Documents
CCPA Policy
California Privacy Notice
Last updated: July, 2023
This California Privacy Notice is an important part of Substack’s Privacy Policy. While the framework used here is based in the provisions of the California Consumer Privacy Act of 2018 (“CCPA”), we provide the rights described here to all our users. If you are a California resident, please note that the processing of certain personal data about you may be subject to the California Consumer Privacy Act (“CCPA”) and other applicable California state privacy laws. Any capitalized terms not defined in this California Privacy Notice have the same meaning given to them in our Privacy Policy, Terms of Use, and/or the CCPA.
Your Privacy Rights
Individual Rights
The CCPA provides California consumers with several individual rights with respect to Personal Information. Note that these rights apply to individual consumers, not to companies. This section describes those rights in detail and provides information on how to exercise them.
Exercising Your Rights
To exercise any of the rights described in this section, please contact us at [email protected] with (i) a complete description of your request, including the specific right(s) you wish to exercise and (ii) sufficient information about you so we can confirm that your request is a verifiable customer request, including at a minimum your name and email address. Once we have received your verifiable consumer request, we will respond consistent with applicable law.
You may also make a request by mail by sending the information specified above to:
Substack CCPA Requests
111 Sutter Street, 7th Floor
San Francisco, CA, 94104
Please note that you may also designate an authorized agent to make a request on your behalf. In order for us to process a request from your authorized agent, we must (i) confirm that the agent is a natural person or business entity registered with the Secretary of State that you have authorized to act on your behalf, (ii) receive from you a copy of the written authorization that provides the authorized agent to act on your behalf, and (iii) verify your identity by asking you to provide us sufficient information in order to do so.
Using Your Substack Account to Exercise Privacy Rights
If you have an account with us, you may also access, edit, or delete much of the Personal Information we have collected about you through your account settings. Please review our Privacy Policy, in the section titled “What Personal Information can I access?,” for more details.
Your Right to Know
You have a right to know what Personal Information we have collected about you, including details about the nature of the information, the purpose for which it was gathered, and how we disclose that information to others.. We provide that information here in our CCPA policy as well as in our privacy policy.
Access and Data Portability Rights
You have a right to request information about our collection, use, and disclosure of your Personal Information over the prior 12 months, and ask that we provide you with the following information:
Categories of and specific pieces of Personal Information we have collected about you.
Categories of sources from which we collect Personal Information.
Purposes for collecting, using, selling, or sharing Personal Information.
Categories of third parties to which we disclose Personal Information.
Categories of Personal Information disclosed about you for a business purpose.
If applicable, categories of Personal Information sold or shared about you and the categories of third parties to which the Personal Information was sold or shared, by category or categories of Personal Information for each third party to which the Personal Information was sold or shared.
Your Deletion Rights
You have the right to request that we delete the Personal Information that we have collected about you, subject to certain exceptions.
Your Right to Correct Inaccurate Personal Information
If we maintain Personal Information about you that is inaccurate, you have the right to see that inaccurate information corrected.
Your Right to Limit Use and Disclosure of Sensitive Personal Information
In some cases, you have the right to limit our use of your Sensitive Personal Information, so that we are only able to use that information as is necessary to provide our services. At this time, we only use your Sensitive Personal Information as is necessary to provide our services.
Your Right to Opt Out
You have the right to opt out of the sale of your Personal Information and the sharing of your Personal Information for the purpose of cross-context behavioral advertising. Were we ever to sell Personal Information or share it for cross-context behavioral advertising, we would provide information on our opt out process here.
Your Non-Discrimination Rights
You have the right not to receive discriminatory treatment for the exercise of your rights under the CCPA.
Publicly Available and Public Interest Information
The rights and disclosures in this notice do not apply to Publicly Available Information or to lawfully obtained, truthful information that is a matter of public concern. Please note that you may choose to use our services to release Personal Information to the general public, in which case it may become Publicly Available Information.
Information Collection Notice and Disclosures
No Sale of Personal Information
We do not sell your Personal Information, and we do not share your information with third parties for the purpose of cross-context behavioral advertising.
Our Use of Sensitive Personal Information
We do not use or disclose Sensitive Personal Information for any purpose other than the purpose(s) for which that information is collected.
Sensitive Personal Information Collected
Details on the Sensitive Personal Information that we collect, or have collected in the last 12 months, follow below:
Category: Account login information
We collect: The log-in details (username together with password) that you select for your Substack account
Purpose(s): To create, maintain, customize, and secure your account with us
How long we keep the information: For as long as your account is active with us
How we disclose this information: We do not disclose this information
Source(s): You
Category: Credit card information
We collect: Your credit card number, expiration date, and security code
Purpose(s): To process your requests, purchases, transactions, and payments and prevent transactional fraud
How long we keep the information: For as long as your account is active with us
How we disclose this information: To the service providers we use in providing our service
Service Providers that process this information: payment processing service providers
Source(s): You
Please note that CCPA “Sensitive Personal Information” is different from the “special categories of personal data” addressed under the EU’s GDPR. We do not intentionally collect any of the GDPR special categories of personal data — such as government identification numbers, information on racial or ethnic origin, political opinions, genetic data, biometric data, or health data — from or about our users.
