Your private messages on Bluesky are not encrypted, meaning Bluesky staff can read them if needed for safety or policy enforcement reasons.
This analysis describes what Bluesky's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
Unlike platforms that offer end-to-end encrypted messaging, Bluesky explicitly confirms that direct messages can be accessed by the company, which means users should not treat DMs as confidential communications.
Users who assume their direct messages are private should understand that Bluesky can access message content for Trust and Safety reviews, which means sensitive personal communications sent via Bluesky DMs are not protected from company access.
Bluesky has changed this document before.
"Your Direct Messages. We store and process your direct messages so you can communicate directly with other users on the Bluesky App. These are unencrypted and can be accessed for Trust & Safety purposes."
— Excerpt from Bluesky's Privacy Policy
(1) REGULATORY LANDSCAPE: This provision implicates GDPR Article 5 principles of confidentiality and integrity of personal data for EU/EEA users, as well as the UK GDPR equivalent. The policy's disclosure of access for Trust and Safety purposes is an explicit processing ground that should be evaluated against GDPR's lawfulness and necessity requirements. In the US, the Electronic Communications Privacy Act (ECPA) and applicable state wiretapping or electronic communications statutes may be relevant depending on jurisdiction. The FTC has general authority over unfair or deceptive practices related to consumer data handling.
(2) GOVERNANCE EXPOSURE: Medium. The explicit disclosure that messages are unencrypted and accessible is a transparency positive, but the scope of who can access messages, under what internal authorization protocols, and what logging or audit trails exist is not described in the document. This creates operational exposure if access practices are challenged under GDPR or state privacy laws.
(3) JURISDICTION FLAGS: EU and UK users have heightened exposure given GDPR and UK GDPR confidentiality principles. California users may have relevant rights under CCPA regarding access to information about how their messages are processed. Jurisdictions with strong communications privacy statutes (e.g., Illinois, California) may create additional exposure if access is not tightly governed internally.
(4) CONTRACT AND VENDOR IMPLICATIONS: No vendor or third-party processing is indicated for direct message access in this provision. Internal access governance policies and access logs would be relevant in any data subject complaint or regulatory inquiry. B2B integrations that route communications through Bluesky's messaging layer should account for this disclosure.
(5) COMPLIANCE CONSIDERATIONS: Compliance teams should confirm that internal access controls for direct messages are documented and proportionate to Trust and Safety purposes. A Data Protection Impact Assessment may be warranted under GDPR Article 35 if message access is systematic or involves sensitive categories of data. User-facing disclosure in the app at the point of sending a message may strengthen compliance posture relative to GDPR transparency requirements.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Bluesky.