What are the institutional and regulatory implications of this document?

(1) REGULATORY LANDSCAPE: The policy explicitly references GDPR and engages Standard Contractual Clauses for EEA, UK, and Brazil transfers, implicating the UK GDPR, Brazil's LGPD, and relevant EU supervisory authorities. The policy also addresses US state privacy law rights consistent with CCPA and similar state frameworks, and includes age verification provisions that engage COPPA and emerging state-level age-appropriate design laws (such as those in effect or pending in California, Texas, and…

How does Bluesky's Bluesky Privacy Policy affect users?

Users' direct messages are stored in unencrypted form and subject to access by Bluesky personnel for safety reviews. Public activity is replicated across decentralized network nodes operated by third parties, which affects the scope and timing of content deletion requests. The policy permits users to submit requests for access, correction, or deletion of personal data to privacy@bsky.app.

How often is Bluesky's Bluesky Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Bluesky updates this document?

Yes. Monitor subscribers ($19/month) can add Bluesky to their watchlist and receive same-day email alerts whenever this document or any other Bluesky document changes.

CA-D-000540

Bluesky Privacy Policy

Bluesky

Last change detected May 5, 2026 Privacy policy

SHA-256: 51663972bd8dfd34860… 1 version captured 0 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Bluesky ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

1 High severity

7 Medium severity

2 Low severity

Summary

This document establishes Bluesky's data collection, use, and sharing practices for its social media platform. The policy states that direct messages are transmitted unencrypted and are accessible to Bluesky staff for Trust and Safety purposes. Public posts, likes, follows, and profile information are distributed across the AT Protocol decentralized network, with copies potentially stored on third-party servers outside Bluesky's operational control.

Technical / Legal Breakdown

This document is Bluesky Social, PBC's privacy policy governing the collection, use, and sharing of personal data by the Bluesky microblogging application and website, with Bluesky acting as data controller as explicitly stated in the policy. The policy states that Bluesky collects account data (email, phone, birth date, images), usage data (IP address, device identifiers, browsing behavior within the app), direct messages (described as unencrypted and accessible for Trust and Safety purposes), and may collect biometric-adjacent data through third-party age verification services including facial age estimation and government ID verification. A structurally notable provision is the explicit statement that direct messages are unencrypted and can be accessed for Trust and Safety purposes, which diverges from the end-to-end encryption practices offered by some messaging platforms and creates a meaningful distinction users should understand; the policy also acknowledges the decentralized AT Protocol architecture means public posts are distributed across the network, potentially beyond Bluesky's direct control. The policy engages GDPR (referencing Standard Contractual Clauses for EEA transfers), UK data protection law, Brazil's LGPD, CCPA and other US state privacy laws, and COPPA-adjacent age verification obligations; the policy includes supplemental jurisdiction-specific notices and articulates legal bases for processing for jurisdictions that require such disclosure. Compliance teams should note the intersection of the AT Protocol's decentralized architecture with data deletion rights, as the practical enforceability of deletion requests against third-party nodes hosting federated content is not fully addressed in the document.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

High — 1 provision

Third-Party Age Verification Including Facial Age Estimation Compare →

In some jurisdictions, Bluesky may require you to verify your age using methods including uploading a government ID or a facial scan; Bluesky states it does not retain biometric data itself, but this data is processed by third-party vendors.

Added May 9, 2026 Standard Seen across 284 platforms

Medium — 7 provisions

Unencrypted Direct Messages Compare →

Your private messages on Bluesky are not encrypted, meaning Bluesky staff can read them if needed for safety or policy enforcement reasons.

Added May 7, 2026 Standard Seen across 284 platforms
Public Posts and Decentralized Network Distribution Compare →

Everything you post publicly on Bluesky, including your profile, likes, who you follow, and who you block, is distributed across a decentralized network and visible to anyone, including third-party servers that may store copies.

Added May 9, 2026 Standard Seen across 284 platforms
Broad Automated Data Collection and Behavioral Tracking Compare →

Bluesky automatically collects data about how you use the app, including your IP address (which can reveal your approximate location), what posts you view, what links you click, and how long you spend on the platform.

Added May 9, 2026 Standard Seen across 284 platforms
Data Sharing in Merger, Acquisition, or Asset Transfer Compare →

If Bluesky is sold, merges with another company, or goes through bankruptcy, your personal data may be transferred to the new owner or acquirer as part of that transaction.

Added May 7, 2026 Standard Seen across 252 platforms
Law Enforcement and Government Disclosure Compare →

Bluesky may share any data it holds about you with law enforcement, government agencies, or other parties if it believes doing so is required by law or appropriate for safety or legal reasons.

Added May 7, 2026 Standard Seen across 284 platforms
International Data Transfers with Standard Contractual Clauses Compare →

Bluesky may store and process your data anywhere in the world, and for users in the EU, UK, and Brazil it uses Standard Contractual Clauses or similar approved mechanisms to make those transfers legal.

Added May 9, 2026 Standard Seen across 284 platforms
Children's Personal Information Compare →

Bluesky uses third-party age verification services where legally required to confirm users meet minimum age requirements, and collects birth date information at account creation.

Added May 7, 2026 Standard Seen across 284 platforms

Low — 2 provisions

Do Not Track Non-Response Compare →

Bluesky does not honor the Do Not Track browser setting, meaning that even if you have enabled this feature in your browser to signal that you do not want to be tracked, Bluesky will continue its standard data collection practices.

Added May 9, 2026 Standard Seen across 284 platforms
User Privacy Rights (Access, Deletion, Portability, Objection) Compare →

Depending on where you live, you may have rights to access, correct, delete, or export your personal data, and to object to or restrict how Bluesky uses it.

Added May 9, 2026 Standard Seen across 284 platforms