Privacy Policy

Last Updated: February 23, 2024

Changes in the Last Update

  • Update cookie disclosures


About this Privacy Policy

Substack Inc. knows you care about how your personal information is used and shared, and we take your privacy seriously. This Privacy Policy outlines how we collect, use, and share your personally identifiable information ("Personal Information") through our website (www.substack.com) and our services. Please read it carefully.

Remember that your use of Substack is at all times subject to the Terms of Use, which incorporates this Privacy Policy. Any terms we use in this Privacy Policy without defining them have the definitions given to them in the Terms of Use.

This Privacy Policy includes additional notices that may apply to you if you are a California consumer. Please see the section further below titled "Additional Notices for California Residents" for more details.

What does this Privacy Policy cover?

This Privacy Policy details how we collect, receive, use, store, share, transfer and process your Personal Information. It also describes the choices you have regarding the use of your Personal Information, as well as your rights and how you execute these rights.

This Privacy Policy only applies to the processing of your Personal Information by Substack as a data controller, meaning where we process your Personal Information for our purposes. This Privacy Policy does not apply to any processing of your Personal Information by Substack as a data processor on behalf of a Publisher. Publishers will have their own privacy practices governing their use of Personal Information as outlined in their own terms of use and/or privacy policies.

Will Substack ever change this Privacy Policy?

We’re constantly trying to improve our services, so we may need to change this Privacy Policy from time to time as well, but we will alert you to changes by placing a notice on our site, by sending you an email, and/or by some other means.

Please note that if you’ve opted not to receive legal notice emails from us (or you haven’t provided us with your email address), those legal notices will still govern your use of Substack, and you are still responsible for reading and understanding them.

What Information does Substack collect?

We collect and process Personal Information about you when you interact with us and our services, as well as when you subscribe to any of our paid or unpaid services. This may include:

  • your first and last name;

  • your email address;

  • your phone number;

  • your payment details (including billing address, credit card details, where you make a purchase from us);

  • your location and/or mailing address;

  • your photograph;

  • your marketing preferences, including any consents you have given us;

  • information related to the browser or device you use to access our website (including your IP address);

  • any information we collect online from you and maintain in association with your account, such as your username and password;

  • your subscription status with Substack newsletters;

  • public information about the social media accounts you associate with your Substack account;

  • your direct message contents and metadata;

  • any other information you provide us when communicating with us.

We may also collect information about you when one of our users syncs their address book information with our app for contact syncing purposes. This information collection is strictly limited to email addresses and phone numbers, and any information collected in this manner is securely stored only as hashed values.

Finally, we also collect information on the use of our website via Cookies. Please view the section “Cookies” below for more information.

How does Substack use your Personal Information?

We process this Personal Information for the following purposes:

  • To establish and fulfill a contract with you, for example when you subscribe to a subscription Service. This may include verifying your identity, taking payments, communicating with you, providing customer service;

  • As required by Substack to enable our business and pursue our legitimate interests. In particular we use your Personal Information for the following purposes:

    • to provide services you have requested, and respond to any communications, comments or complaints you send us;

    • to monitor the use of our services and to help us monitor, improve and protect our services, content and website;

    • to allow you to create, maintain, customize and secure your account with us;

    • to personalize our services for you;

    • to monitor any user accounts to prevent, investigate and/or report fraud, misrepresentation, terrorism, security incidents or crime in accordance with applicable law;

    • to invite you to take part in surveys or market research;

    • to facilitate contact syncing between users who opt in to our app’s contact syncing functionality;

    • Where our use of Personal Information is made pursuant to a balancing of our legitimate interests with your privacy interest, we will provide more information about our balancing analysis and process on request. Please send any such requests to privacy@substackinc.com.

  • Compliance with applicable laws and protection of Substack’s legitimate business interests and legal rights, including but not limited to use in connection with legal claims, compliance, regulatory, investigative purposes (including disclosure of such information in connection with legal process or litigation).

  • In addition, we will send you, based on your consent (if required), direct marketing communication in relation to our relevant services, or other services provided by us, our affiliates and carefully selected partners. You can withdraw your consent at any time ("opt out"); see the section "What are your rights?" below. In case of electronic direct marketing you can opt out by following the instructions in the communication.

  • In certain cases, we may also share some Personal Information with third parties, but only as described in this Privacy Policy.

How will Substack share the Personal Information it receives?

We may share your Personal Information with third parties as described below:

  • Affiliates: We may disclose your Personal Information to our subsidiaries and/or corporate affiliates for the purposes as described above.

