Writing on Substack? Watch Out for Subscriber Data: A Guide to Privacy Policy and Terms of Service

Table of Contents
How to set up Privacy Policy and Terms of Service on Substack?
To protect subscriber data on Substack, you need a clear Privacy Policy explaining how you collect, use, and store personal data (e.g., email, IP). The Terms of Service must define newsletter usage rules, liability limitations, and withdrawal rights. Substack offers basic tools, but compliance is your responsibility.
If you run a newsletter on Substack, you're a publisher, not just a content creator. Your subscribers entrust you with their personal data, like email addresses, names, and sometimes reading preferences. The law, especially Europe's GDPR and California's CCPA, requires you to handle this data with care. This guide walks you through setting up a Privacy Policy and Terms of Service (ToS) for your Substack publication, without losing your mind.
First, why is this important? A Privacy Policy isn't just a legal obligation—it's a trust signal for your readers. If you don't explain what you do with their data, you risk hefty fines and losing subscribers. Terms of Service, on the other hand, protect you: they define what subscribers can do with your content, how you manage subscriptions, and how you resolve disputes. On Substack, the platform provides a generic Privacy Policy, but it doesn't cover your specific activities, like using analytics or sharing with third parties.
Here are practical steps to create solid documents. For the Privacy Policy, include: what data you collect (email, browsing data), how you use it (sending newsletters, analysis), who you share it with (Substack, any email marketing services), how long you keep it, and subscriber rights (access, deletion, portability). Use simple language, avoid legalese. Substack lets you add a custom page: go to 'Settings' > 'Pages' and create a new page titled 'Privacy Policy'.
For the Terms of Service, define: subscription terms (free or paid), intellectual property of your content, liability limitations (e.g., for post errors), refund policies, and applicable law (e.g., Italian or European). Substack has its own ToS, but yours must complement them for specific aspects, like comment management or moderation. Create a separate 'Terms of Service' page and link it in the newsletter footer.
A common mistake is copying documents from other sites. Every newsletter is unique: if you use tools like Google Analytics or integrate payments with Stripe, you must mention them. Substack, by default, collects data like IP addresses and browser types for security reasons, but you need to state this. Additionally, if you have subscribers in Europe, you must comply with GDPR: obtain explicit consent for sending the newsletter (double opt-in) and include an unsubscribe link in every email.
Transparency is key. Add a 'Contact' section for privacy questions. Substack doesn't provide an automatic policy generator, but you can use free templates online, customizing them. Remember to update the documents whenever your practices change, for example, if you start selling paid subscriptions or collaborating with sponsors.
Finally, don't forget to communicate the policies to your subscribers. Send a notification email when you update them, and ask for consent for any new data uses. Substack offers an 'announcements' system for this. By following these steps, you reduce legal risks and build a trust-based relationship with your community.
The Italian and European situation is stricter than the American model: GDPR requires explicit consent and detailed documents, while California's CCPA/CPRA focuses on the right to opt out of data sales. On Substack, many American publishers overlook these aspects, but as a European publisher, you must be more rigorous. Always compare your policies with GDPR to avoid fines of up to 20 million euros or 4% of annual turnover.

NakedPact Editorial Committee
Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.
Sources and Legal References

Do you own a website?
Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.
Recommended Readings
Your Smartwatch Is Spilling Your Secrets: Why Most Fitness Trackers Fail Privacy 101

The Hidden Contract in Cookies: How Social Media Steals Your Data (and Privacy) with One Click

The Intellectual Property Trap in Software Development Contracts: Who Really Owns Your Code?
🛡️ Protect your rights with one click
Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.
Don't trust, verify.
Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.
Analyze Your Contract Now