When you subscribe to or comment on a publication on Substack, the creator of that publication receives your name and email address, and that creator then controls how they use your personal information according to their own privacy policies.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Your personal data does not stay within Substack's control once you engage with a creator's publication; the creator receives it and handles it under their own terms, which users may not have separately reviewed.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →This detailed provision explaining creator data sharing was replaced with the more general 'Creator as Independent Data Controller' provision, potentially reducing transparency around specific data sharing scenarios.
View full change record →Subscribing to or commenting on any Substack publication transfers your name and email address to the individual creator, who operates under their own privacy practices that may differ significantly from Substack's policy and may not offer equivalent protections.
How other platforms handle this
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Loyalty and partner program companies. We share information with our loyalty and partner program companies, like Ulta Beauty and Marriott.
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Creators: when you subscribe to a Creator's publication, we provide them the information necessary (including your name and email address) to provide you their publication(s). Please note that Creators control their own publications; accordingly, when you interact with a Creator's publication in a way that requires your personal information, including when commenting on a publication that you have not subscribed to, that personal information is provided directly to the Creator.— Excerpt from Substack's Substack Privacy Policy
REGULATORY LANDSCAPE: This provision is operationally significant under GDPR because it designates creators as separate data controllers, not processors, for the personal data they receive. Under GDPR, this means Substack and the creator may each be independently responsible for their respective data processing activities, and Substack's data protection obligations to EU users may not extend to the creator's downstream processing. The policy explicitly states that creators have their own privacy practices, which means users bear the burden of reviewing those practices independently. GOVERNANCE EXPOSURE: Medium. The practical consequence of creator-as-independent-controller status is that Substack's privacy commitments, including its DPF certification and CCPA compliance, do not extend to the creator's use of subscriber data. This creates a gap in user protection that may not be obvious at the point of subscription. The policy's disclosure that even commenting on an unsubscribed publication results in personal data transfer to the creator is a broader disclosure trigger than many users would anticipate. JURISDICTION FLAGS: EU users should note that creator-controlled data processing falls outside Substack's GDPR responsibilities; the creator becomes an independent controller and the user's GDPR rights must be exercised directly against the creator. This may be practically difficult for users who do not know the legal identity of the creator entity. CONTRACT AND VENDOR IMPLICATIONS: Enterprise or institutional subscribers using Substack publications in professional contexts should review whether creator data handling practices meet their own internal data governance requirements. The absence of standardized creator privacy terms creates variable risk across the platform. COMPLIANCE CONSIDERATIONS: Legal teams advising EU users should flag that GDPR rights regarding creator-held subscriber data must be exercised against the creator, not Substack. Substack may wish to consider whether a minimum privacy standard for creators would reduce platform-level regulatory exposure, though the current policy does not establish such a standard.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Your personal data does not stay within Substack's control once you engage with a creator's publication; the creator receives it and handles it under their own terms, which users may not have separately reviewed.
Subscribing to or commenting on any Substack publication transfers your name and email address to the individual creator, who operates under their own privacy practices that may differ significantly from Substack's policy and may not offer equivalent protections.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.