  • Publishers: when you subscribe to a Publisher’s newsletter, we provide them the information necessary (including your name and email address) to provide you their newsletter(s). Please note that Publishers control their own newsletters; accordingly, when you interact with a Publisher’s newsletter in a way that requires your personal information, including when commenting on a newsletter that you have not subscribed to, that personal information is provided directly to the Publisher.

  • Our Service Providers: We share your Personal Information with third party service providers that provide services on our behalf; for example, we use Stripe (a third party payment provider) to receive and process your credit card transactions for us. Such third parties further include, but are not limited to, providers of: website hosting; maintenance services; email services; security services; content delivery networks; customer support operations and software services; traffic and usage analytics services; and cloud storage and computing services.

  • Other users: If your user profile allows it, you may choose to populate certain user profile information, including, without limitation, your name, subscriptions, publications, location, and any image content. Any user profile information uploaded may be displayed to other users to facilitate user interaction within the services (including when you post comments or upload images or videos through the services). Your account privacy settings may allow you to limit the other users who can see the Personal Information in your user profile and/or what information in your user profile is visible to others. Your username and user profile may also be displayed to other users when you interact with a newsletter post, for instance, by “liking” the post or leaving a comment. You may have the option to allow Substack to share information on what you’ve read or are reading on Substack with the public, or with other accounts socially connected to your own, such as your social media followers. If you opt into contact syncing through our app, your profile information will be shared with any user who has (i) also opted into contact syncing, and who (ii) identified you as a contact.

  • Prospective sellers or buyers: We may share and/or transfer customer information in connection with the sale or merger of our business or assets (subject to local laws). Also, if we go out of business, enter bankruptcy, or go through some other change of control.

  • Government authorities and/or law enforcement officials: If required for the purposes as described in this Privacy Policy, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws we may share Personal Information with competent regulatory, prosecuting, tax or governmental authorities, courts or other tribunals in any jurisdiction or markets, domestic or foreign.

In certain cases, we may anonymize your Personal Information in such a way that you can no longer be identified as an individual, and we reserve the right to use and share such anonymized information with trusted partners not specified here. However, we never disclose aggregated or de-identified information in a manner that could identify you as an individual.

Where will we send your Personal Information?

Substack is established in the US and uses service providers established both in the US and in other countries to process Personal Information as described in this Privacy Policy. As such, your Personal Information may be shared internationally.

Is Personal Information about you secure?

Your account is protected by a password for your privacy and security. You must prevent unauthorized access to your account and Personal Information by selecting and protecting your password appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.

We endeavor to protect the privacy of your account and other Personal Information we hold in our records, but unfortunately, we cannot guarantee complete security. Unauthorized entry or use, failure of the services, or other factors may compromise the security of user information at any time.

Privacy and your direct messages

You can use Substack to send direct messages to other Substack users, and to receive direct messages from other Substack users. Please note that, at this time, direct messages are not end-to-end encrypted, and are not a substitute for secure messaging services. Direct messaging contents are disclosed to their intended recipients. Recipients of direct messages may keep those messages even if you request their deletion, and even if you delete your Substack account. Keep in mind that recipients of your direct messages do not necessarily have any obligation to keep them private.

We will only disclose direct message contents to people other than the intended recipients in very limited circumstances where allowed or required by law, for example, in response to valid court orders or in emergency situations involving danger of death or serious physical injury. While we maintain strict internal access controls on direct messaging content, keep in mind that Substack personnel may access the contents of direct messages to enforce our Terms of Use, ensure the security of our platform, to provide user support, or as otherwise necessary to provide our services. We may also use automated means to ensure the safety of direct messaging content, including scanning for spam, malicious content, and child abuse material.

What are your rights?

Depending on applicable local laws, you may be entitled to ask Substack for a copy of your Personal Information, to correct it, erase or restrict its processing, or to ask us to transfer some of this information to other organizations. You may also have rights to object to some processing activities or to request restriction of some processing activities. Where we have asked for your consent to process your Personal Information, you may also have the right to withdraw this consent. These rights may be limited in some situations or in accordance with applicable law – for example, we cannot delete your Personal Information when we can demonstrate that we have a legal obligation to retain it. In some instances, this may mean that we are able to retain data even if you withdraw your consent or you delete your account.

Where we require Personal Information to comply with legal or contractual obligations, then provision of such information is mandatory: if such information is not provided, then we will not be able to manage our contractual relationship, or to meet obligations placed on us. In all other cases, provision of requested personal data is optional. Please note we will always inform you where the provision of your Personal Information is mandatory or optional.

