The policy authorizes transfer of customer Personal Information to prospective buyers or sellers in connection with a business sale, merger, bankruptcy, or change of control, subject to applicable local laws.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision reserves the right to transfer subscriber and user Personal Information as part of a business asset transaction, which could result in Personal Information being transferred to a new entity with different privacy practices. The provision notes that such transfers are subject to local laws but does not specify what protections apply to transferred data.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →Provision title changed from 'Data Transfer on Business Sale or Merger' to 'Business Transfer and Asset Sale Data Sharing' with identical content.
View full change record →Under this clause, user Personal Information may be transferred to a third party in the event of a Substack business sale, merger, or bankruptcy. The policy conditions such transfers on applicable local laws but does not describe specific protections or notification obligations for affected users.
How other platforms handle this
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Loyalty and partner program companies. We share information with our loyalty and partner program companies, like Ulta Beauty and Marriott.
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Prospective sellers or buyers: We may share and/or transfer customer information in connection with the sale or merger of our business or assets (subject to local laws). Also, if we go out of business, enter bankruptcy, or go through some other change of control.— Excerpt from Substack's Substack Privacy Policy
1. REGULATORY LANDSCAPE: This provision engages GDPR Article 6 lawful basis requirements for data transfers in M&A contexts, as well as FTC guidance on the treatment of customer data in business transactions. CCPA requires disclosure of the categories of third parties to whom personal information is transferred. State AG offices have historically taken action regarding consumer data transfers in bankruptcy or acquisition contexts. 2. GOVERNANCE EXPOSURE: Low to Medium. Business transfer data sharing provisions are standard across the industry, but the absence of specific user notification procedures or data use limitation commitments for acquiring entities is a due diligence consideration. 3. JURISDICTION FLAGS: EU/EEA users may have heightened exposure if a business transfer results in personal data being transferred to an entity outside the adequacy framework. California users have CCPA rights that may apply to notification in the event of a business transfer affecting their data. 4. CONTRACT AND VENDOR IMPLICATIONS: Organizations using Substack for business-critical functions should be aware that platform ownership and data governance practices could change in the event of a merger, acquisition, or bankruptcy without specific notification requirements established in this policy. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should monitor for Substack corporate transactions that could trigger data transfer to new entities and assess whether updated data processing agreements or transfer impact assessments would be required in that event.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision reserves the right to transfer subscriber and user Personal Information as part of a business asset transaction, which could result in Personal Information being transferred to a new entity with different privacy practices. The provision notes that such transfers are subject to local laws but does not specify what protections apply to transferred data.
Under this clause, user Personal Information may be transferred to a third party in the event of a Substack business sale, merger, or bankruptcy. The policy conditions such transfers on applicable local laws but does not describe specific protections or notification obligations for affected users.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.