GitHub Privacy Statement
End User Notice: Organization-Provided GitHub Accounts
- Manage and administer your GitHub account, including adjusting privacy settings.
- Access and utilize your Personal Data, which includes details on how you use the Services, as well as your content and files.
Third Party Access and Data Protection
Personal Data We Collect
From You
- Account Data: We collect certain information when you open an account such as your GitHub handle, name, email address, password, payment information and transaction information.
- User Content and Files: When you use our Services, we collect Personal Data included as part of the information you provide such as code, inputs, text, documents, images, or feedback.
- Demographic information: In some cases, you provide us with ethnicity, gender, or similar demographic details.
- Feedback Data: This consists of information you submit through surveys, reviews, or interactive features.
- Payment Information: For paid subscriptions, we collect details like name, billing address, and payment specifics.
- Profile Information: We collect information to create a user profile, which may include a photo, additional email addresses, job title, or biography.
- Sales and Marketing Data: This includes information provided for promotional communications, such as name, email address, and company name.
- Support Data: When you seek customer support, we collect details like code, text, or multimedia files.
Automatically
- Buttons, Tools, and Content from Other Companies: Our Services may contain links or buttons that lead to third-party services like Twitter or LinkedIn. Use of these features may result in data collection. Engaging with these buttons, tools, or content may automatically send certain browser information to these companies. Please review the privacy statements of these companies for more information.
- Essential Cookies and Similar Tracking Technologies: We use cookies and similar technologies to provide essential functionality like storing settings and recognizing you while using our Services.
- Non-essential Cookies: Depending on your jurisdiction, we may use online analytics products that use cookies to help us analyze how de-identified users use our Services and to enhance your experience when you use the Services. We may also employ third-party Cookies to gather data for interest-based advertising. In some jurisdictions, we only use non-essential cookies after obtaining your consent. See this section for more details and control options.
- Email Marketing Interactions: Our emails may have web beacons that offer information on your device type, email client, email reception, opens, and link clicks.
- Geolocation Information: Depending on the Service's functionality, we collect regional geolocation data.
- Service Usage Information: We collect data about your interactions with the Services, such as IP address, device information, session details, date and time of requests, device type and ID, operating system and application version, information related to your contributions to repositories, and performance of specific features or Services.
- Website Usage Data: We automatically log data about your Website interactions, including the referring site, date and time of visit, pages viewed, and links clicked.
From Third Parties
- Information from Other Users of the Services: Other users may share information about you when they submit issues and comments. We may also receive information about you if you are identified as a representative or administrator on your company's account.
- Publicly Available Sources: We may acquire information about you from publicly available sources like public GitHub repositories.
- Services you linked to your GitHub account: When you or your administrator integrate third-party apps or services with our Services, we receive information based on your settings with those services. This can include details like your name and email from services like Google for authentication. The information we receive depends on the third-party's settings and privacy policies. Always review these to understand what data is shared with our Services.
- Vendors, Partners, and Affiliates: We may receive information about you from third parties, like vendors, resellers, partners, or affiliates for the purposes outlined in this statement.
Processing Purposes: How We Use Your Personal Data
- Business Operations: We use Personal Data for activities like billing, accounting, and compensation. This includes creating aggregated statistical data for internal reporting, financial reporting, revenue planning, capacity planning, and forecast modeling (including product strategy).
- Communication: We use Personal Data to inform you about new Services, features, offers, promotions, and other pertinent information. This also includes sending confirmations, invoices, technical notices, updates, security alerts, and administrative messages.
- Inference: We generate new information from other data we collect to derive likely preferences or other characteristics. For instance, we infer your general geographic location based on your IP address.
- Personalization: We use Personal Data to customize the Service to your preferences, to evaluate the effectiveness of enterprise business ads and promotional communications, and to ensure a seamless and consistent user experience.
- Safety and Security: To promote safety, integrity, and security across our Services, we process Personal Data, using both automated and, at times, manual techniques for abuse detection, prevention, and violations of terms of service.
- Service Provision: We use Personal Data to deliver and update our Services as configured and used by You, and to make ongoing personalized experiences and recommendations.
- Troubleshooting: We use Personal Data to identify and resolve technical issues.
- Ongoing Service Performance: Personal Data helps us keep the Services up to date and performant, and meet user productivity, reliability, efficacy, quality, privacy, accessibility and security needs.
- Complying with and resolving legal obligations: including responding to Data Subject Requests for Personal Data processed by GitHub as Controller (for example website data), tax requirements, agreements and disputes.
