Substack · Substack Privacy Policy · View original document ↗

Contact Syncing and Address Book Data Collection

Medium severity High confidence Explicitdocumentlanguage Unique · 0 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity Substack recorded 5 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for Substack Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

The policy discloses that Substack may collect email addresses and phone numbers of individuals who have not created Substack accounts if a Substack user syncs their address book through the app. Collected contact information is stored as hashed values and is used to facilitate contact syncing between opted-in users.

This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision discloses data collection about non-Substack users through address book syncing, which may occur without the knowledge of the individuals whose contact information is collected. The policy limits collection to email addresses and phone numbers stored as hashes, and limits use to contact syncing purposes.

Recent Activity

This document changed recently

Medium May 5, 2026

Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.

View change record →
Medium Apr 19, 2026

The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.

View change record →

Change history

modified Jun 5, 2026

Severity upgraded from 'medium' to 'medium' (unchanged), but cookie/tracking language was removed and separated into distinct provision; title changed from generic to address-book-specific.

View full change record →

Consumer impact (what this means for users)

Under this clause, Substack may collect and store hashed versions of email addresses and phone numbers from address book uploads by other users, even for individuals who do not have Substack accounts. The policy states this data is used solely for contact syncing and is stored in hashed form.

How other platforms handle this

Ledger Medium

At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.

Strava Medium

If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.

eBay Medium

We collect your personal data when you use our Services, create a new eBay account, provide us with information via a web form, add or update information in your eBay account, participate in online community discussions or otherwise interact with us.

See all platforms with this clause type →

Monitoring

Substack has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
We may also collect information about you when one of our users syncs their address book information with our app for contact syncing purposes. This information collection is strictly limited to email addresses and phone numbers, and any information collected in this manner is securely stored only as hashed values.

— Excerpt from Substack's Substack Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: This provision engages GDPR Articles 13 and 14 transparency requirements, as individuals whose data is collected via address book syncing may not receive a direct privacy notice. CCPA may similarly require disclosure to California residents whose contact information is collected through this mechanism. Illinois BIPA may be relevant if hashed identifiers are treated as biometric-adjacent under that statute, though this is unlikely given the data types involved. 2. GOVERNANCE EXPOSURE: Medium. Collection of personal data about non-users raises questions about lawful basis under GDPR, particularly regarding transparency obligations to individuals who have not interacted with Substack directly. 3. JURISDICTION FLAGS: EU/EEA and UK users whose contact information may appear in others' address books face potential GDPR exposure given the transparency requirements for third-party collected data. California residents have CCPA rights that may apply to contact information collected through this mechanism. 4. CONTRACT AND VENDOR IMPLICATIONS: This provision is relevant for organizational assessments of employee data exposure, as employee email addresses and phone numbers may be collected through colleagues' address book syncs without organizational knowledge. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether Substack's hashing approach and use limitation adequately address GDPR Article 14 obligations for third-party collected personal data, and whether the absence of direct notice to non-users is defensible under applicable law.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has jurisdiction over consumer data collection practices including collection of contact information from individuals who have not directly interacted with the platform
    File a complaint →

Applicable regulations

CCPA/CPRA
California, USA
Connecticut Data Privacy Act Amendments
US-CT
CAN-SPAM
United States Federal
FTC Act Section 5
United States Federal
GDPR
European Union
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
UK GDPR
United Kingdom
Universal Opt-Out Mechanism Expansion 2026
US
VPPA
United States Federal

Provision details

Document information
Document
Substack Privacy Policy
Entity
Substack
Document last updated
May 5, 2026
Tracking information
First tracked
May 21, 2026
Last verified
May 21, 2026
Record ID
CA-P-006890
Document ID
CA-D-00178
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
a4d2324534904f4fe245001d53f247ef46d8942c06d9e1fa0c0ef9aa893a52ee
Analysis generated
May 21, 2026 04:18 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Substack
Document: Substack Privacy Policy
Record ID: CA-P-006890
Captured: 2026-05-21 04:18:30 UTC
SHA-256: a4d2324534904f4f…
URL: https://conductatlas.com/platform/substack/substack-privacy-policy/contact-syncing-and-address-book-data-collection/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Substack's Contact Syncing and Address Book Data Collection clause do?

This provision discloses data collection about non-Substack users through address book syncing, which may occur without the knowledge of the individuals whose contact information is collected. The policy limits collection to email addresses and phone numbers stored as hashes, and limits use to contact syncing purposes.

How does this clause affect you?

Under this clause, Substack may collect and store hashed versions of email addresses and phone numbers from address book uploads by other users, even for individuals who do not have Substack accounts. The policy states this data is used solely for contact syncing and is stored in hashed form.

Is ConductAtlas affiliated with Substack?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.