The policy establishes that when Substack processes subscriber Personal Information on behalf of a Creator, that processing falls outside the scope of this Privacy Policy and is instead governed by the Creator's own privacy practices. Subscribers who interact with Creator publications are directed to the Creator's own terms and privacy policies for information about how that data is used.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes a data controller boundary that places responsibility for subscriber data governance on individual Creators when Substack acts as a processor on their behalf. The practical implication is that subscriber privacy rights and data handling practices vary across publications, and Substack's policy does not govern those interactions, which may require subscribers to review multiple separate privacy policies.
Interpretive note: The operational boundary between Substack as controller and Substack as processor on behalf of Creators may be subject to regulatory interpretation under GDPR and CCPA, particularly where Substack infrastructure processes subscriber data in ways that benefit both Substack and Creators simultaneously.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →This new provision clarifies the scope limitations of Substack's privacy policy and transfers responsibility for Creator data practices to individual creators, potentially reducing Substack's liability.
View full change record →Under this clause, Personal Information provided when subscribing to or interacting with a Creator's publication is governed by that Creator's own privacy policy rather than Substack's, meaning the protections and rights described in this policy may not apply to Creator-level data processing. The agreement states that when commenting on a publication the user has not subscribed to, that personal information is provided directly to the Creator.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"This Privacy Policy only applies to the processing of your Personal Information by Substack as a data controller, meaning where we process your Personal Information for our purposes. This Privacy Policy does not apply to any processing of your Personal Information by Substack as a data processor on behalf of a Creator. Creators will have their own privacy practices governing their use of Personal Information as outlined in their own terms of use and/or privacy policies.— Excerpt from Substack's Substack Privacy Policy
1. REGULATORY LANDSCAPE: This provision engages GDPR Articles 4, 26, 28, and 29 regarding the delineation of controller and processor roles. Where Substack processes EU subscriber data on behalf of Creators, GDPR Article 28 requires a documented data processing agreement. The extent to which individual Creators (many of whom may be individuals or small businesses) satisfy their own GDPR controller obligations is a separate compliance question not addressed by this policy. The CCPA similarly distinguishes between businesses and service providers in ways that this provision implicates. 2. GOVERNANCE EXPOSURE: High for institutional compliance teams assessing subscriber data flows. The policy does not describe what contractual requirements Substack imposes on Creators acting as data controllers, which creates uncertainty about the data governance framework governing subscriber personal information across the platform. 3. JURISDICTION FLAGS: EU/EEA users face heightened exposure because GDPR requires identifiable controllers to fulfill transparency and rights obligations, and Creator-level compliance with these obligations is outside Substack's stated policy scope. California residents may find that Creator-specific data practices are not captured in Substack's CCPA policy. 4. CONTRACT AND VENDOR IMPLICATIONS: Organizations subscribing to Substack publications through enterprise or institutional accounts should assess whether Creators they subscribe to have adequate privacy frameworks in place, as Substack's policy expressly disclaims responsibility for Creator-level processing. Publisher Agreement review may be warranted to assess what data governance obligations Substack imposes on Creators contractually. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should conduct a data mapping exercise to identify which Personal Information flows to Creators versus Substack, and assess whether Creator privacy policies meet applicable legal standards for relevant jurisdictions. Substack's Publisher Agreement (referenced in the document navigation) may contain relevant data processing obligations that supplement this policy.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes a data controller boundary that places responsibility for subscriber data governance on individual Creators when Substack acts as a processor on their behalf. The practical implication is that subscriber privacy rights and data handling practices vary across publications, and Substack's policy does not govern those interactions, which may require subscribers to review multiple separate privacy policies.
Under this clause, Personal Information provided when subscribing to or interacting with a Creator's publication is governed by that Creator's own privacy policy rather than Substack's, meaning the protections and rights described in this policy may not apply to Creator-level data processing. The agreement states that when commenting on a publication the user has not subscribed to, that personal information …
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.