This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
EU, UK, and Swiss users can rely on DPF protections for their data transferred to Substack in the US, but the DPF's political and legal stability has been contested, and any future invalidation would affect data transfer legality.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitati…
Substack collects a wide range of personal data including payment details, location, device identifiers, and direct message contents, and shares this data with service providers including generative AI services, creators, and industry child safety organizations. The lack of end-to-end encryption on direct messages is a meaningful privacy limitation for users who may assume private communications are protected, as Substack personnel may access message content and recipients can retain messages indefinitely even after deletion requests. You can request access to, correction of, or deletion of your personal data by emailing privacy@substackinc.com, and you can opt out of direct marketing through the unsubscribe mechanism in any marketing communication.
How other platforms handle this
Datadog complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Datadog has certified to the U.S. Department of Commerce that it adheres to the EU-...
Zendesk complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. When Zendesk transfers personal data from the EU, UK, or Switzerland to the United ...
In addition to the above rights, your local laws (including those in the EU, UK, Japan, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Virginia, or Utah) may afford you f...
Monitoring
Substack has changed this document before.
"Substack complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (each, a "DPF") as set forth by the U.S. Department of Commerce. Substack has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. ... Our adherence to the DPFs specified above is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission."
— Excerpt from Substack's Privacy Policy
ConductAtlas has identified this type of provision across 3 platforms.
ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.