The policy establishes that users may submit requests for access, correction, erasure, restriction, portability, and objection to processing, depending on applicable law. The most recent policy update added a one-month response commitment for certain privacy rights requests and the right to object to certain types of processing. Rights are subject to legal limitations including retention obligations.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the procedural framework for user privacy rights requests, with a one-month response commitment added in the May 2026 update. The provision conditions the availability and scope of rights on applicable local law, meaning the rights available to a given user depend on their jurisdiction.
Interpretive note: The provision conditions rights on applicable local law without specifying which rights apply in which jurisdictions, and the right to object provision does not enumerate the specific processing activities subject to objection.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →Under this clause, users in applicable jurisdictions may submit privacy rights requests to privacy@substackinc.com, and the policy commits to a one-month response timeline for certain requests. The agreement states that rights may be limited where Substack has a legal obligation to retain data, including after account deletion.
How other platforms handle this
If you are a California resident, you may have the right to: Know what personal information we collect, use, disclose, sell, or share. Correct inaccurate personal information. Delete your personal information. Opt out of the sale or sharing of your personal information. Limit the use and disclosure ...
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Depending on applicable local laws, you may be entitled to ask Substack for a copy of your Personal Information, to correct it, erase or restrict its processing, or to ask us to transfer some of this information to other organizations. You may also have rights to object to some processing activities or to request restriction of some processing activities. Where we have asked for your consent to process your Personal Information, you may also have the right to withdraw this consent. These rights may be limited in some situations or in accordance with applicable law – for example, we cannot delete your Personal Information when we can demonstrate that we have a legal obligation to retain it.— Excerpt from Substack's Substack Privacy Policy
1. REGULATORY LANDSCAPE: This provision engages GDPR Articles 15 through 22 (data subject rights including access, rectification, erasure, restriction, portability, and objection), UK GDPR equivalents, and CCPA/CPRA rights including the right to know, delete, correct, and opt out. The one-month response commitment is consistent with GDPR Article 12 timelines. The right to object to certain processing types was added in the most recent update and may reflect GDPR Article 21 compliance requirements. 2. GOVERNANCE EXPOSURE: Medium. The policy conditions rights availability on applicable local law, which may create inconsistent user experiences across jurisdictions. The policy does not specify which processing activities are subject to the newly added right to object, creating ambiguity in implementation. 3. JURISDICTION FLAGS: EU/EEA users have the most comprehensive rights under GDPR, including the right to object to legitimate interests processing. California residents have distinct CCPA/CPRA rights addressed in a separate policy. UK users' rights are governed by UK GDPR equivalents. Users in jurisdictions without comprehensive privacy laws may have limited rights under this provision. 4. CONTRACT AND VENDOR IMPLICATIONS: Organizations that have submitted personal data through Substack as part of business operations should establish internal procedures for routing privacy rights requests that involve Substack-held data to the privacy@substackinc.com contact point. 5. COMPLIANCE CONSIDERATIONS: The newly added right to object should be evaluated against the specific processing activities it covers, as the policy does not enumerate them. Compliance teams should assess whether Substack's documented legitimate interests balancing analyses are available on request as the policy states, and whether the one-month response commitment includes procedures for complex or high-volume requests as permitted under GDPR.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the procedural framework for user privacy rights requests, with a one-month response commitment added in the May 2026 update. The provision conditions the availability and scope of rights on applicable local law, meaning the rights available to a given user depend on their jurisdiction.
Under this clause, users in applicable jurisdictions may submit privacy rights requests to privacy@substackinc.com, and the policy commits to a one-month response timeline for certain requests. The agreement states that rights may be limited where Substack has a legal obligation to retain data, including after account deletion.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.