Substack is a US newsletter and online publishing platform that lets writers, journalists, and creators publish paid and free newsletters, podcasts, and notes. Substack embeds such as the subscribe form, post embeds, and the Notes widget can be added to third-party websites and load JavaScript and cookies from substack.com and substackcdn.com. The platform is hosted on AWS in the United States behind Cloudflare and integrates with Stripe for paid subscriptions. From a GDPR and ePrivacy perspective, embedding Substack widgets requires prior consent, transparent disclosure in the privacy policy, and a documented framework for data transfers to the United States based on Standard Contractual Clauses.
Substack is a newsletter and online publishing platform founded in 2017 and headquartered in San Francisco, United States. It enables writers, journalists, podcasters, and creators to publish free and paid newsletters, host podcasts, and share short-form posts through the Notes feature. Substack handles email delivery, hosting of publication pages, payment processing through Stripe for paid subscriptions, and audience analytics. Publishers can also embed a subscribe form, a single post embed, or the Notes widget on third-party websites, which causes the visitor's browser to load scripts and set cookies from substack.com and substackcdn.com.
When a Substack embed loads on a website, the visitor's browser establishes a direct connection with substack.com and substackcdn.com and may receive cookies such as substack.sid and connect.sid for session and authentication, AWSALB for AWS load balancing, and __cf_bm for Cloudflare bot management. Substack also receives the page URL, the IP address, the user agent, and any data the visitor submits in the subscribe form, typically an email address. Newsletter emails sent through Substack include a tracking pixel and rewritten links that record opens and clicks, which constitutes monitoring of subscriber behaviour. Together, these elements qualify as personal data under Art. 4(1) GDPR.
Because Substack embeds write and read cookies that are not strictly necessary to deliver a service explicitly requested by the user, Art. 5(3) of the ePrivacy Directive requires prior informed consent before the embed is loaded. The same logic applies to email tracking pixels, which are addressed by EDPB Guidelines 03/2022 on deceptive design and recital 32 of the ePrivacy Directive. The website operator and Substack act as independent controllers for distinct processing operations, and the operator remains responsible for lawfulness toward visitors under Art. 5 and Art. 26 GDPR. For paid subscriptions, the contractual relationship is between Substack and the subscriber, but the publisher must still inform subscribers about the data flow and the role of Stripe as payment processor.
Substack subscribe forms, post embeds, and the Notes widget must be blocked by default and only loaded after the visitor gives valid consent through a consent management platform. Consent must be freely given, specific, informed, and unambiguous, and it must be as easy to refuse as to accept. The consent banner should explicitly mention Substack, the categories of data collected, the transfer to the United States, and the retention period. A separate consent or opt-in tick box is needed for the actual newsletter signup, in line with Art. 7 GDPR and national implementations of the ePrivacy Directive such as the German TDDDG or the French Data Protection Act.
Substack Inc. is based in California and hosts subscriber data on AWS infrastructure in the United States behind Cloudflare. Personal data of EU and UK residents is therefore transferred outside the European Economic Area. Transfers rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR, and in many cases on the EU-US Data Privacy Framework when Substack and its sub-processors are certified. Controllers should perform a Transfer Impact Assessment that addresses US surveillance laws such as FISA 702 and Executive Order 12333, document supplementary measures, and keep evidence in the record of processing activities under Art. 30 GDPR.
To use Substack lawfully on a website targeting EU users, block all Substack embeds before consent, deploy a consent management platform with a granular Substack toggle, and disclose Substack as a recipient and processor in the privacy policy together with the legal basis, retention period, and transfer mechanism. Sign or accept the Substack Data Processing Addendum where applicable, document Standard Contractual Clauses and the Transfer Impact Assessment, and review cookie inventories at least annually. For paid subscriptions, link to the Substack and Stripe privacy notices and ensure that marketing emails respect the right to object and to withdraw consent at any time.
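The "block before consent, load after consent" step above, as an added example that is not FlowConsent's or Substack's own code. It assumes the embed markup has been rewritten so the iframe or script carries a `data-src` attribute instead of `src` (so the browser fetches nothing from Substack until the CMP grants the hypothetical "substack" purpose), and it reuses the domain patterns from the "Third-party domains contacted" list to make sure the toggle only activates Substack resources; the same matcher doubles as an audit of hosts contacted before consent.

```javascript
// Added example (not code from the page, Substack, or FlowConsent).
// Domain patterns as listed on the page under "Third-party domains contacted".
const SUBSTACK_DOMAIN_PATTERNS = [
  "substack.com",
  "*.substack.com",
  "substackcdn.com",
  "bucketeer-*.s3.amazonaws.com",
];

// Turn a glob-style host pattern into a RegExp; "*" matches one DNS label.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, "[^.]*");
  return new RegExp(`^${escaped}$`, "i");
}

function isSubstackHost(host) {
  return SUBSTACK_DOMAIN_PATTERNS.some((p) => patternToRegExp(p).test(host));
}

// Audit helper: given hostnames the browser contacted before any consent
// (e.g. from a HAR export or performance entries), return the Substack ones.
function preConsentLeaks(observedHosts) {
  return observedHosts.filter(isSubstackHost);
}

// Activate blocked Substack embeds once consent is granted. `root` is the
// document (or a test double exposing querySelectorAll) and `consent.substack`
// is the CMP's granted flag for the assumed "substack" purpose.
// Returns the number of embeds activated.
function activateSubstackEmbeds(root, consent) {
  if (!consent || consent.substack !== true) return 0;
  let activated = 0;
  for (const el of root.querySelectorAll("iframe[data-src], script[data-src]")) {
    const src = el.getAttribute("data-src");
    let host;
    try {
      host = new URL(src).hostname;
    } catch {
      continue; // malformed URL: leave it blocked
    }
    if (!isSubstackHost(host)) continue; // another vendor's toggle, not ours
    el.setAttribute("src", src); // this is the point the browser first contacts Substack
    el.removeAttribute("data-src");
    activated++;
  }
  return activated;
}
```

Hooking `activateSubstackEmbeds(document, consent)` to the CMP's consent-change callback, and running `preConsentLeaks` over a pre-consent capture during the annual cookie review, covers both the blocking and the inventory check described above.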
Websites using Substack must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Substack is the primary newsletter and audience platform for a controller targeting EU residents, given the systematic collection of email addresses, subscription data, and engagement metrics combined with cross border transfers to the United States. The assessment should cover the legal basis for marketing communications, retention of subscriber records, profiling through open and click tracking, the use of Stripe for paid plans, and supplementary measures around AWS hosting and Cloudflare in line with EDPB Recommendations 01/2020.
Sample consent text
This page includes a Substack subscribe form that loads content from substack.com and substackcdn.com and sets cookies for session, authentication, and bot protection. Your email address and engagement data will be processed by Substack Inc. in the United States. Do you accept the loading of Substack embeds?
Third-party domains contacted
- substack.com
- *.substack.com
- substackcdn.com
- bucketeer-*.s3.amazonaws.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| substack.sid | HTTP cookie | Session | Session and authentication cookie for Substack publishers and subscribers, used to keep users signed in to substack.com and to identify the current session when an embed is loaded. |
| connect.sid | HTTP cookie | Session | Express.js session identifier set by the Substack backend to maintain the server side session state when interacting with substack.com and with Substack embeds. |
| substack_email | Tracking pixel and cookie | Up to 2 years | Email tracking identifier set when a recipient opens a newsletter email or clicks a rewritten link, used by Substack to measure opens, clicks, and subscriber engagement. |
| __cf_bm | HTTP cookie | 30 minutes | Cloudflare bot management cookie placed in front of substack.com to distinguish humans from automated traffic and protect the service from abusive bots. |
| AWSALB | HTTP cookie | 7 days | AWS Application Load Balancer stickiness cookie that routes the visitor requests to the same backend instance for the duration of a session. |
A Substack subscribe form, post embed, or Notes widget typically sets substack.sid and connect.sid for session and authentication, AWSALB for AWS Application Load Balancer stickiness, and __cf_bm for Cloudflare bot management. The embed also exposes the visitor IP address, user agent, and page URL to substack.com and substackcdn.com.
Yes. Substack embeds set cookies that are not strictly necessary, so Art. 5(3) of the ePrivacy Directive requires prior informed consent. The embed must be blocked by default and only loaded once the visitor has accepted through a consent management platform that explicitly mentions Substack and the transfer to the United States.
For embeds and marketing newsletters, the legal basis is consent under Art. 6(1)(a) GDPR combined with Art. 5(3) ePrivacy. For paid subscriptions, processing of subscriber data is necessary for the performance of the subscription contract under Art. 6(1)(b) GDPR. Legitimate interest is generally not appropriate for marketing cookies or tracking pixels in newsletters.
Yes. Substack Inc. is based in San Francisco and stores subscriber data on AWS infrastructure in the United States behind Cloudflare. Transfers rely on Standard Contractual Clauses under Art. 46(2)(c) GDPR, complemented by the EU-US Data Privacy Framework where Substack and its sub-processors are certified, and must be documented in a Transfer Impact Assessment.
A DPIA is recommended whenever Substack is the primary newsletter and audience platform for EU residents, because it combines systematic collection of personal data, engagement profiling through open and click tracking, and international transfers. The DPIA should cover legal basis, retention, supplementary measures for US hosting, and the role of Stripe for paid subscriptions.
Block all Substack embeds before consent, configure a granular Substack toggle in your consent management platform, disclose Substack as recipient and processor in the privacy policy, document Standard Contractual Clauses and a Transfer Impact Assessment, and provide a clear opt-in for the newsletter itself. Honour withdrawal of consent and the right to object at any time.
Common alternatives include Beehiiv and ConvertKit for creator newsletters, Ghost as an open-source, self-hostable publishing platform, Mailchimp for general email marketing, and Buttondown for minimalist paid newsletters. Twitter Revue has been retired and is no longer available. Hosting region, default data flows, and DPA terms vary widely between providers and should be assessed before migration.
List Substack as a third-party recipient, name the cookies set by its embeds, indicate their duration and purpose, declare the transfer to the United States with the relevant safeguards, and link to the Substack privacy policy and cookie policy. If you use paid subscriptions, also mention Stripe as the payment processor and describe the legal basis for marketing emails.