Substack employees can read your private messages for a range of reasons including enforcing rules, security, support, or simply as needed to operate the service, and automated systems also scan message content.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The 'as otherwise necessary to provide our services' language is a broad catch-all that extends staff access to direct message contents beyond specific safety or legal scenarios, which may not align with user expectations of private messaging.
Interpretive note: The scope of 'as otherwise necessary to provide our services' is operationally ambiguous and may be interpreted more or less broadly depending on enforcement context or applicable law.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitation and abuse. The policy also establishes that Substack will respond to privacy rights requests within one month, or up to three months for complex requests, providing more certainty about response timelines. Additionally, the policy clarifies that direct message recipients may retain messages even if you request deletion or delete your account, which is now explicitly stated rather than implied.
View change record →The updated policy no longer commits to responding to privacy rights requests within one month or within three months for complex requests. This removes a procedural timeline that previously bound Substack's response obligations. Additionally, the explicit disclosure that Substack shares account identifiers with child safety consortia to detect online child sexual exploitation has been removed from the policy, though the practice itself is not stated to have ended. The direct message retention language is now framed more directly: recipients may retain messages even if you request deletion or close your account.
View change record →Removal of explicit disclosure about staff access to direct message contents may obscure internal monitoring practices from users.
View full change record →This provision means your Substack direct messages are subject to human review by company staff and automated scanning, across a range of operational purposes, which users treating the platform as a private messaging service should carefully consider.
How other platforms handle this
Content that you share with other users through our messaging tools (see Filtering of messages sent via our messaging tools under section 11. Other important information regarding data protection for more information).
We process the information you share with us when you create your profile or send messages. This includes photos, videos, messages, and other content you share on the platform. We may use this content to improve our services, ensure safety, and comply with legal obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"While we maintain strict internal access controls on direct messaging content, keep in mind that Substack personnel may access the contents of direct messages to enforce our Terms of Use, ensure the security of our platform, to provide user support, or as otherwise necessary to provide our services. We may also use automated means to ensure the safety of direct messaging content, including scanning for spam, malicious content, and child abuse material.— Excerpt from Substack's Substack Privacy Policy
REGULATORY LANDSCAPE: This provision implicates GDPR Article 6 legal basis requirements for processing personal data (specifically message content) and Article 5 data minimization principles. The open-ended 'as otherwise necessary to provide our services' basis may require additional specification to satisfy GDPR's requirement that processing purposes be explicit and legitimate. The Electronic Communications Privacy Act (ECPA) in the US context may also be relevant to the interception or access of stored electronic communications. GOVERNANCE EXPOSURE: High. The catch-all access authorization ('as otherwise necessary to provide our services') is operationally broad. While internal access controls are referenced, no specifics are provided about what those controls entail, making it difficult to assess whether they constitute adequate technical and organizational measures under GDPR Article 32. JURISDICTION FLAGS: EU and UK users have enforceable rights under GDPR and UK GDPR to know the specific legal basis for processing their communications content. California residents may invoke CCPA rights regarding message content as personal information. The breadth of the access authorization may face scrutiny under stricter European data protection frameworks. CONTRACT AND VENDOR IMPLICATIONS: The use of automated scanning tools, potentially involving third-party providers, for content moderation on private messages should be documented in a data processing agreement. The policy does not specify which automated scanning vendors are used, which may create a gap in third-party risk management documentation. COMPLIANCE CONSIDERATIONS: Compliance teams should document the specific legal basis for each staff access scenario under GDPR Article 6, and should assess whether the current policy language is sufficiently specific. Internal access logs for direct message content should be maintained and auditable. The automated scanning systems used should be assessed for compliance with applicable AI and content moderation regulations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The 'as otherwise necessary to provide our services' language is a broad catch-all that extends staff access to direct message contents beyond specific safety or legal scenarios, which may not align with user expectations of private messaging.
This provision means your Substack direct messages are subject to human review by company staff and automated scanning, across a range of operational purposes, which users treating the platform as a private messaging service should carefully consider.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.