Flagged provisions: 8 total (0 high severity, 6 medium severity, 2 low severity)
Summary

This is Substack's Privacy Policy, covering how the platform collects and uses Personal Information from readers, subscribers, and creators across its writing, video, and podcast publishing services. The policy authorizes collection of name, email, phone number, date of birth, payment details, location, device identifiers, direct message contents and metadata, and third-party account identifiers (such as YouTube credentials), and permits sharing with service providers including generative AI services, analytics providers, and industry child safety organizations for CSAM detection. The policy also discloses that direct messages are not end-to-end encrypted and may be accessed by Substack personnel for enforcement, security, and support purposes.

Technical / Legal Breakdown

This document is Substack Inc.'s Privacy Policy (last updated May 14, 2026), governing the collection, use, storage, and sharing of Personal Information by Substack as a data controller across its media and publishing platform; it does not govern processing performed by Creators acting as independent data controllers. The policy states that Substack collects name, email, phone number, date of birth, payment details, location, device and IP information, direct message contents and metadata, social media account identifiers, and third-party integration data (including YouTube account and video identifiers), and authorizes use of this information for service provision, fraud prevention, personalization, and direct marketing (with consent where required). Two provisions are operationally distinct relative to commonly observed practice: the policy discloses sharing of account identifiers (email addresses and usernames) with industry child safety consortia for CSAM detection, and explicitly states that direct messages are not end-to-end encrypted and may be accessed by Substack personnel for Terms of Use enforcement, security, user support, and automated scanning. The policy asserts compliance with the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. DPF, and references CCPA-specific notices in a separate section; GDPR, UK GDPR, and applicable state privacy laws (including California) create compliance obligations that may constrain or supplement the terms as written. Material compliance considerations include the scope of Creator data controller independence (requiring separate lawful basis analysis), the DPF certification and its FTC enforceability, and the one-month response commitment for privacy rights requests added in the most recent update.


6 important changes detected

6 versions captured · Last updated: June 2026

What changed: Substack replaced one third-party tracking vendor with another in its privacy policy. The policy previously listed AdQuick as a persistent tracking pixel for third-party analytics; this vendor reference has been removed and replaced with muxData, which collects anonymous video metrics. The practical effect is a change in which vendor processes tracking data on Substack's platform, though both serve analytics purposes.

Why this matters: The updated privacy policy replaces one analytics tracking vendor with another. Previously, Substack disclosed use of AdQuick, a pixel-based third-party analytics tracker. The revised policy now lists muxData as the vendor for video metric collection. Both vendors operate on the same persistent cookie basis and serve analytics functions, so the functional scope of data collection and use remains substantially similar in kind, though the specific vendor processing the data has changed.

What changed: The navigation footer of Substack's privacy policy page was updated on May 19, 2026 to include comparative product links. Specifically, 'Substack vs. beehiiv' and 'Substack vs. Patreon' navigation items were added to the footer menu. This is a navigation and site structure change with no material impact on the privacy policy terms themselves.

Why this matters: This change is a site navigation and footer update with no substantive impact on privacy policy terms, data handling practices, or user rights. The addition of comparative product links does not modify what data Substack collects, how it processes data, or what rights users have. The privacy policy terms remain unchanged.

May 15, 2026 (low)
Substack updated its privacy policy on May 15, 2026 to disclose that it shares account identifiers with child safety industry consortia and now receives information from those consortia to detect …

May 6, 2026 (low)
Substack's privacy policy now discloses that the company shares account identifiers with child safety industry consortia to detect child sexual abuse material (CSAM). This is a new transparency disclosure added …

May 5, 2026 (medium)
Substack updated its privacy policy on May 5, 2026 to disclose that it shares account identifiers with child safety organizations to detect child sexual abuse material, added a one-month deadline …

April 19, 2026 (medium)
Substack's updated privacy policy removes language describing a one-month response timeline for certain privacy rights requests and eliminates explicit disclosure about sharing account identifiers with child safety consortia. The policy …

Recent Provision Changes Jun 5, 2026

Added (1)
Creator as Independent Data Controller (Medium)

This new provision clarifies the scope limitations of Substack's privacy policy and transfers responsibility for Creator data practices to individual creators, potentially reducing Substack's liability.

Removed (3)
Staff Access to Direct Message Contents

Removal of explicit disclosure about staff access to direct message contents may obscure internal monitoring practices from users.

Creator Data Sharing

This detailed provision explaining creator data sharing was replaced with the more general 'Creator as Independent Data Controller' provision, potentially reducing transparency around specific data sharing scenarios.

Cookie and Tracking Data Collection

The cookie and tracking disclosure language was removed from the contact syncing provision, potentially obscuring tracking practices from users who only review the address book section.

Modified (7)
Direct Messages Not End-to-End Encrypted

Severity downgraded from 'high' to 'medium'; the provision content remains identical.

Account Identifier Sharing with Child Safety Consortia

Severity escalated from 'low' to 'medium' and excerpt expanded to show additional context with more formal language structure.

Generative AI Service Provider Data Sharing

Provision remains materially identical with no changes to content or severity.

EU-U.S. Data Privacy Framework Compliance and Binding Arbitration

Severity elevated from 'low' to 'medium', and clarifying language '(each, a "DPF")' was added for definitional purposes.

Privacy Rights and One-Month Response Commitment

Provision renamed from 'Privacy Rights and One-Month Response Commitment' to 'Privacy Rights Request and One-Month Response Commitment' with identical content.

Medium — 6 provisions
Low — 2 provisions


Mapped Governance Frameworks

CCPA/CPRA (California, USA)
Connecticut Data Privacy Act Amendments (US-CT)
CAN-SPAM (United States Federal)
FTC Act Section 5 (United States Federal)
GDPR (European Union)
Indiana Consumer Data Protection Act (US-IN)
Kentucky Consumer Data Protection Act (US-KY)
UK GDPR (United Kingdom)
Universal Opt-Out Mechanism Expansion 2026 (US)
VPPA (United States Federal)
Archival Provenance: Source & Archival Record

Last captured: June 5, 2026 00:29 UTC
Capture method: Automated scheduled archival capture
Document ID: CA-D-000178
Version ID: CA-V-003440
SHA-256: 821600e61efc66d17b5a3a658d989c4a924f2b0530cabe94c68ee2ca7782bd6a
Status: snapshot stored, text extracted, change verified, hash verified
