diff --git a/src/routes/appstore.js b/src/routes/appstore.js
index c7a95551b..b40c35be9 100644
--- a/src/routes/appstore.js
+++ b/src/routes/appstore.js
@@ -15,7 +15,9 @@ const appstore = require('../appstore.js'),
 BoxError = require('../boxerror.js'),
 HttpError = require('connect-lastmile').HttpError,
 HttpSuccess = require('connect-lastmile').HttpSuccess,
- safe = require('safetydance');
+ safe = require('safetydance'),
+ users = require('../users.js'),
+ _ = require('underscore');
 async function getApps(req, res, next) {
 const [error, apps] = await safe(appstore.getApps());
@@ -70,5 +72,7 @@ async function getSubscription(req, res, next) {
 const [error, result] = await safe(appstore.getSubscription());
 if (error) return next(BoxError.toHttpError(error));
- next(new HttpSuccess(200, result)); // { email, cloudronId, cloudronCreatedAt, plan, current_period_end, canceled_at, cancel_at, status, features }
+ // non-owners only get a stripped down version
+ if (users.compareRoles(req.user.role, users.ROLE_OWNER) < 0) next(new HttpSuccess(200, _.pick(result, 'plan', 'status')));
+ else next(new HttpSuccess(200, result)); // { email, cloudronId, cloudronCreatedAt, plan, current_period_end, canceled_at, cancel_at, status, features }
 }
diff --git a/src/server.js b/src/server.js
index ac997c1cd..75b9c5181 100644
--- a/src/server.js
+++ b/src/server.js
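Review bot: In `getSubscription` (src/routes/appstore.js) the full `result`, including `email` and `cloudronId`, is the `else` branch, so the response fails open whenever `compareRoles` returns anything that is not less than zero. Making the stripped response the default is safer: `if (users.compareRoles(req.user.role, users.ROLE_OWNER) >= 0) return next(new HttpSuccess(200, result));` followed by `next(new HttpSuccess(200, _.pick(result, 'plan', 'status')));`. How `compareRoles` treats a missing or unrecognised `req.user.role` is not visible in this hunk and should be confirmed either way. Admins, who previously received the full object behind `authorizeAdmin`, now also get only `plan` and `status`; if that is intended, the comment could say "non-owners, including admins".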
@@ -193,7 +193,7 @@ function initializeExpressSync() {
 // appstore and subscription routes
 router.post('/api/v1/appstore/register_cloudron', json, token, authorizeAdmin, routes.appstore.registerCloudron);
 router.post('/api/v1/appstore/user_token', json, token, authorizeAdmin, routes.appstore.createUserToken);
- router.get ('/api/v1/appstore/subscription', token, authorizeAdmin, routes.appstore.getSubscription);
+ router.get ('/api/v1/appstore/subscription', token, routes.appstore.getSubscription);
 router.get ('/api/v1/appstore/apps', token, authorizeAdmin, routes.appstore.getApps);
 router.get ('/api/v1/appstore/apps/:appstoreId', token, authorizeAdmin, routes.appstore.getApp);
 router.get ('/api/v1/appstore/apps/:appstoreId/versions/:versionId', token, authorizeAdmin, routes.appstore.getAppVersion);
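Review bot: With `authorizeAdmin` dropped, `/api/v1/appstore/subscription` is the only route visible in this hunk whose authorization lives in the handler instead of the middleware chain, and nothing on the line says so. A comment such as `// any authenticated user; getSubscription strips the response for non-owners` would keep a later edit to the handler from silently exposing the full subscription object. It is also worth confirming that every credential `token` accepts is meant to read `plan` and `status`, and adding a route test asserting that a non-owner response holds only those two keys. `initializeExpressSync` starts and ends outside the hunk.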