Transparency and protection for Substack writers

Thoughts on protecting our subscribers and ourselves & our newsletters from risks due to missing written policies and links

Why writers here on Substack should define their own terms of service (TOS) and other policies; how to do it; why Substack needs to include links to our custom policies in more places; and what we can do in the meantime to be more transparent with our readers and to protect ourselves.

Although this article is mostly of interest to Substack writers, I’m sharing it to all of my readers so you’ll know the background for some small changes you’ll see.

Note: I am not a lawyer and this article is not legal advice. If you have concerns about the risks discussed in this article, or other legal aspects of running a newsletter, consult a lawyer who is competent in your jurisdiction.

What’s The Problem?

Noemi Apetri 🇩🇰

caught my attention in February with her notes and articles pointing out an important gap: Substack’s “Terms of Service” do not protect us writers — they only protect Substack.

How to Protect your Substack Business

Why Does This Matter?

First reason: Being transparent with our readers about expectations, what we offer, and use of their data.

One sentiment I’ve heard repeatedly in my 50+ “AI, Software, & Wetware” interviews is that people want transparency from companies and people they interact with, especially about their data and how it will be used. Some folks also want transparency in whether AI was or is used in creating what we’re presenting for them to consume or use. (Long-time readers know I advocate that we all should write & share our AI usage policy; here’s mine.)

As publishers, we should write down what readers can expect from us (what we do & don’t do), and what we expect from them on our newsletter site — and we should make that information available to readers and subscribers.

I’ve been surprised a few times when a newsletter I subscribed to here was quietly migrated to a different email platform (like beehiiv or ghost). That means the email address I used to subscribe on Substack is now stored in another platform’s system. If you as a newsletter publisher are going to use subscribers’ addresses elsewhere, your custom Privacy policy ought to let people know that their email address will be used outside of Substack. People should be able to make informed decisions about whether they want those sites to have & host their information.

Second reason: Running a newsletter can be awesome but can also bring some potential headaches for newsletter publishers. Here are three.

1. Being sued by someone claiming they relied on your written advice on the site and were harmed by it. Noemi calls out this risk in her article “Protect your Substack, build on a solid foundation”.

2. A small percentage of people have maliciously started paid subscriptions with activists, just so they can then contest the charge through Stripe or their credit card issuer. Fraud allegations cost the writer valuable time to fight back - AND a penalty fee. As one example, Black writer

   Zuri Stevens
   was recently attacked by a coordinated activity exploiting this loophole to try to shut her down; see this article. But any of us could be unfairly penalized if someone made a mistake, or changes their mind, and they don’t bother or know how to unsubscribe or request cancellation properly. The root cause of this harm to writers clearly needs to be addressed. In parallel, though, we need to empower writers to better defend themselves from this kind of bad behavior. Most writers don’t make buckets of money or have excess time, and undeserved penalties bite.

3. Other writers have reported dealing with problems common to social media sites, such as people who are rude or inappropriate in comments on articles or Notes, or in subscriber chats. Substack’s policies on ‘free speech’ don’t preclude this. Many writers want their newsletters, notes, and chats to be safe places for ‘their people’ to engage. Most people in our communities behave well and are supportive, but some aren’t. We shouldn’t have to say in custom TOS that people need to be decent humans, yet here we are. Many writers have resorted to limiting comments and chats to subscribers only. Others are even regretfully paywalling their comments and chats, limiting them to paid subscribers only, to gain more control over troll volumes.

What Can We Do?

Substack’s policies don’t protect us from these (and likely other) problems. That’s understandable; their job is to protect the company. We need to protect ourselves. And it’s on us to meet our subscribers’ interests in transparency on the policies we control. So there are (at least) two parts to a solution.

Part One: DEFINING Custom Policies

As Noemi recommends, writers can define their own Terms of Service to mitigate these risks. Setting clear expectations for readers in our Publisher TOS may deter some bad behavior and will support writers in enforcing violations.

In the interests of transparency, I recommend also writing your own Privacy Policy (really a Privacy ‘Notice’).

If you’re interested in writing your own AI usage policy as well, feel free to take inspiration from mine and riff on it to reflect what you do & don’t choose to do.

Substack directly provides a mechanism in Settings for showing a Publisher’s custom TOS and Privacy policy to readers. They don’t provide a mechanism for additional policies like AI usage, but we can always put links to these additional policies in our custom TOS.

Part Two: SHOWING Custom Policies

Writing policies (‘notices’, really) is necessary, but not sufficient. We should also make sure people have a fair chance to see our Terms of Service before they subscribe or engage.

Custom Publisher policies are currently only shown in a few places in Substack, like in the tiny print footer of an article.

• Someone who subscribes, but can’t be proven to have read or seen an article, could claim they never saw the custom Terms of Service that spell out the Publisher’s terms, which may include their refund (or ‘no refund’) policy.

• Someone who comments, even in subscriber-only areas of the newsletter site, may claim they’re unaware of a Publisher’s custom policy barring abusive or inappropriate behavior in comments or chats.

