Privacy Policy

Effective date: 11 June 2026

Part 1: Introduction

1. Welcome

This Privacy Policy explains how Stichting Modal ("Modal", "we", "us", "our") processes personal data when you use:

  • the Eurosky Personal Data Server (PDS), our infrastructure for hosting your AT Protocol identity and the data associated with it;
  • the Eurosky Portal, the front-end at portal.eurosky.tech for managing your Eurosky account;
  • mu, a social application by Eurosky for reading, posting, and following conversations across the open social web.

Stichting Modal is a non-profit foundation established under the laws of the Netherlands, registered at Kranenburgweg 135 A, 2583 ER The Hague (RSIN 868779465). For the purposes of the EU General Data Protection Regulation (GDPR), Stichting Modal is the data controller for personal data processed in connection with the operation of all three services.

This Privacy Policy is the companion to our Terms of Service, which sit within the same URL family and govern your use of the same three services. The Privacy Policy explains what we do with personal data; the Terms of Service explain what the services are and how you use them.

2. What this Privacy Policy covers, and which Parts apply to you

This Privacy Policy is organised in four Parts, mirroring the structure of our Terms of Service.

Part 1 (this Part) introduces the document.

Part 2 sets the common rules that apply to all processing across our services: who we are, the rights you have, our security and breach posture, our retention principles, our position on selling and profiling, international transfers, and how to contact us.

Part 3 covers personal data processed in connection with the Eurosky PDS and the Eurosky Portal. It applies to you if you have a Eurosky account.

Part 4 covers personal data processed in connection with mu. It applies to you if you use mu, regardless of where your account is hosted.

The three common user paths from the Terms of Service apply here too:

  1. You have a Eurosky account and you do not use mu. Parts 1, 2, and 3 apply to your processing. Part 4 does not.
  2. You have a Eurosky account and you use mu. Parts 1, 2, 3, and 4 all apply.
  3. You use mu with an account on a different PDS provider. Parts 1, 2, and 4 apply. Part 3 does not, because we do not host your account.

3. What this Privacy Policy does not cover

This Privacy Policy does not cover:

  • the Eurosky marketing website, mailing lists, and general communications: a separate Privacy Policy applies at https://eurosky.tech/privacy;
  • the EU-HAUL migration tool, which is a separate Modal product with its own Terms of Service and Privacy Policy at https://move.eurosky.tech;
  • the processing carried out by other ATProto applications and PDS providers that you may use through your Eurosky account or alongside mu, which are governed by their own privacy notices.

The Eurosky marketing-site Privacy Policy is kept separate from this document because the marketing site has different data flows (mailing list, newsletter, donor data) and a different lawful-basis profile. We point you to it explicitly so you know where to find it.


Part 2: Common rules

Applies to everyone using any of our services.

4. Who we are and how to reach us

Data controller: Stichting Modal, Kranenburgweg 135 A, 2583 ER The Hague, Netherlands (RSIN 868779465).

Privacy contact: privacy@eurosky.tech.

Data Protection Officer (DPO): we have designated a Data Protection Officer in line with Article 37 of the GDPR. You can contact our DPO at dpo@eurosky.tech. Correspondence routed to that mailbox reaches the DPO directly.

Postal correspondence: Stichting Modal, Kranenburgweg 135 A, 2583 ER The Hague, Netherlands.

You also have the right to lodge a complaint with your local supervisory authority. As we are established in the Netherlands, the lead supervisory authority for cross-border processing is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). If you live in another EU or EEA Member State, you can also complain to your own national authority.

5. The categories of personal data we process

Across our services we process the following broad categories of personal data. Parts 3 and 4 below set out the specifics for each service.

  • Identity and account data: your AT Protocol handle, your account identifier (DID), your profile information, and (for Eurosky-hosted accounts) the email and password you set during sign-up.
  • Age confirmation: for the Eurosky PDS and Portal, the record that you self-declared you are 16 or over at sign-up, with the date and source of that confirmation. For mu, your date of birth, which we collect at sign-up or sign-in and use to confirm you are 18 or over.
  • Content you create or receive: posts, profile fields, photos, videos, lists, direct messages, and feedback you send us.
  • Social graph data: your follows, followers, likes, and other relationships expressed through your account.
  • OAuth grants and app authorizations: the list of third-party applications (including mu) that you have authorised to act on your behalf via OAuth, the scopes you have granted them, and the timestamps of those grants.
  • Authentication metadata: sessions, last-login timestamps, login attempts, two-factor authentication setup where applicable, and email verification tokens.
  • Account recovery information: recovery email if different from sign-up email, recovery keys, and pending recovery actions.
  • Handle change history: if you change your handle, we keep a record of the previous handle for trust-and-safety, abuse-prevention, and federation reasons.
  • Service interaction data: the actions you take while using our services, including reports you submit, appeals you file, and interactions with our recommender feeds where applicable.
  • Account-state acknowledgements: records of your acceptance of these Terms, dismissal of in-product notices and banners, and similar acknowledgements needed to operate the services.
  • Technical and operational data: IP addresses (and the approximate geographic location they imply), user-agent strings, timestamps, server logs, OAuth flow state, and security and abuse-prevention signals.
  • Preferences and configuration: your settings within each service, such as language, theme, content filters, and feed selections.
  • Aggregated and de-identified analytics: as described in §22, mu uses privacy-preserving analytics that count visits, sessions, and aggregate patterns without identifying individual users.
  • Personal data we receive from third parties on your instruction: for example, when you migrate an account to us using a tool that transfers data on your behalf, or when an age-assurance vendor (where applicable, post-launch) returns a result of your age check.

We do not intentionally process special categories of personal data (Article 9 GDPR). We recognise that content you post may incidentally reveal such information, in which case our processing is limited to what is necessary to host and display the content you have chosen to make public, to apply moderation, and to comply with the law.

6. The lawful bases on which we rely

Under Article 6 of the GDPR, we rely on the following lawful bases. Parts 3 and 4 below indicate which lawful basis applies to which specific processing.

  • Performance of a contract (Article 6(1)(b)) to provide the services you have asked us to provide and to take steps at your request before entering into the contract.
  • Legitimate interests (Article 6(1)(f)) to operate, secure, and improve our services, to detect and prevent abuse, and to inform you of changes that affect you, where those interests are not overridden by your fundamental rights and freedoms.
  • Legal obligation (Article 6(1)(c)) to comply with EU and Member State law, including the Digital Services Act, the Terrorist Content Online Regulation, tax and accounting law, and lawful orders from competent authorities.
  • Vital interests (Article 6(1)(d)) in rare cases involving an immediate threat to life or safety.
  • Consent (Article 6(1)(a)) where the law requires consent for a specific processing activity, for example certain forms of marketing communication. Where we rely on consent, you can withdraw it at any time and we will stop the processing that depended on it.

We do not rely on consent for the core operation of the services, because Article 6(1)(b) and (f) cover those activities. We may rely on consent for specific optional features.

7. What we will never do with your personal data

These are negative commitments that apply across all our services.

  • We will never sell your personal data. Not your account information, not your content, not your interaction data, not any other personal data we hold.
  • We will never profile you for advertising purposes. We do not build advertising profiles of you. We do not sell or share data that would let anyone else profile you for advertising.
  • We will not train general-purpose AI models on your content without your separate, opt-in consent. We may use automated systems (including AI-based systems) to detect spam, abuse, and prohibited content, as described in §23.

8. International transfers

Personal data processed in connection with our services is hosted and processed in the European Union. At the time of writing, both the Eurosky PDS and the Eurosky Portal are hosted by Hetzner Online GmbH (Germany), an EU-headquartered hosting provider operating EU-based data centres, and mu is hosted by Bunny.net (Slovenia), also an EU-headquartered provider. We may change our specific hosting providers, but we are committed to using only hosting providers that are headquartered in the EU and that operate from data centres located in the EU for these services.

In the course of operating, securing, and supporting our services, we may use ancillary tools and service providers (for example, for email delivery, error tracking, or operational support), some of which may be established outside the European Economic Area. Where personal data is transferred to a country outside the EEA as a result, we ensure that appropriate safeguards are in place in accordance with EU data protection law, including:

  • Standard Contractual Clauses approved by the European Commission;
  • adequacy decisions by the European Commission, where one exists for the destination country;
  • other measures permitted under Articles 46 to 49 of the GDPR.

The primary contents of your Eurosky PDS account, and the primary processing carried out on mu, are not transferred outside the European Union, except as a result of AT Protocol federation as described in §13.

Content delivery on mu transits Bluesky's appview at launch. This is a material exception we want to flag separately. At launch, mu does not yet run its own appview; the posts, profiles, follows, and other public records shown to you on mu are fetched and served through the appview operated by Bluesky Social, PBC in the United States. This means that while you use mu, your interactions and the content displayed to you transit Bluesky's US-based infrastructure, even where your account is hosted on the Eurosky PDS or a third-party EU PDS. The underlying records you have published to your PDS remain on your PDS in the EU; what transits the US is the delivery and indexing of the public content shown in your mu experience. The lawful basis for this transfer is the necessity of providing you with mu (Article 6(1)(b) GDPR) combined with the public character of the content involved (see §13 federation). We are building our own appview and will update this section when mu switches to it.

9. Your rights under the GDPR

You have the following rights in relation to personal data we process about you. You can exercise them by writing to privacy@eurosky.tech or by using the relevant in-product setting where available.

  • Access (Article 15): ask us for a copy of the personal data we process about you, and information about how we process it.
  • Rectification (Article 16): ask us to correct inaccurate or incomplete personal data.
  • Erasure (Article 17): ask us to delete personal data, in the circumstances set out in the GDPR.
  • Restriction of processing (Article 18): ask us to stop processing personal data for a period while we resolve a dispute about it.
  • Data portability (Article 20): ask us to provide personal data you have given to us in a structured, commonly used, machine-readable format, and to transmit it to another controller where technically feasible. The AT Protocol is built around portability; our Terms of Service §20 describes the migration mechanics.
  • Object (Article 21): object to processing carried out on the basis of legitimate interests; we will stop unless we can demonstrate compelling legitimate grounds that override your interests.
  • Withdraw consent (Article 7(3)) where processing depends on consent.
  • Not be subject to a solely automated decision (Article 22) that produces legal effects or similarly significantly affects you. Our moderation decisions on mu involve automated systems, but appeals are reviewed by a person (see Terms of Service §26.2 and §23 below).

