 members. In 2025, 620 million users' messages were scraped. Users report spam bots posing significant security risks, and invite-only server links can be guessed.
No end-to-end encryption - Notion can read your notes
Due to the lack of end-to-end encryption, Notion has access to all user content. This is a dealbreaker for privacy-conscious users, regulated businesses, or anyone handling sensitive information. Users wanting local-first, encrypted solutions are increasingly switching to alternatives like Obsidian or Anytype.
No end-to-end encryption - data breaches have exposed sensitive messages
Slack encrypts data in transit and at rest but does NOT provide end-to-end encryption. Customer-managed keys are only available via Enterprise Key Management (EKM) on Enterprise+. In July 2024, a significant data breach exposed PII including names, email addresses, user IDs, internal messages, and shared files. Analysis found 17,000+ Slack credentials being sold on hacking forums. 1 in 166 Slack messages contains confidential information.
Insufficient permission controls for teams
Capterra reviews note that 'security controls and permission settings are insufficient for sensitive data and complex team structures.' Users report difficulty configuring access to comment on cards or view them by teams. One reviewer stated 'the permission management is a bit nascent' and 'hard to follow if many people use same board because no way to see who changed what.'
Attachments and forms publicly accessible without authentication
Users discovered that 'attachments, clips, and forms are all completely publicly accessible' because 'they have a link that anyone can access, even without a ClickUp account with no authentication required.' This is a serious security concern for teams handling sensitive data.
Account deletion and spam email issues
Users report difficulty getting accounts deleted - receiving only data download options instead of actual deletion. After providing email addresses, users experience an 'unstoppable barrage of spam' with no easy unsubscribe option and no one to contact about the issue.
Data export is extremely difficult - notes held hostage
Users report being unable to export notes, with the export feature crashing for large note collections. Export can only be done from desktop (not web/mobile) and is limited to 100 notes at a time. Evernote's proprietary ENEX format requires third-party tools to convert. Many users feel trapped with their data.
Proprietary format makes data export problematic
Roam stores notes in a proprietary format in someone else's cloud, unlike Obsidian or Logseq, which use plain Markdown. Exporting as JSON produces a file that cannot be imported back; re-import fails with errors. Data portability is limited.
No iCloud sync option - data on company servers
Some users want a choice of syncing options and would prefer iCloud sync instead of company-managed servers. Data is stored on Craft's servers rather than user-controlled storage. For privacy-conscious users, this is a concern.
No zero-knowledge encryption - Dropbox can access your files
Unlike competitors like Tresorit or Sync.com, Dropbox does not offer zero-knowledge encryption. Dropbox employees and systems can technically access your files. The company shares data with third parties as stated in their privacy policy. Privacy-conscious users find this unacceptable for sensitive documents.
Zero-knowledge encryption requires expensive KeySafe add-on
Box's standard offering doesn't include zero-knowledge or client-side encryption. For true privacy where Box cannot access your files, you need the KeySafe add-on which costs extra. Organizations with strict privacy requirements face additional costs.
Accounts suspended without clear explanation
Users report account suspensions without clear explanations or warnings. Authentication problems lock people out of their accounts. This creates business disruption when marketing campaigns suddenly stop.
GDPR compliance concerns with data deletion delays
Users in the EU report concerns about GDPR compliance due to slow data deletion. Account deletion requests taking 6+ weeks violate GDPR's 30-day requirement. This raises legal concerns for EU-based creators.
Accounts suspended without warning or explanation
Users report accounts being suspended out of the blue with no warning, no explanation, and no support available to help. This leaves businesses unable to send marketing emails and can severely impact revenue during critical periods.
Accounts blocked without explanation or warning
Users report accounts being blocked for 'no reason' with no explanation, just told to 'go elsewhere.' Brevo is described as 'very strict on compliance' - more than any other platform - frequently shutting down accounts and requiring extensive proof.
Accounts suspended without warning for vague policy violations
Users report being suspended without warning, sometimes less than a month into a paid plan. Reasons given are generic 'anti-spam policy violations' with no specific campaign or clause identified despite repeated requests. Paying customers lost access to €250+ annual plans.
SSL certificate issues causing Google Ads suspension
GetResponse has SSL certificate issues they don't inform users about. One user's landing page caused Google to suspend their Ads account, costing thousands of dollars. Support admitted they knew about the issue.
No due diligence on merchants - fraud concerns
Shopify conducts no due diligence on its merchants and has no accountability. Consumers report unvetted merchants, potential fraud, non-delivery, and incorrect items with no support when things go wrong.
Personal info exposed in page source code
Users discovered that personal information from account profiles is automatically embedded in page source code without consent or control. This exposes identifying details publicly, raising privacy concerns that Squarespace hasn't adequately addressed.
GDPR compliance concerns
Some users report that Webflow is not GDPR compliant and actively ignores this issue. For European businesses or those serving EU customers, this creates legal risk and may require additional third-party tools or workarounds to achieve compliance.
92% of breaches come from plugins and themes
WordPress core is relatively secure, but 92% of successful breaches in 2025 came from vulnerable plugins and themes. November 2025 alone saw 108 new vulnerabilities disclosed, with 31 remaining unpatched. Popular plugins like King Addons, Database for Contact Form 7, and W3 Total Cache had critical CVEs exploited in mass attacks.
Content moderation controversy eroded trust
The 2024 Nazi content controversy damaged Substack's reputation. Substack initially refused to remove Nazi newsletters, then partially reversed course after backlash. Over 200 writers signed letters of concern. Some prominent writers left. The incident raised questions about platform values.
Spam and abuse reports go unaddressed
Users report serious spam issues with no response from beehiiv. One user reported domain impersonation with malware links hosted on beehiiv accounts and found it impossible to get a human response without an account. Another had all advertising payouts wiped from their account.
No real protection for sellers against fraud
Sellers are advised to be 'extremely cautious' as they can lose both product and money. Disputed refunds often favor buyers with no seller safeguards. Chargebacks hit sellers hard. The platform doesn't adequately protect against scams.
Scammers exploit buyer protection loopholes
Common fraud tactics include overpayment schemes, fake invoice scams, and address manipulation. Friends & Family payments have no protection. Fake invoices are designed to steal login credentials. The platform struggles with sophisticated scam operations.