Interested in thoughts on this.
Users can send personal messages. These are not technically private; admin are capable of seeing them, though we would have to choose to go looking and would not do this lightly. For example, we would see messages flagged as abusive, and if we had good reason to think a user was using the platform for grooming purposes, we would reserve the right to check.
Would guess this is the balance we want. Admin on most sites have the ability to see messages, though sometimes it requires a database query-- though admin usually have the permissions to perform that anyway. The ability tends not to be broadcast, sometimes to prevent drama, sometimes to prevent an implication of liability if a user does misuse the messaging system.
We do have the option of disabling messages entirely, if people feel the ability to message would mislead users into a false sense of privacy. Reluctant to do that since it seems a bit much, though open to the idea.
We will not be providing truly private messages on this platform. We do not want to host material that we have no ability to oversee, in case that material is illegal to host.
While all messages can be viewed, we do not want to give the expectation that all messages will be viewed, or indeed that any messages would be viewed except in exceptional circumstances.
Considering adding a line to the privacy policy noting that anything one posts on the site is capable of being viewed by an admin. Perhaps that is already taken as a given. But while most websites work this way, we would hazard a guess that this is not generally understood.