You have rights to access, correct, delete, or transfer your personal data held by Substack depending on where you live, and Substack commits to responding to these requests within one month.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The one-month response commitment, newly added in this policy update, gives users a concrete service level expectation for privacy rights requests, which is aligned with GDPR Article 12 requirements and provides an enforceable benchmark for EU users.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →Provision renamed from 'Privacy Rights and One-Month Response Commitment' to 'Privacy Rights Request and One-Month Response Commitment' with identical content.
View full change record →Users who submit data access, correction, or deletion requests to Substack can expect a response within one month under this policy, though the policy notes that applicable law may limit the scope of these rights in certain circumstances.
How other platforms handle this
If you are a California resident, you may have the right to: Know what personal information we collect, use, disclose, sell, or share. Correct inaccurate personal information. Delete your personal information. Opt out of the sale or sharing of your personal information. Limit the use and disclosure ...
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Depending on applicable local laws, you may be entitled to ask Substack for a copy of your Personal Information, to correct it, erase or restrict its processing, or to ask us to transfer some of this information to other organizations. You may also have rights to object to some processing activities or to request restriction of some processing activities. Where we have asked for your consent to process your Personal Information, you may also have the right to withdraw this consent. These rights may be limited in some situations or in accordance with applicable law – for example, we cannot delete your Personal Information when we can demonstrate that we have a legal obligation to retain it. We will respond to any request to exercise your rights within one month of receipt.— Excerpt from Substack's Substack Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Article 12 (response timelines), Article 15 (access), Article 16 (rectification), Article 17 (erasure), Article 18 (restriction), Article 20 (portability), and Article 21 (objection). The one-month response timeline is consistent with GDPR Article 12 requirements, with a two-month extension available for complex requests. The CCPA similarly requires response to verified consumer requests within 45 days. The right to object to profiling-based processing, referenced later in the policy, directly engages GDPR Article 21. GOVERNANCE EXPOSURE: Medium. The one-month commitment creates an operational SLA that requires adequate internal intake, verification, and fulfillment processes. Failure to meet this timeline for EU users could constitute a GDPR violation enforceable by relevant data protection authorities. The provision's caveat that rights may be limited by applicable law, while accurate, means the scope of what Substack will fulfill may vary by jurisdiction. JURISDICTION FLAGS: EU and UK users have the most robust enforceable rights under GDPR and UK GDPR, with supervisory authority oversight. California residents have CCPA rights with a 45-day response window enforced by the California Privacy Protection Agency. Other US users' rights depend on applicable state law, which varies significantly. CONTRACT AND VENDOR IMPLICATIONS: Organizations using Substack in an enterprise context should verify that Substack's privacy rights fulfillment processes can accommodate requests from employees or customers whose data may flow through the platform. B2B contracts may need to address data subject request forwarding obligations. COMPLIANCE CONSIDERATIONS: Internal privacy rights request intake and tracking processes should be reviewed to ensure the one-month SLA is operationally achievable at scale. The right to object to profiling-based personalization, referenced in the policy, should be supported by a clearly documented opt-out mechanism. Data deletion processes should account for the policy's acknowledgment that some data may be retained due to legal obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The one-month response commitment, newly added in this policy update, gives users a concrete service level expectation for privacy rights requests, which is aligned with GDPR Article 12 requirements and provides an enforceable benchmark for EU users.
Users who submit data access, correction, or deletion requests to Substack can expect a response within one month under this policy, though the policy notes that applicable law may limit the scope of these rights in certain circumstances.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.