
Substack

Newsletter publishing platform. Free to publish, 10% commission on paid subscribers. Built-in social network and recommendation algorithm.

Adequate
https://substack.com Reviewed 2026-04-02 Editorial assessment by Mike Schneider — not an independent security audit

What should journalists know about Substack?

Substack made newsletter publishing accessible, and over 5 million paid subscriptions prove the model works. The economics are clear: free until you charge, then 10% forever. That 10% gets expensive fast — a writer earning $100K/year pays Substack $10K plus ~$3K in Stripe fees, while Ghost or Buttondown would cost under $1K/year for the same list size. What you get for that 10%: a recommendation algorithm, a built-in social network (Notes), an app with 47+ million monthly visitors, and zero infrastructure management. The tradeoff is real platform dependency. Substack controls your email deliverability, app distribution, and algorithmic visibility. The 2024 Nazi content controversy revealed something deeper: Substack's co-founders view themselves as free-speech absolutists, and that philosophical commitment shapes moderation decisions. Nearly 1,000 creators migrated to Beehiiv in Q1 2025 alone. High-profile departures include Alison Roman (343K subscribers, moved to Ghost) and Anne Helen Petersen (moved to Patreon). The counter-argument: Substack's network effects remain unmatched for discovery, and the subscriber export works — you can leave with your email list. You just can't take the algorithm with you.

Best for

Solo journalists launching an independent newsletter with zero upfront cost. Writers who want built-in discovery and are willing to trade revenue share for network effects. Reporters whose audience skews toward the Substack app's engaged reader base.

Not for

Publications earning $50K+ in annual subscription revenue — the 10% cut becomes hard to justify vs. flat-fee alternatives. Journalists who need API access, webhooks, or custom integrations (Brad Hargreaves left for Ghost specifically for this). Writers who object to Substack's content moderation philosophy. Organizations that need white-label branding without Substack's identity.

Security & Privacy

Encryption in transit: Yes

Data is scrambled while being sent to their servers

Encryption at rest: Yes

Data is scrambled when stored on their servers

Data jurisdiction: United States. Substack Inc. is headquartered in San Francisco. Data processed and stored on US infrastructure via AWS and Cloudflare. No EU data residency option.

Where servers are located — affects which governments can request your data

Security rating: Adequate

Privacy policy summary

Substack collects account data, reading behavior, IP addresses, device identifiers, and payment information via Stripe. Direct messages are not end-to-end encrypted — Substack personnel can access them. The platform uses first-party analytics (visit tracking, anonymous IDs) and third-party trackers including Google, Facebook, Parse.ly, FullStory, and Datadog. When you subscribe to a publication, Substack shares your name and email with the writer. Substack now shares data with generative AI service providers (added to privacy policy). Privacy Watchdog scored Substack 40/100 (grade C), citing subscriber data used for network recommendations. Contact syncing uploads hashed email addresses and phone numbers from your address book. Account deletion removes posts but public content 'may remain available' and Substack cannot guarantee removal from backups.

How to protect yourself:

Export your subscriber list regularly — CSV export includes emails, subscription dates, status, and plan type. Use a custom domain so your URL is portable if you migrate. Back up all posts via Settings > Exports. Understand that Substack controls email deliverability and app algorithmic placement. Ghost, Beehiiv, and Buttondown all accept Substack imports. Do not use Substack DMs for sensitive communications — they are not encrypted. Disable contact syncing if you don't want address book data uploaded. Test a migration path before your list gets too large to move.

Standard web platform security with TLS and encrypted storage. The risk is not data breach — it is platform dependency and data practices. Substack controls email deliverability, app distribution, and algorithmic visibility. DMs are not end-to-end encrypted. The privacy policy now includes data sharing with AI service providers. Subscriber data is exportable (emails, dates, status), which is the critical safety valve. The real question for journalists is not security but governance: Substack can terminate any writer at any time, and its content moderation philosophy has proven divisive. For journalists covering sensitive topics, the lack of encrypted messaging and the platform's data collection (IP, device, reading behavior, contact syncing) warrant caution.

Who Owns This

Owner: Substack Inc. (United States). Co-founded in 2017 by Chris Best (CEO, ex-Kik Messenger), Hamish McKenzie (ex-PandoDaily journalist), and Jairaj Sethi (ex-Kik engineer). All three studied or worked in Canada before relocating to San Francisco.

Funding: VC-funded. Raised ~$200M total: $2M seed (2018), $15.3M Series A (2019, Y Combinator), $65M Series B (2021, Andreessen Horowitz, valuation $650M), $100M Series C (July 2025, Bond and Chernin Group, valuation $1.1B). Other investors include Rich Paul (Klutch Sports), Jens Grede (Skims CEO). Reached positive cash flow in Q1 2025.

Business model: Platform takes 10% of all paid subscription revenue. At ~$450M in annualized gross writer revenue (2025), that generates ~$45M/year for Substack. No advertising revenue. Previously ran Substack Pro (advance payments to select writers, typically $10K–$300K+, in exchange for higher revenue share) — formally ended 2022 but custom deals reportedly still exist for high-profile writers. Substack does not disclose which writers have special arrangements. Notes and social features drive engagement and discovery but are not separately monetized.

Known issues

Content moderation controversy (2024): The Atlantic found 16+ newsletters with overt Nazi symbols on the platform. 247 Substack writers signed an open letter. Substack removed 5 of 6 flagged accounts but refused to change its content policy or proactively moderate extremist content. CEO Chris Best defended the stance as anti-censorship. This triggered a sustained writer exodus — nearly 1,000 creators moved to Beehiiv in Q1 2025. Alison Roman (343K subscribers) moved to Ghost in September 2025. Anne Helen Petersen moved to Patreon. Journalist Lyz Lenz cited bot subscribers tanking engagement while the algorithm prioritized 'rage, Nazis, transphobia, and conspiracies.' Separately: Substack's publisher agreement grants a 'worldwide, nonexclusive, sublicensable, royalty-free' license to use writer content for marketing. Substack can terminate any writer 'at any time, for any reason' and halt distribution at their discretion. Writers bear all refund obligations if they leave mid-subscription cycle. The platform's shift toward social features (Notes, app, recommendation engine) means Substack increasingly controls distribution in ways that mirror the social media platforms many journalists joined Substack to escape.

Pricing

Free to publish. Substack takes 10% of paid subscription revenue, plus Stripe processing fees (~2.9% + 30 cents). No monthly fee. No cap on free subscribers. Custom domain included at no cost.

This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.
