Privacy Policy

Last Updated: October 24th, 2024

Changes in the Last Update

  • Incorporate the Data Privacy Framework


About this Privacy Policy

Substack Inc. knows you care about how your personal information is used and shared, and we take your privacy seriously. This Privacy Policy outlines how we collect, use, and share your personally identifiable information ("Personal Information") through our website (www.substack.com) and our services. Please read it carefully.

Remember that your use of Substack is at all times subject to the Terms of Use, which incorporates this Privacy Policy. Any terms we use in this Privacy Policy without defining them have the definitions given to them in the Terms of Use.

This Privacy Policy includes additional notices that may apply to you if you are a California consumer. Please see the section further below titled "Additional Notices for California Residents" for more details.

What does this Privacy Policy cover?

This Privacy Policy details how we collect, receive, use, store, share, transfer and process your Personal Information. It also describes the choices you have regarding the use of your Personal Information, as well as your rights and how you execute these rights.

This Privacy Policy only applies to the processing of your Personal Information by Substack as a data controller, meaning where we process your Personal Information for our purposes. This Privacy Policy does not apply to any processing of your Personal Information by Substack as a data processor on behalf of a Creator. Creators will have their own privacy practices governing their use of Personal Information as outlined in their own terms of use and/or privacy policies.

Will Substack ever change this Privacy Policy?

We’re constantly trying to improve our services, so we may need to change this Privacy Policy from time to time as well, but we will alert you to changes by placing a notice on our site, by sending you an email, and/or by some other means.

Please note that if you’ve opted not to receive legal notice emails from us (or you haven’t provided us with your email address), those legal notices will still govern your use of Substack, and you are still responsible for reading and understanding them.

What Information does Substack collect?

We collect and process Personal Information about you when you interact with us and our services, as well as when you subscribe to any of our paid or unpaid services. This may include:

  • your first and last name;

  • your email address;

  • your phone number;

  • your payment details (including billing address, credit card details, where you make a purchase from us);

  • your location and/or mailing address;

  • your photograph;

  • your marketing preferences, including any consents you have given us;

  • information related to the browser or device you use to access our website (including your IP address);

  • any information we collect online from you and maintain in association with your account, such as your username and password;

  • your subscription status with Substack publications;

  • public information about the social media accounts you associate with your Substack account;

  • your direct message contents and metadata;

  • information from integrated third-party services that you choose to use on Substack — for example, if you use Substack to upload video content to YouTube, we collect account identifiers (including the email address associated with the account), video identifiers, and upload status information associated with the YouTube account you use to upload video content to YouTube; and

  • any other information you provide us when communicating with us.

We may also collect information about you when one of our users syncs their address book information with our app for contact syncing purposes. This information collection is strictly limited to email addresses and phone numbers, and any information collected in this manner is securely stored only as hashed values.

Finally, we also collect information on the use of our website via Cookies. Please view the section “Cookies” below for more information.

How does Substack use your Personal Information?

We process this Personal Information for the following purposes:

  • To establish and fulfill a contract with you, for example when you subscribe to a subscription Service. This may include verifying your identity, taking payments, communicating with you, providing customer service;

  • As required by Substack to enable our business and pursue our legitimate interests. In particular we use your Personal Information for the following purposes:

    • to provide services you have requested, and respond to any communications, comments or complaints you send us;

    • to monitor the use of our services and to help us monitor, improve and protect our services, content and website;

    • to allow you to create, maintain, customize and secure your account with us;

    • to personalize our services for you and provide recommendations;

    • to monitor any user accounts to prevent, investigate and/or report fraud, misrepresentation, terrorism, security incidents or crime in accordance with applicable law;

    • to invite you to take part in surveys or market research;

    • to facilitate contact syncing between users who opt in to our app’s contact syncing functionality;

    • Where our use of Personal Information is made pursuant to a balancing of our legitimate interests with your privacy interest, we will provide more information about our balancing analysis and process on request. Please send any such requests to privacy@substackinc.com.

  • Compliance with applicable laws and protection of Substack’s legitimate business interests and legal rights, including but not limited to use in connection with legal claims, compliance, regulatory, investigative purposes (including disclosure of such information in connection with legal process or litigation).

