The policy discloses that direct messages on Substack are not end-to-end encrypted and that Substack personnel may access message contents for enforcement, security, support, or service purposes. Automated scanning of direct messages for spam, malicious content, and child abuse material is also disclosed.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that direct message content is accessible to Substack personnel under defined operational circumstances and is subject to automated scanning, which is a material disclosure for users who may treat the direct messaging feature as a confidential communication channel. The terms also state that recipients may retain messages regardless of sender deletion requests, which affects the practical scope of any erasure rights asserted.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →Severity downgraded from 'high' to 'medium', content remains identical.
View full change record →Under this clause, direct messages sent through Substack are not protected by end-to-end encryption and may be accessed by platform personnel for enforcement, security, or support purposes, as well as scanned by automated systems. The agreement states that deleting messages or a Substack account does not obligate recipients to delete copies of messages they have received.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Please note that, at this time, direct messages are not end-to-end encrypted, and are not a substitute for secure messaging services. Direct messaging contents are disclosed to their intended recipients. The platform may restrict your access to direct messages received from other users when those users delete messages or block your account. Nevertheless, please note that — regardless of platform functionality or policy — recipients of direct messages may keep those messages even if you request their deletion, and even if you delete your Substack account.— Excerpt from Substack's Substack Privacy Policy
1. REGULATORY LANDSCAPE: This provision engages GDPR Article 5 (data security and confidentiality principles) and Article 6 (lawful basis for processing), as the policy asserts legitimate interests as the basis for personnel access to message contents. The Electronic Communications Privacy Act (ECPA) may be relevant for US-based users regarding stored communications access. The FTC Act applies to consumer-facing disclosures about data security practices. 2. GOVERNANCE EXPOSURE: Medium. The policy discloses personnel access to message content and automated scanning under defined circumstances, which is operationally relevant for organizations whose employees use Substack direct messaging for professional communications. The lawful basis claimed for this access (legitimate interests) may require a documented balancing test under GDPR to satisfy regulatory scrutiny. 3. JURISDICTION FLAGS: EU/EEA users may have heightened exposure given GDPR confidentiality requirements and the requirement that legitimate interests processing be documented and defensible. The UK ICO has published guidance on employee and user communications monitoring that may be relevant. US state privacy laws vary in their treatment of platform-level access to stored messages. 4. CONTRACT AND VENDOR IMPLICATIONS: Organizations using Substack as a business communication tool should assess whether reliance on Substack direct messaging for sensitive communications is consistent with their own data governance obligations, given the explicit non-encryption disclosure and personnel access reservation. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should evaluate whether internal policies governing employee use of third-party communication platforms address the non-encryption and personnel access disclosures in this provision. Organizations subject to GDPR or sector-specific confidentiality requirements (legal, financial, healthcare) may need to restrict use of Substack direct messaging for sensitive communications.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that direct message content is accessible to Substack personnel under defined operational circumstances and is subject to automated scanning, which is a material disclosure for users who may treat the direct messaging feature as a confidential communication channel. The terms also state that recipients may retain messages regardless of sender deletion requests, which affects the practical scope …
Under this clause, direct messages sent through Substack are not protected by end-to-end encryption and may be accessed by platform personnel for enforcement, security, or support purposes, as well as scanned by automated systems. The agreement states that deleting messages or a Substack account does not obligate recipients to delete copies of messages they have received.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.