diff --git a/admin/server/billing.go b/admin/server/billing.go
index 61c7b04c191..25d011c01c7 100644
--- a/admin/server/billing.go
+++ b/admin/server/billing.go
@@ -36,19 +36,19 @@ func (s *Server) GetBillingSubscription(ctx context.Context, req *adminv1.GetBil
 }
 if org.BillingCustomerID == "" {
- return &adminv1.GetBillingSubscriptionResponse{Organization: organizationToDTO(org)}, nil
+ return &adminv1.GetBillingSubscriptionResponse{Organization: organizationToDTO(org, true)}, nil
 }
 sub, err := s.admin.Biller.GetActiveSubscription(ctx, org.BillingCustomerID)
 if err != nil {
 if errors.Is(err, billing.ErrNotFound) {
- return &adminv1.GetBillingSubscriptionResponse{Organization: organizationToDTO(org)}, nil
+ return &adminv1.GetBillingSubscriptionResponse{Organization: organizationToDTO(org, true)}, nil
 }
 return nil, status.Error(codes.Internal, err.Error())
 }
 return &adminv1.GetBillingSubscriptionResponse{
- Organization: organizationToDTO(org),
+ Organization: organizationToDTO(org, true),
 Subscription: subscriptionToDTO(sub),
 BillingPortalUrl: sub.Customer.PortalURL,
 }, nil
@@ -135,7 +135,7 @@ func (s *Server) UpdateBillingSubscription(ctx context.Context, req *adminv1.Upd
 }
 return &adminv1.UpdateBillingSubscriptionResponse{
- Organization: organizationToDTO(updatedOrg),
+ Organization: organizationToDTO(updatedOrg, true),
 Subscription: subscriptionToDTO(sub),
 }, nil
 }
@@ -220,7 +220,7 @@ func (s *Server) UpdateBillingSubscription(ctx context.Context, req *adminv1.Upd
 }
 return &adminv1.UpdateBillingSubscriptionResponse{
- Organization: organizationToDTO(org),
+ Organization: organizationToDTO(org, true),
 Subscription: subscriptionToDTO(sub),
 }, nil
 }
@@ -419,7 +419,7 @@ func (s *Server) RenewBillingSubscription(ctx context.Context, req *adminv1.Rene
 }
 return &adminv1.RenewBillingSubscriptionResponse{
- Organization: organizationToDTO(org),
+ Organization: organizationToDTO(org, true),
 Subscription: subscriptionToDTO(sub),
 }, nil
 }
@@ -563,12 +563,12 @@ func (s *Server) SudoUpdateOrganizationBillingCustomer(ctx context.Context, req
 if sub == nil {
 return &adminv1.SudoUpdateOrganizationBillingCustomerResponse{
- Organization: organizationToDTO(org),
+ Organization: organizationToDTO(org, true),
 }, nil
 }
 return &adminv1.SudoUpdateOrganizationBillingCustomerResponse{
- Organization: organizationToDTO(org),
+ Organization: organizationToDTO(org, true),
 Subscription: subscriptionToDTO(sub),
 }, nil
 }
diff --git a/admin/server/organizations.go b/admin/server/organizations.go
index c794c28b0e5..e7c05632bcd 100644
--- a/admin/server/organizations.go
+++ b/admin/server/organizations.go
@@ -45,7 +45,7 @@ func (s *Server) ListOrganizations(ctx context.Context, req *adminv1.ListOrganiz
 pbs := make([]*adminv1.Organization, len(orgs))
 for i, org := range orgs {
- pbs[i] = organizationToDTO(org)
+ pbs[i] = organizationToDTO(org, false)
 }
 return &adminv1.ListOrganizationsResponse{Organizations: pbs, NextPageToken: nextToken}, nil
@@ -60,13 +60,23 @@ func (s *Server) GetOrganization(ctx context.Context, req *adminv1.GetOrganizati
 }
 claims := auth.GetClaims(ctx)
- if !claims.OrganizationPermissions(ctx, org.ID).ReadOrg && !claims.Superuser(ctx) {
- return nil, status.Error(codes.PermissionDenied, "not allowed to read org")
+ perms := claims.OrganizationPermissions(ctx, org.ID)
+ if !perms.ReadOrg && !claims.Superuser(ctx) {
+ ok, err := s.admin.DB.CheckOrganizationHasPublicProjects(ctx, org.ID)
+ if err != nil {
+ return nil, err
+ }
+ if !ok {
+ return nil, status.Error(codes.PermissionDenied, "not allowed to read org")
+ }
+
+ perms.ReadOrg = true
+ perms.ReadProjects = true
 }
 return &adminv1.GetOrganizationResponse{
- Organization: organizationToDTO(org),
- Permissions: claims.OrganizationPermissions(ctx, org.ID),
+ Organization: organizationToDTO(org, perms.ManageOrg),
+ Permissions: perms,
 }, nil
 }
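Review bot: In GetOrganization, `perms.ReadOrg = true` and `perms.ReadProjects = true` write into the value returned by `claims.OrganizationPermissions`; that value is later assigned directly to the response's `Permissions` field, so it is presumably a message pointer, and if the claims object caches it the granted flags would also satisfy later permission checks made with the same claims. Assign a fresh value for the public-projects case instead, e.g. `perms = &adminv1.OrganizationPermissions{ReadOrg: true, ReadProjects: true}` (type name assumed from the response field; confirm). Separately, `return nil, err` after `CheckOrganizationHasPublicProjects` passes the raw database error to the client without a status code; `return nil, status.Error(codes.Internal, err.Error())` would match the handling visible in billing.go. The function begins before this hunk.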
@@ -119,7 +129,7 @@ func (s *Server) CreateOrganization(ctx context.Context, req *adminv1.CreateOrga
 }
 return &adminv1.CreateOrganizationResponse{
- Organization: organizationToDTO(org),
+ Organization: organizationToDTO(org, true),
 }, nil
 }
@@ -211,7 +221,7 @@ func (s *Server) UpdateOrganization(ctx context.Context, req *adminv1.UpdateOrga
 }
 return &adminv1.UpdateOrganizationResponse{
- Organization: organizationToDTO(org),
+ Organization: organizationToDTO(org, true),
 }, nil
 }
@@ -873,7 +883,7 @@ func (s *Server) SudoUpdateOrganizationQuotas(ctx context.Context, req *adminv1.
 }
 return &adminv1.SudoUpdateOrganizationQuotasResponse{
- Organization: organizationToDTO(updatedOrg),
+ Organization: organizationToDTO(updatedOrg, true),
 }, nil
 }
@@ -914,12 +924,12 @@ func (s *Server) SudoUpdateOrganizationCustomDomain(ctx context.Context, req *ad
 }
 return &adminv1.SudoUpdateOrganizationCustomDomainResponse{
- Organization: organizationToDTO(org),
+ Organization: organizationToDTO(org, true),
 }, nil
 }
-func organizationToDTO(o *database.Organization) *adminv1.Organization {
- return &adminv1.Organization{
+func organizationToDTO(o *database.Organization, privileged bool) *adminv1.Organization {
+ res := &adminv1.Organization{
 Id: o.ID,
 Name: o.Name,
 DisplayName: o.DisplayName,
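Review bot: `organizationToDTO` gains a parameter that decides whether billing data leaves the server, but the definition has no doc comment saying what `privileged` controls or when a caller may pass `true`. Suggest adding above the signature: `// organizationToDTO converts o to its API message. BillingCustomerId, PaymentCustomerId and BillingEmail are set only when privileged is true; pass true only after the caller has been authorized to manage the org.` Most call sites in this commit pass a literal `true` and rely on a permission check that is outside their hunks, so the stated contract is what a reviewer of a future call site would check against. The function body continues past the end of this hunk.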
@@ -933,12 +943,17 @@ func organizationToDTO(o *database.Organization) *adminv1.Organization {
 OutstandingInvites: int32(o.QuotaOutstandingInvites),
 StorageLimitBytesPerDeployment: o.QuotaStorageLimitBytesPerDeployment,
 },
- BillingCustomerId: o.BillingCustomerID,
- PaymentCustomerId: o.PaymentCustomerID,
- BillingEmail: o.BillingEmail,
- CreatedOn: timestamppb.New(o.CreatedOn),
- UpdatedOn: timestamppb.New(o.UpdatedOn),
+ CreatedOn: timestamppb.New(o.CreatedOn),
+ UpdatedOn: timestamppb.New(o.UpdatedOn),
+ }
+
+ if privileged {
+ res.BillingCustomerId = o.BillingCustomerID
+ res.PaymentCustomerId = o.PaymentCustomerID
+ res.BillingEmail = o.BillingEmail
 }
+
+ return res
 }
 func valOrEmptyString(v *int) string {
diff --git a/admin/server/users.go b/admin/server/users.go
index 738b8d75ac9..b61f749dfe8 100644
--- a/admin/server/users.go
+++ b/admin/server/users.go
@@ -240,7 +240,7 @@ func (s *Server) SudoGetResource(ctx context.Context, req *adminv1.SudoGetResour
 if err != nil {
 return nil, err
 }
- res.Resource = &adminv1.SudoGetResourceResponse_Org{Org: organizationToDTO(org)}
+ res.Resource = &adminv1.SudoGetResourceResponse_Org{Org: organizationToDTO(org, true)}
 case *adminv1.SudoGetResourceRequest_ProjectId:
 proj, err := s.admin.DB.FindProject(ctx, id.ProjectId)
 if err != nil {
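Review bot: The quota fields at the top of the organizationToDTO hunk (`OutstandingInvites`, `StorageLimitBytesPerDeployment`) stay in the unconditional literal, so they are returned even when `privileged` is false, and with the GetOrganization change in this commit that now includes callers who are not members of the organization. If quotas are not meant to be public, set that nested message inside the `if privileged` block alongside the billing fields. If they are meant to be public, a short comment on the literal saying which fields are deliberately unprivileged would keep the next added field from landing on the wrong side. The start of the function and the rest of the literal are outside this hunk.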