We aim to respond to requests within one month of receiving them. The GDPR allows us to extend this by two further months for complex or numerous requests; if we do, we will tell you why.

If we decline to act on your request, we will tell you why and inform you of your right to complain to your supervisory authority.

We may need to verify your identity before responding, particularly for access, erasure, and portability requests, to make sure we are not disclosing personal data to the wrong person.

10. Children and minors

Our minimum age depends on the service:

  • Eurosky PDS and Portal: 16 years old.
  • mu: 18 years old.

Users aged 16 or 17 may hold a Eurosky account but cannot use mu (see Terms of Service §4). We do not knowingly process personal data of users below the applicable minimum age for the service they are using.

If we have reasonable grounds to believe a user is below the applicable minimum age, we will suspend access until age is confirmed and, failing confirmation, terminate the account or the relevant access and delete the personal data in accordance with §11.

For users aged 16 or 17 with a Eurosky account, we apply the same data-protection commitments as for adult users, and additionally do not present recommendations based on profiling of any user and do not target advertising of any kind (see §7 and Terms of Service §13).

At launch, age assurance is light-touch and differs by service.

  • For the Eurosky PDS and Portal, we rely on self-declaration: at sign-up, we ask you to confirm that you are 16 or over, and we record that confirmation.
  • For mu, we ask you to provide your date of birth at sign-up or sign-in, and we use that date of birth to confirm you are 18 or over.

We do not, at launch, use payment-card checks, government-ID verification, or any third-party age-assurance vendor for either service.

Where local law later requires us to apply specific age-assurance methods, we will introduce them over time, choosing the least intrusive method that meets the requirement. Methods we anticipate adopting may include verified payment-card checks and zero-knowledge proof of age via the EU Digital Identity system. We do not retain biometric data, ID documents, or images supplied to age-assurance vendors. We will not use facial age estimation.

If you are a parent or guardian and believe a person below the applicable minimum age has provided us with personal data, please contact privacy@eurosky.tech and we will take prompt action to delete that data.

11. How long we keep personal data

We retain personal data only as long as necessary for the purposes for which it was collected, taking into account legal obligations, security, and your ability to use the services. The specific retention periods that apply to each service are set out in Parts 3 and 4 below; the principles in this section apply across them all.

  • Account data is retained for as long as your account is active.
  • Technical and operational data, including server logs, IP addresses, and security signals, is retained for 30 days, unless a longer period is required for legal, security, or operational reasons (for example, to investigate a specific incident).
  • Backups are retained on a rolling basis as described in §12; deletion requests are honoured in the active systems and the data is purged from backups on the next rotation cycle.
  • Trust-and-safety records, including evidence relating to moderation actions and abuse investigations, are retained for as long as necessary to enforce these decisions, defend appeals, and meet our legal obligations under the DSA and applicable Member State law.
  • Records required by tax, accounting, and other legal obligations are retained for the periods required by the law that imposes the obligation (typically seven years for Dutch tax records under Article 52 AWR).

When the retention period ends, we delete or irreversibly anonymise the data.

12. Backups

We make regular backups of our infrastructure for resilience and disaster-recovery purposes. Backups are stored on EU infrastructure with the same hosting principles described in §8. Personal data persists in backups until the backup is rotated out; rotation runs on a defined cycle (typically no longer than 35 days). Erasure requests are honoured in the active systems immediately and the backup copies are purged on the next rotation.

13. AT Protocol federation: an important note

Our services run on the AT Protocol, an open, federated standard. This has practical consequences for your personal data that you should understand.

  • Public content is genuinely public. Posts, profile information, follows, likes, and similar records are designed to be readable by anyone on the network, including ATProto operators we do not control.
  • Other operators may cache or store your content. Relays, AppViews, feed generators, and other ATProto services may read, index, cache, and re-display your content. We cannot control them.
  • Deletion propagates but cannot be guaranteed network-wide. When you delete content from your Eurosky PDS, we publish deletion (tombstone) events on the protocol firehose. We honour the deletion in our systems and notify the network. We cannot force other operators to honour the deletion in theirs.
  • Federation runs both ways. Even after you stop using mu, public content involving you may continue to appear on mu, because mu fetches content from across the AT Protocol network rather than only from people who actively use mu. This includes content you posted before you stopped, and new replies, quotes, or reshares from others. See §27 for what we do with mu-side caches when you leave.

These are structural consequences of using an open protocol. They are part of the value (your account and content are portable, not locked into our infrastructure) and part of the cost (you cannot un-publish public content with absolute certainty, and you cannot guarantee that public content involving you stops appearing on mu just because you stopped using mu).

