AIgree

Substack

Publishing · substack.com
Newsletter publishing and subscriptions
★★☆☆☆ Below average for users

Substack provides meaningful privacy rights and some clear disclosures, but the combination of broad data collection/sharing, cross-site tracking without Do Not Track support, broad content licensing, discretionary account termination, and mandatory arbitration makes the overall posture more company-favoring than user-favoring.

Substack’s legal terms are mixed. It offers useful privacy rights, self-service account deletion, and some transparency around data use and international transfers. But it also collects a broad range of personal data, allows tracking across websites, gives creators access to subscriber information, requires individual arbitration with a class-action waiver, and takes a perpetual irrevocable license to user content.

Points of interest

negative ●●●●○ from: terms
Mandatory arbitration waiver

Most disputes must be resolved through individual arbitration in San Francisco County, and users waive the ability to bring class or representative actions. This can make claims harder and more expensive to pursue.

"Any dispute... shall be finally settled by arbitration in San Francisco County, California... only be brought in an individual capacity, and not as a plaintiff or class member"
negative ●●●●○ from: terms
Perpetual content license

You keep ownership of your posts, but Substack gets a royalty-free, perpetual, irrevocable, worldwide license to use and distribute them. That means rights you grant do not end just because you leave the platform.

"the licenses you grant are royalty-free, perpetual, irrevocable, and worldwide"
negative ●●●●○ from: privacy
Broad data collection

Substack collects extensive information including payment data, device and IP data, location, social account info, subscription status, and direct message contents and metadata. This creates a fairly comprehensive profile of users.

"This may include... payment details... location... IP address... subscription status... direct message contents and metadata"
negative ●●●●○ from: privacy
Tracking after you leave

Substack says it may collect information about your online activity after you leave its website, and it does not honor Do Not Track signals. Users who want minimal tracking may find this intrusive.

"we may collect information about your online activity after you leave our website... Our services do not support Do Not Track requests"
positive ●●●●○ from: privacy
Strong privacy rights listed

Substack says users may request access, correction, deletion, restriction, portability, and objection to some processing. It also commits to responding within one month, with limited extensions.

"you may be entitled to ask Substack for a copy... correct it, erase or restrict its processing... transfer... We will respond... within one month"
negative ●●●○○ from: terms
Can remove content anytime

Substack can remove content or suspend accounts at its sole discretion, sometimes without notice. Users may have limited recourse if moderation or enforcement decisions affect their publication.

"We reserve the right to remove any content from Substack at any time, for any reason... in our sole discretion, and without notice"
negative ●●●○○ from: terms
Public posts may persist

Deleting your account does not guarantee full removal of public posts or backup copies. Content may also remain visible if others copied or stored it.

"any Post that you have made public may remain available... it may not be possible to completely delete your content from Substack’s records or backups"
negative ●●●○○ from: privacy
Creators get subscriber data

When you subscribe to a publication, Substack shares your name and email with that creator, and creators govern their own downstream privacy practices. Your data protections may therefore vary by publication.

"when you subscribe to a Creator’s publication, we provide them... your name and email address"
negative ●●●○○ from: privacy
Direct messages not encrypted

Substack direct messages are not end-to-end encrypted, and staff may access them for safety, support, or enforcement purposes. Recipients may also keep messages even if you delete them or your account.

"direct messages are not end-to-end encrypted... Substack personnel may access the contents of direct messages"
positive ●●●○○ from: privacy
Self-service deletion tools

Users can access, edit, or delete some profile information through account settings, and can delete their account from the account page. This gives users practical control without requiring manual support contact.

"Through your account settings, you may access, and, in some cases, edit or delete... If you'd like to delete your account, you can do so from your account page"
positive ●●○○○ from: privacy
Marketing opt-out available

Substack says marketing messages are consent-based where required and can be unsubscribed from at any time. This limits unwanted promotional communications.

"You may unsubscribe from our marketing communications by clicking on the “unsubscribe” link"
positive ●●○○○ from: privacy
Material change notice

Substack says it will alert users to material changes to the privacy policy and terms by site notice, email, or other means. That is more transparent than silent updates.

"we will alert you to material changes by placing a notice on our site, by sending you an email, and/or by some other means"

Documents

Terms of Service

  • Using Substack means you accept these terms and related policies; you must be legally able to contract and cannot use Substack if under 16.
  • You must provide accurate account information, keep your account secure, and cannot transfer it or impersonate someone else through your username.
  • You keep ownership of content you post, but grant Substack a royalty-free, perpetual, irrevocable worldwide license to host, modify, display, and distribute it.
  • You must follow laws and Substack rules, and cannot infringe rights, scrape data, spam, reverse engineer, or compromise accounts or network security.
  • Substack may remove content or suspend or terminate accounts at its discretion, sometimes without notice, and public posts may remain available after account deletion.
  • Paid publication prices are set by creators, may change prospectively, and disputes over creator subscriptions are generally between readers and creators, not Substack.
  • Substack disclaims warranties, provides the service as-is, and limits its liability to indirect damages and generally to the greater of $100 or fees paid in 12 months.
  • You may need to indemnify Substack for claims related to your use or violations, including third-party claims and actions taken through your account.
  • Disputes are governed by California law and usually must go to individual arbitration in San Francisco County, with no class or representative actions.
  • Substack refers data handling to its Privacy Policy, may use your phone number for SMS verification, and says it does not knowingly collect personal information from children under 16.

Privacy Policy

  • Substack collects account, contact, payment, device, location, profile, message, subscription, and cookie data when you use its services.
  • It uses personal information to provide services, process payments, secure accounts, personalize content, run analytics, and comply with legal obligations.
  • Substack may send marketing messages with consent where required, and you can opt out at any time.
  • It shares data with affiliates, creators, service providers, integrated third-party services, other users, buyers in business transfers, and government authorities when required.
  • Substack shares account identifiers with child safety organizations to detect and prevent online child sexual exploitation and abuse.
  • Personal information may be transferred internationally, including to the United States, and Substack participates in the EU, UK, and Swiss Data Privacy Frameworks.
  • You may request access, correction, deletion, restriction, portability, or objection, and Substack says it will respond within one month, sometimes with a two-month extension.
  • Substack keeps data only as long as reasonably necessary, but may retain it longer for complaints, legal obligations, or possible litigation.
  • Direct messages are not end-to-end encrypted, may be accessed for safety or support, and recipients may keep them even if you delete them or your account.
  • Substack uses cookies for necessary, performance, and functionality purposes, does not support Do Not Track, and browser cookie settings may limit site features.

Recent changes

2026-05-05 (privacy): Substack added sharing of account identifiers with child safety consortia, expanded direct-message handling, and added one-month response and objection rights for privacy requests.