  • In addition, we will send you, based on your consent (if required), direct marketing communication in relation to our relevant services, or other services provided by us, our affiliates and carefully selected partners. You can withdraw your consent at any time ("opt out"); see the section "What are your rights?" below. In case of electronic direct marketing you can opt out by following the instructions in the communication.

  • In certain cases, we may also share some Personal Information with third parties, but only as described in this Privacy Policy.

How will Substack share the Personal Information it receives?

We may share your Personal Information with third parties as described below:

  • Affiliates: We may disclose your Personal Information to our subsidiaries and/or corporate affiliates for the purposes as described above.

  • Creators: when you subscribe to a Creator’s publication, we provide them the information necessary (including your name and email address) to provide you their publication(s). Please note that Creators control their own publications; accordingly, when you interact with a Creator’s publication in a way that requires your personal information, including when commenting on a publication that you have not subscribed to, that personal information is provided directly to the Creator.

  • Our Service Providers: We share your Personal Information with third-party service providers that provide services on our behalf; for example, we use Stripe (a third party payment provider) to receive and process your credit card transactions for us. Such third parties further include, but are not limited to, providers of: website hosting; maintenance services; email services; security services; content delivery networks; customer support operations and software services; traffic and usage analytics services; and cloud storage and computing services.

  • Third-Party Data Controllers: We provide integrations with third-party services for you to use at your option. When we do, we only use the Personal Information we collect from the integrated third-party service for the purpose of providing the integration to you, and do not disclose that information except where required by law or as directed by the third-party service. Please keep in mind that you may use an integrated third-party service to send your Personal Information or content to the provider of the integrated third-party service, in which case you should refer to the privacy policy of the applicable third-party service provider to understand how your Personal Information is used. For instance, you may use Substack to upload content to YouTube, in which case the Google privacy policy governs how YouTube uses your Personal Information.

  • Other users: If your user profile allows it, you may choose to populate certain user profile information, including, without limitation, your name, subscriptions, publications, location, and any image content. Any user profile information uploaded may be displayed to other users to facilitate user interaction within the services (including when you post comments or upload images or videos through the services). Your account privacy settings may allow you to limit the other users who can see the Personal Information in your user profile and/or what information in your user profile is visible to others. Your username and user profile may also be displayed to other users when you interact with a publication post, for instance, by “liking” the post or leaving a comment. You may have the option to allow Substack to share information on what you’ve read or are reading on Substack with the public, or with other accounts socially connected to your own, such as your social media followers. If you opt into contact syncing through our app, your profile information will be shared with any user who has (i) also opted into contact syncing, and who (ii) identified you as a contact.

  • Prospective sellers or buyers: We may share and/or transfer customer information in connection with the sale or merger of our business or assets (subject to local laws). Also, if we go out of business, enter bankruptcy, or go through some other change of control.

  • Government authorities, law enforcement officials, and court-ordered disclosures: If required for the purposes as described in this Privacy Policy, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws we may share Personal Information with competent regulatory, prosecuting, tax or governmental authorities, courts or other tribunals, or with litigants entitled by law to receive personal information, in any jurisdiction or markets, domestic or foreign.

In certain cases, we may anonymize your Personal Information in such a way that you can no longer be identified as an individual, and we reserve the right to use and share such anonymized information to trusted partners not specified here. However, we never disclose aggregated or de-identified information in a manner that could identify you as an individual.

Where will we send your Personal Information?

Substack is established in the US and uses service providers established both in the US and in other countries to process Personal Information as described in this Privacy Policy. As such, your Personal Information may be shared internationally.

Does Substack participate in the Data Privacy Framework?

To facilitate the lawful import of Personal Information from the European Union, the United Kingdom, and the Swiss Confederation, Substack participates in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) (each, a “DPF”). To verify our participation, please consult the Data Privacy Framework List.

When we receive Personal Information under a DPF, the DPF Principles apply to our processing of that information. Under any DPF, we are accountable for the onward transfer of Personal Information, and only transfer Personal Information received pursuant to a DPF under agreements that provide the same protections as the DPF. Our adherence to the DPFs specified above is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

In the event of a dispute between you and us regarding our use of Personal Information under a DPF, we ask that you first raise the dispute with us directly at privacy@substackinc.com. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. These dispute resolution services are provided at no cost to you.

