Substack uses cookies to track your use of its website, and if another user syncs their contacts, your email address or phone number may be collected and stored as a hashed value. The policy says hashed, not encrypted: there is no key that recovers the original, but a fast, unsalted hash of a phone number or email address can still be reversed by hashing candidate values and comparing digests.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The provision establishes data collection mechanisms across multiple sources—contact syncing and cookie-based tracking—and specifies the storage format (hashed values) for address book data, defining the scope of permissible information gathering.
Interpretive note: The full cookies section is referenced but not reproduced in the provided document text, meaning the complete scope of tracking practices cannot be fully assessed from this provision alone.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
Non-users' email addresses and phone numbers may be collected without their direct interaction with Substack if an existing user syncs their address book, a practice with implications for individuals who have not consented to Substack data collection.
How other platforms handle this
Your use of the Services is also governed by our Privacy Policy, which is incorporated into these Terms by reference. By using the Services, you consent to the data collection and use practices described in the Privacy Policy. Roblox collects information you provide directly, information collected a...
We collect information about you in a variety of ways depending on how you interact with us and our products and services. This includes information you provide directly, information we collect automatically when you use our services, and information we receive from third parties. We may collect ide...
Tabnine may collect and use technical data and related information, including but not limited to technical information about your device, system and application software, and usage data regarding your use of the Services (including code completion statistics and plugin interaction data), to facilita...
Monitoring
Substack has changed this document before.
"We may also collect information about you when one of our users syncs their address book information with our app for contact syncing purposes. This information collection is strictly limited to email addresses and phone numbers, and any information collected in this manner is securely stored only as hashed values. Finally, we also collect information on the use of our website via Cookies. Please view the section "Cookies" below for more information." — Excerpt from Substack's Privacy Policy
REGULATORY LANDSCAPE: The collection of non-user contact information through address book syncing engages GDPR and ePrivacy Directive obligations, because the individuals whose data is collected have not directly consented to Substack processing their personal data. Under GDPR, Substack needs a valid legal basis for this processing, and Article 14 requires informing data subjects whose data is obtained from a source other than the data subject. The FTC has taken enforcement action against platforms that collected non-user contact data without adequate disclosure. The ePrivacy Directive's cookie consent requirements apply to the cookie-based tracking.
GOVERNANCE EXPOSURE: Medium. The address book syncing practice affects individuals who are not Substack users and have not agreed to its privacy policy, which creates a third-party data subject exposure. The policy states that data is stored only as hashed values, but hashing does not remove the need for a documented legal basis: a hash of an email address or phone number is pseudonymised personal data, not anonymised data, because the input space is small enough that a plain, unsalted hash can be reversed by hashing candidate values and comparing. Cookie consent compliance varies by jurisdiction, and the adequacy of the consent mechanism should be verified.
JURISDICTION FLAGS: EU and UK users and non-users have specific rights under GDPR and the ePrivacy Directive regarding cookie consent and third-party data collection. California non-users whose data is collected through contact syncing may have CCPA rights regarding data collected about them. The Illinois Biometric Information Privacy Act (BIPA) is not directly implicated here, as the data is limited to email addresses and phone numbers, but state AG offices in various jurisdictions may scrutinize non-user data collection.
CONTRACT AND VENDOR IMPLICATIONS: The policy's reference to the separate Cookies section (which is not reproduced in this document) means a complete compliance assessment requires review of that section as well. Cookie audit tools and consent management platform adequacy should be assessed for EU and UK compliance.
COMPLIANCE CONSIDERATIONS: A GDPR Article 14 disclosure mechanism for non-user data subjects whose contact information is collected through address book syncing should be evaluated. Cookie consent mechanisms should be audited for compliance with applicable ePrivacy and GDPR requirements. The hashing of contact data should be documented as a privacy-enhancing technical measure, together with the construction used (hash algorithm, whether a secret key or salt is applied, and who holds the key), since an unkeyed hash of a phone number offers little protection against enumeration.
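As an added illustration of the hashing caveat above (example code written for this analysis, not Substack's implementation, which the policy does not describe beyond "hashed values"; the phone numbers, the number prefix and the server key are constructed assumptions), the following Python shows why an unsalted hash of a phone number is pseudonymisation rather than anonymisation, and how a keyed hash (HMAC) closes the enumeration path for anyone who does not hold the key:

```python
import hashlib
import hmac
import itertools
from typing import Callable, Dict, Iterable

# Constructed sample data (not from Substack): three fictional phone numbers in
# E.164 form, all under the same hypothetical prefix so a small enumeration covers them.
SAMPLE_NUMBERS = ["+15550100001", "+15550100237", "+15550109999"]

# Assumed server-side secret for the keyed variant; in a real deployment this
# would live in a KMS/HSM, never in source.
SERVER_KEY = b"example-only-not-a-real-key"


def normalise(value: str) -> str:
    """Canonicalise before hashing so the same contact always maps to the same
    digest (strip whitespace, lowercase emails). Phone numbers are assumed to
    already be in E.164 form."""
    return value.strip().lower()


def hash_identifier(value: str) -> str:
    """Unsalted SHA-256: the naive reading of 'stored only as hashed values'."""
    return hashlib.sha256(normalise(value).encode()).hexdigest()


def keyed_hash_identifier(value: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 under a secret key. Without the key a candidate cannot be
    hashed for comparison, so enumeration fails; with the key the controller can
    still match against its own user table. Still pseudonymisation, not anonymisation."""
    return hmac.new(key, normalise(value).encode(), hashlib.sha256).hexdigest()


def recover_numbers(
    digests: Iterable[str],
    guess_fn: Callable[[str], str] = hash_identifier,
    prefix: str = "+1555010",
    digits: int = 4,
) -> Dict[str, str]:
    """Dictionary attack: enumerate every number under a known prefix, hash each
    candidate with guess_fn and match it against the stored digests.
    Returns {digest: recovered_number} for every digest that was reversed.

    This enumerates 10**digits candidates; a full North American numbering plan
    is about 10**10, still within reach of commodity hardware for a fast unsalted hash."""
    targets = set(digests)
    found: Dict[str, str] = {}
    for combo in itertools.product("0123456789", repeat=digits):
        candidate = prefix + "".join(combo)
        digest = guess_fn(candidate)
        if digest in targets:
            found[digest] = candidate
            if len(found) == len(targets):
                break
    return found


def demo() -> dict:
    """Run both designs against the same attacker: knows the prefix, lacks SERVER_KEY."""
    plain = [hash_identifier(n) for n in SAMPLE_NUMBERS]
    keyed = [keyed_hash_identifier(n) for n in SAMPLE_NUMBERS]
    return {
        # every unsalted digest is reversed
        "plain_recovered": recover_numbers(plain),
        # attacker hashes candidates without the key, so nothing matches
        "keyed_recovered": recover_numbers(keyed),
        # the key holder still gets a stable value to match against its user table
        "keyed_matches_server": keyed_hash_identifier(SAMPLE_NUMBERS[0]) == keyed[0],
    }


if __name__ == "__main__":
    result = demo()
    print(f"unsalted SHA-256: recovered {len(result['plain_recovered'])}/{len(SAMPLE_NUMBERS)}")
    print(f"HMAC without key: recovered {len(result['keyed_recovered'])}/{len(SAMPLE_NUMBERS)}")
```

The same enumeration works against hashed email addresses using a list of known addresses (for example from public breach corpora) instead of a numeric range. The keyed construction only shifts the question to key custody: whoever holds SERVER_KEY can still reverse a digest by enumeration, which is why the hashed data remains personal data for the controller even when it is protected against outsiders.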
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.