8 Total
0 High severity
6 Medium severity
2 Low severity
Summary

This is Substack's Privacy Policy, covering how the platform collects and uses Personal Information from readers, subscribers, and creators across its writing, video, and podcast publishing services. The policy authorizes collection of name, email, phone number, date of birth, payment details, location, device identifiers, direct message contents and metadata, and third-party account identifiers (such as YouTube credentials), and permits sharing with service providers including generative AI services, analytics providers, and industry child safety organizations for CSAM detection. The policy also discloses that direct messages are not end-to-end encrypted and may be accessed by Substack personnel for enforcement, security, and support purposes.

Technical / Legal Breakdown

This document is Substack Inc.'s Privacy Policy (last updated May 14, 2026), governing the collection, use, storage, and sharing of Personal Information by Substack as a data controller across its media and publishing platform; it does not govern processing performed by Creators acting as independent data controllers. The policy states that Substack collects name, email, phone number, date of birth, payment details, location, device and IP information, direct message contents and metadata, social media account identifiers, and third-party integration data (including YouTube account and video identifiers), and authorizes use of this information for service provision, fraud prevention, personalization, and direct marketing (with consent where required). Two provisions are operationally distinct relative to commonly observed practice: the policy discloses sharing of account identifiers (email addresses and usernames) with industry child safety consortia for CSAM detection, and explicitly states that direct messages are not end-to-end encrypted and may be accessed by Substack personnel for Terms of Use enforcement, security, user support, and automated scanning. The policy asserts compliance with the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. DPF, and references CCPA-specific notices in a separate section; GDPR, UK GDPR, and applicable state privacy laws (including California) create compliance obligations that may constrain or supplement the terms as written. Material compliance considerations include the scope of Creator data controller independence (requiring separate lawful basis analysis), the DPF certification and its FTC enforceability, and the one-month response commitment for privacy rights requests added in the most recent update.


8 important changes detected

8 versions captured · Last updated: June 2026

What changed: Substack's privacy policy included a navigation menu item referencing 'For media founders' in its updated version published June 28, 2026. This appears to be a navigation or product offering update rather than a substantive change to privacy practices, data handling, or user rights. The change does not materially alter what data Substack collects, how it uses user information, or what privacy protections apply.
Why this matters: This change does not materially affect consumer privacy rights or data handling practices. The updated policy adds a navigation menu item referencing 'For media founders' in its landing page structure, but this is a menu or product categorization change rather than a modification to privacy disclosures, data collection practices, or user protections. Privacy terms and practices remain substantively unchanged.
What changed: Substack updated its privacy policy footer on June 16, 2026 to add a reference to 'Brand Partnerships' in the navigation section. The change adds a link to a new resource or section called 'Brand Partnerships' where previously this link did not appear in the footer menu. This appears to be a navigation and resource disclosure change rather than a substantive modification to privacy terms or data practices.
Why this matters: This change introduces a navigation link to 'Brand Partnerships' information in the privacy policy footer. The change does not modify privacy practices, data collection, retention, or user rights. Users who encounter the privacy policy will see an additional footer link available.

June 5, 2026 low

Substack replaced one third-party tracking vendor with another in their privacy policy. The policy previously listed AdQuick as a persistent tracking pixel for third-party analytics; this vendor reference has been …

May 19, 2026 low

The navigation footer of Substack's privacy policy page was updated on May 19, 2026 to include comparative product links. Specifically, 'Substack vs. beehiiv' and 'Substack vs. Patreon' navigation items were …

May 15, 2026 low

Substack updated its privacy policy on May 15, 2026 to disclose that it shares account identifiers with child safety industry consortia and now receives information from those consortia to detect …

May 6, 2026 low

Substack's privacy policy now discloses that the company shares account identifiers with child safety industry consortia to detect child sexual abuse material (CSAM). This is a new transparency disclosure added …

May 5, 2026 medium

Substack updated its privacy policy on May 5, 2026 to disclose that it shares account identifiers with child safety organizations to detect child sexual abuse material, added a one-month deadline …

April 19, 2026 medium

Substack's updated privacy policy removes language describing a one-month response timeline for certain privacy rights requests and eliminates explicit disclosure about sharing account identifiers with child safety consortia. The policy …


Recent Provision Changes Jun 28, 2026

8 provisions unchanged.

Medium — 6 provisions
Low — 2 provisions


Mapped Governance Frameworks

CCPA/CPRA (California, USA)
Connecticut Data Privacy Act Amendments (US-CT)
CAN-SPAM (United States Federal)
FTC Act Section 5 (United States Federal)
GDPR (European Union)
Indiana Consumer Data Protection Act (US-IN)
Kentucky Consumer Data Protection Act (US-KY)
UK GDPR (United Kingdom)
Universal Opt-Out Mechanism Expansion 2026 (US)
VPPA (United States Federal)
Archival Provenance: Source & Archival Record
Last Captured: June 28, 2026 00:24 UTC
Capture Method: Automated scheduled archival capture
Document ID: CA-D-000178
Version ID: CA-V-004273
SHA-256: 71ddc259e5c57fb2e20d0374b0d56f85464085af02f0c9571bdde6b9270b442a
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified
