Bluesky AT Protocol Network Services Privacy Notice

Last Updated: May 22, 2024

The Authenticated Transfer Protocol (“AT Protocol”) is a decentralized social networking protocol that developers may use to build, operate, and federate social media and microblogging applications and communities (each a “Developer Application”). A summary of our privacy practices for Bluesky Network Services implementing the AT Protocol is immediately below. You can read on for more detail. Please keep in mind that because the AT Protocol is decentralized, Developer Applications are operated by third parties (“Developers”) who Bluesky doesn’t control and who may have their own privacy practices. Developer Applications may have their own Privacy Notices, which we encourage you to read.

• User Content is Public. If end users (each an “End User”) create accounts with Developer Applications, content including their profiles and posts will be available to the general public. Bluesky does not control information End Users post on third-party Developer Applications.
• Direct Messages are Private. Content you sent to another Bluesky user through Direct Messages is private between you and the user(s). If you’ve shared this information through a third-party service, the information may be visible to them. DMs may be accessed by moderators when reported in-app, or by Bluesky Trust and Safety staff investigations into significant violations of the Community Guidelines.
• Updates. We may update this Privacy Notice from time to time. We will post these changes on the Site and in the App. We may also send you other notifications about these updates.
• Personal Information We Collect. We collect personal information when you provide it to us, when we collect it automatically through your use of the AT Protocol Network Services (as defined in the Privacy Notice below), or when third parties provide it to us.
• How We Use Personal Information. We may use your personal information: (1) to provide the AT Protocol Network Services; (2) for administrative purposes such as to improve the AT Protocol Network Services; (3) with your consent; and (4) for other permissible purposes as requested by you or as allowed under applicable law.
• How We Disclose Your Personal Information. We may share personal information with third parties, such as to provide the AT Protocol Network Services or to protect us or others.
• Your Privacy Rights and Choices. You may be able to manage your preferences around communications from Bluesky and other optional features offered via the AT Protocol Network Services. In addition, some privacy laws grant individuals certain rights regarding their personal information.
• International Transfers. We may transfer personal information internationally.
• How Long We Keep Personal Information. We may keep your personal information as necessary to fulfill the purpose(s) for which we collected it.
• Supplemental Notices for Certain Jurisdictions. Certain jurisdictions may have additional requirements for our processing of your personal information.
• Security. We make reasonable efforts to protect your information.
• Children’s Personal Information. The AT Protocol Network Services are not directed to children.
• Questions? If you have any questions regarding our privacy practices, please contact us at: support@bsky.app.

This Privacy Notice explains how Bluesky, PBC d.b.a. Bluesky (“Bluesky,” “we,” “us,” or “our”) collects, uses, and shares your personal information in its operation of the AT Protocol, and how you can exercise your privacy rights.

This Privacy Notice applies to the information we process in connection to the AT Protocol Relay Services ( “Relay”) operated by Bluesky, the AT Protocol Personal Data Server operated by Bluesky (“PDS”), the Bluesky Application API Server operated by Bluesky (“AppServer”), and other network services operated by Bluesky speaking the AT Protocol. In this Privacy Notice, we refer to all of these services operated by Bluesky collectively as the “AT Protocol Network Services”.

An Important Note: Third-party Developer Applications can be built on the AT Protocol, and they may interoperate with the Bluesky App (“App”). If you are an End User of a Developer Application running on the AT Protocol, this Privacy Notice does not apply to the Developer Application’s processing of your personal information (the “Developer Application End User Data”). Bluesky does not control these Developer Applications, and they may have their own Privacy Notices, which we encourage you to read.

1. UPDATES TO THIS PRIVACY NOTICE
2. PERSONAL INFORMATION WE COLLECT
3. HOW WE USE PERSONAL INFORMATION
4. HOW WE SHARE PERSONAL INFORMATION
5. YOUR PRIVACY CHOICES AND RIGHTS
6. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION
7. HOW LONG WE KEEP PERSONAL INFORMATION
8. SUPPLEMENTAL NOTICE FOR CERTAIN JURISDICTIONS
9. SECURITY
10. CHILDREN’S PERSONAL INFORMATION
11. CONTACT US

1. UPDATES TO THIS PRIVACY NOTICE

We may update this Privacy Notice from time to time at our sole discretion. If we do, we’ll let you know by posting the updated Privacy Notice on the Site, to the App, and we may also send other communications.

2. PERSONAL INFORMATION WE COLLECT

The types of personal information we collect depend on how you interact with us, the AT Protocol Network Services, and the requirements of applicable law.

1. Personal Information You Provide to Us Directly

   We collect personal information that you provide to us.

   • Account Creation. If you create an account on an AT Protocol Network Service, we collect personal information such as your email address, phone number, and username.
   • Your Communications with Us. We may collect personal information, such as your name, email address, or phone number when you contact us.
2. Personal Information We Collect Automatically

   We may collect personal information automatically when Developers and their End Users use the AT Protocol Network Services.

   • Personal Information End Users Submit to the Developer Applications. We may collect personal information about End Users in connection with the operation of the AT Protocol. This includes the End User’s public username, profile and posts submitted via the Developer Application.
   • Device and Network Information. When you use the AT Protocol Network Services, either as a Developer or End User, we may collect certain information about your device and network. This may include your Internet protocol (IP) address (which can be used to derive your general location), user settings, cookie identifiers, mobile carrier, other unique identifiers, browser or device information, and Internet service provider (ISP).
   • Usage Information. When you use a Developer App to interact with content posted on an AT Protocol Network Service, we or Developers may log the types of content with which you interact, the frequency and duration of your activities, and other similar information. We or Developers may also collect personal information when you visit the Site, such as pages that you visit and the links you click on the Site.
3. Personal Information We Collect from Other Sources
   • Third Parties. We may collect personal information from third parties. For example, you may direct a Developer Application or other third-party social networking application to share personal information with us.
3. HOW WE USE PERSONAL INFORMATION

   We use your personal information for a variety of business purposes, including to provide the AT Protocol Network Services and for administrative purposes, as described below.

   1. Provide Our Services

   We use personal information to fulfill our contract with Developers and to provide the AT Protocol Network Services, such as:

   • Operating the AT Protocol;
   • Providing access to certain areas, functionalities, and features of the AT Protocol Network Services;
   • Answering support requests; and
   • Communicating with Developers about their accounts, use of the AT Protocol Network Services, and policy changes.
   2. Administrative Purposes

      We use personal information for various administrative purposes, such as:

      • Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
      • Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and taking appropriate actions against malicious actors;
      • Measuring interest in, and engagement with, the AT Protocol Network Services;
      • Creating de-identified and/or aggregated information;
      • Carrying out analytics;
      • Improving, upgrading, or enhancing the AT Protocol Network Services;
      • Developing new products and services;
      • Ensuring internal quality control and safety;
      • Sharing personal information with third parties as needed to provide the AT Protocol Network Services;
      • Enforcing our agreements and policies; and
      • Carrying out activities that are required to comply with our legal obligations.
   3. With Your Consent

      We may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information or with your consent.

   4. Other Purposes

      We also use your personal information for other purposes as requested by you or as permitted by applicable law.

4. HOW WE SHARE PERSONAL INFORMATION

   We may disclose personal information to third parties for a variety of business purposes, including to provide the AT Protocol Network Services, to protect us or others, or in the event of a corporate transaction, as described below.

   1. Sharing to Provide the AT Protocol Network Services

      The categories of third parties with whom we may share personal information are described below.

      • Third-Party Services You Share or Interact With. The AT Protocol Network Services may link to or allow you to interface, interact, share information with, direct us to share information with, access and/or use third-party websites, applications, services, products, and technology (each a “Third-Party Service”). If you do, the information you share will be subject to the Third-Party Service’s privacy policy.
        For example, if you are an End User and request that your personal information be shared with another Developer Application, we may help facilitate that request.
      • Third-Party Actors Involved in Operation of the AT Protocol. Given the decentralized nature of the AT Protocol, we may share your public personal information such as your public posts and profile with third-party actors that operate on the AT Protocol. We are not responsible for the processing of personal information by third-party actors that operate on the AT Protocol.
      • Service Providers. We may share personal information with our third-party service providers and vendors. This includes service providers and vendors that provide us with IT support, hosting, payment processing, customer service, and related services.
      • Business Partners. We may share your personal information with our business partners to provide you with a product or service you have requested. We may also share your personal information with business partners with whom we jointly offer products or services.
   2. Sharing to Protect Us or Others

      We may access, preserve, and disclose any information we store if we, in good faith, believe doing so is required or appropriate to: (i) comply with law enforcement or national security requests and legal process, such as a court order or subpoena; (ii) protect your, our, or others’ rights, property, or safety; (iii) enforce our policies or contracts; (iv) collect amounts owed to us; or (v) assist with an investigation or prosecution of suspected or actual illegal activity.

   3. Sharing in the Event of Merger, Sale, or Other Asset Transfers

      If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, purchase or sale of assets, transition of service to another provider, or other similar corporate transaction, your personal information may be sold or transferred as part of such a transaction.

5. YOUR PRIVACY CHOICES AND RIGHTS

Your Privacy Choices. The privacy choices you have about your personal information are determined by applicable law and are described below.

• Email Communications. If you receive a marketing email from us, you may opt out by using the unsubscribe link at the bottom of such email. You may continue to receive transaction-related, non-promotional emails related to the AT Protocol Network Services.
• “Do Not Track.” Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Please note that we currently do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers, as there is no consistent industry standard for compliance.

Your Privacy Rights. Depending on what laws apply to your personal information, you may have the right to:

• Request Access to and Portability of Your Personal Informationincluding: (i) obtaining access to or a copy of your personal information; and (ii) receiving an electronic copy of personal information that you have provided to us, or asking us to send that information to another company in a structured, commonly used, and machine readable format (also known as the “right of data portability”);
• Request Correction of your personal information where it is inaccurate, incomplete, or outdated. In some cases, we may provide self-service tools that enable you to update your personal information;
• Request Deletion, Anonymization or Blocking of personal information including when processing is based on your consent, or when processing is unnecessary, excessive or noncompliant (also known as the “right to be forgotten”).
• Request to Opt-Out of Certain Processing Activities if we engage in certain data processing activities that give you a right of opt-out under applicable privacy laws;
• Request Restriction of or Object to our processing of your personal information;
• Withdraw your Consent to our processing of your personal information. Please note that your withdrawal will only take effect for future processing and will not affect the lawfulness of processing before the withdrawal.
• Be Informed about third parties with which your personal information has been shared; and
• Request the Review of Decisions Taken Exclusively Based on Automated Processing if these decisions could affect your rights under applicable data protection laws.

Please contact us using the information below if you would like to exercise any of these rights. We will process your requests in accordance with applicable laws. Before fulfilling your request, we may ask you to provide reasonable information to verify your identity. Please note that there are exceptions and limitations to each of these rights, and that while any changes you make will be reflected in active user databases instantly or within a reasonable period of time, we may retain information for backups, archiving, prevention of fraud and abuse, analytics, satisfaction of legal obligations, or where we otherwise reasonably believe that we have a legitimate reason to do so. Some laws may allow you to appeal our decision if we decline to process your request. If applicable laws grant you an appeal right, you may send us your appeal using the contact information below.

If you are an End User of a Developer’s Application and would like to exercise any of these rights, please directly contact the applicable Developer via the Developer Application to fulfill your request because Bluesky does not control the Developer’s Application processing of your personal information.

If your personal information is subject to the applicable data protection laws of Brazil, the European Economic Area, Switzerland, or the United Kingdom, and you believe our processing of your personal information violates applicable law, you have the right to lodge a complaint with the competent supervisory authority.

• Autoridade Nacionalde Proteçãode Dados (ANPD)
• EEA Data Protection Authorities (DPAs)
• Swiss Federal Data Protection and Information Commissioner (FDPIC)
• UK Information Commissioner’s Office (ICO)
6. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION

We may transfer, process, and store all personal information we collect anywhere in the world. Some countries may have data protection laws that are different from the laws where you live.

If we transfer personal information from the European Economic Area, Switzerland, and/or the United Kingdom to a country that does not provide an adequate level of protection under applicable data protection laws, we will do so based on safeguards such as the European Commission-approved or UK Government-approved Standard Contractual Clauses, or otherwise in accordance with applicable data protection laws.

For more information about the safeguards we use for international transfers of your personal information, please contact us as set forth below.

7. HOW LONG WE KEEP PERSONAL INFORMATION

We keep the personal information we collect for as long as you use the AT Protocol Network Services, or as necessary to fulfill the purpose(s) for which we collected it. There are also other reasons why we may keep personal information. They may include, but are not limited to, providing the AT Protocol Network Services, resolving disputes, establishing legal defenses, conducting audits, pursuing legitimate business purposes, enforcing our agreements, and complying with applicable laws. When determining the retention period, we take into account various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you, the impact on the AT Protocol Network Services we provide to you if we delete some personal information from or about you, mandatory retention periods provided by law, and any relevant statute of limitations.

8. SUPPLEMENTAL NOTICE FOR CERTAIN JURISDICTIONS
   1. Supplemental Notice for EU/UK GDPR

      This Supplemental Notice for EU/UK GDPR only applies to our processing of personal information that is subject to the EU or UK GDPR. Personal information means any information relating to an identified or identifiable individual. If you do not provide your personal information when requested, you may not be able to use AT Protocol Network Services if that personal information is necessary to provide you with our AT Protocol Network Services or if we are legally required to collect it.

      We process personal information when we have a valid legal basis, including as set forth below:

      • Performance of a Contract: Bluesky may need to process your personal information where required to perform our contract with you, namely the Terms of Service, and for the purposes described in Section 3(A) of this Privacy Notice.
      • Legitimate Interest: Bluesky may process your personal information where we or a third party have a legitimate interest, including the purposes in Section 3(B) of this Privacy Notice. We only rely on our or a third party’s legitimate interest to process your personal information where these interests are not overridden by your interests or fundamental rights and freedoms.
      • Consent: In some cases, Bluesky may also rely on your consent to process your personal information.
      • Compliance with our Legal Obligations: Bluesky may process your personal information to comply with our legal obligations. For example, we may process your personal information to comply with tax, labor, and accounting obligations.
9. SECURITY

We make reasonable efforts to protect your information by using physical and electronic safeguards designed to improve the security of the information we maintain. However, as our Services are hosted electronically, we can make no guarantees as to the security or privacy of your information.

10. CHILDREN’S PERSONAL INFORMATION

The Bluesky AT Protocol Network Services are not directed to children under 13 (or other age as required by local law outside of the United States). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has uploaded personal information to our site without your consent, you may contact us using the information provided below.

11. CONTACT US

Bluesky is the controller of the personal information we process under this Privacy Notice.

If you have any questions about our privacy practices or this Privacy Notice, or to exercise your privacy rights listed in this Privacy Notice, please contact us at support@bsky.app.