14. Security

We use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or destruction. Measures include encryption in transit (HTTPS for all connections), access controls on our internal systems, monitoring for unauthorised activity, and regular review of our infrastructure and procedures.

We do not claim our security is infallible. No service connected to the internet is.

15. Personal data breaches

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority (the Dutch Autoriteit Persoonsgegevens) without undue delay and, where feasible, no later than 72 hours after we become aware of the breach (Article 33 GDPR).

Where the breach is likely to result in a high risk to the rights and freedoms of affected users, we will also notify those users without undue delay, by the channels described in Terms of Service §16 (Article 34 GDPR).

16. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to our services, our processing, or applicable law. The most recent version will always be published at this URL, with the date of the latest update at the top.

If we make a material change, we will tell you through the relevant service or by email at least 30 days before the change takes effect, unless the change is required immediately by law.


Part 3: The Eurosky PDS and Portal

Applies to you if you have a Eurosky account.

17. About the Eurosky PDS and the Portal

The Eurosky Personal Data Server (PDS) provides identity hosting and personal data storage for the AT Protocol. It is infrastructure: it does not provide feeds, rank posts, or curate speech.

The Eurosky Portal is the front-end at portal.eurosky.tech for managing your Eurosky account. It allows you to create or sign in to your account, view your profile information and the data stored under your account, discover compatible third-party AT Protocol applications, and (for selected apps) use sign-in facilitation. The Portal is currently in beta. The Portal is not an online platform: it does not host user content, operate feeds, recommend content, or curate speech.

The Portal's featured-apps directory is a form of editorial curation: we choose which third-party applications appear in the directory and may feature specific apps. We do this to help you find applications that work with your Eurosky account. The applications themselves are operated by independent third parties under their own terms and privacy policies, and we do not control them. Inclusion in the directory is not an endorsement or warranty; it indicates that the application is compatible with the AT Protocol and your Eurosky account.

Modal operates the PDS and the Portal together. Your Eurosky account is a single thing; the PDS is the data layer and the Portal is one of the surfaces you can manage it through.

18. Personal data processed by the Eurosky PDS

Depending on how you use the PDS, we may process the following categories of personal data:

  • account identifiers including your AT Protocol DID and your handle;
  • handle change history if you change your handle, kept for trust-and-safety and federation reasons;
  • profile information you choose to provide (display name, description, avatar, banner, links);
  • content you post, upload, or store via your PDS, including the post records, media blobs, and metadata associated with them;
  • social graph data including your follows, blocks, mutes, lists, and similar relationships;
  • OAuth and authentication state for sessions and access tokens used by applications you have authorised, including mu;
  • email and password you provide when creating a Eurosky account, used for account creation and recovery;
  • account recovery information, including recovery email if different from sign-up email and any recovery keys;
  • age confirmation that you self-declared you are 16 or over at PDS sign-up (and, where you also use mu, 18 or over at mu sign-up or sign-in), with the date and the in-product surface where you declared it;
  • technical and operational data needed to operate the PDS, including IP addresses, timestamps, and server logs;
  • security and abuse-prevention signals.

We do not intentionally process special category data via the PDS.

Lawful bases. Performance of a contract (Article 6(1)(b)) for the core hosting service; legitimate interests (Article 6(1)(f)) for security, abuse prevention, and operations; legal obligation (Article 6(1)(c)) for compliance with EU and Member State law.

19. Personal data processed by the Eurosky Portal

The Portal is a front-end. Most of the data it shows you is fetched from your PDS on demand. The Portal itself processes:

  • OAuth flow state during sign-in, including the temporary parameters needed for the OAuth handshake. The Portal does not handle or store your password; passwords are submitted directly to the PDS.
  • OAuth access tokens that the Portal holds server-side only and uses to retrieve your profile information from your PDS. Tokens are not exposed to your browser or to third-party applications.
  • Profile data fetched from your PDS for display in your dashboard: handle, display name, avatar, post count, follower count, following count. Depending on how your PDS resolves the request, this fetch may also call an AT Protocol AppView (such as the Bluesky AppView, operated by Bluesky PBC in the United States). Only the minimum public data needed to populate the dashboard is involved; your OAuth token is never shared with an AppView.
  • Server-side account state for whether you have accepted the Terms of Service, whether you have dismissed the welcome banner, your login-session state, and the OAuth flow state described above.
  • The handle you share when using sign-in facilitation for selected third-party apps. Only your handle (and, where applicable, a marker identifying Eurosky as the referring service) is shared. The Portal does not share your OAuth access token, your email address, your password, or any other profile or account data with third-party apps through this feature.
  • Media you browse from your PDS. Where the Portal lets you browse and view data stored in your PDS, such as images, videos, and other media (blobs), that data is retrieved from your PDS using your existing authentication and displayed to you within the Portal for your own use. The Portal does not share this data with any third party. Whether the Portal independently stores copies of this data, and if so for how long, depends on how this feature is implemented at launch, as surfaced in-product.
  • Technical and operational data for the Portal's operation, including IP addresses, user-agent strings, timestamps, and server logs.

