Why Substack Writers Need a Privacy Policy
When someone subscribes to your Substack newsletter, you collect their email address at a minimum. If you offer paid subscriptions, you also gain access to payment-related data. Substack provides writers with analytics on open rates, click rates, and subscriber locations. All of this triggers privacy law obligations under GDPR, email collection laws, and CAN-SPAM.
Substack has its own platform-level privacy policy, but it does not cover how individual writers use subscriber data. If you export your email list, share analytics with sponsors, or use subscriber data for any purpose beyond sending your newsletter, you need your own privacy policy. This is similar to the requirements for newsletter privacy policies in general.
Free vs Paid Subscriber Data
Free Subscribers
For free subscribers, you collect email addresses, names (if provided), and engagement data such as open rates and click rates. You also see approximate geographic locations and subscription dates. While no payment data is involved, you still hold personal data that requires disclosure under GDPR and CCPA.
Paid Subscribers
Paid subscribers generate additional data including payment method details (processed by Stripe), billing cycles, subscription amounts, and transaction history. Substack handles payment processing, but you can see revenue data and subscriber payment status. Your privacy policy must explain this financial data processing.
Do free Substack newsletters need a privacy policy?
Yes. Collecting email addresses alone is enough to trigger GDPR requirements. Add open rate tracking and geographic data on top of that, and you have a clear obligation to disclose your data practices regardless of whether your newsletter is monetized.
Substack vs Writer Responsibility
There is an important distinction between what Substack is responsible for and what falls on you as the writer. Understanding this split is essential for drafting your privacy policy correctly.
Substack (Platform) Handles
Payment processing through Stripe, platform-level cookies, account authentication, infrastructure security, and its own privacy policy disclosures for site visitors.
Writers (You) Must Disclose
How you use subscriber emails, whether you export subscriber lists, what analytics you review, how you handle paid subscriber data, whether you share data with sponsors or advertisers, and how subscribers can exercise their privacy rights.
Shared Responsibility
Data retention practices, responding to subscriber deletion requests, and ensuring compliance with international privacy laws like GDPR when you have subscribers in the EU. This is similar to the shared model on platforms like Patreon.
Email Analytics and Tracking
Substack automatically tracks email engagement for every newsletter you send. This includes open rates (via tracking pixels), link click tracking, and per-subscriber activity history. Your privacy policy needs to disclose this tracking even though Substack handles it at the platform level, because you benefit from and access the resulting data.
Open tracking: Substack embeds invisible tracking pixels to detect when subscribers open your emails
Click tracking: All links in your newsletter are routed through Substack's tracking system before redirecting to the destination
Subscriber activity: You can see which subscribers are most engaged, who has not opened recent emails, and individual reading patterns
Aggregate analytics: Total views, subscriber growth trends, and geographic distribution of your audience
This is comparable to the tracking used by platforms like Mailchimp, but with a key difference: on Substack, the tracking is built into the platform and cannot be disabled by writers.
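To see concretely what the open and click tracking described above looks like inside a delivered email, here is an added example (not from the original article, and not Substack's own code) that scans a newsletter's HTML for tracking pixels and redirected links, so a writer can check what their own test send contains before writing the disclosure. The tracker host names and the sample email are constructed placeholders; a writer would substitute the hosts that appear in a test send of their own publication.

```python
"""Added example, not part of the original article. Scans newsletter HTML for
the two tracking mechanisms the text describes: invisible open-tracking pixels
and links routed through a redirect host. All host names and the sample email
below are constructed placeholders, not Substack's real tracking domains."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed placeholder: the host(s) that rewrite links in a test send.
REDIRECT_HOSTS = {"links.example-tracker.test"}

# Constructed sample of what a delivered newsletter might contain.
SAMPLE_EMAIL = """
<html><body>
<p>Read the new post
<a href="https://links.example-tracker.test/r?u=https%3A%2F%2Fexample.com%2Fpost&amp;id=abc123">here</a>.</p>
<p>Docs: <a href="https://example.org/docs">plain link</a></p>
<img src="https://pixel.example-tracker.test/open?id=abc123" width="1" height="1" alt="">
<img src="https://example.com/banner.png" width="600" height="200" alt="banner">
</body></html>
"""


class TrackingScanner(HTMLParser):
    """Collects tracking pixels and redirect-wrapped links from an HTML email."""

    def __init__(self, redirect_hosts):
        super().__init__()
        self.redirect_hosts = set(redirect_hosts)
        self.pixels = []         # src of images that look like open-tracking pixels
        self.tracked_links = []  # (wrapped href, decoded destination or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already unescapes entities such as &amp;
        if tag == "img":
            w = a.get("width", "").strip()
            h = a.get("height", "").strip()
            style = a.get("style", "").replace(" ", "").lower()
            # A 0x0 or 1x1 image, or one hidden via CSS, is the classic open pixel.
            tiny = (w in ("0", "1") and h in ("0", "1")) or "display:none" in style
            if tiny and a.get("src"):
                self.pixels.append(a["src"])
        elif tag == "a" and a.get("href"):
            href = a["href"]
            parsed = urlparse(href)
            if (parsed.hostname or "") in self.redirect_hosts:
                # Try to recover the real destination from any query parameter
                # that carries a URL (parse_qs percent-decodes it for us).
                dest = None
                for values in parse_qs(parsed.query).values():
                    for v in values:
                        if v.startswith("http://") or v.startswith("https://"):
                            dest = v
                self.tracked_links.append((href, dest))


def scan_email(html, redirect_hosts):
    """Return the tracking elements found in one email's HTML."""
    scanner = TrackingScanner(redirect_hosts)
    scanner.feed(html)
    scanner.close()
    return {"pixels": scanner.pixels, "tracked_links": scanner.tracked_links}


def disclosure_lines(result):
    """Turn scan results into plain statements a privacy policy can build on."""
    lines = []
    if result["pixels"]:
        lines.append("Emails contain an invisible image that records when you open them.")
    if result["tracked_links"]:
        lines.append("Links in emails pass through a tracking service that records clicks "
                     "before sending you to the destination page.")
    return lines


if __name__ == "__main__":
    found = scan_email(SAMPLE_EMAIL, REDIRECT_HOSTS)
    print("Open-tracking pixels:", found["pixels"])
    for wrapped, dest in found["tracked_links"]:
        print("Tracked link:", wrapped, "->", dest)
    for line in disclosure_lines(found):
        print("Disclose:", line)
```

Running it against a real test send is a one-time check: save the raw HTML of the email as delivered, put the redirect host you see in its links into `REDIRECT_HOSTS`, and the output tells you which of the two tracking mechanisms are present and therefore need a sentence in the policy.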
Paid Subscriptions and Payment Data
If you offer paid subscriptions on Substack, payment processing is handled entirely by Stripe. You never see full credit card numbers, but you do have access to subscriber payment status, subscription amounts, billing frequency, and revenue reports. Your privacy policy must explain this arrangement.
Stripe as processor: Disclose that Stripe handles payment processing on behalf of Substack and link to Stripe's privacy policy
Revenue data access: Explain that you can see who pays, how much, and when their subscription renews or cancels
Refund handling: Note that refund requests go through Substack/Stripe and what data is retained during that process
Tax reporting: For US-based writers earning above the threshold, Substack may share tax-related information as required by law
Can subscribers see what payment data I have access to?
Your subscribers cannot see your Substack dashboard. This is exactly why a privacy policy matters: it tells subscribers what information you can view about them, creating the transparency that privacy laws require.
Substack API and RSS
Substack provides an RSS feed for every publication and offers API-like functionality for data exports. If you use these features, they may affect your privacy obligations.
RSS feeds: Your public content is available via RSS, which means third-party services can aggregate and redistribute it. Disclose this if reader interactions flow through RSS readers.
CSV exports: Substack allows full subscriber list exports. Once exported, this data lives outside the platform and your privacy policy must cover how you store and protect it.
Third-party integrations: If you connect your Substack data to tools like Zapier, Google Sheets, or CRM platforms, each integration point needs disclosure.
Common Mistakes to Avoid
Relying on Substack's privacy policy alone
Substack's policy covers the platform, not your individual data practices. You need your own disclosure.
Not disclosing email tracking
Open rate and click tracking happen automatically on every email you send. Subscribers deserve to know about this.
Ignoring paid subscriber payment data
Even though Stripe processes payments, you access revenue and billing data that must be disclosed.
Forgetting about data exports
If you ever export your subscriber list, your privacy policy must cover how you store and protect that exported data.
Missing Notes and comment disclosures
Public interactions on Notes and in comment sections create data that your privacy policy should address.
How to Create Your Substack Privacy Policy
Audit your data collection
Review your Substack dashboard to identify all subscriber data you can access, including emails, names, subscription status, and analytics.
List third-party services
Document any external tools connected to your newsletter such as payment processors, analytics platforms, or social media integrations.
Draft your disclosure sections
Write clear sections covering what data you collect, why you collect it, how you use it, and who you share it with.
Address paid subscription data
If you offer paid subscriptions, explain how payment information is handled by Stripe through Substack and what billing data you can access.
Include subscriber rights
Explain how subscribers can unsubscribe, request data deletion, or exercise their GDPR and CCPA rights.
Publish and link your policy
Add your privacy policy to your Substack About page and include a link in your welcome email to new subscribers.
Want to skip the manual work? You can generate a privacy policy tailored to newsletter publishers in under 60 seconds.
Frequently Asked Questions
Do I need a privacy policy for my Substack newsletter?
Yes. If you collect subscriber email addresses, offer paid subscriptions, or use analytics to track opens and clicks, you need a privacy policy. GDPR, CCPA, and CAN-SPAM all require transparency about data collection.
Does Substack provide a privacy policy for writers?
Substack has its own platform privacy policy, but it only covers Substack's data practices. As a writer, you are responsible for disclosing how you personally use subscriber data, especially if you export emails or use third-party tools.
What subscriber data can Substack writers access?
Writers can access subscriber email addresses, names, subscription status (free or paid), email open rates, click rates, geographic data (approximate location), and for paid subscribers, payment information processed through Stripe.
Can I use Substack subscriber emails for other purposes?
You should only use subscriber emails for the purpose they were provided. Using them for unrelated marketing, selling them to third parties, or importing them into other platforms without consent may violate privacy laws and Substack's terms of service.
Do I need a separate privacy policy if I have a free Substack?
Yes. Even free Substack newsletters collect email addresses and track engagement metrics. Under GDPR, collecting any personal data requires a privacy disclosure regardless of whether money changes hands.
How do Substack Notes affect my privacy obligations?
Substack Notes creates additional public interactions including likes, reposts, and comments. Your privacy policy should mention that Notes activity is publicly visible and that engagement data from Notes may be tracked.
Where should I put my Substack privacy policy?
Link your privacy policy on your Substack About page, in your welcome email, and optionally in your newsletter footer. You can host the full policy on a separate page or link to it from your Substack settings.