GitHub may share your personal data with Microsoft and its subsidiaries for service, security, and product improvement purposes, and Microsoft may use that data under Microsoft's own privacy policy.
This analysis describes what GitHub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy authorizes transfer of personal data to Microsoft's broader corporate family, meaning data collected by GitHub may be processed under Microsoft's separate privacy terms and for Microsoft's own operational purposes, not solely for GitHub service delivery.
Interpretive note: The precise scope of permitted purposes for Microsoft affiliate sharing is broadly described; the operational extent of sharing for product improvement purposes is not fully specified in the policy text.
The updated terms now explicitly authorize GitHub to collect AI outputs generated within the platform alongside user-provided code and content, and to share personal data with Microsoft and other GitHub affiliates for purposes including training and improving artificial intelligence and machine learning technologies. The privacy statement indicates that aggregate and de-identified data will be used where feasible, but the updated language establishes broader authority for affiliate data sharing and AI model development than the previous version stated. The revised terms also remove specific disclosure of the conditions under which GitHub personnel may access private repositories, replacing that detail with a cross-reference to the Terms of Service, which means the scope of internal GitHub access to private repositories is now defined in a separate contract document rather than the privacy statement itself.
View change record →The policy permits GitHub to share user personal data including identifiers, usage data, and content interactions with Microsoft Corporation and affiliated entities, who may then process that data under Microsoft's privacy statement for purposes beyond direct GitHub service delivery.
How other platforms handle this
We may share your personal information with our affiliates, meaning entities that control, are controlled by, or are under common control with Consensys. We also share information with service providers who assist in operating our services, subject to confidentiality obligations.
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
Loyalty and partner program companies. We share information with our loyalty and partner program companies, like Ulta Beauty and Marriott.
Monitoring
GitHub has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"As a member of the Microsoft family of companies, GitHub may share personal data with Microsoft Corporation and its subsidiaries and affiliates. Microsoft may use this information consistent with its own privacy statement. Sharing within the corporate family may occur for purposes including service delivery, security, and product improvement.— Excerpt from GitHub's GitHub Privacy Statement
(1) REGULATORY LANDSCAPE: This provision implicates GDPR Articles 26 and 28 (joint controllers and processors), Article 46 (transfers to third countries), and CCPA provisions on sharing personal information with affiliates. The Irish Data Protection Commission is the lead supervisory authority for GDPR purposes. Intra-group data transfers to Microsoft US entities require adequate transfer mechanisms such as Standard Contractual Clauses. (2) GOVERNANCE EXPOSURE: High. Affiliate sharing with a parent company of Microsoft's scale and data processing footprint creates significant compliance exposure for enterprise customers, particularly where employees' professional activity data may be shared across the Microsoft ecosystem. The scope of permitted sharing purposes (security, product improvement) is broadly stated and may require further specification to satisfy GDPR purpose limitation requirements. (3) JURISDICTION FLAGS: EU/EEA and UK users face heightened exposure given the volume of US-based Microsoft processing. California residents should note that affiliate data sharing may qualify as sharing under CCPA/CPRA. Organizations in financial services or healthcare sectors may have additional contractual or regulatory restrictions on affiliate data sharing. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should obtain and review GitHub's Data Processing Agreement to confirm the scope and basis for Microsoft affiliate data sharing. Where enterprise contracts include data residency requirements, teams should verify whether affiliate sharing is scoped or limited. Liability for downstream Microsoft processing may not be clearly allocated in standard GitHub agreements. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should conduct a data transfer impact assessment for intra-group transfers to Microsoft US entities, verify that Standard Contractual Clauses are in place and current, and assess whether employee-facing privacy notices disclose Microsoft affiliate sharing in sufficient detail.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy authorizes transfer of personal data to Microsoft's broader corporate family, meaning data collected by GitHub may be processed under Microsoft's separate privacy terms and for Microsoft's own operational purposes, not solely for GitHub service delivery.
The policy permits GitHub to share user personal data including identifiers, usage data, and content interactions with Microsoft Corporation and affiliated entities, who may then process that data under Microsoft's privacy statement for purposes beyond direct GitHub service delivery.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by GitHub.