Substack shares your personal information with third-party generative AI service providers as part of its normal operations, though the policy does not specify which AI providers are used or what data they receive.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The inclusion of generative AI services in the list of data-sharing recipients is a notable disclosure that may not have been expected by users, and raises questions about what personal data specifically flows to AI systems and for what purposes.
Interpretive note: The provision does not specify which generative AI providers receive personal data or what categories of data are shared, creating ambiguity about the practical scope of AI-related data processing.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitati…
Personal data you provide to Substack, potentially including content you create, account details, or usage data, may be processed by third-party generative AI services, with the specific AI providers and data categories involved not identified in this provision.
How other platforms handle this
We may share your personal data with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf and require access to such information to do that work. We may also share your personal data with advertising partners to display relevant advertising to y...
We may share your personal information with third-party vendors and service providers that perform services on our behalf, such as payment processing, data analysis, email delivery, hosting services, customer service, and marketing assistance.
We may share your information with third-party advertising partners to provide you with targeted advertising. We also work with third-party analytics providers who help us understand how users interact with our Services. These third parties may use cookies, web beacons, and similar tracking technolo...
Monitoring
Substack has changed this document before.
"Our Service Providers: We share your Personal Information with third-party service providers that provide services on our behalf; for example, we use Stripe (a third party payment provider) to receive and process your credit card transactions for us. Such third parties further include, but are not limited to, providers of: website hosting; maintenance services; email services; security services; generative AI services; content delivery networks; customer support operations and software services; traffic and usage analytics services; and cloud storage and computing services." — Excerpt from Substack's Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Article 28, which requires written data processing agreements with any third-party processor handling personal data on behalf of a controller. The identification of 'generative AI services' as a sub-processor category without naming specific providers may create a documentation gap under GDPR. The EU AI Act, which establishes obligations for deployers and providers of AI systems, may also be relevant depending on how personal data is used by the AI service. The FTC's guidance on AI and data practices is a relevant enforcement consideration in the US context.
GOVERNANCE EXPOSURE: Medium. The policy discloses AI service provider data sharing but does not specify which providers, what data categories are shared, or for what purposes. This level of generality may be insufficient for GDPR Article 13/14 transparency obligations, which require that data subjects be informed of the identity of recipients or categories of recipients and the purposes of processing.
JURISDICTION FLAGS: EU and UK users have specific rights under GDPR and UK GDPR to know the identity of data processors and the specific purposes for which their data is shared. California residents have CCPA rights regarding disclosures of personal information to service providers. The use of AI processing of personal data may trigger additional requirements under emerging state AI laws in Colorado, Connecticut, and other US jurisdictions.
CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams reviewing Substack as a platform should request a list of generative AI sub-processors and verify that adequate GDPR Article 28 data processing agreements are in place with each. The policy's 'but are not limited to' language means the list of sub-processors may expand without specific notice, which may be inconsistent with GDPR sub-processor change notification obligations.
COMPLIANCE CONSIDERATIONS: A sub-processor register documenting all generative AI service providers, the data categories shared, and the purposes of processing should be maintained. Legal teams should assess whether current user consent or legitimate interests documentation covers AI-related processing. The policy should be evaluated for whether it meets GDPR transparency obligations regarding AI processing.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.