Substack · Substack Privacy Policy · View original document ↗

EU-U.S. Data Privacy Framework Certification

Medium severity High confidence Explicitdocumentlanguage Rare · 3 of 343 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity Substack recorded 5 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for Substack Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.
Document Record

What it is

The policy states that Substack has certified compliance with the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. DPF for transatlantic personal data transfers, and that DPF Principles govern where they conflict with this policy. Dispute resolution for DPF-related complaints is available through TRUSTe at no cost, with binding arbitration available for unresolved residual claims.

This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision establishes the legal mechanism Substack relies on for transferring personal data from the EU, UK, and Switzerland to the US. DPF certification is subject to FTC enforcement, and the policy provides a tiered dispute resolution process for DPF-related complaints, including binding arbitration as a final recourse mechanism.

Recent Activity

This document changed recently

Medium May 5, 2026

Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.

View change record →
Medium Apr 19, 2026

The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.

View change record →

Consumer impact (what this means for users)

Under this clause, EU, UK, and Swiss users' Personal Information transferred to Substack in the US is governed by DPF Principles, which take precedence over this policy in the event of conflict. The policy provides a specific dispute resolution pathway through TRUSTe and, ultimately, binding arbitration for unresolved DPF-related complaints.

How other platforms handle this

Ledger Medium

At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.

Garmin Medium

If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...

Strava Medium

We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...

See all platforms with this clause type →

Monitoring

Substack has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
Substack complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (each, a "DPF") as set forth by the U.S. Department of Commerce. Substack has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. ... Our adherence to the DPFs specified above is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

— Excerpt from Substack's Substack Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: This provision engages GDPR Chapter V (international data transfers), UK GDPR international transfer requirements, and the EU-U.S. DPF adequacy decision issued by the European Commission. The FTC is the named enforcement authority for Substack's DPF commitments. The validity of the EU-U.S. DPF adequacy decision is subject to ongoing legal and political risk, and organizations relying on DPF-based transfers should monitor its status. 2. GOVERNANCE EXPOSURE: Medium. DPF certification provides a current lawful basis for EU-to-US data transfers, but the mechanism's continued validity depends on the adequacy decision remaining in force. Organizations processing EU employee or customer data through Substack should document DPF reliance in their transfer impact assessments and monitor for changes. 3. JURISDICTION FLAGS: EU/EEA, UK, and Swiss users have direct exposure to this provision. Organizations with Swiss operations should note the separate Swiss-U.S. DPF certification. UK users should note that the UK Extension to the EU-U.S. DPF governs UK data transfers. 4. CONTRACT AND VENDOR IMPLICATIONS: Organizations using Substack as a data processor for EU personal data should verify that Substack's DPF certification covers the relevant data categories and processing activities. The policy's statement that onward transfers are conducted under agreements providing the same protections as the DPF is relevant for vendor assessment of sub-processor chains. 5. COMPLIANCE CONSIDERATIONS: Legal teams should maintain a record of Substack's DPF certification status (verifiable at dataprivacyframework.gov) and include monitoring of adequacy decision validity in their data transfer compliance programs. If the EU-U.S. DPF adequacy decision is invalidated, alternative transfer mechanisms such as Standard Contractual Clauses may need to be implemented.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

  • FTC
    The FTC is the named enforcement authority for Substack's DPF commitments and has jurisdiction over compliance with DPF Principles
    File a complaint →

Applicable regulations

CCPA/CPRA
California, USA
Connecticut Data Privacy Act Amendments
US-CT
CAN-SPAM
United States Federal
FTC Act Section 5
United States Federal
GDPR
European Union
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
UK GDPR
United Kingdom
Universal Opt-Out Mechanism Expansion 2026
US
VPPA
United States Federal

Provision details

Document information
Document
Substack Privacy Policy
Entity
Substack
Document last updated
May 5, 2026
Tracking information
First tracked
May 21, 2026
Last verified
May 21, 2026
Record ID
CA-P-006887
Document ID
CA-D-00178
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
a4d2324534904f4fe245001d53f247ef46d8942c06d9e1fa0c0ef9aa893a52ee
Analysis generated
May 21, 2026 04:18 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Substack
Document: Substack Privacy Policy
Record ID: CA-P-006887
Captured: 2026-05-21 04:18:30 UTC
SHA-256: a4d2324534904f4f…
URL: https://conductatlas.com/platform/substack/substack-privacy-policy/eu-us-data-privacy-framework-certification/
Accessed: July 4, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
Medium
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Substack's EU-U.S. Data Privacy Framework Certification clause do?

This provision establishes the legal mechanism Substack relies on for transferring personal data from the EU, UK, and Switzerland to the US. DPF certification is subject to FTC enforcement, and the policy provides a tiered dispute resolution process for DPF-related complaints, including binding arbitration as a final recourse mechanism.

How does this clause affect you?

Under this clause, EU, UK, and Swiss users' Personal Information transferred to Substack in the US is governed by DPF Principles, which take precedence over this policy in the event of conflict. The policy provides a specific dispute resolution pathway through TRUSTe and, ultimately, binding arbitration for unresolved DPF-related complaints.

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 3 platforms. See the full comparison.

Is ConductAtlas affiliated with Substack?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.