bsky.social privacy policy — score 55/100 (medium risk)

Último análisis

El contenido del informe (resumen, hallazgos, citas) se generó en inglés y no está localizado.

Ejecutar un nuevo análisis en otra política

Bluesky Social, PBC · bsky.app

Detalles del informe

medium riesgo

Bluesky collects broad behavioral data and stores your direct messages unencrypted, but earns points for refusing to sell your data for targeted ads and providing solid GDPR rights infrastructure.

Bluesky Social, PBC's privacy policy presents a mixed compliance profile. On the positive side, the company explicitly disclaims selling or sharing personal data for targeted advertising, has appointed both a Data Protection Officer and EU/UK representatives, and provides a detailed supplemental notice for EU/UK GDPR subjects. However, significant concerns remain: direct messages are stored unencrypted and accessible internally for 'Trust & Safety,' behavioral tracking extends to posts viewed and links clicked, retention periods are determined on a vague 'case-by-case' basis without specific timelines, the policy is entirely silent on AI/model training use of user data, and international transfer safeguards are described only in generic terms without specifying which SCCs or adequacy decisions are actually relied upon. No subprocessor list is provided. The decentralized, public-by-design architecture also means most user activity is inherently public.

Último análisis
FuenteURL
Longitud39,003 caracteres

Evaluación por categoría

Desglose de la política en las principales áreas de cumplimiento. Bueno = sólido, regular = mixto, deficiente = preocupante.

Data Minimizationfair

Collects behavioral data beyond what is strictly necessary—such as posts viewed and links clicked—though it avoids ad-targeting data collection.

Transparencyfair

The policy is detailed with jurisdiction-specific supplemental notices, but remains vague on retention timelines, subprocessor identities, and AI training use.

Third-party Sharingfair

Explicitly does not sell data for targeted advertising, but shares broadly with unnamed service providers, business partners, and affiliates without enumeration.

International Transferspoor

Acknowledges worldwide transfers with only generic references to SCCs and no detail on actual safeguards, transfer destinations, or supplementary measures.

AI/Model Trainingpoor

The policy is entirely silent on whether user data is used for AI or machine learning model training, and provides no opt-out mechanism.

User Rightsgood

Comprehensive GDPR rights are described with a DPO, EU/UK representatives, clear response timelines (30/60 days), and supervisory authority contact information.

Hallazgos clave

Cláusulas destacadas, problemas o buenas prácticas detectadas (críticos primero)

Crítico

Unencrypted Direct Messages Accessible to Staff

Section 8(A)(4) explicitly states that direct messages are 'unencrypted and can be accessed for Trust & Safety purposes.' This means private communications between users are not protected by end-to-end encryption and can be read by Bluesky personnel, representing a significant privacy gap for a messaging feature.

Crítico

Broad Behavioral Tracking Beyond Service Necessity

Section 8(B)(1) discloses collection of 'the posts you view on Bluesky, the links you click within Bluesky, and the frequency and duration of your activities.' This goes well beyond what is necessary to provide a microblogging service and constitutes surveillance-level behavioral tracking without a clear necessity justification under GDPR Article 5(1)(c).

Advertencia

Vague Retention Periods Without Specific Timelines

Section 14 states retention is determined on a 'case-by-case' basis considering various criteria, but provides no concrete retention periods for any data category. Under GDPR Article 5(1)(e), personal data must not be kept longer than necessary, and the absence of defined periods makes compliance unverifiable.

Advertencia

Silent on AI/Model Training Use of User Data

The policy does not address whether personal data—including posts, DMs, and usage data—is used to train AI or machine learning models. Section 10(B) mentions 'research and development' and 'developing new products and services,' which could encompass AI training, but there is no explicit disclosure or opt-out mechanism.

Advertencia

International Transfer Safeguards Insufficiently Specified

Section 12 references Standard Contractual Clauses as a potential safeguard for EEA/UK/Brazil transfers but does not specify which SCC modules are used, which countries data is transferred to, or whether transfer impact assessments or supplementary measures are in place as required under Schrems II.

Advertencia

No Subprocessor List Provided

Section 11(A)(4) discloses sharing with 'third-party service providers and vendors' for IT support, hosting, payment processing, and customer service, but no subprocessor list is included or linked. GDPR Article 28(2) and transparency principles require data subjects to know who processes their data.

Info

Do Not Track Signals Not Honored

Section 13(A)(3) states Bluesky 'currently do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.' While DNT lacks a consistent standard, this signals a dismissive posture toward user privacy preferences expressed through browser settings.

