Substack · Substack Privacy Policy · View original document ↗

Right to access, correct, erase, or restrict personal information

High severity High confidence Explicitdocumentlanguage Common · 291 of 352 platforms
Share 𝕏 Share in Share 🔒 PDF
Recent governance activity Substack recorded 4 documented changes in the last 30 days.
Start monitoring updates
Monitor governance changes for Substack Create a free account to receive the weekly governance digest and monitor one platform for governance changes.
Create free account No credit card required.

This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The use of 'may be entitled' conditions these rights on unstated eligibility criteria, meaning they are not guaranteed to every user in every circumstance.

Interpretive note: The phrase 'may be entitled' is a significant legal qualifier indicating that these rights are conditional, not universal. This qualifier is preserved across all fields.

Recent Activity

This document changed recently

Medium May 5, 2026

Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.

View change record →
Medium Apr 19, 2026

The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.

View change record →

Consumer impact (what this means for users)

Depending on applicable entitlements, users may have rights to access, correct, erase, restrict, or transfer their Personal Information held by Substack.

How other platforms handle this

Tinder Medium

If you choose to reveal any personal information about yourself to other users, you do so at your own risk. We strongly encourage you to use caution in disclosing any personal information online.

Skillshare Medium

The right to request restriction of processing of Personal Data or object to processing of Personal Data carried out pursuant to (i) a legitimate interest...or (ii) performance of a task in the public interest

Discord Medium

Right to the portability of your personal data

See all platforms with this clause type →

Monitoring

Substack has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Get Monitor Or create a free account →
▸ View Original Clause Language DOCUMENT RECORD
"
you may be entitled to ask Substack for a copy of your Personal Information, to correct it, erase or restrict its processing, or to ask us to transfer some of this information to other organizations.

— Excerpt from Substack's Substack Privacy Policy

Applicable regulations

CCPA/CPRA
California, USA
Connecticut Data Privacy Act Amendments
US-CT
CAN-SPAM
United States Federal
FTC Act Section 5
United States Federal
GDPR
European Union
Indiana Consumer Data Protection Act
US-IN
Kentucky Consumer Data Protection Act
US-KY
UK GDPR
United Kingdom
Universal Opt-Out Mechanism Expansion 2026
US
VPPA
United States Federal

Provision details

Document information
Document
Substack Privacy Policy
Entity
Substack
Document last updated
May 5, 2026
Tracking information
First tracked
May 21, 2026
Last verified
May 21, 2026
Record ID
CA-P-028139
Document ID
CA-D-00178
Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256)
a4d2324534904f4fe245001d53f247ef46d8942c06d9e1fa0c0ef9aa893a52ee
Analysis generated
May 21, 2026 04:18 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: Substack
Document: Substack Privacy Policy
Record ID: CA-P-028139
Captured: 2026-05-21 04:18:30 UTC
SHA-256: a4d2324534904f4f…
URL: https://conductatlas.com/platform/substack/substack-privacy-policy/provision/CA-P-028139/right-to-access-correct-erase-or-restrict-personal-information/
Accessed: July 12, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity
High
Categories

Other risks in this policy

Related Analysis

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies
Get Compliance

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Substack's Right to access, correct, erase, or restrict personal information clause do?

The use of 'may be entitled' conditions these rights on unstated eligibility criteria, meaning they are not guaranteed to every user in every circumstance.

How does this clause affect you?

Depending on applicable entitlements, users may have rights to access, correct, erase, restrict, or transfer their Personal Information held by Substack.

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 291 platforms. See the full comparison.

Is ConductAtlas affiliated with Substack?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.