GitHub updated its Privacy Statement on April 28, 2026, making several notable changes to how your data can be used. The policy now explicitly states that your data — including AI outputs — can be used to train and improve artificial intelligence and machine learning technologies, and this data can be shared with Microsoft and other affiliates for that purpose. Previously, the policy included specific protections describing when GitHub staff could access private repositories; that detailed list has been removed and replaced with a general reference to the Terms of Service.
GitHub's updated policy now explicitly permits your personal data, including AI outputs, to be used for training and improving AI and machine learning models, and this data may be shared with Microsoft and other affiliates for that purpose. Previously, the policy contained a specific, enumerated list of circumstances under which GitHub staff could access your private repositories; that list has been removed, leaving protections less clearly defined and pointing users to the Terms of Service instead. You can review GitHub's privacy settings and, if applicable, submit a data subject request to limit certain processing of your personal data.
Your data and AI-generated outputs can now be used to train GitHub's and Microsoft's AI systems.
GitHub can now share your data with Microsoft specifically for AI training, which is a broader use than before.
+ 3 more obligation changes. Full breakdown available with Watcher.
Unlock — $9.99/mo →This change means GitHub can now use your code, documents, and AI outputs to train AI models and share them with Microsoft for that purpose — a significant expansion of how your data is used. The removal of explicit private repository access protections also makes it harder to understand the limits on who at GitHub can see your private code.
Across all monitored documents, GitHub has made 2 significant changes.
2 of GitHub's significant changes have been classified as negative for consumers.
GitHub now explicitly uses personal data, including AI outputs, to train and improve artificial intelligence and machine learning technologies.
Personal data may now be shared with Microsoft and other affiliates specifically for AI/ML training and product development, with affiliates no longer required to follow GitHub's Privacy Statement.
The explicit enumerated list of conditions permitting GitHub staff to access private repositories has been removed from the Privacy Statement and replaced with a reference to the Terms of Service.
ConductAtlas Policy Archive Entity: GitHub | Document: GitHub Privacy Statement | Record: CA-C-000695 Captured: 2026-04-28 06:21:11 UTC URL: https://conductatlas.com/change/2026-04-28-github-github-privacy-statement-695/ Accessed: May 2, 2026
Unlock the full analysis
14-day free trial available.
GitHub's April 28, 2026 update materially expands data use rights: personal data (now explicitly including AI outputs) may be used for AI/ML training and improvement, and shared with Microsoft and affiliates for that purpose. The prior explicit restriction on private repository access by GitHub personnel has been removed, replaced by a reference to the Terms of Service. This touches GDPR Art. 5(1)(b) (purpose limitation), Art. 13/14 (transparency), and CCPA/CPRA data use disclosures. Organizations using GitHub for software development — especially those handling regulated data — should reassess their vendor risk posture and DPAs immediately. Action is required.
1. GDPR Art. 5(1)(b) — Purpose limitation: expanding data use to AI/ML training may constitute incompatible secondary processing requiring a new legal basis or user consent.
Compliance intelligence locked
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-000695.
This new provision explicitly exempts de-identified and aggregate data from privacy protections, enabling unrestricted use and sharing for any purpose.
This new provision establishes a general indefinite retention standard with multiple qualifying factors, replacing the previous vague reference to data retention.
The removal of explicit AI/ML training data provisions eliminates disclosed restrictions on how user data is used for machine learning purposes, a significant omission given GitHub's Copilot services.
The removal of CCPA/CPRA-specific provisions eliminates explicit protections for California residents, though general rights provisions remain.
The removal of explicit payment data provisions leaves unclear how financial information collected for billing is handled and protected.
Previous version had no excerpt provided; current version now includes detailed disclosure conditions and explicit mention of law enforcement discretion.
Previous version had no excerpt; current version now explicitly states GitHub is a Microsoft subsidiary and clarifies data sharing is governed by Microsoft agreements.
Previous version had no excerpt; current version adds explicit disclosure of interest-based advertising and cross-site tracking partnerships.
Previous version had no excerpt; current version now includes specific contact method and response timeline commitment.
Previous version had no excerpt; current version adds specific contact mechanism and deletion commitment for unauthorized child data collection.
Previous version had no excerpt; current version now includes explicit acknowledgment that U.S. privacy laws may be less comprehensive than user's home country.
Cross-platform context
See how other platforms handle similar provisions across the ConductAtlas archive.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Unlock full diff — Watcher $9.99/moGitHub added a new section to their Terms of Service specifically about AI features like GitHub Copilot, explaining how your …
We monitor 200+ platforms and archive every change — verified and timestamped.