Resumen para el usuario

Your posts and profile are public by design, your DMs are not encrypted and can be read by Bluesky staff, and the company tracks what you view and click—but at least they don't sell your data to advertisers.

Postura de cumplimiento

Partial GDPR compliance with structural elements in place (DPO, EU representative, rights disclosures) but substantive gaps in data minimization, retention specificity, transfer safeguards, and AI transparency.

Transferencias en la UE

The policy acknowledges international transfers from the EEA/UK/Brazil and references Standard Contractual Clauses as a potential safeguard, but provides no detail on which SCCs are actually in place, which countries data is transferred to, or whether supplementary measures are implemented. This is insufficiently specific under Schrems II requirements.

Señales detectadas

Datos y prácticas específicas identificadas en el texto

Datos recopilados
Email addressPhone numberProfile imagesBirth dateUsernamePosts and commentsDirect messagesIP addressDevice and browser informationUsage information (posts viewed, links clicked, activity frequency and duration)Cookie identifiersMobile carrierLocation data (if permitted)Payment informationJob application informationGovernment ID (via third-party age verification)
Finalidades del tratamiento
Service provision and account managementTrust and safety enforcementResearch and developmentAnalytics and measurementMarketing (with opt-out)Fraud prevention and securityLegal complianceDe-identified data creationNew product and service development
Cesión a terceros
Public posts and profiles shared by design on decentralized networkThird-party service providers (IT, hosting, payments, customer service)Business partners for joint products/servicesParent and subsidiary companiesLegal, financial, and insurance advisorsLaw enforcement and regulatory bodiesParties in merger, acquisition, or asset transfer events
Transferencias internacionales
Data may be transferred worldwideSCCs referenced for EEA/UK/Brazil transfersNo specific countries of transfer disclosedNo transfer impact assessment mentionedNo supplementary measures described
IA / Entrenamiento de modelos
Policy is silent on AI/model trainingResearch and development mentioned as a processing purposeDeveloping new products and services mentioned as a processing purposeNo opt-out for AI training providedDe-identified data creation mentioned

Fragmentos de evidencia

Citas directas de la política que respaldan estos hallazgos

Your Direct Messages. We store and process your direct messages so you can communicate directly with other users on the Bluesky App. These are unencrypted and can be accessed for Trust & Safety purposes.

We may also collect personal information about your use of Bluesky, including the posts you view on Bluesky, the links you click within Bluesky, and the frequency and duration of your activities.

We do not sell or share Personal Data for the purpose of displaying advertisements that are selected based on Personal Data from your activities on or use of Bluesky ('Targeted Advertising').

We may transfer, process, and store all personal information we collect anywhere in the world.

When determining the retention period, we make case-by-case determinations, taking into account various criteria, like the type of products and services requested by or provided to you, the nature and length of our relationship with you...

We currently do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers, as there is no consistent industry standard for compliance.

Ausente o poco claro

  • No subprocessor list or link to one
  • No specific data retention periods
  • No AI/model training disclosure
  • No end-to-end encryption for DMs
  • No detail on international transfer safeguards beyond generic SCC reference
  • No cookie consent banner or preference center described
  • No data breach notification procedure
  • No DPIA references
  • No Legitimate Interest Assessments disclosed

Preguntas que hacer

  • What specific third-party service providers and subprocessors currently process Bluesky user personal data, and where are they located?
  • Are user data—specifically posts, direct messages, and usage behavior—used to train AI or machine learning models, and if so, how can users opt out?
  • Which specific Standard Contractual Clause modules have been executed for EEA/UK data transfers, and have transfer impact assessments been conducted?
  • What are the concrete retention periods for each category of personal data, particularly for DMs, usage data, and IP addresses?
  • When will direct messages be protected with end-to-end encryption, given the current unencrypted access for Trust & Safety purposes?
  • How does Bluesky justify the collection of posts viewed and links clicked as necessary under GDPR's data minimization principle?
  • What is the process and timeline for responding to GDPR data subject access requests, and in what format is data typically provided?
Este análisis lo genera la IA y no constituye asesoramiento legal. Consulta siempre a un profesional jurídico cualificado para decisiones de cumplimiento.

Compartir este análisis

Cualquiera con este enlace puede ver el resultado anterior.

Creado por DentroChat

Chat de IA 100 % europeo para todos

Chatea con la IA, trabaja con archivos, genera imágenes y busca en la web. Los datos permanecen en Europa.

Infraestructura alojada en la UETexto, archivos, imágenes y búsqueda webModos Rápido, Reflexión y CreativoPrivacidad por defectoNingún dato sale de Europa
Probar gratis →