Cookies and local browser storage. The Portal uses:

  • a first-party session cookie to maintain your authenticated login session;
  • a theme key in your browser's local storage to remember whether you have selected light or dark mode;
  • a language key in your browser's local storage to remember your preferred language.

The Portal sets no third-party cookies, no tracking cookies, no advertising cookies, and no analytics cookies.

Lawful bases. Performance of a contract (Article 6(1)(b)) for the core Portal functionality; legitimate interests (Article 6(1)(f)) for security, abuse prevention, and operations; legal obligation (Article 6(1)(c)) for legal compliance.

20. Hosting, transfers, and retention for the PDS and Portal

Hosting. The PDS and the Portal are both hosted on cloud infrastructure provided by Hetzner Online GmbH (Germany), an EU-headquartered hosting provider, in data centres located within the European Union. We may change provider, but we will use only EU-headquartered providers.

Transfers. As described in §8, the PDS and Portal do not transfer the primary contents of your account outside the European Union. The exceptions are AT Protocol federation (§13) and the Bluesky AppView call described in §19. Both are necessary consequences of operating on an open protocol.

Retention.

  • PDS account data (DID, handle, profile, content stored in your repository) is retained for as long as your account is active or deactivated. While an account is deactivated, the data stays in place but is not served on the network. Your handle is held for you for 30 days from the moment of deactivation; after 30 days of continuous deactivation, the handle is released. The account itself remains in its deactivated state until you reactivate or fully delete it, or until the additional deactivated-account retention period expires: a deactivated account that has not been reactivated is fully deleted 12 months after the date of deactivation.
  • Technical and operational data for the PDS and the Portal (server logs, IP addresses, security signals) is retained for 30 days unless a longer period is required for legal, security, or operational purposes.
  • OAuth tokens and login-session state are retained server-side for the duration of your session, and are deleted or invalidated when your session ends.
  • Server-side acknowledgements (Terms of Service acceptance, welcome-banner dismissal) are retained for as long as your Eurosky account exists.
  • Age-confirmation records are retained for as long as your account exists and as required by applicable law (for example, to demonstrate compliance with minimum-age obligations if challenged by a supervisory authority).

If you delete your account or migrate to another provider, we handle your data in accordance with the AT Protocol and applicable law. Certain limited data may be retained where required for legal, security, or operational purposes, as described in §11.

21. PDS-layer moderation and data flows

The Eurosky PDS is infrastructure, not a curation platform. We do not proactively monitor, rank, or curate content. We do not use third-party moderation services at the PDS layer. Moderation at the PDS layer is legal compliance only: we act on lawful notices we receive and where we are legally required to do so.

The notices we act on include:

  • notices submitted under the EU Digital Services Act (Article 16), including notices from any natural or legal person;
  • removal orders under Regulation (EU) 2021/784 on terrorist content;
  • notices submitted by trusted flaggers under Article 22 of the DSA, which we process with priority;
  • notices from Bluesky Social, PBC about illegal content that Bluesky detects in federated data on the AT Protocol firehose (which Bluesky's infrastructure ingests as a normal part of operating on the network);
  • court orders and lawful orders from competent EU and Member State authorities;
  • and other clearly unlawful content where we are legally required to act.

We treat all sources as notices to be assessed against the law. We are the controller of the decision to act or not act on PDS-layer data; the source of the notice does not determine the outcome.

This processing is separate from the moderation that mu carries out at the application layer, described in §23 below. Where you use mu with an account hosted on the Eurosky PDS, both layers may process your content for moderation purposes: the PDS layer for legal compliance, the mu layer under the mu Community Guidelines.

Lawful basis for PDS-layer moderation processing: legal obligation (Article 6(1)(c)) and legitimate interests (Article 6(1)(f)) for protecting users and the integrity of our services.


Part 4: mu

Applies to you if you use mu, regardless of where your account is hosted.

22. Personal data mu processes

When you use mu, we process the following categories of personal data. Some of it is yours and lives primarily on the PDS that hosts your account; the rest is generated by your use of mu specifically.

22.1 Authentication

mu authenticates you using OAuth. You sign in by being redirected to the PDS that hosts your account; you enter your password there, not in mu. We receive an OAuth access token that we hold server-side and use to make requests on your behalf to your PDS. We do not store your password or any other authentication credentials.

If your account is hosted on the Eurosky PDS, the OAuth flow happens between mu and the PDS we also operate (covered by Part 3). If your account is hosted on a third-party PDS, the credential layer is governed by that provider's privacy policy.

Date of birth for age confirmation on mu. At sign-up or sign-in, mu asks you for your date of birth and uses it to confirm you are 18 or over. We record the date of birth, the date and source of the confirmation, and the outcome (pass or fail). We do not use your date of birth for any other purpose. The lawful basis is performance of a contract (Article 6(1)(b) GDPR) for the act of providing mu access to a user who meets the age requirement, combined with legal obligation (Article 6(1)(c)) in respect of minimum-age compliance.

