The service includes meaningful user protections like export, deletion, hashed passwords, SSL, optional 2FA, and a no-sale statement. The main concerns are the decentralized network design, which spreads content to other servers, plus limited support scope and some moderation opacity.
Mastodon.social presents a relatively user-friendly privacy posture for a social platform: it offers account deletion, content export, clear security measures, and says it does not sell personal information. Key tradeoffs come from federation: public, followers-only, and direct-message content may be copied or delivered to other servers, reducing practical control once shared.
Points of interest
Because Mastodon is federated, your public content can be downloaded by other servers, and even followers-only or direct messages may be delivered to other servers. That limits practical control over where your content ends up.
"Your public content may be downloaded by other servers in the network. Your public and followers-only posts are delivered to the servers where your followers reside"
Direct messages are sent to recipients' servers when they are on other servers. Users should not assume DMs stay solely under mastodon.social's control.
"direct messages are delivered to the servers of the recipients, in so far as those followers or recipients reside on a different server than this"
Mastodon.social says it does not sell or trade personally identifiable information. It may still share data with service providers or when legally required, which is common but worth noting.
"We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information."
You can permanently delete your account at any time. This gives users a clear exit path, though copies of distributed content on other servers may persist in practice.
"You may irreversibly delete your account at any time."
The policy says sessions and API traffic use SSL, passwords are strongly hashed, and two-factor authentication is available. These are meaningful baseline protections for account access.
"your browser session, as well as the traffic between your applications and the API, are secured with SSL, and your password is hashed... You may enable two-factor authentication"
Users can request and download an archive of their content. This supports portability and backup before leaving the service.
"You can request and download an archive of your content, including your posts, media attachments, profile picture, and header image."
Authorized apps may access substantial account data depending on the permissions you grant. The positive limit is that apps cannot access your email address or password.
"it may access your public profile information... all your posts, and your favourites. Applications can never access your e-mail address or password."
Reports are usually handled quickly, but reporters are not told whether punishment occurred, and some enforcement is not visible publicly. This helps moderation flexibility but reduces transparency for users who report abuse.
"We usually handle reports within 24 hours. Please mind that you are not notified when a report you have made has led to a punitive action"
The service identifies the operating company and provides corporate registration details and contact information. That improves accountability compared with anonymous operators.
"Mastodon GmbH ... Mühlenstraße 8a ... 14167 Berlin ... Handelsregister ... HRB 230086 B"
Documents
Terms of Service
- This page does not provide Mastodon's terms of service; it mainly lists contact, moderation, and company information for the mastodon.social server.
- [email protected] only handles issues about the mastodon.social server and cannot help with accounts hosted on other servers.
- Press or company-related questions should be sent to [email protected] instead of the server support address.
- When reporting accounts, include example posts showing the alleged rule-breaking and any useful context, especially for languages moderators may not know.
- The service says reports are usually handled within 24 hours.
- Users are not notified if their report leads to punishment, and some enforcement actions may not be visible to the public.
- For first offenses, moderators may delete offending content and may use harsher measures for repeated offenses.
- The page identifies Mastodon GmbH in Berlin, Germany, as the company behind the service and provides its registration details.
Privacy Policy
- Mastodon.social collects personal information you provide through the website or API and says this policy covers only entities it owns or controls.
- It uses security measures like SSL for sessions and API traffic, hashed passwords, and optional two-factor authentication for account protection.
- You can request and download an archive of your content, including posts, media attachments, profile picture, and header image.
- You may permanently delete your account at any time.
- The service uses cookies to recognize your browser, link it to your account, and remember your preferences for future visits.
- It says it does not sell or trade personal information, but may share it with confidential service providers or when required by law.
- Your public content can be downloaded by other servers, and posts or direct messages may be delivered to followers' or recipients' servers.
- Apps you authorize may access profile and account content based on approved permissions, but cannot access your email address or password.
- The service is intended for users who are at least 16 years old in the EU/EEA and at least 13 in the USA, with different age rules possible elsewhere.