This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Direct messages on Substack are accessible to Substack personnel for defined operational and enforcement purposes, meaning they are not private from the platform operator.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →Users' direct message contents may be read by Substack personnel for the stated purposes; direct messages are not confidential from Substack.
How other platforms handle this
In some cases we will seek your consent to send you marketing communications.
Where the law allows us to, we may use the content you and other users have posted for training or to help us to improve the way we filter content on our platform.
We also may use automatic scanning technology on messages to allow us to recognize patterns on our messaging platform to make your professional communications more efficient and informed...check links shared in messages for malicious sites and looks for blacklisted keywords to detect spam and fraud.
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Substack personnel may access the contents of direct messages to enforce our Terms of Use, ensure the security of our platform, to provide user support, or as otherwise necessary to provide our services.— Excerpt from Substack's Substack Privacy Policy
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Direct messages on Substack are accessible to Substack personnel for defined operational and enforcement purposes, meaning they are not private from the platform operator.
Users' direct message contents may be read by Substack personnel for the stated purposes; direct messages are not confidential from Substack.
ConductAtlas has identified this type of provision across 280 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.