bsky.social privacy policy — score 55/100 (medium risk)
Utolsó elemzés
A jelentés tartalma (összefoglaló, megállapítások, idézetek) angolul készült és nincs lokalizálva.
Bluesky Social, PBC · bsky.app
Jelentés részletei
medium kockázatBluesky collects broad behavioral data and stores your direct messages unencrypted, but earns points for refusing to sell your data for targeted ads and providing solid GDPR rights infrastructure.
Bluesky Social, PBC's privacy policy presents a mixed compliance profile. On the positive side, the company explicitly disclaims selling or sharing personal data for targeted advertising, has appointed both a Data Protection Officer and EU/UK representatives, and provides a detailed supplemental notice for EU/UK GDPR subjects. However, significant concerns remain: direct messages are stored unencrypted and accessible internally for 'Trust & Safety,' behavioral tracking extends to posts viewed and links clicked, retention periods are determined on a vague 'case-by-case' basis without specific timelines, the policy is entirely silent on AI/model training use of user data, and international transfer safeguards are described only in generic terms without specifying which SCCs or adequacy decisions are actually relied upon. No subprocessor list is provided. The decentralized, public-by-design architecture also means most user activity is inherently public.
Kategória szerinti értékelés
A szabályzat bontása a fő megfelelőségi területekre. Jó = erős, közepes = vegyes, gyenge = aggasztó.
Collects behavioral data beyond what is strictly necessary—such as posts viewed and links clicked—though it avoids ad-targeting data collection.
The policy is detailed with jurisdiction-specific supplemental notices, but remains vague on retention timelines, subprocessor identities, and AI training use.
Explicitly does not sell data for targeted advertising, but shares broadly with unnamed service providers, business partners, and affiliates without enumeration.
Acknowledges worldwide transfers with only generic references to SCCs and no detail on actual safeguards, transfer destinations, or supplementary measures.
The policy is entirely silent on whether user data is used for AI or machine learning model training, and provides no opt-out mechanism.
Comprehensive GDPR rights are described with a DPO, EU/UK representatives, clear response timelines (30/60 days), and supervisory authority contact information.
Fő megállapítások
Fontos záradékok, problémák vagy jó gyakorlatok (kritikusak először)
Unencrypted Direct Messages Accessible to Staff
Section 8(A)(4) explicitly states that direct messages are 'unencrypted and can be accessed for Trust & Safety purposes.' This means private communications between users are not protected by end-to-end encryption and can be read by Bluesky personnel, representing a significant privacy gap for a messaging feature.
Broad Behavioral Tracking Beyond Service Necessity
Section 8(B)(1) discloses collection of 'the posts you view on Bluesky, the links you click within Bluesky, and the frequency and duration of your activities.' This goes well beyond what is necessary to provide a microblogging service and constitutes surveillance-level behavioral tracking without a clear necessity justification under GDPR Article 5(1)(c).
Vague Retention Periods Without Specific Timelines
Section 14 states retention is determined on a 'case-by-case' basis considering various criteria, but provides no concrete retention periods for any data category. Under GDPR Article 5(1)(e), personal data must not be kept longer than necessary, and the absence of defined periods makes compliance unverifiable.
Silent on AI/Model Training Use of User Data
The policy does not address whether personal data—including posts, DMs, and usage data—is used to train AI or machine learning models. Section 10(B) mentions 'research and development' and 'developing new products and services,' which could encompass AI training, but there is no explicit disclosure or opt-out mechanism.
International Transfer Safeguards Insufficiently Specified
Section 12 references Standard Contractual Clauses as a potential safeguard for EEA/UK/Brazil transfers but does not specify which SCC modules are used, which countries data is transferred to, or whether transfer impact assessments or supplementary measures are in place as required under Schrems II.
No Subprocessor List Provided
Section 11(A)(4) discloses sharing with 'third-party service providers and vendors' for IT support, hosting, payment processing, and customer service, but no subprocessor list is included or linked. GDPR Article 28(2) and transparency principles require data subjects to know who processes their data.
Do Not Track Signals Not Honored
Section 13(A)(3) states Bluesky 'currently do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.' While DNT lacks a consistent standard, this signals a dismissive posture toward user privacy preferences expressed through browser settings.
Összefoglaló a felhasználónak
Your posts and profile are public by design, your DMs are not encrypted and can be read by Bluesky staff, and the company tracks what you view and click—but at least they don't sell your data to advertisers.
Megfelelőségi helyzet
Partial GDPR compliance with structural elements in place (DPO, EU representative, rights disclosures) but substantive gaps in data minimization, retention specificity, transfer safeguards, and AI transparency.
EU-s átvitelek
The policy acknowledges international transfers from the EEA/UK/Brazil and references Standard Contractual Clauses as a potential safeguard, but provides no detail on which SCCs are actually in place, which countries data is transferred to, or whether supplementary measures are implemented. This is insufficiently specific under Schrems II requirements.
Észlelt jelek
A szövegben azonosított konkrét adatok és gyakorlatok
Bizonyító részletek
Közvetlen idézetek a szabályzatból e megállapítások alátámasztására
Your Direct Messages. We store and process your direct messages so you can communicate directly with other users on the Bluesky App. These are unencrypted and can be accessed for Trust & Safety purposes.
We may also collect personal information about your use of Bluesky, including the posts you view on Bluesky, the links you click within Bluesky, and the frequency and duration of your activities.
We do not sell or share Personal Data for the purpose of displaying advertisements that are selected based on Personal Data from your activities on or use of Bluesky ('Targeted Advertising').
We may transfer, process, and store all personal information we collect anywhere in the world.
When determining the retention period, we make case-by-case determinations, taking into account various criteria, like the type of products and services requested by or provided to you, the nature and length of our relationship with you...
We currently do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers, as there is no consistent industry standard for compliance.
Hiányzó vagy nem egyértelmű
- No subprocessor list or link to one
- No specific data retention periods
- No AI/model training disclosure
- No end-to-end encryption for DMs
- No detail on international transfer safeguards beyond generic SCC reference
- No cookie consent banner or preference center described
- No data breach notification procedure
- No DPIA references
- No Legitimate Interest Assessments disclosed
Felteendő kérdések
- What specific third-party service providers and subprocessors currently process Bluesky user personal data, and where are they located?
- Are user data—specifically posts, direct messages, and usage behavior—used to train AI or machine learning models, and if so, how can users opt out?
- Which specific Standard Contractual Clause modules have been executed for EEA/UK data transfers, and have transfer impact assessments been conducted?
- What are the concrete retention periods for each category of personal data, particularly for DMs, usage data, and IP addresses?
- When will direct messages be protected with end-to-end encryption, given the current unencrypted access for Trust & Safety purposes?
- How does Bluesky justify the collection of posts viewed and links clicked as necessary under GDPR's data minimization principle?
- What is the process and timeline for responding to GDPR data subject access requests, and in what format is data typically provided?
Elemzés megosztása
Bárki, aki rendelkezik ezzel a linkkel, megtekintheti a fenti eredményt.
A DentroChat készítette
100%-ban európai AI chat mindenkinek
Csevegj AI-val, dolgozz fájlokkal, generálj képeket és keress a weben. Az adatok Európában maradnak.