Other Personal Information Collected
The list below describes the category of Personal Information we collect, or have collected in the last 12 months:
Category: Identifiers
We collect: Your name; IP address; email address; Twitter handle (if provided); Google account information (if provided)
Purpose(s): To provide, support, and develop our website, products, and services; to create, maintain, customize, and secure your account with us; to process your requests, purchases, transactions, and payments and prevent transactional fraud; to directly respond to your requests or inquiries, including to investigate and address your concerns and monitor and improve our responses, or to otherwise meet the reason for which you provided the information; to help maintain the safety, security, and integrity of our website, products and services, databases and other technology assets, and business; to communicate with you about our products and services
How long we keep the information: We keep most identifiers for as long as you maintain your account with us, however, IP address information is retained only for a limited time consistent with our evolving security needs
How we disclose this information: To the Publishers you subscribe to (email address only); to the service providers we use in providing our service; to other Substack users consistent with your account privacy settings
Service Providers that process this information: email, hosting, payment processing, security, customer support software, cloud storage and computing, and analytics service providers
Source(s): You; automatic collection (IP address only); Substack writers who migrate subscribers to our platform (email address only)
Category: Customer Record Information
We collect: Your name; your email address; your user bio; your subscriptions, unsubscriptions, and related metadata; your settings and preferences with our service; reactions you submit to posts and comments (“likes”), user comments and related metadata; user profile information; and publication and authorship information. For Publishers, we may also collect information on city or country of residence and mailing address.
Purpose: To provide, support, and develop our website, products, and services; to create, maintain, customize, and secure your account with us; to process your requests, purchases, transactions, and payments and prevent transactional fraud; to directly respond to your requests or inquiries, including to investigate and address your concerns and monitor and improve our responses, or to otherwise meet the reason for which you provided the information; to help maintain the safety, security, and integrity of our website, products and services, databases and other technology assets, and business
How long we keep the information: For as long as you maintain an account with us
How we disclose this information: to the Publishers you subscribe to (email address, subscription information, and comments information only); to the service providers we use in providing our service; to other Substack users consistent with your account privacy settings
Service Providers that process this information: email, hosting, payment processing, security, customer support software, cloud storage and computing, and analytics service providers
Source(s): You; Twitter (if you connect your account)); Google (if you connect your account)
Category: Commercial information
We collect: Records of products/services purchased by you on the Website
Purpose: to provide, support, and develop our website, products, and services; to process your requests, purchases, transactions, and payments and prevent transactional fraud; to directly respond to your requests or inquiries, including to investigate and address your concerns and monitor and improve our responses, or to otherwise meet the reason for which you provided the information; to communicate with you about our products and services
How long we keep the information: For as long as you maintain an account with us or in order to comply with a legal obligation.
How we disclose this information: To our service providers
Service Providers that process this information: hosting, payment processing, security, customer support software, cloud storage and computing, and analytics service providers
Source(s): You
Category: Internet or other network activity
We collect: Browsing history, search history, and interaction data on your use of our Website and from links in Substack emails
Purpose: To provide, support, and develop our website, products, and services; to create, maintain, customize, and secure your account with us; to process your requests, purchases, transactions, and payments and prevent transactional fraud; to directly respond to your requests or inquiries, including to investigate and address your concerns and monitor and improve our responses, or to otherwise meet the reason for which you provided the information; to help maintain the safety, security, and integrity of our website, products and services, databases and other technology assets, and business; to communicate with you about our products and services.
How long we keep the information: When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it.
How we disclose this information: To our service providers
Service Providers that process this information: hosting, payment processing, security, customer support software, cloud storage and computing, and analytics service providers
Source(s): You; automatic collection
Category: Geolocation data
We collect: Your IP address
Purpose: To provide, support, and develop our website, products, and services; to create, maintain, customize, and secure your account with us; to process your requests, purchases, transactions, and payments and prevent transactional fraud; to help maintain the safety, security, and integrity of our website, products and services, databases and other technology assets, and businessHow long we keep the information: for a limited time consistent with our evolving security needs.
How we disclose this information: To our service providers
Service Providers that process this information: hosting, payment processing, security, cloud storage and computing, and analytics service providers
Source(s): You; Automatic collection (see our Privacy Policy for more information on tracking technologies we use for automatic data collection)
Please see our Privacy Policy for more information on tracking technologies we use for automatic data collection. We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing notice.
Compliance, Internal, and Extraordinary Disclosures of Personal Information
We may further disclose each category of Personal Information to our affiliates, to our professional advisors, in connection with our compliance and protection activities, and in connection with business transfers as described in our Privacy Policy.
Finally, we disclose the Personal Information we collect where we have a legal obligation to do so, or where a disclosure is necessary to maintain the security or integrity of our services (in either case, an “Extraordinary Disclosure”). In the last 12 months, we have made the following kinds of Extraordinary Disclosures: Personal Information, available on our platform, such as individual name, email, and IP address in compliance with legal directives by Federal Agencies and Courts of Law.
Category of Extraordinary Disclosure: DMCA complaint information
Recipient(s): Senders of copyright notices; recipients of copyright notices
Categories: Identifiers; Customer Record Information
Reason: The notice and takedown provisions of the United States’ Digital Millennium Copyright Act require us to provide a copy of any counter-notification received under our Copyright Dispute Policy to the party that sent the copyright notice.
Category of Extraordinary Disclosure: Court ordered disclosures
Recipient(s): Law enforcement
Categories: Identifiers
Reason: Substack responds to valid court orders consistent with our legal obligations and, wherever possible, with notice to the identified user(s).
Changes to this California Privacy Notice
We may amend or update this California Privacy Notice at any time. When we make changes to this California Privacy Notice, we will post the updated notice on the Website and update the California Privacy Notice effective date at the top of the page.
Contact Us
You may contact us with questions, concerns, or privacy requests by emailing us at [email protected].
