What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages GDPR and UK GDPR for EU and UK users respectively, with Substack relying on the EU-U.S. Data Privacy Framework and its UK Extension as the cross-border transfer mechanism; the policy states that DPF Principles govern in the event of conflict with policy terms. The CCPA is explicitly engaged for California residents through a dedicated supplementary notice. The FTC holds investigatory and enforcement authority over Substack's DPF compliance as acknowledg…

How does Substack's Substack Privacy Policy affect users?

Substack collects personal information including payment details, location, device identifiers, and direct message contents, and shares this data with service providers, creators, and industry child safety organizations. Direct messages transmitted through the platform are accessible to Substack personnel and may be retained by recipients independent of the sender's account status. Users may exercise data subject rights by submitting requests to privacy@substackinc.com and may opt out of direct…

How often is Substack's Substack Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Substack updates this document?

Yes. Watcher subscribers ($9.99/month) can add Substack to their watchlist and receive same-day email alerts whenever this document or any other Substack document changes.

CA-D-000178

Substack Privacy Policy

Substack

Last change detected May 19, 2026 Privacy policy

SHA-256: bc3dd14b26e4b8c46be… 5 versions captured 5 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Substack ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

9 Total

1 High severity

4 Medium severity

4 Low severity

Summary

This privacy policy establishes Substack's data collection, use, and sharing practices for readers, writers, and subscribers. The policy authorizes Substack to access the contents of direct messages, which are not end-to-end encrypted, and specifies that messages may persist with recipients following account deletion. Users may request data access, correction, or deletion by submitting a privacy rights request to privacy@substackinc.com.

Technical / Legal Breakdown

This document is Substack Inc.'s Privacy Policy (last updated May 4, 2026), governing the collection, use, storage, and sharing of personal information across Substack's website and services, with Substack acting as data controller for its own processing purposes. The policy states that Substack collects a broad range of data including names, email addresses, phone numbers, dates of birth, payment details, IP addresses, direct message contents and metadata, and social media account information linked to user profiles; the terms authorize sharing this data with affiliates, service providers (including generative AI providers), creators, third-party data controllers, industry child safety consortia, and government authorities, and reserve the right to transfer data in connection with a merger or acquisition. Two operationally distinct provisions are notable: the policy explicitly discloses that direct messages are not end-to-end encrypted and that Substack personnel may access message contents to enforce terms or provide services; and the policy permits sharing account identifiers such as email addresses and usernames with child safety industry consortia for CSAM detection, a practice newly disclosed in this update. The policy asserts compliance with the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. DPF as mechanisms for transatlantic data transfers, engaging GDPR and UK GDPR obligations, with DPF Principles stated to govern in the event of conflict with policy terms; the policy also includes dedicated CCPA disclosures for California residents, engaging California Consumer Privacy Act obligations enforced by the California Privacy Protection Agency.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

5 important changes detected

5 versions captured · Last updated: May 2026

May 19, 2026

low

What changed The navigation footer of Substack's privacy policy page was updated on May 19, 2026 to include comparative product links. Specifically, 'Substack vs. beehiiv' and 'Substack vs. Patreon' navigation items were added to the footer menu. This is a navigation and site structure change with no material impact on the privacy policy terms themselves.

Why this matters This change is a site navigation and footer update with no substantive impact on privacy policy terms, data handling practices, or user rights. The addition of comparative product links does not modify what data Substack collects, how it processes data, or what rights users have. The privacy policy terms remain unchanged.

View full change record →

May 15, 2026

low

What changed Substack updated its privacy policy on May 15, 2026 to disclose that it shares account identifiers with child safety industry consortia and now receives information from those consortia to detect child sexual abuse material (CSAM). The policy also added language stating that Substack may obtain additional information from third parties, combine it with platform data, and use the combined information to provide safer experiences and improve the platform and analytics.

Why this matters The updated policy discloses that Substack shares account identifiers with child safety industry consortia and receives information from those consortia to detect CSAM. The policy now also states that Substack may obtain additional information from third parties and combine it with platform data to provide safer experiences and improve platform analytics. The updated terms treat combined information from other sources in accordance with the overall privacy policy. These are disclosures of existing or new data-handling practices rather than changes that grant users new control mechanisms.

View full change record →

May 6, 2026 low

Substack's privacy policy now discloses that the company shares account identifiers with child safety industry consortia to detect child sexual abuse material (CSAM). This is a new transparency disclosure added …

View change record →

May 5, 2026 medium

Substack updated its privacy policy on May 5, 2026 to disclose that it shares account identifiers with child safety organizations to detect child sexual abuse material, added a one-month deadline …

View change record →

April 19, 2026 medium

Substack's updated privacy policy removes language describing a one-month response timeline for certain privacy rights requests and eliminates explicit disclosure about sharing account identifiers with child safety consortia. The policy …

View change record →

High — 1 provision

Direct Messages Not End-to-End Encrypted

Your private messages on Substack are not encrypted end-to-end, meaning Substack can technically read them, and the people you message can keep copies of your messages permanently even if you delete them or close your account.

Added May 8, 2026 Rare

Medium — 4 provisions

Staff Access to Direct Message Contents

Substack employees can read your private messages for a range of reasons including enforcing rules, security, support, or simply as needed to operate the service, and automated systems also scan message content.

Added May 11, 2026 Rare
Generative AI Service Provider Data Sharing Compare →

Substack shares your personal information with third-party generative AI service providers as part of its normal operations, though the policy does not specify which AI providers are used or what data they receive.

Added May 8, 2026 Standard Seen across 246 platforms
Creator Data Sharing Compare →

When you subscribe to or comment on a publication on Substack, the creator of that publication receives your name and email address, and that creator then controls how they use your personal information according to their own privacy policies.

Added May 11, 2026 Standard Seen across 246 platforms
Cookie and Tracking Data Collection Compare →

Substack uses cookies to track your use of its website, and if another user syncs their contacts, your email address or phone number may be collected and stored as an encrypted value.

Added May 11, 2026 Standard Seen across 251 platforms

Low — 4 provisions

Account Identifier Sharing with Child Safety Consortia

Substack shares user account identifiers including email addresses and usernames with external child safety organizations to help detect and prevent child sexual abuse material online.

Added May 8, 2026 Rare
EU-U.S. Data Privacy Framework Compliance and Binding Arbitration Compare →

Substack is certified under the EU-U.S. Data Privacy Framework, which provides a mechanism for legally transferring personal data from Europe to the US, and EU users have access to a free dispute resolution process and ultimately binding arbitration if they have unresolved privacy complaints.

Added May 11, 2026 Standard Seen across 189 platforms
Privacy Rights and One-Month Response Commitment Compare →

You have rights to access, correct, delete, or transfer your personal data held by Substack depending on where you live, and Substack commits to responding to these requests within one month.

Added May 11, 2026 Standard Seen across 262 platforms
Data Transfer on Business Sale or Merger Compare →

If Substack is sold, merges with another company, or goes bankrupt, your personal information may be transferred to the new owner as part of that transaction.

Added May 11, 2026 Standard Seen across 246 platforms