We hope that we can satisfy any queries you may have about the way we process your Personal Information. If you have any concerns about how we process your Personal Information, or would like to opt out of marketing, you can get in touch at privacy@substackinc.com.

If you are a California consumer, please see the section further below titled “Additional Notices for California Residents” for more notices regarding your Personal Information.

You can access, edit, or delete some personal information by yourself

Through your account settings, you may access, and, in some cases, edit or delete the following information you’ve provided to us:

  • name and password

  • email address

  • user profile information, including images you may have uploaded to the site

The information you can view, update, and delete may change as the services change. If you'd like to delete your account, you can do so from your account page.

If you have any questions about viewing or updating information we have on file about you, please contact us at privacy@substackinc.com.

You can unsubscribe from our marketing communications

You may unsubscribe from our marketing communications by clicking on the “unsubscribe” link located on the bottom of our e-mails, updating your communication preferences or by contacting us at privacy@substackinc.com.

We remind you that this Privacy Policy does not apply to any processing of your Personal Information by Substack as a data processor on behalf of a Publisher. A Publisher’s own terms and policies govern its use of Personal Information it collects on the Publisher’s subdomain on the services, including their own marketing emails and other communications.

You have the right to complain to your local data protection authority

In the event you have unresolved concerns, please note that you have the right to complain to a data protection authority. Contact details for data protection authorities in the EEA, Switzerland and certain non-European countries are available here.

How long will Substack retain your data?

We retain information about you only for as long as reasonably necessary to fulfill the purposes for which it was collected. We may retain your Personal Information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

Automated individual decision-making, including profiling

We do not process your Personal Information for automated individual decision-making, including profiling.

Cookies

We use cookies on our website. Cookies are small text files sent by a web server to your web browser and saved locally on your computer. The cookie allows the server to uniquely identify the browser on each page. Cookies do not cause any harm to your computer and do not contain viruses.

We use the following categories of cookies on our website:

Category 1: Strictly Necessary Cookies

These cookies are essential in order to enable you to move around the website and use its features. Without these cookies, services you have asked for such as remembering your login details or data provided for a purchase cannot be provided.

Category 2: Performance Cookies

These cookies collect information on how people use our website. The data stored by these cookies never shows personal details from which your individual identity can be established.

Category 3: Functionality Cookies

These cookies remember choices you make such as the country you visit our website from, language and search parameters. These can then be used to provide you with an experience more appropriate to your selections and to make the visits more tailored and pleasant.

[Embedded tables: Necessary Cookies; Performance Cookies; Functionality Cookies]

Publisher cookies

In addition to the cookies Substack uses, Publishers on Substack may choose to set certain tracking and analytics cookies, subject to the Publisher’s own terms and policies. These Publisher cookies may include cookies set by third parties such as Twitter, Facebook, Google, and Parse.ly.

Disabling and opting-out of cookies

Substack is rolling out a detailed cookie management system for users in select jurisdictions that can be used to disable all cookies except for necessary cookies. If you do not see this system, please note that current versions of web browsers offer enhanced user controls regarding the placement and duration of both first and third party cookies. Search for "cookies" under your web browser's “Help menu” for more information on cookie management features available to you. You can enable or disable cookies by modifying the settings in your browser. You can also find out how to do this, and find more information on cookies at www.allaboutcookies.org. However, if you choose to disable cookies in your browser, you may be unable to complete certain activities on our websites or to correctly access certain parts of it. If you would like more information about interest-based advertising, including how to opt-out of these cookies, please visit http://youronlinechoices.eu/.

Information Collected From Other Websites and Do Not Track Policy

Through cookies we place on your browser or device, we may collect information about your online activity after you leave our website. Just like any other usage information we collect, this information allows us to improve the services and customize your online experience, and otherwise as described in this Privacy Policy. Your browser may offer you a “Do Not Track” option, which allows you to signal to operators of websites and web applications and services (including behavioral advertising services) that you do not wish such operators to track certain of your online activities over time and across different websites. Our services do not support Do Not Track requests at this time, which means that we collect information about your online activity both while you are using the services and after you leave our services.

Questions about this policy?

The data controller for this processing is Substack, Inc.

If you have any questions or concerns regarding our privacy policies, please send us a detailed message to privacy@substackinc.com or contact us at:

Substack Inc.

111 Sutter Street, 7th Floor

San Francisco CA 94104

USA

T +1 (415) 592-7299

We will try to resolve your concerns.

Additional Notices for California Residents

Substack has prepared additional disclosures and notices consistent with the California Consumer Privacy Act (CCPA). Our CCPA Policy, the terms of which are incorporated by reference into this Privacy Policy, can be found here.