bsky.social privacy policy — score 55/100 (medium risk)

Viimati analüüsitud

Aruande sisu (kokkuvõte, leitud asjaolud, tsitaadid) on genereeritud inglise keeles ja seda pole lokaliseeritud.

Käivita uus analüüs teise poliitika kohta

Bluesky Social, PBC · bsky.app

Aruande üksikasjad

medium risk

Bluesky collects broad behavioral data and stores your direct messages unencrypted, but earns points for refusing to sell your data for targeted ads and providing solid GDPR rights infrastructure.

Bluesky Social, PBC's privacy policy presents a mixed compliance profile. On the positive side, the company explicitly disclaims selling or sharing personal data for targeted advertising, has appointed both a Data Protection Officer and EU/UK representatives, and provides a detailed supplemental notice for EU/UK GDPR subjects. However, significant concerns remain: direct messages are stored unencrypted and accessible internally for 'Trust & Safety,' behavioral tracking extends to posts viewed and links clicked, retention periods are determined on a vague 'case-by-case' basis without specific timelines, the policy is entirely silent on AI/model training use of user data, and international transfer safeguards are described only in generic terms without specifying which SCCs or adequacy decisions are actually relied upon. No subprocessor list is provided. The decentralized, public-by-design architecture also means most user activity is inherently public.

Viimati analüüsitud
AllikasURL
Pikkus39,003 märki

Kategooriate kaupa hinnang

Poliitika jaotus peamistele vastavusaladele. Hea = tugev, keskmine = segane, nõrk = muret tekitav.

Data Minimizationfair

Collects behavioral data beyond what is strictly necessary—such as posts viewed and links clicked—though it avoids ad-targeting data collection.

Transparencyfair

The policy is detailed with jurisdiction-specific supplemental notices, but remains vague on retention timelines, subprocessor identities, and AI training use.

Third-party Sharingfair

Explicitly does not sell data for targeted advertising, but shares broadly with unnamed service providers, business partners, and affiliates without enumeration.

International Transferspoor

Acknowledges worldwide transfers with only generic references to SCCs and no detail on actual safeguards, transfer destinations, or supplementary measures.

AI/Model Trainingpoor

The policy is entirely silent on whether user data is used for AI or machine learning model training, and provides no opt-out mechanism.

User Rightsgood

Comprehensive GDPR rights are described with a DPO, EU/UK representatives, clear response timelines (30/60 days), and supervisory authority contact information.

Peamised leitud asjaolud

Märkimisväärsed klauslid, probleemid või head tavad (kriitilised esimesena)

Kriitiline

Unencrypted Direct Messages Accessible to Staff

Section 8(A)(4) explicitly states that direct messages are 'unencrypted and can be accessed for Trust & Safety purposes.' This means private communications between users are not protected by end-to-end encryption and can be read by Bluesky personnel, representing a significant privacy gap for a messaging feature.

Kriitiline

Broad Behavioral Tracking Beyond Service Necessity

Section 8(B)(1) discloses collection of 'the posts you view on Bluesky, the links you click within Bluesky, and the frequency and duration of your activities.' This goes well beyond what is necessary to provide a microblogging service and constitutes surveillance-level behavioral tracking without a clear necessity justification under GDPR Article 5(1)(c).

Hoiatus

Vague Retention Periods Without Specific Timelines

Section 14 states retention is determined on a 'case-by-case' basis considering various criteria, but provides no concrete retention periods for any data category. Under GDPR Article 5(1)(e), personal data must not be kept longer than necessary, and the absence of defined periods makes compliance unverifiable.

Hoiatus

Silent on AI/Model Training Use of User Data

The policy does not address whether personal data—including posts, DMs, and usage data—is used to train AI or machine learning models. Section 10(B) mentions 'research and development' and 'developing new products and services,' which could encompass AI training, but there is no explicit disclosure or opt-out mechanism.

Hoiatus

International Transfer Safeguards Insufficiently Specified

Section 12 references Standard Contractual Clauses as a potential safeguard for EEA/UK/Brazil transfers but does not specify which SCC modules are used, which countries data is transferred to, or whether transfer impact assessments or supplementary measures are in place as required under Schrems II.

Hoiatus

No Subprocessor List Provided

Section 11(A)(4) discloses sharing with 'third-party service providers and vendors' for IT support, hosting, payment processing, and customer service, but no subprocessor list is included or linked. GDPR Article 28(2) and transparency principles require data subjects to know who processes their data.

Info

Do Not Track Signals Not Honored

Section 13(A)(3) states Bluesky 'currently do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.' While DNT lacks a consistent standard, this signals a dismissive posture toward user privacy preferences expressed through browser settings.

