This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause establishes a mechanism by which customer data may be transferred to a successor entity or acquirer upon certain corporate events, ensuring continuity of data management during ownership transitions while conditioning disclosure on legal compliance.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →The provision notifies users that their information may be transferred to a new entity operating the service in the event of sale, merger, or similar transaction. Users remain subject to the successor entity's privacy practices unless they affirmatively opt out or terminate service before such transfer occurs.
How other platforms handle this
In the event of a merger, acquisition, reorganization, bankruptcy, or other sale of all or a portion of our assets, any information we hold may be transferred to the acquiring entity or successor. You will be notified via email and/or a prominent notice on our website of any change in ownership or u...
In the event of a merger, acquisition, reorganization, bankruptcy, or other sale of all or a portion of our assets, your personal information may be transferred to the acquiring entity or successor as part of that transaction. We will notify you of any such change in ownership or control of your per...
Since 2016, we have upheld multilateral standards to provide assurance for how we manage our cross-border privacy and data protection obligations and to support our certifications under the following frameworks recognized by regulators: EU-U.S. Privacy Shield (2016), Swiss-U.S. Privacy Shield (2017)...
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We may share and/or transfer customer information in connection with the sale or merger of our business or assets (subject to local laws). Also, if we go out of business, enter bankruptcy, or go through some other change of control.— Excerpt from Substack's Substack Privacy Policy
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause establishes a mechanism by which customer data may be transferred to a successor entity or acquirer upon certain corporate events, ensuring continuity of data management during ownership transitions while conditioning disclosure on legal compliance.
The provision notifies users that their information may be transferred to a new entity operating the service in the event of sale, merger, or similar transaction. Users remain subject to the successor entity's privacy practices unless they affirmatively opt out or terminate service before such transfer occurs.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.