This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The use of 'may be entitled' conditions these rights on unstated eligibility criteria, meaning they are not guaranteed to every user in every circumstance.
Interpretive note: The phrase 'may be entitled' is a significant legal qualifier indicating that these rights are conditional, not universal. This qualifier is preserved across all fields.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →Depending on applicable entitlements, users may have rights to access, correct, erase, restrict, or transfer their Personal Information held by Substack.
How other platforms handle this
If you choose to reveal any personal information about yourself to other users, you do so at your own risk. We strongly encourage you to use caution in disclosing any personal information online.
The right to request restriction of processing of Personal Data or object to processing of Personal Data carried out pursuant to (i) a legitimate interest...or (ii) performance of a task in the public interest
Right to the portability of your personal data
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"you may be entitled to ask Substack for a copy of your Personal Information, to correct it, erase or restrict its processing, or to ask us to transfer some of this information to other organizations.— Excerpt from Substack's Substack Privacy Policy
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The use of 'may be entitled' conditions these rights on unstated eligibility criteria, meaning they are not guaranteed to every user in every circumstance.
Depending on applicable entitlements, users may have rights to access, correct, erase, restrict, or transfer their Personal Information held by Substack.
ConductAtlas has identified this type of provision across 291 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.