bsky.social privacy policy — score 55/100 (medium risk)

Laatst geanalyseerd

De rapportinhoud (samenvatting, bevindingen, citaten) is in het Engels gegenereerd en niet gelokaliseerd.

Voer een nieuwe analyse uit op een ander beleid

Bluesky Social, PBC · bsky.app

Rapportdetails

medium risico

Bluesky collects broad behavioral data and stores your direct messages unencrypted, but earns points for refusing to sell your data for targeted ads and providing solid GDPR rights infrastructure.

Bluesky Social, PBC's privacy policy presents a mixed compliance profile. On the positive side, the company explicitly disclaims selling or sharing personal data for targeted advertising, has appointed both a Data Protection Officer and EU/UK representatives, and provides a detailed supplemental notice for EU/UK GDPR subjects. However, significant concerns remain: direct messages are stored unencrypted and accessible internally for 'Trust & Safety,' behavioral tracking extends to posts viewed and links clicked, retention periods are determined on a vague 'case-by-case' basis without specific timelines, the policy is entirely silent on AI/model training use of user data, and international transfer safeguards are described only in generic terms without specifying which SCCs or adequacy decisions are actually relied upon. No subprocessor list is provided. The decentralized, public-by-design architecture also means most user activity is inherently public.

Laatst geanalyseerd
BronURL
Lengte39,003 tekens

Beoordeling per categorie

Uitsplitsing van het beleid over belangrijke compliancegebieden. Goed = sterk, redelijk = gemengd, slecht = zorgwekkend.

Data Minimizationfair

Collects behavioral data beyond what is strictly necessary—such as posts viewed and links clicked—though it avoids ad-targeting data collection.

Transparencyfair

The policy is detailed with jurisdiction-specific supplemental notices, but remains vague on retention timelines, subprocessor identities, and AI training use.

Third-party Sharingfair

Explicitly does not sell data for targeted advertising, but shares broadly with unnamed service providers, business partners, and affiliates without enumeration.

International Transferspoor

Acknowledges worldwide transfers with only generic references to SCCs and no detail on actual safeguards, transfer destinations, or supplementary measures.

AI/Model Trainingpoor

The policy is entirely silent on whether user data is used for AI or machine learning model training, and provides no opt-out mechanism.

User Rightsgood

Comprehensive GDPR rights are described with a DPO, EU/UK representatives, clear response timelines (30/60 days), and supervisory authority contact information.

Belangrijkste bevindingen

Opvallende clausules, problemen of positieve praktijken (kritiek eerst)

Kritiek

Unencrypted Direct Messages Accessible to Staff

Section 8(A)(4) explicitly states that direct messages are 'unencrypted and can be accessed for Trust & Safety purposes.' This means private communications between users are not protected by end-to-end encryption and can be read by Bluesky personnel, representing a significant privacy gap for a messaging feature.

Kritiek

Broad Behavioral Tracking Beyond Service Necessity

Section 8(B)(1) discloses collection of 'the posts you view on Bluesky, the links you click within Bluesky, and the frequency and duration of your activities.' This goes well beyond what is necessary to provide a microblogging service and constitutes surveillance-level behavioral tracking without a clear necessity justification under GDPR Article 5(1)(c).

Waarschuwing

Vague Retention Periods Without Specific Timelines

Section 14 states retention is determined on a 'case-by-case' basis considering various criteria, but provides no concrete retention periods for any data category. Under GDPR Article 5(1)(e), personal data must not be kept longer than necessary, and the absence of defined periods makes compliance unverifiable.

Waarschuwing

Silent on AI/Model Training Use of User Data

The policy does not address whether personal data—including posts, DMs, and usage data—is used to train AI or machine learning models. Section 10(B) mentions 'research and development' and 'developing new products and services,' which could encompass AI training, but there is no explicit disclosure or opt-out mechanism.

Waarschuwing

International Transfer Safeguards Insufficiently Specified

Section 12 references Standard Contractual Clauses as a potential safeguard for EEA/UK/Brazil transfers but does not specify which SCC modules are used, which countries data is transferred to, or whether transfer impact assessments or supplementary measures are in place as required under Schrems II.

Waarschuwing

No Subprocessor List Provided

Section 11(A)(4) discloses sharing with 'third-party service providers and vendors' for IT support, hosting, payment processing, and customer service, but no subprocessor list is included or linked. GDPR Article 28(2) and transparency principles require data subjects to know who processes their data.

Info

Do Not Track Signals Not Honored

Section 13(A)(3) states Bluesky 'currently do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.' While DNT lacks a consistent standard, this signals a dismissive posture toward user privacy preferences expressed through browser settings.

