This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
This clause establishes the operational mechanics for a contact discovery feature that requires dual opt-in from both the user syncing their address book and the user being identified as a contact. The use of hashed storage limits the form in which this contact data is retained in Substack's systems.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
Users who enable contact syncing authorize Substack to process their address book data and share their profile information with other opted-in users who list them as contacts. Users who do not enable contact syncing are not subject to address book collection, though their profile information may still be shared if another user has enabled the feature and identified them as a contact.
How other platforms handle this
Your use of the Services is also governed by our Privacy Policy, which is incorporated into these Terms by reference. By using the Services, you consent to the data collection and use practices described in the Privacy Policy. Roblox collects information you provide directly, information collected a...
We collect information about you in a variety of ways depending on how you interact with us and our products and services. This includes information you provide directly, information we collect automatically when you use our services, and information we receive from third parties. We may collect ide...
Tabnine may collect and use technical data and related information, including but not limited to technical information about your device, system and application software, and usage data regarding your use of the Services (including code completion statistics and plugin interaction data), to facilita...
Monitoring
Substack has changed this document before.
"We may also collect information about you when one of our users syncs their address book information with our app for contact syncing purposes. This information collection is strictly limited to email addresses and phone numbers, and any information collected in this manner is securely stored only as hashed values. ... to facilitate contact syncing between users who opt in to our app's contact syncing functionality; ... If you opt into contact syncing through our app, your profile information will be shared with any user who has (i) also opted into contact syncing, and who (ii) identified you as a contact.— Excerpt from Substack's Substack Privacy Policy
Netflix updated its Privacy Statement on April 18, 2026, disclosing voice recording collection and expanded household ad profiling for the first time.
Google's Privacy Policy covers Search, Gmail, YouTube, Maps, and every site running Google Analytics. Here is what it actually authorizes.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.