Kokkuvõte kasutajale

Your posts and profile are public by design, your DMs are not encrypted and can be read by Bluesky staff, and the company tracks what you view and click—but at least they don't sell your data to advertisers.

Vastavusseisund

Partial GDPR compliance with structural elements in place (DPO, EU representative, rights disclosures) but substantive gaps in data minimization, retention specificity, transfer safeguards, and AI transparency.

EL-i ülekanded

The policy acknowledges international transfers from the EEA/UK/Brazil and references Standard Contractual Clauses as a potential safeguard, but provides no detail on which SCCs are actually in place, which countries data is transferred to, or whether supplementary measures are implemented. This is insufficiently specific under Schrems II requirements.

Tuvastatud signaalid

Tekstis tuvastatud konkreetsed andmed ja tavad

Kogutud andmed
Email addressPhone numberProfile imagesBirth dateUsernamePosts and commentsDirect messagesIP addressDevice and browser informationUsage information (posts viewed, links clicked, activity frequency and duration)Cookie identifiersMobile carrierLocation data (if permitted)Payment informationJob application informationGovernment ID (via third-party age verification)
Töötlemise eesmärgid
Service provision and account managementTrust and safety enforcementResearch and developmentAnalytics and measurementMarketing (with opt-out)Fraud prevention and securityLegal complianceDe-identified data creationNew product and service development
Jagamine kolmandate osapooltega
Public posts and profiles shared by design on decentralized networkThird-party service providers (IT, hosting, payments, customer service)Business partners for joint products/servicesParent and subsidiary companiesLegal, financial, and insurance advisorsLaw enforcement and regulatory bodiesParties in merger, acquisition, or asset transfer events
Rahvusvahelised ülekanded
Data may be transferred worldwideSCCs referenced for EEA/UK/Brazil transfersNo specific countries of transfer disclosedNo transfer impact assessment mentionedNo supplementary measures described
Tehisintellekt / Mudeli koolitus
Policy is silent on AI/model trainingResearch and development mentioned as a processing purposeDeveloping new products and services mentioned as a processing purposeNo opt-out for AI training providedDe-identified data creation mentioned

Tõendite väljavõtted

Otsesed tsitaadid poliitikast nende leidude toetuseks

Your Direct Messages. We store and process your direct messages so you can communicate directly with other users on the Bluesky App. These are unencrypted and can be accessed for Trust & Safety purposes.

We may also collect personal information about your use of Bluesky, including the posts you view on Bluesky, the links you click within Bluesky, and the frequency and duration of your activities.

We do not sell or share Personal Data for the purpose of displaying advertisements that are selected based on Personal Data from your activities on or use of Bluesky ('Targeted Advertising').

We may transfer, process, and store all personal information we collect anywhere in the world.

When determining the retention period, we make case-by-case determinations, taking into account various criteria, like the type of products and services requested by or provided to you, the nature and length of our relationship with you...

We currently do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers, as there is no consistent industry standard for compliance.

Puudub või ebaselge

  • No subprocessor list or link to one
  • No specific data retention periods
  • No AI/model training disclosure
  • No end-to-end encryption for DMs
  • No detail on international transfer safeguards beyond generic SCC reference
  • No cookie consent banner or preference center described
  • No data breach notification procedure
  • No DPIA references
  • No Legitimate Interest Assessments disclosed

Küsimused, mida küsida

  • What specific third-party service providers and subprocessors currently process Bluesky user personal data, and where are they located?
  • Are user data—specifically posts, direct messages, and usage behavior—used to train AI or machine learning models, and if so, how can users opt out?
  • Which specific Standard Contractual Clause modules have been executed for EEA/UK data transfers, and have transfer impact assessments been conducted?
  • What are the concrete retention periods for each category of personal data, particularly for DMs, usage data, and IP addresses?
  • When will direct messages be protected with end-to-end encryption, given the current unencrypted access for Trust & Safety purposes?
  • How does Bluesky justify the collection of posts viewed and links clicked as necessary under GDPR's data minimization principle?
  • What is the process and timeline for responding to GDPR data subject access requests, and in what format is data typically provided?
Selle analüüsi genereerib tehisintellekt ja see ei ole õigusnõuanne. Vastavusotsuste puhul konsulteeri alati kvalifitseeritud juristiga.

Jaga seda analüüsi

Igaüks, kellel on see link, saab ülalolevat tulemust vaadata.

DentroChati loodud

100% Euroopa tehisintellektivestlus kõigile

Vestle tehisintellektiga, tööta failidega, loo pilte ja otsi veebist. Andmed jäävad Euroopasse.

EL-is majutatud infrastruktuurTekst, failid, pildid ja veebiotsingKiire, Mõtlemise ja Loova režiimidPrivaatsus vaikimisi esikohalÜkski andme ei lahku Euroopast
Proovi tasuta →