Substack is certified under the EU-U.S. Data Privacy Framework, which provides a mechanism for legally transferring personal data from Europe to the US, and EU users have access to a free dispute resolution process and ultimately binding arbitration if they have unresolved privacy complaints.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
For EU, UK, and Swiss users, DPF certification means Substack is committed to a set of data protection principles that govern how their data is handled in the US, and they have access to a structured dispute resolution process independent of Substack if those principles are violated.
Interpretive note: The legal stability of the EU-U.S. Data Privacy Framework remains subject to potential judicial challenge in European courts, which could affect the adequacy of this transfer mechanism prospectively.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitati…
EU, UK, and Swiss users benefit from DPF protections that require Substack to handle their data according to specified principles, and they have access to a free external dispute resolution mechanism and binding arbitration as a last resort for unresolved complaints.
How other platforms handle this
YOU AND UNITY AGREE THAT ANY DISPUTE, CLAIM OR CONTROVERSY ARISING OUT OF OR RELATING TO THESE TERMS OR THE BREACH, TERMINATION, ENFORCEMENT, INTERPRETATION OR VALIDITY THEREOF OR THE USE OF THE SERVICES (COLLECTIVELY, "DISPUTES") WILL BE SETTLED BY BINDING ARBITRATION, EXCEPT THAT EACH PARTY RETAIN...
PLEASE READ THIS SECTION CAREFULLY. IT AFFECTS YOUR LEGAL RIGHTS. IT PROVIDES FOR RESOLUTION OF MOST DISPUTES THROUGH INDIVIDUAL ARBITRATION INSTEAD OF COURT TRIALS AND CLASS ACTIONS. YOU HAVE A RIGHT TO OPT OUT OF THIS ARBITRATION AGREEMENT, AS DESCRIBED BELOW. By agreeing to these Terms, you agree...
You and OpenAI agree to resolve any claims arising out of or relating to these Terms or our Services through final and binding arbitration, except that you may bring claims in small claims court if they qualify. You may opt out of arbitration within 30 days of agreeing to these Terms by writing to u...
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Substack complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Substack has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.— Excerpt from Substack's Substack Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages the EU-U.S. Data Privacy Framework administered by the U.S. Department of Commerce and subject to FTC enforcement, as explicitly acknowledged in the policy. The DPF is the primary cross-border data transfer mechanism used by Substack for EU, UK, and Swiss personal data, replacing earlier Standard Contractual Clauses or Privacy Shield reliance. The European Commission's adequacy decision for the DPF remains subject to potential legal challenge, and compliance teams should monitor developments in this area. UK adequacy arrangements are governed by the UK Extension rather than the main EU DPF adequacy decision. GOVERNANCE EXPOSURE: Medium. DPF certification creates binding obligations on Substack's onward transfers and sub-processor arrangements. The policy states that DPF Principles govern in the event of conflict with policy terms, which provides a protective floor for EU and UK users but also means that any policy provision inconsistent with DPF Principles may be unenforceable for those users. The FTC's investigatory and enforcement powers over DPF compliance are explicitly acknowledged. JURISDICTION FLAGS: This provision applies specifically to EU, UK, and Swiss users. Non-DPF jurisdictions (including much of the rest of the world) would not benefit from these protections. Compliance teams should confirm that DPF certification is current and verified at dataprivacyframework.gov. Any lapse in certification would require an alternative transfer mechanism such as Standard Contractual Clauses. CONTRACT AND VENDOR IMPLICATIONS: The policy states that onward transfers under the DPF are made only under agreements providing the same protections as the DPF, which imposes a contractual obligation on sub-processor agreements. B2B customers relying on Substack to process EU personal data should verify this commitment in their own data processing agreements. COMPLIANCE CONSIDERATIONS: DPF certification status should be verified periodically at dataprivacyframework.gov. Internal sub-processor agreements should be audited to confirm they satisfy DPF onward transfer requirements. Legal teams should maintain a contingency plan for alternative transfer mechanisms in case DPF adequacy is challenged or revoked.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Coinbase's User Agreement includes a mandatory arbitration clause that most users may not have reviewed. Here is what the clause states and how the opt-out process works.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
For EU, UK, and Swiss users, DPF certification means Substack is committed to a set of data protection principles that govern how their data is handled in the US, and they have access to a structured dispute resolution process independent of Substack if those principles are violated.
EU, UK, and Swiss users benefit from DPF protections that require Substack to handle their data according to specified principles, and they have access to a free external dispute resolution mechanism and binding arbitration as a last resort for unresolved complaints.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.