For our Publishers, Substack generally considers itself to be the data processor as we process personal personal data on behalf of the controller who we’ve provided tools and features to control and determine their relationship with their subscribers.
We’ve done this in a few ways: (i) Publishers maintain a direct relationship between themselves and their readers; (ii) Publishers have the ability, through several settings and features, to moderate their reader’s comments and reactions; (iii) Publishers have the ability to import custom reader/subscription lists, (iv) Publishers have the ability to export these reader/subscription lists at any time; and (v) Publishers have the ability to communicate with their readers/subscribers off Substack. Substack Publishers are the data controllers of that audience, and they should ensure that they are in compliance with applicable Data Regulations.
In other instances, Substack may be the controller of personal data where we are responsible for determining the purposes and means of the processing of personal data. Specifically, this includes instances where we may collect personal data outside, and independent, of the relationship between a Publisher and their readers/subscribers. Where Substack is the controller, our use of that data will be used as provided in our Privacy Documents.