- Delivering Professional Services: We use Personal Data to deliver training, consulting or implementation (“Professional Services”). This includes providing technical support, professional planning, advice, guidance, data migration, deployment, and solution/software development services.
- Improving Professional Services: Enhancing delivery, efficacy, quality, and security of Professional Services and the underlying product(s) based on issues identified while providing Professional Services, including fixing software defects, and otherwise keeping the Professional Services up to date and performant.
Sharing of Personal Data
- Abuse and Fraud Prevention Entities: We may disclose Personal Data based on a good faith belief it is needed to prevent fraud, abuse, or attacks on our Services, or to protect the safety of GitHub and our users.
- Affiliates: Personal Data may be shared with GitHub affiliates, including Microsoft, to facilitate customer service, marketing and advertising, order fulfillment, billing, technical support, and legal and compliance obligations. Our affiliates may only use the Personal Data in a manner consistent with this Privacy Statement.
- GitHub Organization Accounts: If an organization adds you to their GitHub account, we might share Personal Data with that organization to fulfill the commercial relationship. In such a case, your use of the Services is protected by a data protection agreement and terms between your organization and GitHub.
- Competent Authorities: We may disclose Personal Data to authorized law enforcement, regulators, courts, or other public authorities in response to lawful requests or to protect our rights and safety. Please refer to our Guidelines for Legal Requests of User Data for more information.
- Corporate Transaction Entities: We might disclose Personal Data within the limits of the law and in accordance with this Privacy Statement for strategic business transactions such as sales or a merger.
- Partners and Resellers: We cooperate with third parties that offer sales, consulting, support, and technical services for our Services. We may share your data with these partners and resellers where allowed, and with your consent when required.
- Subprocessors and Service Providers: We may use vendors to provide services on our behalf, including hosting, marketing, advertising, social, analytics, support ticketing, credit card processing, or security services. They are bound by contractual obligations to ensure the security, privacy, and confidentiality of your information. Please visit https://docs.github.com/en/site-policy/privacy-policies/github-subprocessors to see our list of Subprocessors.
- Visual Studio Code (GitHub Codespaces): GitHub Codespaces and github.dev offer Visual Studio Code in a web browser, where some telemetry is collected by default. Details on telemetry collection are on the VS Code website. To opt out, go to File > Preferences > Settings in the top left menu of VS Code. Opting out will sync this preference across all future web sessions in GitHub Codespaces and github.dev.
- Other Third-party Applications: Upon your instruction, we may share Personal Data with third-party applications available on our Marketplace. You are responsible for the data you instruct us to share with these applications.
- Other Users and the Public: Depending on your account settings, we may share Personal Data with other users of the Services and the public. You control what information is made public. To adjust your settings, visit User Settings in your profile. Please be aware that any information you share in a collaborative context may become publicly accessible.
Private repositories: GitHub Access
- security purposes
- automated scanning or manual review for known vulnerabilities, active malware, or other content known to violate our Terms of Service
- to assist the repository owner with a support matter
- to maintain the integrity of the Services, or
- to comply with our legal obligations if we have reason to believe the contents are in violation of the law.
Lawful Bases for Processing Personal Data (Applicable to EEA and UK End Users)
- Contractual Necessity: Processing is required to fulfill our contractual duties to you, in accordance with the GitHub Terms of Service.
- Legal Obligation: We process data when it's necessary to comply with applicable laws or to protect the rights, safety, and property of GitHub, our affiliates, users, or third parties.
- Legitimate Interests: We process data for purposes that are in our legitimate interests, such as securing our Services, communicating with you, and improving our Services. This is done only when these interests are not overridden by your data protection rights or your fundamental rights and freedoms.
- Consent: We process data when you have explicitly consented to such processing. When we rely on consent as the legal basis, you have the right to withdraw your consent for data processing at any time. The procedures for withdrawal are detailed in this Statement and available on our website.
Your Privacy Rights
- The right to access the data collected about you
- The right to request detailed information about the specific types of Personal Data we've collected over the past 12 months, including data disclosed for business purposes
- The right to rectify or update inaccurate or incomplete Personal Data under certain circumstances
- The right to erase or limit the processing of your Personal Data under specific conditions
- The right to object to the processing of your Personal Data, as allowed by applicable law
- The right to withdraw consent, where processing is based on your consent
- The right to receive your collected Personal Data in a structured, commonly used, and machine-readable format to facilitate its transfer to another company, where technically feasible
International data transfers
Data Privacy Framework (DPF)
Dispute resolution process
Government Enforcement
Security and Retention
Security
Contact Us
Information for Minors
Changes to Our Privacy Statement
Translations
French
Other translations
Our use of cookies and tracking technologies
Cookies and tracking technologies
What are cookies and similar technologies?