22.2 Content you create and receive via mu

mu sends and retrieves content via the PDS hosting your account. When you post, the post is written to your PDS. When you read, mu fetches posts from the relevant PDSes through the AT Protocol.

mu may cache content on its servers for performance and reliability. Caches are short-lived, are not the system of record for your content, and follow the deletion rules in §11.

At launch, content delivery on mu transits Bluesky's appview. mu does not yet run its own appview (indexer). The posts, profiles, follows, likes, and other public records you see when you use mu are fetched and served through the appview operated by Bluesky Social, PBC in the United States. This means that while you use mu, your interactions and the content displayed to you transit Bluesky's US infrastructure, even where your account is hosted on the Eurosky PDS or a third-party EU PDS. We do not pay Bluesky for this access; the appview is open. Bluesky processes the data it receives under its own privacy policy. We are building our own appview and will switch mu over to it when ready; we will update this section when we do. See §8 for the international-transfer implications.

Direct Messages. mu uses Bluesky's Direct Message service as part of the Atmosphere. DMs you send through mu are routed through Bluesky Social, PBC's DM infrastructure, not through mu's own servers. DMs are not end-to-end encrypted. Bluesky's Trust & Safety can access them under Bluesky's DM policies, which are separate from these Terms and from this Privacy Policy. We process DM-related metadata (delivery, notifications, mute lists) on the mu side, but the message content itself sits in Bluesky's systems. If you do not want DMs to go through Bluesky's infrastructure, do not use DMs on mu until we revisit this arrangement.

22.3 Service interaction data

We process records of how you use mu, including:

  • feed and content interactions that drive the recommender systems described in §24 (what feeds you select, what you opt into for personalisation);
  • reports you submit through the mu reporting channel (§25 ToS / §23.2 here);
  • appeals you file (§26 ToS / §23.2 here);
  • mute, block, and label preferences you set, including third-party label services you subscribe to (Terms of Service §27);
  • notification settings and notification delivery records.

22.4 Technical and operational data

When you use mu, we process technical data needed to operate the service: IP addresses, user-agent strings, timestamps, server logs, and security and abuse-prevention signals.

22.5 Privacy-preserving analytics with Plausible

mu uses Plausible Analytics to understand how the service is being used. Plausible is a privacy-preserving analytics service provided by Plausible Insights OÜ, an Estonian company headquartered in the European Union. We chose Plausible because its design fits our intent for mu: aggregate signals that tell us how the service is doing, without per-user tracking, without cookies, and without sharing data with advertising networks.

The kinds of questions we use Plausible to answer are: how many people are using mu, at what time of day, and roughly from where (at the level of town or city, in the aggregate).

What Plausible collects when you use mu:

  • the URL of the page you are on within mu;
  • the referrer (the page you arrived from, if any);
  • the browser and operating system family of your device;
  • the device type category (desktop, tablet, mobile);
  • the country, region, and city derived from your IP address.

Each of these values is recorded against an aggregate session count. Plausible does not store your IP address. Plausible does not store identifiers that persist across sessions or across sites.

What Plausible does not collect or use:

  • no cookies of any kind, first-party or third-party;
  • no persistent identifiers in your browser;
  • no fingerprinting techniques designed to identify individual devices across sessions;
  • no cross-site or cross-device tracking;
  • no advertising identifiers;
  • no per-user behaviour profiles.

Because Plausible does not use cookies and does not store personal data in the form usually triggered by ePrivacy Directive Article 5(3), we do not show a cookie banner for analytics. We rely on legitimate interests (Article 6(1)(f) GDPR) as the lawful basis for Plausible processing, on the basis that the aggregate signals are necessary to operate, secure, and improve mu and the impact on your fundamental rights is minimal.

Deployment. We use Plausible Cloud, the managed service operated by Plausible Insights OÜ on Hetzner DE infrastructure. Plausible acts as our data processor under a Data Processing Agreement. Both Plausible and the underlying hosting are EU-headquartered and EU-hosted; no personal data is transferred outside the EEA for analytics purposes.

Bunny.net also produces standard server-side traffic logs as a normal consequence of operating a CDN. Those logs are part of the technical and operational data described in §22.4, not part of the analytics described in this section. They are subject to the retention rules in §11 and §26.

22.6 Cookies and local browser storage on mu

mu uses:

  • a first-party session cookie to maintain your authenticated login session;
  • first-party preference storage in your browser's local storage and IndexedDB (not in cookies) for theme, language, sensitive-content filter settings, feed selections, and similar preferences. Preference values persist until you clear your browser storage or revoke authorization.

mu sets no third-party cookies for tracking, advertising, or analytics purposes. Plausible Analytics (§22.5) is the only third-party service involved in measuring how mu is used, and Plausible does not set cookies of any kind.

22.7 Lawful bases for mu

  • Performance of a contract (Article 6(1)(b)) for the core mu functionality, including authentication, content delivery, and notifications.
  • Legitimate interests (Article 6(1)(f)) for the operation, security, and improvement of mu, for detecting and preventing abuse, and for the privacy-preserving analytics described in §22.5. We have carried out balancing tests for these interests.
  • Legal obligation (Article 6(1)(c)) for compliance with the DSA, the Terrorist Content Online Regulation, lawful orders, and other applicable law.

