This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The provision establishes procedural obligations for Substack's handling of privacy rights requests and creates a documented timeline mechanism for request fulfillment. It operationalizes user objection rights to legitimate interest processing and requires transparency when processing timelines are extended.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
Users can submit requests to exercise privacy rights with defined response expectations: initial response within one month, or extended response within three months total if the request is complex or multiple requests are made. Users may object to personal information processing conducted for legitimate interests, including behavioral profiling for content personalization, which Substack must accommodate upon request.
How other platforms handle this
If you are a California resident, you may have the right to: Know what personal information we collect, use, disclose, sell, or share. Correct inaccurate personal information. Delete your personal information. Opt out of the sale or sharing of your personal information. Limit the use and disclosure ...
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
If we collect health information from these integrations (such as heart rate), we will not sell or use it for advertising or other similar purposes; we do not disclose it to third parties without your prior consent; and we will only use it for the specific purposes described in this Policy.
Monitoring
Substack has changed this document before.
"We will respond to any request to exercise your rights within one month of receipt. Where your request is complex or you have made a number of requests, we may extend this period by a further two months and will notify you of any such extension, together with the reasons for the delay, within one month of receipt of your request. In particular, where we process your Personal Information on the basis of our legitimate interests — including where we profile you in order to personalise content recommendations — you have the right to object to such processing at any time"
— Excerpt from Substack's Substack Privacy Policy
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.