Recent studies have proven that the vast majority of people, over 90%, never read websites terms and conditions. In some younger age brackets, the rate is over 94%. So yes, most people may not actually read our custom Publisher policies.

But logically, if not legally [I am not a lawyer], a writer’s position in the face of these kinds of challenges should be stronger when the publication’s policies have been written and presented. Whether people read our Publisher policies, or Substack’s, remains up to them and shouldn’t weaken our defensive position.

What Substack Offers

Substack provides some guidance on defining custom policies for newsletters (how, not what). That support article calls out two key limitations to be aware of:

1. If you publish your articles under your profile, and not from an official newsletter publication, you don’t currently have the option to define custom TOS for them. The URLs are your.substack.com/privacy and your.substack.com/tos. Those don’t work with a profile-based ‘newsletter’.

2. The article says that custom policies are only supported on the web at present - not in the Substack app. To address this, it recommends linking custom policies to your About page to display them in the app. I’ve checked in the app for the About pages for some newsletters I subscribe to. The article is correct that there are no policy links in footers - not even Substack’s. On the web, as of today, the About page already has both custom policy links in the footer, e.g.

   

   March 6, 2025 screen shot from karensmiley.substack.com/about footer, showing the links to my custom policies

Hopefully Substack will address these additional gaps soon.

How To Do Part One: Defining Custom Policies

Again, I am not a lawyer, but we shouldn't need to be one to protect ourselves. Thankfully,

Noemi Apetri 🇩🇰

didn’t just point out the problem; she shared some helpful tips. Look in the Privacy section of your newsletter Settings for these ‘Customize’ buttons:

Screen shot of the Privacy section of newsletter Settings, where the Publisher TOS and custom Privacy Policy can be customized

and follow Noemi’s tips on defining your Custom Terms of Service: “Protect your Substack, build on a solid foundation”.

Protect your Substack, build on a solid foundation.

Noemi is also now piloting a tool she created to help writers define their own custom Terms of Service. (I’m one of the lucky pilot users - looking forward to trying it out!)

How To Do Part Two: Showing Custom Policies

While creating my own TOS and testing where my Publisher policy links show up, I noticed 3 related gaps in the Substack UI.

1. Post Footers

Substack links the custom Publisher TOS at the bottom of posts (see example below). But they do not link custom privacy policies. Here’s an example post footer:

Example screen shot from footer of an article published on sixpeas.substack.com, showing the Substack TOS and Privacy links and the Publisher TOS link that Substack embeds. There is no link to my custom Privacy Policy.

2. Welcome Page and Subscribe ‘Embed’

Below is what the Substack-provided ‘embed’ shows on the welcome page for my AI6P newsletter. (We can also put this embed on our own websites if we wish.)

Screen shot of the Substack-provided subscribe ‘embed’ that is on my Welcome page. It has Substack’s 3 links, but neither of mine.

Only the Substack TOS and privacy policy are included. My TOS and privacy policy are not. Check the welcome pages on your publications (your.substack.com/welcome) … you’ll likely see the same thing. (If you do see your custom policy links, let me know!)

WE don’t control the links in the subscribe embed. Substack fully controls the format and content of the embed and the welcome page. The embed incorporates only a few Settings we can control (an image, visibility of a few texts defined elsewhere in Settings, and custom ‘skip’ text). For the welcome page, Substack also uses a Setting for whether to show recommendation blurbs.

Example showing Settings controls for Welcome pages: an optional image, whether to show name or short description (defined elsewhere), and optional custom ‘skip button’ text. That’s it.

I opened a support ticket on March 6 through Substack’s support bot to ask Substack to include links to our custom TOS and custom Privacy Policy in the embeds.¹

ASK: If you also care about fixing this gap — missing links for Publisher policies — please boost this message and tag humans who can help prioritize it. It should be quick for them to fix.

I’ll post an update here if I hear back from the support team about this concern.

3. Other Subscribe Buttons and Pages

On further investigation after making the support request, I realized that the Subscribe button we can insert in articles also has no policy links, e.g.:

How the Subscribe button in a newsletter article looks to a non-subscriber. No policy links (publisher or Substack).

This would be ok if the policy links are shown on the page the ‘Subscribe now’ buttons take you to. They aren’t. This Subscribe button, and the one at the top right of the UI for an article page, brings up the your.substack.com/subscribe page. That page also doesn’t have the policy links; it just prompts you to choose a plan. If you choose Free, you’re done - no policy links.

When choosing a paid subscription, the page prompts for a credit card and has a Subscribe button - again, no policy links. I’m not sure if that’s the end of the flow at present? (If you’ve done this recently and know, or can test it, please share!)

But Wait, There’s More!

The next day, I realized that there are also no links to Publisher TOS or Privacy Policy (or Substack policies, for that matter!) in these 2 additional places:

4. Comment dialogs

This is where readers add comments, at the end of posts or podcast episodes. (The “Leave a comment” button we can add to an article brings up a similar page view.) Here’s a screen shot showing what is visible on the article page (example) or its comment page (example), at the point of adding to discussion on an article:

Screen shot of the dialog box for commenting on a published article. No terms of service in sight, mine or Substack’s. They are WAY at the bottom of the post page.