23. Moderation, reports, and automated systems on mu

23.1 The two layers (and what we can actually do at launch)

mu's moderation is described in two layers in Terms of Service §23: a Bluesky baseline and a mu layer of our own. For this Privacy Policy, two distinctions matter.

At launch. The systematic moderation signal on mu comes from the labelling service operated by Bluesky Social, PBC. The labels Bluesky publishes are public; ingesting them is not processing of your personal data per se. When mu applies a Bluesky label to specific content of yours, we process the content (which may be personal data) and our application of the label is a moderation action we record. We can suspend an account's ability to sign in to mu where suspension is warranted, but at launch we cannot ourselves apply specific moderation actions (hide, restrict, label, remove) to specific posts at the mu layer. The most we can do beyond suspension is flag cases back to Bluesky's Trust & Safety team, with whom we are in regular contact.

When our own moderation layer is live (target summer 2026). mu's own systems and moderators will be able to take specific actions on specific content under the mu Community Guidelines. When they do, we record the action, the content it applies to, the reason for it, and (where applicable) the appeal you have filed.

A structural point about suspension and content removal. These are different actions. Suspending an account from signing in to mu does not, by itself, remove that account's content from mu, because mu fetches content from across the AT Protocol network. Content removal is always a separate, case-by-case decision against specific content. This stays true once our own moderation layer is live; it is a property of operating on a federated protocol, not a transitional limitation.

23.1a Why Bluesky processes mu user data

You should understand a feature of the AT Protocol that affects what Bluesky sees, and why.

mu uses the app.bsky.* lexicon, the set of data schemas that Bluesky originally defined for posts, profiles, follows, likes, and similar records. The app.bsky.* lexicon is what most ATProto applications use today; mu is one of them. When you post on mu, your post is written as a record under that lexicon to the PDS that hosts your account, and is then broadcast on the AT Protocol firehose as a normal consequence of being on the open network.

Bluesky Social, PBC operates infrastructure that ingests the firehose for the app.bsky.* lexicon at the network level: a relay, an AppView, and a Trust & Safety service. This is part of how Bluesky's own application works and part of how it serves other applications on the network with labels. As a result, when you use mu and post app.bsky.* content, Bluesky's infrastructure sees that content because it is on the firehose, not because we share it with Bluesky. Bluesky's Trust & Safety service may then classify the content under Bluesky's own moderation rules and publish labels that anyone can subscribe to (including mu, see §23.1).

The consequences for your data:

  • We do not actively share your data with Bluesky. Bluesky's infrastructure sees app.bsky.* content because that content is on the AT Protocol firehose, which Bluesky's infrastructure ingests as a normal part of being on the network.
  • Bluesky's processing of your data is governed by Bluesky's own privacy policy, not ours. We cannot speak for it.
  • The labels Bluesky publishes are public. mu ingests them and applies them on mu by default (subject to §23.2 of the ToS). The label decision is Bluesky's; our application of it on mu is ours.
  • This arrangement is a property of the open social web, not a contract. If the AT Protocol lexicons or the firehose architecture change in ways that affect this, we will update this section.

If you do not want Bluesky's infrastructure to see your content, the answer is to not use the app.bsky.* lexicon. There are other lexicons on the open social web. mu currently only supports app.bsky.*.

23.2 Reports and appeals

When you submit a report through the mu reporting channel or by emailing safety@mu.social, we process:

  • the content of your report;
  • your account details and contact details;
  • evidence you provide;
  • our investigation notes, our decision, and the reasons.

When you file an appeal under Terms of Service §26 or by emailing appeals@mu.social, we process the appeal text, the underlying decision and its evidence, the reviewer's notes, and our decision.

We retain reports, appeals, and the records of our decisions for as long as necessary to enforce them, defend further appeals, comply with the DSA's transparency-reporting obligations (Article 24 DSA), and meet other legal obligations.

23.3 Automated systems

At launch, the systematic automated moderation signal applied to content on mu comes from Bluesky's labelling service, not from mu's own systems. mu applies the Bluesky baseline labels at scale, and performs human review on a per-report basis under §23.2 above. We do not run our own large-scale automated classifiers for spam, abuse, or prohibited content on mu at launch.

Once our own moderation layer is live (target summer 2026), mu will use additional automated systems (including AI-based systems) for:

  • detecting spam, abuse, and prohibited content to surface for human review or to apply our own labels;
  • detecting coordinated inauthentic behaviour (Community Guidelines §5.7);
  • supporting prioritisation in our human review queues.

Automated systems may make initial decisions to label or restrict content. Significant decisions that affect your access to mu (suspension, termination) are not made solely by automated means. You have the right under Article 22 of the GDPR not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you; the appeal route under Terms of Service §26.2 is the route by which you can request a human review, express your view, and contest the decision.

23.4 Statement of reasons

Where the Digital Services Act applies (Article 17), we provide a statement of reasons for the actions we take against your content or your access. The statement describes what we did, why, whether automated systems were involved, and how to appeal.