If you have a “residual claim” regarding our use of your Personal Information under a DPF that is unresolved after (i) direct contact with us; (ii) your use of the independent dispute resolution mechanism identified above; and (iii) your raising the issue with your data protection authority, you have the right to seek redress through binding arbitration in accordance with the applicable DPF.

Is Personal Information about you secure?

Your account is protected by a password for your privacy and security. You must prevent unauthorized access to your account and Personal Information by selecting and protecting your password appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.

We endeavor to protect the privacy of your account and other Personal Information we hold in our records, but unfortunately, we cannot guarantee complete security. Unauthorized entry or use, failure of the services, or other factors may compromise the security of user information at any time.

Privacy and your direct messages

You can use Substack to send direct messages to other Substack users, and to receive direct messages from other Substack users. Please note that, at this time, direct messages are not end-to-end encrypted, and are not a substitute for secure messaging services. Direct messaging contents are disclosed to their intended recipients. Recipients of direct messages may keep those messages even if you request their deletion, and even if you delete your Substack account. Keep in mind that recipients of your direct messages do not necessarily have any obligation to keep them private.

We will only disclose direct message contents to people other than the intended recipients in very limited circumstances where allowed or required by law, for example, in response to valid court orders or in emergency situations involving danger of death or serious physical injury. While we maintain strict internal access controls on direct messaging content, keep in mind that Substack personnel may access the contents of direct messages to enforce our Terms of Use, ensure the security of our platform, to provide user support, or as otherwise necessary to provide our services. We may also use automated means to ensure the safety of direct messaging content, including scanning for spam, malicious content, and child abuse material.

Privacy and SMS Services

If you provide us with your phone number, we may use a third-party service provider to verify your phone number with an SMS text message. Information regarding this SMS verification is used only for verification purposes, and is not shared with third parties/affiliates for marketing/promotional purposes.

What are your rights?

Depending on applicable local laws, you may be entitled to ask Substack for a copy of your Personal Information, to correct it, erase or restrict its processing, or to ask us to transfer some of this information to other organizations. You may also have rights to object to some processing activities or to request restriction of some processing activities. Where we have asked for your consent to process your Personal Information, you may also have the right to withdraw this consent. These rights may be limited in some situations or in accordance with applicable law – for example, we cannot delete your Personal Information when we can demonstrate that we have a legal obligation to retain it. In some instances, this may mean that we are able to retain data even if you withdraw your consent or you delete your account.

Where we require Personal Information to comply with legal or contractual obligations, then provision of such information is mandatory: if such information is not provided, then we will not be able to manage our contractual relationship, or to meet obligations placed on us. In all other cases, provision of requested personal data is optional. Please note we will always inform you where the provision of your Personal Information is mandatory or optional.

We hope that we can satisfy any queries you may have about the way we process your Personal Information. If you have any concerns about how we process your Personal Information, or would like to opt out of marketing, you can get in touch at privacy@substackinc.com.

If you are a California consumer, please see the section further below titled “Additional Notices for California Residents” for more notices regarding your Personal Information.

You can access, edit, or delete some personal information by yourself

Through your account settings, you may access, and, in some cases, edit or delete the following information you’ve provided to us:

  • name and password

  • email address

  • user profile information, including images you may have uploaded to the site

The information you can view, update, and delete may change as the services change. If you'd like to delete your account, you can do so from your account page.

Where you have directed third-party services to provide Personal Information to us, you can direct those third-party service providers to stop providing us your Personal Information. For example, you can use your Google security settings page to revoke our access to information from your YouTube account.

If you have any questions about viewing or updating information we have on file about you, please contact us at privacy@substackinc.com.

You can unsubscribe from our marketing communications

You may unsubscribe from our marketing communications by clicking on the “unsubscribe” link located on the bottom of our e-mails, updating your communication preferences or by contacting us at privacy@substackinc.com.

