If Substack is sold, merges with another company, or goes bankrupt, your personal information may be transferred to the new owner as part of that transaction.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This clause establishes the operational framework for customer data continuity during corporate restructuring events. It permits data transfer without requiring individual customer consent as a prerequisite condition, subject to legal constraints by jurisdiction.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →In the event of a sale, merger, or bankruptcy, your Substack personal data including subscription history, payment details, and message metadata could become an asset transferred to a new owner whose privacy practices you have not agreed to.
How other platforms handle this
If you are a resident in the EEA, Switzerland or the UK, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. We may transfer Personal Information from the EEA, Switzerland or the UK to the U.S. and other third countries ...
We may share or transfer personal information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business by another company.
We may share your personal information with third parties in the following circumstances: with service providers who perform services on our behalf; with advertising and analytics partners; with business partners with whom we jointly offer products or services; with other parties with your consent; ...
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Prospective sellers or buyers: We may share and/or transfer customer information in connection with the sale or merger of our business or assets (subject to local laws). Also, if we go out of business, enter bankruptcy, or go through some other change of control.— Excerpt from Substack's Substack Privacy Policy
REGULATORY LANDSCAPE: This provision is standard in commercial privacy policies but engages GDPR Article 6 requirements that any data transfer to a new controller following a business sale must have a valid legal basis. Under GDPR, data subjects should generally be informed of a change in data controller. The FTC has previously taken enforcement action in cases where companies transferred user data to acquirers in ways inconsistent with original privacy representations. The CCPA also requires that acquirers honor the privacy choices made by California users prior to acquisition. GOVERNANCE EXPOSURE: Low to Medium. This is a standard commercial provision, but the absence of a user notification commitment prior to data transfer creates practical uncertainty for users who may wish to delete their data before a change of ownership. The parenthetical 'subject to local laws' acknowledges that jurisdictional requirements may constrain the scope of permissible transfers. JURISDICTION FLAGS: EU and UK users have GDPR rights to be informed of changes in data controller identity. California users may have CCPA rights to have their prior opt-out preferences honored by an acquirer. The policy does not specify notification obligations in advance of a transfer. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers relying on Substack for communications infrastructure should include change of control notification provisions in any applicable contractual arrangements, as the current policy does not guarantee advance notice. COMPLIANCE CONSIDERATIONS: Legal teams should evaluate whether the current policy language satisfies GDPR Article 13/14 transparency obligations regarding potential future controllers. A data subject notification protocol for business combination scenarios should be considered as a precautionary governance measure.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This clause establishes the operational framework for customer data continuity during corporate restructuring events. It permits data transfer without requiring individual customer consent as a prerequisite condition, subject to legal constraints by jurisdiction.
In the event of a sale, merger, or bankruptcy, your Substack personal data including subscription history, payment details, and message metadata could become an asset transferred to a new owner whose privacy practices you have not agreed to.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.