GitHub updated its Privacy Statement on April 28, 2026 to explicitly authorize collection and use of AI outputs from user-provided content, and to broaden the scope of personal data sharing with affiliates to include product development and AI/machine learning training. The statement also removed specific language describing the conditions under which GitHub personnel may access private repositories and replaced it with a reference to the Terms of Service. These changes expand the stated purposes for data use and affiliate sharing without adding explicit opt-out mechanisms.
The updated terms now explicitly authorize GitHub to collect AI outputs generated within the platform alongside user-provided code and content, and to share personal data with Microsoft and other GitHub affiliates for purposes including training and improving artificial intelligence and machine learning technologies. The privacy statement indicates that aggregate and de-identified data will be used where feasible, but the updated language establishes broader authority for affiliate data sharing and AI model development than the previous version stated. The revised terms also remove specific disclosure of the conditions under which GitHub personnel may access private repositories, replacing that detail with a cross-reference to the Terms of Service, which means the scope of internal GitHub access to private repositories is now defined in a separate contract document rather than the privacy statement itself.
The updated terms establish explicit authority for GitHub to use AI outputs and personal data for AI/ML model training and improvement, and to share this data with affiliates including Microsoft for these purposes. This expands the stated scope of data processing beyond prior language and formalizes a use case (AI model training) that some users may not have anticipated when evaluating how their code and data would be used. Organizations that have made representations to their own customers about code use restrictions or data protection measures should evaluate whether this policy change affects those commitments.
→ Personal data including code, text, and AI outputs will be used by GitHub and shared with affiliates for AI and machine learning development as stated in the updated terms.
→ GitHub's authority to share data with Microsoft and other affiliates for product development and AI training will apply to all users unless GitHub provides an opt-out mechanism outside the privacy statement.
This is the 2nd significant Ai Training Rights change GitHub has made since ConductAtlas began monitoring.
Across all monitored documents, GitHub has made 2 significant changes.
The policy now explicitly includes AI outputs alongside user-provided code and content as collected personal data, expanding the scope of what GitHub considers data collection.
The policy now explicitly authorizes sharing personal data with Microsoft and other GitHub affiliates for product development and AI/ML model training, removing the prior limitation that affiliate use must be consistent with the privacy statement.
The policy removes the explicit list of conditions under which GitHub may access private repositories and directs users to the Terms of Service instead, reducing privacy-policy-level transparency about these access practices.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
If your organization processes user data on GitHub, you must now acknowledge that GitHub will use some of that data to train and improve AI technologies.
GitHub now states it collects AI-generated outputs alongside code and text you provide, expanding what data it considers collected from your use.
+ 1 more obligation changes. Full breakdown available with Watcher.
Track changes →This change expands stated data processing purposes to explicitly include AI/ML model training and improvement, and broadens affiliate data sharing authority to include these purposes. Organizations subject to GDPR, CCPA, or similar privacy regimes should assess whether the expanded processing purposes and affiliate sharing fall within documented lawful bases and whether notice to data subjects complies with applicable disclosure requirements. The removal of specific private repository access conditions from the privacy statement and replacement with a Terms of Service cross-reference may affect how organizations document data subject rights and access practices. No imminent compliance violation is evident, but regulatory frameworks in multiple jurisdictions require transparent notice of AI-related processing purposes and affiliate data flows.
GDPR (processing purpose transparency, Article 6 lawful basis documentation, affiliate data controller relationships), UK GDPR, CCPA (purpose specification and affiliate disclosure requirements), EU AI Act (if applicable to GitHub's model training), sector-specific regulations if applicable to customer data classifications.
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-001456.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — WatcherGitHub added a new section titled 'AI Features, Training, and Your Data' to its Terms of Service on April 28, …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.