How do we and our partners use cookies and similar technologies?
What are your cookie choices and controls?
- Specifically on GitHub Enterprise Marketing Pages: Any GitHub page that serves non-essential cookies will have a link in the page’s footer to cookie settings. You can express your preferences at any time by clicking on that link and updating your settings. Some users will also be able to manage non-essential cookies via a cookie consent banner, including the options to accept, manage, and reject all non-essential cookies.
- Generally for all websites: You can control the cookies you encounter on the web using a variety of widely-available tools. For example:
  - If your browser sends a Do Not Track (DNT) signal, GitHub will not set non-essential cookies and will not load third party resources which set non-essential cookies.
  - Many browsers provide cookie controls which may limit the types of cookies you encounter online. Check out the documentation for your browser to learn more.
  - If you enable a browser extension designed to block tracking, such as Privacy Badger, non-essential cookies set by a website or third parties may be disabled.
  - If you enable a browser extension designed to block unwanted content, such as uBlock Origin, non-essential cookies will be disabled to the extent that content that sets non-essential cookies will be blocked.
  - You may use the Global Privacy Control (GPC) to communicate your privacy preferences. If GitHub detects the GPC signal from your device, GitHub will not share your data (we do not sell your data). To learn more, visit Global Privacy Control — Take Control Of Your Privacy.
  - Advertising controls. Our advertising partners may participate in associations that provide simple ways to opt out of ad targeting, which you can access at:
    - United States: NAI and DAA
    - Canada: Digital Advertising Alliance of Canada
    - Europe: European Digital Advertising Alliance
US State Specific Information
Privacy Rights
- Right to Knowledge and Correction: You have the right to request details on the specific personal information we’ve collected about you and the right to correct inaccurate information. You can exercise this right by contacting us. You can also access and edit basic account information in your settings.
- Right to Know Data Recipients: We share your information with service providers for legitimate business operations, such as data storage and hosting. For more details, please see “Sharing Your Information” below.
- Right to Request Deletion: You reserve the right to request the deletion of your data, barring a few exceptions. Such exceptions include circumstances where we are required to retain data to comply with legal obligations, detect fraudulent activity, investigate reports of abuse or other violations of our Terms of Service, or rectify security issues. Upon receiving your verified request, we will promptly delete your personal information (unless an exception applies), and instruct our service providers to do the same. We employ brief retention terms by design.
- Right to a Timely Response: You are allowed to make two free requests in any 12-month period. We commit to responding to your request within 45 days. In complex cases, we may extend our response time by an additional 45 days.
- Non-Discrimination: We will not hold it against you when you exercise any of your rights. On the contrary, we encourage you to review your privacy settings closely and contact us with any questions.
Notice of Collection of Personal Information
Exercising your Privacy Rights
California
Mandatory Disclosures
- We collected the following categories of personal information in the last 12 months: identifiers/contact information, demographic information (such as gender), payment card information associated with you, commercial information, Internet or other electronic network activity information, geolocation data, audio, electronic, visual or similar information, and inferences drawn from the above.
- The sources from which we collected personal information are: directly from you, automatically, or from third parties.
- The business or commercial purposes of collecting personal information are as summarized above and in our Privacy Statement under Processing Purposes.
- We disclosed the following categories of personal information for a business purpose in the last 12 months: identifiers/contact information, demographic information (such as gender and rough geographic location), payment information, commercial information, Internet or other electronic network activity information, geolocation data, audio, electronic, visual or similar information, and inferences drawn from the above. We disclosed each category to third-party business partners and service providers, third-party sites or platforms such as social networking sites, and other third parties as described in the Sharing of Personal Data section of our Privacy Statement.
- As defined by applicable law, we “shared” the following categories of personal information in the last 12 months: identifiers/contact information, Internet or other electronic network activity information, and inferences drawn from the above. We shared each category to or with advertising networks, data analytics providers, and social networks.
- The business or commercial purpose of sharing personal information is to assist us with marketing, advertising, and audience measurement.
- We do not “sell” or “share” the personal information of known minors under 16 years of age.
Shine the Light Act
Removal of Content
Colorado/Connecticut/Virginia
- If we deny your rights request, you have the right to appeal that decision. We will provide you with the necessary information to submit an appeal at that time.
- You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. GitHub does not engage in such profiling as defined by Colorado law, so there’s no need to opt out.
Nevada