Substack employees can read your private messages for a range of reasons including enforcing rules, security, support, or simply as needed to operate the service, and automated systems also scan message content.
This analysis describes what Substack's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The 'as otherwise necessary to provide our services' language is a broad catch-all that extends staff access to direct message contents beyond specific safety or legal scenarios, which may not align with user expectations of private messaging.
Interpretive note: The scope of 'as otherwise necessary to provide our services' is operationally ambiguous and may be interpreted more or less broadly depending on enforcement context or applicable law.
Substack now discloses that it shares account identifiers, such as email addresses and usernames, with trusted industry child safety organizations to detect and prevent online child sexual exploitati…
This provision means your Substack direct messages are subject to human review by company staff and automated scanning, across a range of operational purposes, which users treating the platform as a private messaging service should carefully consider.
Cross-platform context
See how other platforms handle Staff Access to Direct Message Contents and similar clauses.
Compare across platforms →Monitoring
Substack has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"While we maintain strict internal access controls on direct messaging content, keep in mind that Substack personnel may access the contents of direct messages to enforce our Terms of Use, ensure the security of our platform, to provide user support, or as otherwise necessary to provide our services. We may also use automated means to ensure the safety of direct messaging content, including scanning for spam, malicious content, and child abuse material.— Excerpt from Substack's Substack Privacy Policy
REGULATORY LANDSCAPE: This provision implicates GDPR Article 6 legal basis requirements for processing personal data (specifically message content) and Article 5 data minimization principles. The open-ended 'as otherwise necessary to provide our services' basis may require additional specification to satisfy GDPR's requirement that processing purposes be explicit and legitimate. The Electronic Communications Privacy Act (ECPA) in the US context may also be relevant to the interception or access of stored electronic communications. GOVERNANCE EXPOSURE: High. The catch-all access authorization ('as otherwise necessary to provide our services') is operationally broad. While internal access controls are referenced, no specifics are provided about what those controls entail, making it difficult to assess whether they constitute adequate technical and organizational measures under GDPR Article 32. JURISDICTION FLAGS: EU and UK users have enforceable rights under GDPR and UK GDPR to know the specific legal basis for processing their communications content. California residents may invoke CCPA rights regarding message content as personal information. The breadth of the access authorization may face scrutiny under stricter European data protection frameworks. CONTRACT AND VENDOR IMPLICATIONS: The use of automated scanning tools, potentially involving third-party providers, for content moderation on private messages should be documented in a data processing agreement. The policy does not specify which automated scanning vendors are used, which may create a gap in third-party risk management documentation. COMPLIANCE CONSIDERATIONS: Compliance teams should document the specific legal basis for each staff access scenario under GDPR Article 6, and should assess whether the current policy language is sufficiently specific. Internal access logs for direct message content should be maintained and auditable. The automated scanning systems used should be assessed for compliance with applicable AI and content moderation regulations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The 'as otherwise necessary to provide our services' language is a broad catch-all that extends staff access to direct message contents beyond specific safety or legal scenarios, which may not align with user expectations of private messaging.
This provision means your Substack direct messages are subject to human review by company staff and automated scanning, across a range of operational purposes, which users treating the platform as a private messaging service should carefully consider.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Substack.