The policy discloses that Substack shares Personal Information with third-party service providers including generative AI services, analytics providers, and cloud computing services. The policy does not identify specific generative AI providers or describe which categories of Personal Information are shared with AI service providers.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision authorizes sharing of Personal Information with generative AI service providers as part of Substack's service provider relationships. The absence of specific provider names and data category limitations for AI services creates uncertainty about the scope of Personal Information that may be processed by third-party AI systems on Substack's behalf.
Interpretive note: The policy does not specify which categories of Personal Information are shared with generative AI service providers or identify the specific providers involved, creating interpretive uncertainty about the scope of this sharing.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →Provision remains materially identical with no changes to content or severity.
View full change record →Under this clause, Personal Information collected by Substack may be shared with generative AI service providers as part of Substack's third-party service provider relationships. The policy does not specify which AI providers receive Personal Information or which data categories are involved.
How other platforms handle this
We may share your personal information with: Service providers who perform services on our behalf. Financial partners, such as banks, payment processors, and financial institutions. Professional advisors, such as lawyers, auditors, and insurers. Business partners with whom we jointly offer products ...
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
We may also share your personal information with third parties that assist us in providing our services, or where we are under an obligation to report to. But rest assured: we will only ever share your personal information in the limited circumstances described in this Policy.
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Our Service Providers: We share your Personal Information with third-party service providers that provide services on our behalf; for example, we use Stripe (a third party payment provider) to receive and process your credit card transactions for us. Such third parties further include, but are not limited to, providers of: website hosting; maintenance services; email services; security services; generative AI services; content delivery networks; customer support operations and software services; traffic and usage analytics services; and cloud storage and computing services.— Excerpt from Substack's Substack Privacy Policy
1. REGULATORY LANDSCAPE: This provision engages GDPR Article 28 (data processing agreements with processors), GDPR Article 13 transparency requirements regarding third-party recipients, and emerging EU AI Act obligations that may apply to AI systems processing personal data. The CCPA requires disclosure of categories of service providers and the business purposes for sharing. The FTC has issued guidance on AI-related data practices that may be relevant. 2. GOVERNANCE EXPOSURE: Medium. The inclusion of generative AI services in the service provider list without specific provider identification or data category limitations creates a due diligence gap. GDPR Article 28 requires documented processing agreements with processors, and the adequacy of those agreements for AI-specific processing is a compliance consideration. 3. JURISDICTION FLAGS: EU/EEA users have heightened exposure given GDPR requirements for specific identification of processor categories and the potential application of EU AI Act obligations. California residents may have CCPA rights to know which service providers receive their Personal Information. 4. CONTRACT AND VENDOR IMPLICATIONS: Procurement and legal teams assessing Substack as a platform for business use should request information about which generative AI service providers receive Personal Information and the contractual terms governing that sharing. This is particularly relevant for organizations whose employees or customers submit personal data through Substack that may be processed by AI systems. 5. COMPLIANCE CONSIDERATIONS: A vendor assessment should be conducted to identify specific generative AI providers, the data categories shared, the purposes of processing, and the data processing agreement terms in place. Organizations subject to GDPR, CCPA, or sector-specific AI governance requirements should evaluate whether Substack's disclosure meets applicable transparency obligations for AI-related data processing.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision authorizes sharing of Personal Information with generative AI service providers as part of Substack's service provider relationships. The absence of specific provider names and data category limitations for AI services creates uncertainty about the scope of Personal Information that may be processed by third-party AI systems on Substack's behalf.
Under this clause, Personal Information collected by Substack may be shared with generative AI service providers as part of Substack's third-party service provider relationships. The policy does not specify which AI providers receive Personal Information or which data categories are involved.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.