This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The disclosure informs users that direct message content is not protected by end-to-end encryption, meaning it may be accessible to parties other than the sender and recipient.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →Users who send direct messages on Substack should be aware that those messages are not end-to-end encrypted and do not carry the protections of a dedicated secure messaging service.
How other platforms handle this
Any non-binding quotes provided by the Zillow Companies for Third-Party Providers' financial products are not intended to be official Loan Estimates as defined in the Real Estate Settlement Procedures Act or the Truth in Lending Act...
If you would like to submit a legally binding request to demand someone else's Personal Data (for example, if you have a subpoena or court order), please review our Guidelines for Legal Requests.
YOU UNDERSTAND THAT FAIRE DOES NOT SCREEN OR INQUIRE INTO THE BACKGROUND OF ANY USERS OF THE SERVICES, NOR DOES FAIRE MAKE ANY ATTEMPT TO VERIFY THE STATEMENTS OF USERS OF THE SERVICES.
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"direct messages are not end-to-end encrypted, and are not a substitute for secure messaging services.— Excerpt from Substack's Substack Privacy Policy
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The disclosure informs users that direct message content is not protected by end-to-end encryption, meaning it may be accessible to parties other than the sender and recipient.
Users who send direct messages on Substack should be aware that those messages are not end-to-end encrypted and do not carry the protections of a dedicated secure messaging service.
ConductAtlas has identified this type of provision across 275 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.