24. Recommender systems and feeds

At launch. mu does not yet run its own recommender. The default feeds you see in mu and the personalisation signal they use are powered by Bluesky's appview (see §22.2), and the recommender behaviour mu surfaces at launch is the behaviour of Bluesky's recommender, displayed through mu. The processing of your interaction data for ranking and personalisation at launch is done by Bluesky's systems under Bluesky's privacy policy, not by ours. mu can record which feeds you have chosen and which content you have interacted with through mu for our own service-interaction-data purposes (see §22.3), but at launch we do not run our own ranking models against that data.

When our own appview is live, we will run our own default feeds and our own recommender. At that point, we will process service-interaction data (which feeds you select, which content you interact with through mu) to drive ranking and personalisation on mu, and we will be specific in-product about which signals each of our own feeds uses. We will update this section when the switch happens.

Third-party feeds. Regardless of whether the appview is Bluesky's or ours, you can choose alternative feeds, including third-party feeds operated by independent operators on the AT Protocol, or opt out of personalised recommendations entirely. Third-party feeds and labelling services process your data under their own terms; we are not responsible for them. See Terms of Service §27.

We do not build advertising profiles of you (§7).

25. Third parties involved in mu's operation

mu involves the following categories of third parties.

  • Hosting: Bunny.net (Slovenia, EU).
  • Bluesky Social, PBC, in three distinct roles at launch: (a) as the publisher of the moderation labels we ingest and apply on mu (§23.1); (b) as the operator of the DM service we use at launch (§22.2); and (c) as the operator of the appview through which content delivery and the launch-period recommender signal on mu are served (§22.2, §24). Bluesky processes the data it sees in each of these roles under its own privacy policy.
  • Other PDS providers, where you use mu with an account hosted elsewhere. We exchange data with the PDS that hosts your account in order to fetch and write content on your behalf.
  • The AT Protocol network at large, including relays, AppViews, and other ATProto operators (§13).
  • Service providers acting as data processors on our behalf, for example for error tracking, customer support, or operational tooling, where contractual safeguards and (where applicable) Standard Contractual Clauses are in place.
  • Plausible Insights OÜ (Estonia) as our privacy-preserving analytics processor, on Plausible Cloud (Hetzner DE infrastructure). See §22.5.

We do not sell personal data to any third party. We do not share personal data with advertisers, advertising networks, or data brokers.

26. Retention specific to mu

In addition to the principles in §11, the following retention rules apply to mu:

  • Cached content for performance and reliability is retained for short periods only and is purged on the cache rotation cycle.
  • Reports and appeals are retained for as long as necessary to enforce decisions, defend further challenges, and comply with the DSA's transparency-reporting obligations.
  • Service-interaction data that drives recommender feeds is retained in aggregate; per-user signals used to personalise your feeds are kept while your account is active and can be reset from your settings or by ending your relationship with mu (Terms of Service §28).
  • Notification delivery records are retained for a short operational window (typically 30 days).
  • Aggregate analytics signals (§22.5) are retained in their aggregated form indefinitely, because by design they cannot be tied back to an individual.

27. Ending your relationship with mu

The mechanics of ending your relationship with mu and ending your Eurosky account are set out in Terms of Service §28 (mu) and §21.3 (Eurosky account). For privacy purposes:

  • when you revoke mu's OAuth authorization, mu loses the ability to act on your behalf from that moment, and the mu-side caches of identifiers and preferences associated with your account are deleted on the retention timelines described in §26;
  • when you deactivate your Eurosky account (where applicable), the data stored under your account stays in place but is paused: it is not served on the network, your handle is held for 30 days, and you can reactivate within that window (see §20 retention). If you reactivate, processing resumes; if you do not reactivate within 30 days, the handle is released, and the account remains in its deactivated state until you reactivate or fully delete it, or until the 12-month deactivated-account retention period described in §20 expires;
  • when you delete your Eurosky account (where applicable), we begin deletion of Your Content from the Eurosky PDS in accordance with §20;
  • when you migrate your Eurosky account to another PDS provider, Part 3 of this Privacy Policy stops applying to you, and your new PDS provider's privacy notice governs the hosting layer from that point; Part 4 continues to apply if you keep using mu.

Federation runs both ways. Even after you stop using mu, public content involving you may continue to appear on mu, because mu fetches content from across the AT Protocol network rather than only from people who actively use mu. We described this in §13. It means that ending your mu relationship deletes your mu-side data and revokes our access to your account, but it does not prevent public content involving you that lives elsewhere on the network from being displayed on mu.

We retain what we are required to keep for legal or trust-and-safety reasons (§11).


Contact

For all privacy-related questions: privacy@eurosky.tech.

For Data Protection Officer correspondence: dpo@eurosky.tech.

For data subject access, rectification, erasure, restriction, portability, and objection requests: privacy@eurosky.tech. You can also use the in-product settings for the relevant service where available.

For postal correspondence: Stichting Modal, Kranenburgweg 135 A, 2583 ER The Hague, Netherlands.

To lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl. You can also complain to your own national supervisory authority if you live in another EU or EEA Member State.