Transparency and protection for Substack writers
Thoughts on protecting our subscribers and ourselves & our newsletters from risks due to missing written policies and links
Why writers here on Substack should define their own terms of service (TOS) and other policies; how to do it; why Substack needs to include links to our custom policies in more places; and what we can do in the meantime to be more transparent with our readers and to protect ourselves.
Although this article is mostly of interest to Substack writers, I’m sharing it to all of my readers so you’ll know the background for some small changes you’ll see.
Note: I am not a lawyer and this article is not legal advice. If you have concerns about the risks discussed in this article, or other legal aspects of running a newsletter, consult a lawyer who is competent in your jurisdiction.
What’s The Problem?
Noemi caught my attention in February with her notes and articles pointing out an important gap: Substack’s “Terms of Service” do not protect us writers — they only protect Substack.
Why Does This Matter?
First reason: Being transparent with our readers about expectations, what we offer, and use of their data.
One sentiment I’ve heard repeatedly in my 50+ “AI, Software, & Wetware” interviews is that people want transparency from companies and people they interact with, especially about their data and how it will be used. Some folks also want transparency in whether AI was or is used in creating what we’re presenting for them to consume or use. (Long-time readers know I advocate that we all should write & share our AI usage policy; here’s mine.)
As publishers, we should write down what readers can expect from us (what we do & don’t do), and what we expect from them on our newsletter site — and we should make that information available to readers and subscribers.
I’ve been surprised a few times when a newsletter I subscribed to here was quietly migrated to a different email platform (like beehiiv or ghost). That means the email address I used to subscribe on Substack is now stored in another platform’s system. If you as a newsletter publisher are going to use subscribers’ addresses elsewhere, your custom Privacy policy ought to let people know that their email address will be used outside of Substack. People should be able to make informed decisions about whether they want those sites to have & host their information.
Second reason: Running a newsletter can be awesome but can also bring some potential headaches for newsletter publishers. Here are three.
Being sued by someone claiming they relied on your written advice on the site and were harmed by it. Noemi calls out this risk in her article “Protect your Substack, build on a solid foundation”.
A small percentage of people have maliciously started paid subscriptions with activists, just so they can then contest the charge through Stripe or their credit card issuer. Fraud allegations cost the writer valuable time to fight back - AND a penalty fee. As one example, a Black writer was recently attacked by coordinated activity exploiting this loophole to try to shut her down; see this article. But any of us could be unfairly penalized if someone makes a mistake, or changes their mind, and doesn’t bother or know how to unsubscribe or request cancellation properly. The root cause of this harm to writers clearly needs to be addressed. In parallel, though, we need to empower writers to better defend themselves from this kind of bad behavior. Most writers don’t make buckets of money or have excess time, and undeserved penalties bite.
Other writers have reported dealing with problems common to social media sites, such as people who are rude or inappropriate in comments on articles or Notes, or in subscriber chats. Substack’s policies on ‘free speech’ don’t preclude this. Many writers want their newsletters, notes, and chats to be safe places for ‘their people’ to engage. Most people in our communities behave well and are supportive, but some aren’t. We shouldn’t have to say in custom TOS that people need to be decent humans, yet here we are. Many writers have resorted to limiting comments and chats to subscribers only. Others are even regretfully paywalling their comments and chats, limiting them to paid subscribers only, to gain more control over troll volumes.
What Can We Do?
Substack’s policies don’t protect us from these (and likely other) problems. That’s understandable; their job is to protect the company. We need to protect ourselves. And it’s on us to meet our subscribers’ interests in transparency on the policies we control. So there are (at least) two parts to a solution.
Part One: DEFINING Custom Policies
As Noemi recommends, writers can define their own Terms of Service to mitigate these risks. Setting clear expectations for readers in our Publisher TOS may deter some bad behavior and will support writers in enforcing violations.
In the interests of transparency, I recommend also writing your own Privacy Policy (really a Privacy ‘Notice’).
If you’re interested in writing your own AI usage policy as well, feel free to take inspiration from mine and riff on it to reflect what you do & don’t choose to do.
Substack directly provides a mechanism in Settings for showing a Publisher’s custom TOS and Privacy policy to readers. They don’t provide a mechanism for additional policies like AI usage, but we can always put links to these additional policies in our custom TOS.
Part Two: SHOWING Custom Policies
Writing policies (‘notices’, really) is necessary, but not sufficient. We should also make sure people have a fair chance to see our Terms of Service before they subscribe or engage.
Custom Publisher policies are currently only shown in a few places in Substack, like in the tiny print footer of an article.
Someone who subscribes, but can’t be proven to have read or seen an article, could claim they never saw the custom Terms of Service that spell out the Publisher’s terms, which may include their refund (or ‘no refund’) policy.
Someone who comments, even in subscriber-only areas of the newsletter site, may claim they’re unaware of a Publisher’s custom policy barring abusive or inappropriate behavior in comments or chats.
Recent studies have proven that the vast majority of people, over 90%, never read websites’ terms and conditions. In some younger age brackets, the rate is over 94%. So yes, most people may not actually read our custom Publisher policies.
But logically, if not legally [I am not a lawyer], a writer’s position in the face of these kinds of challenges should be stronger when the publication’s policies have been written and presented. Whether people read our Publisher policies, or Substack’s, remains up to them and shouldn’t weaken our defensive position.
What Substack Offers
Substack provides some guidance on defining custom policies for newsletters (how, not what). That support article calls out two key limitations to be aware of:
If you publish your articles under your profile, and not from an official newsletter publication, you don’t currently have the option to define custom TOS for them. The URLs are your.substack.com/privacy and your.substack.com/tos. Those don’t work with a profile-based ‘newsletter’.
The article says that custom policies are only supported on the web at present - not in the Substack app. To address this, it recommends linking custom policies to your About page to display them in the app. I’ve checked in the app for the About pages for some newsletters I subscribe to. The article is correct that there are no policy links in footers - not even Substack’s. On the web, as of today, the About page already has both custom policy links in the footer.
Hopefully Substack will address these additional gaps soon.
How To Do Part One: Defining Custom Policies
Again, I am not a lawyer, but we shouldn't need to be one to protect ourselves. Thankfully, Noemi didn’t just point out the problem; she shared some helpful tips. Look in the Privacy section of your newsletter Settings for these ‘Customize’ buttons, and follow Noemi’s tips on defining your Custom Terms of Service: “Protect your Substack, build on a solid foundation”.
Noemi is also now piloting a tool she created to help writers define their own custom Terms of Service. (I’m one of the lucky pilot users - looking forward to trying it out!)
How To Do Part Two: Showing Custom Policies
While creating my own TOS and testing where my Publisher policy links show up, I noticed 3 related gaps in the Substack UI.
1. Post Footers
Substack links the custom Publisher TOS at the bottom of posts (see example below). But they do not link custom privacy policies. Here’s an example post footer:

2. Welcome Page and Subscribe ‘Embed’
Below is what the Substack-provided ‘embed’ shows on the welcome page for my AI6P newsletter. (We can also put this embed on our own websites if we wish.)

Only the Substack TOS and privacy policy are included. My TOS and privacy policy are not. Check the welcome pages on your publications (your.substack.com/welcome) … you’ll likely see the same thing. (If you do see your custom policy links, let me know!)
WE don’t control the links in the subscribe embed. Substack fully controls the format and content of the embed and the welcome page. The embed incorporates only a few Settings we can control (an image, visibility of a few texts defined elsewhere in Settings, and custom ‘skip’ text). For the welcome page, Substack also uses a Setting for whether to show recommendation blurbs.

I opened a support ticket on March 6 through Substack’s support bot to ask Substack to include links to our custom TOS and custom Privacy Policy in the embeds. [1]
ASK: If you also care about fixing this gap — missing links for Publisher policies — please boost this message and tag humans who can help prioritize it. It should be quick for them to fix.
I’ll post an update here if I hear back from the support team about this concern.
3. Other Subscribe Buttons and Pages
On further investigation after making the support request, I realized that the Subscribe button we can insert in articles also has no policy links, e.g.:

This would be ok if the policy links are shown on the page the ‘Subscribe now’ buttons take you to. They aren’t. This Subscribe button, and the one at the top right of the UI for an article page, brings up the your.substack.com/subscribe page. That page also doesn’t have the policy links; it just prompts you to choose a plan. If you choose Free, you’re done - no policy links.
When choosing a paid subscription, the page prompts for a credit card and has a Subscribe button - again, no policy links. I’m not sure if that’s the end of the flow at present? (If you’ve done this recently and know, or can test it, please share!)
But Wait, There’s More!
The next day, I realized that there are also no links to Publisher TOS or Privacy Policy (or Substack policies, for that matter!) in these 2 additional places:
4. Comment dialogs
This is where readers add comments, at the end of posts or podcast episodes. (The “Leave a comment” button we can add to an article brings up a similar page view.) Here’s a screen shot showing what is visible on the article page (example) or its comment page (example), at the point of adding to discussion on an article:

