Substack is certified under the EU-U.S. Data Privacy Framework, which provides a mechanism for legally transferring personal data from Europe to the US, and EU users have access to a free dispute resolution process and ultimately binding arbitration if they have unresolved privacy complaints.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
For EU, UK, and Swiss users, DPF certification means Substack is committed to a set of data protection principles that govern how their data is handled in the US, and they have access to a structured dispute resolution process independent of Substack if those principles are violated.
Interpretive note: The legal stability of the EU-U.S. Data Privacy Framework remains subject to potential judicial challenge in European courts, which could affect the adequacy of this transfer mechanism prospectively.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →Severity elevated from 'low' to 'medium', and clarifying language '(each, a "DPF")' was added for definitional purposes.
View full change record →EU, UK, and Swiss users benefit from DPF protections that require Substack to handle their data according to specified principles, and they have access to a free external dispute resolution mechanism and binding arbitration as a last resort for unresolved complaints.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Substack complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Substack has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.— Excerpt from Substack's Substack Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages the EU-U.S. Data Privacy Framework administered by the U.S. Department of Commerce and subject to FTC enforcement, as explicitly acknowledged in the policy. The DPF is the primary cross-border data transfer mechanism used by Substack for EU, UK, and Swiss personal data, replacing earlier Standard Contractual Clauses or Privacy Shield reliance. The European Commission's adequacy decision for the DPF remains subject to potential legal challenge, and compliance teams should monitor developments in this area. UK adequacy arrangements are governed by the UK Extension rather than the main EU DPF adequacy decision. GOVERNANCE EXPOSURE: Medium. DPF certification creates binding obligations on Substack's onward transfers and sub-processor arrangements. The policy states that DPF Principles govern in the event of conflict with policy terms, which provides a protective floor for EU and UK users but also means that any policy provision inconsistent with DPF Principles may be unenforceable for those users. The FTC's investigatory and enforcement powers over DPF compliance are explicitly acknowledged. JURISDICTION FLAGS: This provision applies specifically to EU, UK, and Swiss users. Non-DPF jurisdictions (including much of the rest of the world) would not benefit from these protections. Compliance teams should confirm that DPF certification is current and verified at dataprivacyframework.gov. Any lapse in certification would require an alternative transfer mechanism such as Standard Contractual Clauses. CONTRACT AND VENDOR IMPLICATIONS: The policy states that onward transfers under the DPF are made only under agreements providing the same protections as the DPF, which imposes a contractual obligation on sub-processor agreements. B2B customers relying on Substack to process EU personal data should verify this commitment in their own data processing agreements. COMPLIANCE CONSIDERATIONS: DPF certification status should be verified periodically at dataprivacyframework.gov. Internal sub-processor agreements should be audited to confirm they satisfy DPF onward transfer requirements. Legal teams should maintain a contingency plan for alternative transfer mechanisms in case DPF adequacy is challenged or revoked.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
For EU, UK, and Swiss users, DPF certification means Substack is committed to a set of data protection principles that govern how their data is handled in the US, and they have access to a structured dispute resolution process independent of Substack if those principles are violated.
EU, UK, and Swiss users benefit from DPF protections that require Substack to handle their data according to specified principles, and they have access to a free external dispute resolution mechanism and binding arbitration as a last resort for unresolved complaints.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.