This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The clause establishes a data controller relationship where Creators assume independent responsibility for personal information provided through publication interactions. This operationally means Substack's privacy commitments do not extend to Creator-controlled processing, requiring users to reference separate Creator privacy policies to understand information handling practices.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →Users' subscriber information is shared with Creators as a necessary operational function of publication delivery. Users are subject to each Creator's independent privacy practices and terms rather than Substack's stated privacy policy when their information is held by Creators.
How other platforms handle this
We may share personal information with third-party service providers and partners who support our business operations, including identity verification providers, payment processors, analytics providers, marketing partners, and blockchain analytics companies.
We may share information about you and your transactions with Card Networks and our financial services partners. By accepting this agreement, you authorize Stripe to share your information with these entities for purposes including facilitating your use of the Services, complying with applicable law...
Uber may share data about users, including personal information, with law enforcement officials, government authorities, and private parties as required by law, and in response to legal process, court orders, or government requests, including national security or law enforcement requirements.
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"when you subscribe to a Creator's publication, we provide them the information necessary (including your name and email address) to provide you their publication(s). Please note that Creators control their own publications; accordingly, when you interact with a Creator's publication in a way that requires your personal information, including when commenting on a publication that you have not subscribed to, that personal information is provided directly to the Creator. ... This Privacy Policy does not apply to any processing of your Personal Information by Substack as a data processor on behalf of a Creator. Creators will have their own privacy practices governing their use of Personal Information as outlined in their own terms of use and/or privacy policies.— Excerpt from Substack's Substack Privacy Policy
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The clause establishes a data controller relationship where Creators assume independent responsibility for personal information provided through publication interactions. This operationally means Substack's privacy commitments do not extend to Creator-controlled processing, requiring users to reference separate Creator privacy policies to understand information handling practices.
Users' subscriber information is shared with Creators as a necessary operational function of publication delivery. Users are subject to each Creator's independent privacy practices and terms rather than Substack's stated privacy policy when their information is held by Creators.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.