The policies are only in small font in the post footer, well below this dialog. On posts with a lot of existing comments below the dialog, there’s a good chance a new commenter won’t notice those policy links. And on the main article page, Substack includes links to other recent articles by the author, which pushes the footer farther below the commenting point.
5. Newsletter chats
There are no Substack or Publisher links at the top or in the drop-down menu: the only options are Copy link, Pin, and Leave.
What Substack Needs To Do
Substack needs to add these “missing links” in the UI (browser and app). Substack and Publisher terms of use / service and privacy links should be included:
in post footers (Publisher TOS is there; Publisher Privacy policy is not),
in the Subscribe widgets, Welcome page, and About page (app or browser),
with Subscribe buttons and on Subscribe pages (however one gets there),
right under the “Discussion about this episode” caption on a post, and
at the top of a Subscriber chat window and/or under the “…” dropdown menu.
In short, anywhere that people can subscribe or engage with our newsletters, they ought to be shown our custom TOS and privacy links.
Not presenting our custom Terms of Service at signup or at engagement points makes it harder for readers to know what they’re agreeing to, and harder for writers to protect or defend themselves against these risks.
In the Meantime, What Can We Do?
I recommend writing custom policies and I’m working on mine. And here are 5 specific steps I’m taking to make them more visible for my own newsletters.
1. Add my custom policy links in the custom TOS and in my newsletter email footers. [This is done; so if you’re an email subscriber, you’ll see the links in the footer of this article’s email.]
   Go to your.substack.com/publish/settings/preamble to define your headers and footers
2. Add my custom policy links to the “homepage links” that are shown on my newsletter home pages. [I already link my AI policies here, so TOS and privacy seem like natural additions.]
   Go to https://your.substack.com/publish/settings/homepage_links to edit the list of links
3. Create a special thread with links to my Publisher TOS and Privacy Policy, and pin it at the top of my Subscriber Chat. (Will do after this article goes out.)
4. Add my custom policy links to my publication About pages. (Needed for visibility in the app, at least for now.)
5. On my new author website, add my policy links under Subscribe buttons and Substack’s ‘embed’ widgets. I’ll also include links to Substack’s policies. This will help to ensure people are presented with the links before they sign up. (Site will be going live soon, hopefully this month.)
For #5, I’m taking the opportunity to highlight on my website other policies I’ve created for my newsletters, i.e. on AI images, AI usage, and Donations. Here’s a mockup from my website test page with two potential “missing link” formats:

Which do you prefer - option 1 without, or option 2 with, the AI policy links?
Any other feedback?
Your Thoughts?
Those are my ideas on protecting ourselves and handling the “missing links”. What do you think of them, or what advice do you have?
[1] My conversation on March 6 with substack.com/support about the ‘missing links’:
powered by decagon.ai
The welcome page for a publication does not include telling the new subscriber that they are consenting to the custom Publisher Terms of Service and Privacy Policy - only Substack policies. This needs to be fixed ASAP. Otherwise newsletter writers are vulnerable to subscribers who cancel and claim they were not notified of the publisher's terms.
The Welcome page is automatically created with standard elements, and while some aspects can be customized, the consent notifications cannot be modified.
Your custom Terms of Service and Privacy Policy are displayed in the footer of your posts and accessible via dedicated URLs (read more).
Would you like me to explain how to set up your custom Terms of Service and Privacy Policy?
No, I already have them set up. My point is that links to MY Terms of Service and MY Privacy Policy need to be included on the Welcome page automatically, just like in the footer of my posts. This affects all writers who define their own terms. Please open a ticket to get that fixed.
Got it! I've sent this conversation to our team of specialists. If this is about a payment or another urgent issue, you'll hear back from us within a few days. Otherwise please note that due to incoming volume, we aren't able to guarantee a timely response.
Anywhere that people can subscribe, they ought to be shown those links.
Please know our support team is working on responding as quickly as possible and will reach out to you with a response via email as soon as they can! We don't yet support live chat from here.
What an article! I love how deep you went in your research. Thanks for referencing my article. That’s very kind! I have one comment after reading this piece. It is common practice for websites to have TOS in the bottom footer and that’s about it. I do get your point, especially relating to the subscribe button and the Substack App. Following your additional recommendations would make Substack publications more thorough than all the big social media platforms 😛