Samenvatting voor de gebruiker

Your posts and profile are public by design, your DMs are not encrypted and can be read by Bluesky staff, and the company tracks what you view and click—but at least they don't sell your data to advertisers.

Nalevingshouding

Partial GDPR compliance with structural elements in place (DPO, EU representative, rights disclosures) but substantive gaps in data minimization, retention specificity, transfer safeguards, and AI transparency.

EU-overdrachten

The policy acknowledges international transfers from the EEA/UK/Brazil and references Standard Contractual Clauses as a potential safeguard, but provides no detail on which SCCs are actually in place, which countries data is transferred to, or whether supplementary measures are implemented. This is insufficiently specific under Schrems II requirements.

Gedetecteerde signalen

Specifieke gegevens en praktijken geïdentificeerd in de tekst

Verzamelde gegevens
Email addressPhone numberProfile imagesBirth dateUsernamePosts and commentsDirect messagesIP addressDevice and browser informationUsage information (posts viewed, links clicked, activity frequency and duration)Cookie identifiersMobile carrierLocation data (if permitted)Payment informationJob application informationGovernment ID (via third-party age verification)
Verwerkingsdoeleinden
Service provision and account managementTrust and safety enforcementResearch and developmentAnalytics and measurementMarketing (with opt-out)Fraud prevention and securityLegal complianceDe-identified data creationNew product and service development
Delen met derden
Public posts and profiles shared by design on decentralized networkThird-party service providers (IT, hosting, payments, customer service)Business partners for joint products/servicesParent and subsidiary companiesLegal, financial, and insurance advisorsLaw enforcement and regulatory bodiesParties in merger, acquisition, or asset transfer events
Internationale overdrachten
Data may be transferred worldwideSCCs referenced for EEA/UK/Brazil transfersNo specific countries of transfer disclosedNo transfer impact assessment mentionedNo supplementary measures described
AI / Modeltraining
Policy is silent on AI/model trainingResearch and development mentioned as a processing purposeDeveloping new products and services mentioned as a processing purposeNo opt-out for AI training providedDe-identified data creation mentioned

Bewijsfragmenten

Directe citaten uit het beleid ter ondersteuning van deze bevindingen

Your Direct Messages. We store and process your direct messages so you can communicate directly with other users on the Bluesky App. These are unencrypted and can be accessed for Trust & Safety purposes.

We may also collect personal information about your use of Bluesky, including the posts you view on Bluesky, the links you click within Bluesky, and the frequency and duration of your activities.

We do not sell or share Personal Data for the purpose of displaying advertisements that are selected based on Personal Data from your activities on or use of Bluesky ('Targeted Advertising').

We may transfer, process, and store all personal information we collect anywhere in the world.

When determining the retention period, we make case-by-case determinations, taking into account various criteria, like the type of products and services requested by or provided to you, the nature and length of our relationship with you...

We currently do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers, as there is no consistent industry standard for compliance.

Ontbreekt of onduidelijk

  • No subprocessor list or link to one
  • No specific data retention periods
  • No AI/model training disclosure
  • No end-to-end encryption for DMs
  • No detail on international transfer safeguards beyond generic SCC reference
  • No cookie consent banner or preference center described
  • No data breach notification procedure
  • No DPIA references
  • No Legitimate Interest Assessments disclosed

Vragen om te stellen

  • What specific third-party service providers and subprocessors currently process Bluesky user personal data, and where are they located?
  • Are user data—specifically posts, direct messages, and usage behavior—used to train AI or machine learning models, and if so, how can users opt out?
  • Which specific Standard Contractual Clause modules have been executed for EEA/UK data transfers, and have transfer impact assessments been conducted?
  • What are the concrete retention periods for each category of personal data, particularly for DMs, usage data, and IP addresses?
  • When will direct messages be protected with end-to-end encryption, given the current unencrypted access for Trust & Safety purposes?
  • How does Bluesky justify the collection of posts viewed and links clicked as necessary under GDPR's data minimization principle?
  • What is the process and timeline for responding to GDPR data subject access requests, and in what format is data typically provided?
Deze analyse is door AI gegenereerd en is geen juridisch advies. Raadpleeg altijd een gekwalificeerde jurist voor compliancebeslissingen.

Deel deze analyse

Iedereen met deze link kan het resultaat hierboven bekijken.

Gebouwd door DentroChat

100% Europese AI-chat voor iedereen

Chat met AI, werk met bestanden, genereer afbeeldingen en zoek op het web. Gegevens blijven in Europa.

Infrastructuur gehost in de EUTekst, bestanden, afbeeldingen en webzoekenSnelle, Denk- en Creatieve modiPrivacy-first als standaardGeen gegevens verlaten Europa
Gratis proberen →