What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: The policy explicitly references GDPR and engages Standard Contractual Clauses for EEA, UK, and Brazil transfers, implicating the UK GDPR, Brazil's LGPD, and relevant EU supervisory authorities. The policy also addresses US state privacy law rights consistent with CCPA and similar state frameworks, and includes age verification provisions that engage COPPA and emerging state-level age-appropriate design laws (such as those in effect or pending in California, Texas, and…

How does Bluesky's Bluesky Privacy Policy affect users?

Bluesky collects a broad range of personal data including IP addresses, device identifiers, in-app browsing behavior, and direct messages that are explicitly described as unencrypted and accessible for internal Trust and Safety purposes. Public activity including posts, likes, follows, and blocks is distributed across the AT Protocol decentralized network, meaning third-party servers outside Bluesky's direct control may host copies of that content, which has practical implications for deletion …

How often is Bluesky's Bluesky Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Bluesky updates this document?

Yes. Watcher subscribers ($9.99/month) can add Bluesky to their watchlist and receive same-day email alerts whenever this document or any other Bluesky document changes.

CA-D-000540

Bluesky Privacy Policy

Bluesky

Last change detected May 5, 2026 Privacy policy

SHA-256: 51663972bd8dfd34860… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Bluesky ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

1 High severity

7 Medium severity

2 Low severity

Summary

This is Bluesky's privacy policy explaining what data the social media platform collects about you, how it uses that data, and who it shares it with. The most important thing to know is that your direct messages on Bluesky are not encrypted and can be read by Bluesky staff for safety purposes, and your public posts, likes, follows, and profile are visible to the entire decentralized network including third-party servers outside Bluesky's control. You can request access to, correction of, or deletion of your personal data by contacting Bluesky's privacy team at privacy@bsky.app.

Technical / Legal Breakdown

This document is Bluesky Social, PBC's privacy policy governing the collection, use, and sharing of personal data by the Bluesky microblogging application and website, with Bluesky acting as data controller as explicitly stated in the policy. The policy states that Bluesky collects account data (email, phone, birth date, images), usage data (IP address, device identifiers, browsing behavior within the app), direct messages (described as unencrypted and accessible for Trust and Safety purposes), and may collect biometric-adjacent data through third-party age verification services including facial age estimation and government ID verification. A structurally notable provision is the explicit statement that direct messages are unencrypted and can be accessed for Trust and Safety purposes, which diverges from the end-to-end encryption practices offered by some messaging platforms and creates a meaningful distinction users should understand; the policy also acknowledges the decentralized AT Protocol architecture means public posts are distributed across the network, potentially beyond Bluesky's direct control. The policy engages GDPR (referencing Standard Contractual Clauses for EEA transfers), UK data protection law, Brazil's LGPD, CCPA and other US state privacy laws, and COPPA-adjacent age verification obligations; the policy includes supplemental jurisdiction-specific notices and articulates legal bases for processing for jurisdictions that require such disclosure. Compliance teams should note the intersection of the AT Protocol's decentralized architecture with data deletion rights, as the practical enforceability of deletion requests against third-party nodes hosting federated content is not fully addressed in the document.

Institutional Analysis

Institutional analysis available with Professional

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Start Professional free trial

High — 1 provision

Third-Party Age Verification Including Facial Age Estimation Compare →

In some jurisdictions, Bluesky may require you to verify your age using methods including uploading a government ID or a facial scan; Bluesky states it does not retain biometric data itself, but this data is processed by third-party vendors.

Added May 9, 2026 Standard Seen across 262 platforms

Medium — 7 provisions

Unencrypted Direct Messages

Your private messages on Bluesky are not encrypted, meaning Bluesky staff can read them if needed for safety or policy enforcement reasons.

Added May 7, 2026 Rare
Public Posts and Decentralized Network Distribution

Everything you post publicly on Bluesky, including your profile, likes, who you follow, and who you block, is distributed across a decentralized network and visible to anyone, including third-party servers that may store copies.

Added May 9, 2026 Rare
Broad Automated Data Collection and Behavioral Tracking Compare →

Bluesky automatically collects data about how you use the app, including your IP address (which can reveal your approximate location), what posts you view, what links you click, and how long you spend on the platform.

Added May 9, 2026 Standard Seen across 251 platforms
Data Sharing in Merger, Acquisition, or Asset Transfer Compare →

If Bluesky is sold, merges with another company, or goes through bankruptcy, your personal data may be transferred to the new owner or acquirer as part of that transaction.

Added May 7, 2026 Standard Seen across 246 platforms
Law Enforcement and Government Disclosure Compare →

Bluesky may share any data it holds about you with law enforcement, government agencies, or other parties if it believes doing so is required by law or appropriate for safety or legal reasons.

Added May 7, 2026 Standard Seen across 246 platforms
International Data Transfers with Standard Contractual Clauses Compare →

Bluesky may store and process your data anywhere in the world, and for users in the EU, UK, and Brazil it uses Standard Contractual Clauses or similar approved mechanisms to make those transfers legal.

Added May 9, 2026 Standard Seen across 246 platforms
Children's Personal Information Compare →

Bluesky uses third-party age verification services where legally required to confirm users meet minimum age requirements, and collects birth date information at account creation.

Added May 7, 2026 Common Seen across 155 platforms

Low — 2 provisions

Do Not Track Non-Response

Bluesky does not honor the Do Not Track browser setting, meaning that even if you have enabled this feature in your browser to signal that you do not want to be tracked, Bluesky will continue its standard data collection practices.

Added May 9, 2026 Rare
User Privacy Rights (Access, Deletion, Portability, Objection) Compare →

Depending on where you live, you may have rights to access, correct, delete, or export your personal data, and to object to or restrict how Bluesky uses it.

Added May 9, 2026 Standard Seen across 223 platforms