The policies are only in small font in the post footer, well below this dialog. On posts with a lot of existing comments below the dialog, there’s a good chance a new commenter won’t notice those policy links. And on the main article page, Substack includes links to other recent articles by the author, which pushes the footer farther below the commenting point.

5. Newsletter chats

There are no Substack or Publisher links at the top or in the drop-down menu: the only options are Copy link, Pin, and Leave.

Screen shot of a newsletter chat dialog - no TOS or Privacy Policy links in sight here either.

What Substack Needs To Do

Substack needs to add these “missing links” in the UI (browser and app). Substack and Publisher terms of use / service and privacy links should be included:

• in post footers (Publisher TOS is there; Publisher Privacy policy is not),

• in the Subscribe widgets, Welcome page, and About page (app or browser)

• with Subscribe buttons and on Subscribe pages (however one gets there),

• right under the “Discussion about this episode” caption on a post, and

• at the top of a Subscriber chat window and/or under the “…” dropdown menu.

In short, anywhere that people can subscribe or engage with our newsletters, they ought to be shown our custom TOS and privacy links.

Not presenting our custom Terms of Service at signup or at engagement points makes it harder for readers to know what they’re agreeing to, and harder for writers to protect or defend themselves against these risks.

In the Meantime, What Can We Do?

I recommend writing custom policies and I’m working on mine. And here are 5 specific steps I’m taking to make them more visible for my own newsletters.

• Add my custom policy links in the custom TOS and in my newsletter email footers. [This is done; so if you’re an email subscriber, you’ll see the links in the footer of this article’s email.]

  • Go to your.substack.com/publish/settings/preamble to define your headers and footers

• Add my custom policy links to the “homepage links” that are shown on my newsletter home pages. [I already link my AI policies here, so TOS and privacy seem like natural additions.]

  • Go to https://your.substack.com/publish/settings/homepage_links to edit the list of links

    

    Screen shot of the Homepage links option in publication Settings

• Create a special thread with links to my Publisher TOS and Privacy Policy, and pin it at the top of my Subscriber Chat. (Will do after this article goes out.)

• Add my custom policy links to my publication About pages. (Needed for visibility in the app, at least for now.)

  • Go to your.substack.com/about to edit the page (1, 2)

• On my new author website, add my policy links under Subscribe buttons and Substack’s ‘embed’ widgets. I’ll also include links to Substack’s policies. This will help to ensure people are presented with the links before they sign up. (Site will be going live soon, hopefully this month.)

For #5, I’m taking the opportunity to highlight on my website other policies I’ve created for my newsletters, i.e. on AI images, AI usage, and Donations. Here’s a mockup from my website test page with two potential “missing link” formats:

Mockup of two options I’m considering for adding custom Publisher policy links below my newsletter subscribe buttons. The second option includes links to my AI policies. The first doesn’t. (Button is via substackapi.com)

Which do you prefer - option 1 without, or option 2 with, the AI policy links?
Any other feedback?

Your Thoughts?

Those are my ideas on protecting ourselves and handling the “missing links”. What do you think of them, or what advice do you have?

1

My conversation on March 6 with substack.com/support about the ‘missing links’:

powered by decagon.ai

The welcome page for a publication does not include telling the new subscriber that they are consenting to the custom Publisher Terms of Service and Privacy Policy - only Substack policies. This needs to be fixed ASAP. Otherwise newsletter writers are vulnerable to subscribers who cancel and claim they were not notified of the publisher's terms..

The Welcome page is automatically created with standard elements, and while some aspects can be customized, the consent notifications cannot be modified.

Your custom Terms of Service and Privacy Policy are displayed in the footer of your posts and accessible via dedicated URLs (read more).

Would you like me to explain how to set up your custom Terms of Service and Privacy Policy?

No, I already have them set up. My point is that links to MY Terms of Service and MY Privacy Policy need to be included on the Welcome page automatically, just like in the footer of my posts. This affects all writers who define their own terms. Please open a ticket to get that fixed.

Got it! I've sent this conversation to our team of specialists. If this is about a payment or another urgent issue, you'll hear back from us within a few days. Otherwise please note that due to incoming volume, we aren't able to guarantee a timely response.

Anywhere that people can subscribe, they ought to be shown those links.

Please know our support team is working on responding as quickly as possible and will reach out to you with a response via email as soon as they can! We don't yet support live chat from here.

---

If you found this article helpful, please heart, restack, or share it so others can benefit too!

Comments

[🎈Noemi Apetri 🎈]

What an article! I love how deep you went in your research. Thanks for referencing my article. That’s very kind! I have one comment after reading this piece. It is common practice for websites to have TOS in the bottom footer and that’s about it. I do get your point, especially relating to the subscribe button and the Substack App. Following your additional recommendations would make Substack publications more thorough than All the big social media platforms 😛