You have rights to access, correct, delete, or transfer your personal data held by Substack depending on where you live, and Substack commits to responding to these requests within one month.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The one-month response commitment, newly added in this policy update, gives users a concrete service level expectation for privacy rights requests, which is aligned with GDPR Article 12 requirements and provides an enforceable benchmark for EU users.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitati…
Users who submit data access, correction, or deletion requests to Substack can expect a response within one month under this policy, though the policy notes that applicable law may limit the scope of these rights in certain circumstances.
How other platforms handle this
If you are a California resident, you may have certain rights under the California Consumer Privacy Act (CCPA). These rights may include: the right to know about personal information collected, disclosed, or sold; the right to delete personal information collected from you; the right to opt-out of t...
Depending on where you live, you may have certain rights with respect to your personal information. These rights may include: The right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which we collected i...
If you are located in the European Economic Area or the United Kingdom, you have certain rights under applicable data protection laws, including the right to access, correct, or delete your personal data, the right to object to or restrict processing, and the right to data portability. You may also ...
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Depending on applicable local laws, you may be entitled to ask Substack for a copy of your Personal Information, to correct it, erase or restrict its processing, or to ask us to transfer some of this information to other organizations. You may also have rights to object to some processing activities or to request restriction of some processing activities. Where we have asked for your consent to process your Personal Information, you may also have the right to withdraw this consent. These rights may be limited in some situations or in accordance with applicable law – for example, we cannot delete your Personal Information when we can demonstrate that we have a legal obligation to retain it. We will respond to any request to exercise your rights within one month of receipt.— Excerpt from Substack's Substack Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Article 12 (response timelines), Article 15 (access), Article 16 (rectification), Article 17 (erasure), Article 18 (restriction), Article 20 (portability), and Article 21 (objection). The one-month response timeline is consistent with GDPR Article 12 requirements, with a two-month extension available for complex requests. The CCPA similarly requires response to verified consumer requests within 45 days. The right to object to profiling-based processing, referenced later in the policy, directly engages GDPR Article 21. GOVERNANCE EXPOSURE: Medium. The one-month commitment creates an operational SLA that requires adequate internal intake, verification, and fulfillment processes. Failure to meet this timeline for EU users could constitute a GDPR violation enforceable by relevant data protection authorities. The provision's caveat that rights may be limited by applicable law, while accurate, means the scope of what Substack will fulfill may vary by jurisdiction. JURISDICTION FLAGS: EU and UK users have the most robust enforceable rights under GDPR and UK GDPR, with supervisory authority oversight. California residents have CCPA rights with a 45-day response window enforced by the California Privacy Protection Agency. Other US users' rights depend on applicable state law, which varies significantly. CONTRACT AND VENDOR IMPLICATIONS: Organizations using Substack in an enterprise context should verify that Substack's privacy rights fulfillment processes can accommodate requests from employees or customers whose data may flow through the platform. B2B contracts may need to address data subject request forwarding obligations. COMPLIANCE CONSIDERATIONS: Internal privacy rights request intake and tracking processes should be reviewed to ensure the one-month SLA is operationally achievable at scale. The right to object to profiling-based personalization, referenced in the policy, should be supported by a clearly documented opt-out mechanism. Data deletion processes should account for the policy's acknowledgment that some data may be retained due to legal obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The one-month response commitment, newly added in this policy update, gives users a concrete service level expectation for privacy rights requests, which is aligned with GDPR Article 12 requirements and provides an enforceable benchmark for EU users.
Users who submit data access, correction, or deletion requests to Substack can expect a response within one month under this policy, though the policy notes that applicable law may limit the scope of these rights in certain circumstances.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.