California Privacy Notice

Last updated: January 2024

Changes in the Last Update

  • Provide privacy information about our new direct messaging features


About this California Privacy Notice

This California Privacy Notice is an important part of Substack’s Privacy Policy. While the framework used here is based on the provisions of the California Consumer Privacy Act of 2018 (“CCPA”), we provide the rights described here to all our users. If you are a California resident, please note that the processing of certain personal data about you may be subject to the CCPA and other applicable California state privacy laws. Any capitalized terms not defined in this California Privacy Notice have the same meaning given to them in our Privacy Policy, Terms of Use, and/or the CCPA.

Your Privacy Rights

Individual Rights

The CCPA provides California consumers with several individual rights with respect to Personal Information. Note that these rights apply to individual consumers, not to companies. This section describes those rights in detail and provides information on how to exercise them.

Exercising Your Rights

To exercise any of the rights described in this section, please contact us at privacy@substackinc.com with (i) a complete description of your request, including the specific right(s) you wish to exercise and (ii) sufficient information about you so we can confirm that your request is a verifiable consumer request, including at a minimum your name and email address. Once we have received your verifiable consumer request, we will respond consistent with applicable law.

You may also make a request by mail by sending the information specified above to:

Substack CCPA Requests

111 Sutter Street, 7th Floor

San Francisco, CA, 94104

Please note that you may also designate an authorized agent to make a request on your behalf. In order for us to process a request from your authorized agent, we must (i) confirm that the agent is a natural person or business entity registered with the Secretary of State that you have authorized to act on your behalf, (ii) receive from you a copy of the written authorization that permits the authorized agent to act on your behalf, and (iii) verify your identity by asking you to provide us sufficient information in order to do so.

Using Your Substack Account to Exercise Privacy Rights

If you have an account with us, you may also access, edit, or delete much of the Personal Information we have collected about you through your account settings. Please review our Privacy Policy, in the section titled “What Personal Information can I access?,” for more details.

Your Right to Know

You have a right to know what Personal Information we have collected about you, including details about the nature of the information, the purpose for which it was gathered, and how we disclose that information to others. We provide that information here in our CCPA policy as well as in our Privacy Policy.

Access and Data Portability Rights

You have a right to request information about our collection, use, and disclosure of your Personal Information over the prior 12 months, and ask that we provide you with the following information:

  1. Categories of and specific pieces of Personal Information we have collected about you.

  2. Categories of sources from which we collect Personal Information.

  3. Purposes for collecting, using, selling, or sharing Personal Information.

  4. Categories of third parties to which we disclose Personal Information.

  5. Categories of Personal Information disclosed about you for a business purpose.

  6. If applicable, categories of Personal Information sold or shared about you and the categories of third parties to which the Personal Information was sold or shared, by category or categories of Personal Information for each third party to which the Personal Information was sold or shared.

Your Deletion Rights

You have the right to request that we delete the Personal Information that we have collected about you, subject to certain exceptions.

Your Right to Correct Inaccurate Personal Information

If we maintain Personal Information about you that is inaccurate, you have the right to see that inaccurate information corrected.

Your Right to Limit Use and Disclosure of Sensitive Personal Information

In some cases, you have the right to limit our use of your Sensitive Personal Information, so that we are only able to use that information as is necessary to provide our services. At this time, we only use your Sensitive Personal Information as is necessary to provide our services.

Your Right to Opt Out

You have the right to opt out of the sale of your Personal Information and the sharing of your Personal Information for the purpose of cross-context behavioral advertising. Were we ever to sell Personal Information or share it for cross-context behavioral advertising, we would provide information on our opt out process here.

Your Non-Discrimination Rights

You have the right not to receive discriminatory treatment for the exercise of your rights under the CCPA.

Publicly Available and Public Interest Information

The rights and disclosures in this notice do not apply to Publicly Available Information or to lawfully obtained, truthful information that is a matter of public concern. Please note that you may choose to use our services to release Personal Information to the general public, in which case it may become Publicly Available Information.

Information Collection Notice and Disclosures

No Sale of Personal Information

We do not sell your Personal Information, and we do not share your information with third parties for the purpose of cross-context behavioral advertising.

Our Use of Sensitive Personal Information

We do not use or disclose Sensitive Personal Information for any purpose other than the purpose(s) for which that information is collected.

Sensitive Personal Information Collected

Details on the Sensitive Personal Information that we collect, or have collected in the last 12 months, follow below:


Category: Account login information

We collect: The log-in details (username together with password) that you select for your Substack account

Purpose(s): To create, maintain, customize, and secure your account with us

How long we keep the information: For as long as your account is active with us

How we disclose this information: We do not disclose this information

Source(s): You


Category: Credit card information

We collect: Your credit card number, expiration date, and security code

Purpose(s): To process your requests, purchases, transactions, and payments and prevent transactional fraud

How long we keep the information: For as long as your account is active with us

How we disclose this information: To the service providers we use in providing our service

Service Providers that process this information: payment processing service providers

Source(s): You


Please note that CCPA “Sensitive Personal Information” is different from the “special categories of personal data” addressed under the EU’s GDPR. We do not intentionally collect any of the GDPR special categories of personal data — such as government identification numbers, information on racial or ethnic origin, political opinions, genetic data, biometric data, or health data — from or about our users.