We remind you that this Privacy Policy does not apply to any processing of your Personal Information by Substack as a data processor on behalf of a Creator. A Creator’s own terms and policies govern its use of Personal Information it collects on the Creator’s subdomain on the services, including their own marketing emails and other communications.

You have the right to complain to your local data protection authority

In the event you have unresolved concerns, please note that you have the right to complain to a data protection authority. Contact details for data protection authorities in the EEA, Switzerland and certain non-European countries are available here.

How long will Substack retain your data?

We retain information about you only for as long as reasonably necessary to fulfill the purposes for which it was collected. We may retain your Personal Information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

Automated individual decision-making, including profiling

We may use the information we collect to profile you in order to suggest content on our platform that is relevant to your interests. We also use automated systems to help flag content that may violate our Content Guidelines or our Terms of Use. At this time, no final content moderation decisions are made without human review of any automated decisions.  

Cookies

We use cookies on our website. Cookies are small text files sent by a web server to your web browser and saved locally on your computer. The cookie allows the server to uniquely identify the browser on each page. Cookies do not cause any harm to your computer and do not contain viruses.

We use the following categories of cookies on our website:

Category 1: Strictly Necessary Cookies

These cookies are essential in order to enable you to move around the website and use its features. Without these cookies, services you have asked for such as remembering your login details or data provided for a purchase cannot be provided.

Category 2: Performance Cookies

These cookies collect information on how people use our website. The data stored by these cookies never shows personal details from which your individual identity can be established.

Category 3: Functionality Cookies

These cookies remember choices you make such as the country you visit our website from, language and search parameters. These can then be used to provide you with an experience more appropriate to your selections and to make the visits more tailored and pleasant.

Creator cookies

In addition to the cookies Substack uses, Creators on Substack may choose to set certain tracking and analytics cookies, subject to the Creator’s own terms and policies. These Creator cookies may include cookies set by third parties such as Twitter, Facebook, Google, and Parse.ly.

Disabling and opting-out of cookies

Substack is rolling out a detailed cookie management system for users in select jurisdictions that can be used to disable all cookies except for necessary cookies. If you do not see this system, please note that current versions of web browsers offer enhanced user controls regarding the placement and duration of both first and third party cookies. Search for "cookies" under your web browser's “Help menu” for more information on cookie management features available to you. You can enable or disable cookies by modifying the settings in your browser. You can also find out how to do this, and find more information on cookies at www.allaboutcookies.org. However, if you choose to disable cookies in your browser, you may be unable to complete certain activities on our websites or to correctly access certain parts of it. If you would like more information about interest-based advertising, including how to opt-out of these cookies, please visit http://youronlinechoices.eu/.

Information Collected From Other Websites and Do Not Track Policy

Through cookies we place on your browser or device, we may collect information about your online activity after you leave our website. Just like any other usage information we collect, this information allows us to improve the services and customize your online experience, and otherwise as described in this Privacy Policy. Your browser may offer you a “Do Not Track” option, which allows you to signal to operators of websites and web applications and services (including behavioral advertising services) that you do not wish such operators to track certain of your online activities over time and across different websites. Our services do not support Do Not Track requests at this time, which means that we collect information about your online activity both while you are using the services and after you leave our services.

Questions about this policy?

The data controller for this processing is Substack, Inc.

If you have any questions or concerns regarding our privacy policies, please send us a detailed message to privacy@substackinc.com or contact us at:

Substack Inc.

111 Sutter Street, 7th Floor

San Francisco CA 94104

USA

T +1 (415) 592-7299

If you are located in the EEA or the United Kingdom and have questions about your personal data or would like to request to access, update, or delete it, you may contact our local representatives at:

Bird & Bird GDPR Representative Services

Zuid-Hollandplein 22

2596 AW The Hague

The Netherlands

EUrepresentative.Substack@twobirds.com 

or

Bird & Bird GDPR Representative Services UK

12 New Fetter Lane

London

EC4A 1JP

United Kingdom

UKrepresentative.Substack@twobirds.com 

Additional Notices for California Residents

Substack has prepared additional disclosures and notices consistent with the California Consumer Privacy Act (CCPA). Our CCPA Policy, the terms of which are incorporated by reference into this Privacy Policy, can be found here.