This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The provision establishes a mechanism for data sharing that operates outside the named partner disclosures in the privacy policy, conditioned on the anonymization standard described. The operational significance turns on whether Substack's anonymization process meets the stated threshold of preventing individual re-identification, and whether the universe of 'trusted partners' is defined elsewhere or remains subject to Substack's determination.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →Users' anonymized data may be shared with partners not listed in the privacy policy, provided the anonymization prevents individual re-identification. The terms do not require advance notice of which partners receive such data or establish a process for users to access or object to specific sharing arrangements with unnamed entities.
How other platforms handle this
We may share your personal information with third parties in the following circumstances: With service providers who perform services on our behalf, such as data analytics, marketing, customer service, and technology services. With financial partners, including banks, brokerage firms, and payment pr...
Sending you information about Adobe products and services, special offers and similar information, and sharing your information with third parties for their own marketing purposes, where your consent is not required; In some cases, in order to show you more relevant ads, we disclose with social medi...
We may share your information with third parties that perform services on our behalf, such as payment processing, data analysis, email delivery, hosting services, customer service, and marketing assistance. We may also share your information with business partners who offer products or services that...
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"In certain cases, we may anonymize your Personal Information in such a way that you can no longer be identified as an individual, and we reserve the right to use and share such anonymized information to trusted partners not specified here. However, we never disclose aggregated or de-identified information in a manner that could identify you as an individual.— Excerpt from Substack's Substack Privacy Policy
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The provision establishes a mechanism for data sharing that operates outside the named partner disclosures in the privacy policy, conditioned on the anonymization standard described. The operational significance turns on whether Substack's anonymization process meets the stated threshold of preventing individual re-identification, and whether the universe of 'trusted partners' is defined elsewhere or remains subject to Substack's determination.
Users' anonymized data may be shared with partners not listed in the privacy policy, provided the anonymization prevents individual re-identification. The terms do not require advance notice of which partners receive such data or establish a process for users to access or object to specific sharing arrangements with unnamed entities.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.