Other Personal Information Collected

The list below describes the categories of Personal Information we collect, or have collected in the last 12 months:

Category: Identifiers

We collect: Your name; IP address; email address; Twitter handle (if provided); Google account information (if provided); phone number

Purpose(s): To provide, support, and develop our website, products, and services; to create, maintain, customize, and secure your account with us; to process your requests, purchases, transactions, and payments and prevent transactional fraud; to directly respond to your requests or inquiries, including to investigate and address your concerns and monitor and improve our responses, or to otherwise meet the reason for which you provided the information; to help maintain the safety, security, and integrity of our website, products and services, databases and other technology assets, and business; to communicate with you about our products and services; to facilitate contact syncing between users who opt in to our app’s contact syncing functionality (email address and phone number only)

How long we keep the information: We keep most identifiers for as long as you maintain your account with us; however, IP address information is retained only for a limited time consistent with our evolving security needs

How we disclose this information: To the Publishers you subscribe to (email address only); to the service providers we use in providing our service; to other Substack users consistent with your account privacy settings

Service Providers that process this information: email, hosting, payment processing, security, customer support software, cloud storage and computing, and analytics service providers

Source(s): You; automatic collection (IP address only); Substack writers who migrate subscribers to our platform (email address only); users who opt in to our app’s contact syncing functionality (email address and phone number only, with contact syncing identifiers stored exclusively as one-way hashed values)


Category: Customer Record Information

We collect: Your name; your email address; your user bio; your subscriptions, unsubscriptions, and related metadata; your settings and preferences with our service; reactions you submit to posts and comments (“likes”), user comments and related metadata; user profile information; direct message contents and metadata; and publication and authorship information. For Publishers, we may also collect information on city or country of residence and mailing address.

Purpose: To provide, support, and develop our website, products, and services; to create, maintain, customize, and secure your account with us; to process your requests, purchases, transactions, and payments and prevent transactional fraud; to directly respond to your requests or inquiries, including to investigate and address your concerns and monitor and improve our responses, or to otherwise meet the reason for which you provided the information; to help maintain the safety, security, and integrity of our website, products and services, databases and other technology assets, and business

How long we keep the information: For as long as you maintain an account with us; direct message information will be kept for as long as any message recipient maintains an account with us

How we disclose this information: To the Publishers you subscribe to (email address, subscription information, and comments information only); to the service providers we use in providing our service; to other Substack users consistent with your account privacy settings. Direct message contents are disclosed only to their intended recipients.

Service Providers that process this information: email, hosting, payment processing, security, customer support software, cloud storage and computing, and analytics service providers

Source(s): You; Twitter (if you connect your account); Google (if you connect your account)


Category: Commercial information

We collect: Records of products/services purchased by you on the Website

Purpose: To provide, support, and develop our website, products, and services; to process your requests, purchases, transactions, and payments and prevent transactional fraud; to directly respond to your requests or inquiries, including to investigate and address your concerns and monitor and improve our responses, or to otherwise meet the reason for which you provided the information; to communicate with you about our products and services

How long we keep the information: For as long as you maintain an account with us or in order to comply with a legal obligation.

How we disclose this information: To our service providers

Service Providers that process this information: hosting, payment processing, security, customer support software, cloud storage and computing, and analytics service providers

Source(s): You


Category: Internet or other network activity

We collect: Browsing history, search history, and interaction data on your use of our Website and from links in Substack emails

Purpose: To provide, support, and develop our website, products, and services; to create, maintain, customize, and secure your account with us; to process your requests, purchases, transactions, and payments and prevent transactional fraud; to directly respond to your requests or inquiries, including to investigate and address your concerns and monitor and improve our responses, or to otherwise meet the reason for which you provided the information; to help maintain the safety, security, and integrity of our website, products and services, databases and other technology assets, and business; to communicate with you about our products and services.

How long we keep the information: When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it.

How we disclose this information: To our service providers

Service Providers that process this information: hosting, payment processing, security, customer support software, cloud storage and computing, and analytics service providers

Source(s): You; automatic collection


Category: Geolocation data

We collect: Your IP address

Purpose: To provide, support, and develop our website, products, and services; to create, maintain, customize, and secure your account with us; to process your requests, purchases, transactions, and payments and prevent transactional fraud; to help maintain the safety, security, and integrity of our website, products and services, databases and other technology assets, and business

How long we keep the information: For a limited time consistent with our evolving security needs.

How we disclose this information: To our service providers

Service Providers that process this information: hosting, payment processing, security, cloud storage and computing, and analytics service providers

Source(s): You; automatic collection


Please see our Privacy Policy for more information on tracking technologies we use for automatic data collection. We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing notice.

Compliance, Internal, and Extraordinary Disclosures of Personal Information

We may further disclose each category of Personal Information to our affiliates, to our professional advisors, in connection with our compliance and protection activities, and in connection with business transfers as described in our Privacy Policy.

Finally, we disclose the Personal Information we collect where we have a legal obligation to do so, or where a disclosure is necessary to maintain the security or integrity of our services (in either case, an “Extraordinary Disclosure”). In the last 12 months, we have made the following kinds of Extraordinary Disclosures:


Category of Extraordinary Disclosure: DMCA complaint information

Recipient(s): Senders of copyright notices; recipients of copyright notices

Categories: Identifiers; Customer Record Information

Reason: The notice and takedown provisions of the United States’ Digital Millennium Copyright Act require us to provide a copy of any counter-notification received under our Copyright Dispute Policy to the party that sent the copyright notice.


Category of Extraordinary Disclosure: Court ordered disclosures

Recipient(s): Law enforcement; civil litigants

Categories: Identifiers

Reason: Substack responds to valid court orders consistent with our legal obligations and, wherever possible, with notice to the identified user(s).


Changes to this California Privacy Notice

We may amend or update this California Privacy Notice at any time. When we make changes to this California Privacy Notice, we will post the updated notice on the Website and update the California Privacy Notice effective date at the top of the page.

Contact Us

You may contact us with questions, concerns, or privacy requests by emailing us at privacy@substackinc.com.