Substack · Substack Privacy Policy · View original document ↗

Data Transfer on Business Sale or Merger

Low severity High confidence Explicitdocumentlanguage Unique · 0 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity Substack recorded 5 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for Substack Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

If Substack is sold, merges with another company, or goes bankrupt, your personal information may be transferred to the new owner as part of that transaction.

This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

Your personal data could be transferred to a different company with potentially different privacy practices if Substack undergoes a change of ownership, and the policy does not guarantee notice to users before such a transfer occurs.

Recent Activity

This document changed recently

Medium May 5, 2026

Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.

View change record →
Medium Apr 19, 2026

The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.

View change record →

Consumer impact (what this means for users)

In the event of a sale, merger, or bankruptcy, your Substack personal data including subscription history, payment details, and message metadata could become an asset transferred to a new owner whose privacy practices you have not agreed to.

How other platforms handle this

Character.AI Medium

We may disclose certain information, in connection with or during negotiations or closing of any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

Discord Medium

We may share your information in connection with, or during negotiations of, any merger, sale of company assets, financing, acquisition, or dissolution, transaction, or proceeding involving all or a portion of our business.

MetaMask Medium

We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.

See all platforms with this clause type →

Monitoring

Substack has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
Prospective sellers or buyers: We may share and/or transfer customer information in connection with the sale or merger of our business or assets (subject to local laws). Also, if we go out of business, enter bankruptcy, or go through some other change of control.

— Excerpt from Substack's Substack Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision is standard in commercial privacy policies but engages GDPR Article 6 requirements that any data transfer to a new controller following a business sale must have a valid legal basis. Under GDPR, data subjects should generally be informed of a change in data controller. The FTC has previously taken enforcement action in cases where companies transferred user data to acquirers in ways inconsistent with original privacy representations. The CCPA also requires that acquirers honor the privacy choices made by California users prior to acquisition. GOVERNANCE EXPOSURE: Low to Medium. This is a standard commercial provision, but the absence of a user notification commitment prior to data transfer creates practical uncertainty for users who may wish to delete their data before a change of ownership. The parenthetical 'subject to local laws' acknowledges that jurisdictional requirements may constrain the scope of permissible transfers. JURISDICTION FLAGS: EU and UK users have GDPR rights to be informed of changes in data controller identity. California users may have CCPA rights to have their prior opt-out preferences honored by an acquirer. The policy does not specify notification obligations in advance of a transfer. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers relying on Substack for communications infrastructure should include change of control notification provisions in any applicable contractual arrangements, as the current policy does not guarantee advance notice. COMPLIANCE CONSIDERATIONS: Legal teams should evaluate whether the current policy language satisfies GDPR Article 13/14 transparency obligations regarding potential future controllers. A data subject notification protocol for business combination scenarios should be considered as a precautionary governance measure.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC has authority to evaluate whether data transfers in business combination scenarios are consistent with prior privacy representations made to consumers.
    File a complaint →

Applicable regulations

CCPA/CPRA
California, USA
Connecticut Data Privacy Act Amendments
US-CT
CAN-SPAM
United States Federal
FTC Act Section 5
United States Federal
GDPR
European Union
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
UK GDPR
United Kingdom
Universal Opt-Out Mechanism Expansion 2026
US
VPPA
United States Federal

Provision details

Document information
Document
Substack Privacy Policy
Entity
Substack
Document last updated
May 5, 2026
Tracking information
First tracked
May 11, 2026
Last verified
May 11, 2026
Record ID
CA-P-010314
Document ID
CA-D-00178
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
69d115f06fc1e4f75cab0566ca01b279d70be9b2c99c4c197c67a2922d1622b7
Analysis generated
May 11, 2026 04:34 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Substack
Document: Substack Privacy Policy
Record ID: CA-P-010314
Captured: 2026-05-11 04:34:06 UTC
SHA-256: 69d115f06fc1e4f7…
URL: https://conductatlas.com/platform/substack/substack-privacy-policy/data-transfer-on-business-sale-or-merger/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Low
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Substack's Data Transfer on Business Sale or Merger clause do?

Your personal data could be transferred to a different company with potentially different privacy practices if Substack undergoes a change of ownership, and the policy does not guarantee notice to users before such a transfer occurs.

How does this clause affect you?

In the event of a sale, merger, or bankruptcy, your Substack personal data including subscription history, payment details, and message metadata could become an asset transferred to a new owner whose privacy practices you have not agreed to.

Is ConductAtlas affiliated with Substack?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.