Substack
Legal Bases for AI
The policy explicitly mentions 'generative AI services' and 'automated systems' for profiling, content flagging, and scanning direct messages, indicating clear disclosure of AI usage.
Such third parties further include, but are not limited to, providers of: ... generative AI services;
We may use the information we collect to profile you in order to suggest content on our platform that is relevant to your interests.
We also use automated systems to help flag content that may violate our Content Guidelines or our Terms of Use.
We may also use automated means to ensure the safety of direct messaging content, including scanning for spam, malicious content, and child abuse material.
Providing generative AI services through third-party service providers.
generative AI services;
Profiling users to suggest content relevant to their interests.
We may use the information we collect to profile you in order to suggest content on our platform that is relevant to your interests.
Suggesting content on the platform based on user profiling.
We may use the information we collect to profile you in order to suggest content on our platform that is relevant to your interests.
Using automated systems to flag content that may violate content guidelines or terms of use.
We also use automated systems to help flag content that may violate our Content Guidelines or our Terms of Use.
Automated scanning of direct messages for spam, malicious content, and child abuse material.
We may also use automated means to ensure the safety of direct messaging content, including scanning for spam, malicious content, and child abuse material.
The policy explicitly discusses 'Automated individual decision-making, including profiling' and states that user information is used to profile them for content suggestions. Additionally, automated scanning of direct messages for various types of content represents a significant privacy impact, even with human review for final moderation decisions.
The policy describes the *usage* of personal data for profiling and automated systems but does not explicitly state that personal data is used for *training* AI/ML models.
The policy describes the *usage* of user interactions for profiling and automated systems but does not explicitly state that these interactions are used for *training* AI/ML models.
The policy mentions automated systems flagging content, which could include public content, but does not explicitly state that public content is used for *training* AI/ML models.
While third-party generative AI services are used, the policy does not explicitly state that data is shared with these third parties specifically for the purpose of *training* their AI models.
Substack demonstrates strong privacy practices with a comprehensive policy, explicit support for GDPR and CCPA, and a dedicated privacy contact. While data collection and sharing are extensive due to the platform's nature (e.g., with Creators and other users), these practices are clearly disclosed. The primary area for improvement is the absence of a self-service data request form.
Recommended Actions
Carefully review Substack's privacy policy, especially sections on data sharing with Creators and other users, to understand how your information is utilized.
Actively manage your privacy settings and personal information through your account settings to control what is visible or shared.
For specific data access or deletion requests, contact privacy@substackinc.com directly, as there is no self-service form available.
Be mindful of the content shared in direct messages, as this data is collected and subject to the privacy policy.