This analysis describes what GitHub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The provision defines the operational scope and duration of GitHub's data processing activities, establishing both a necessity standard for retention and a mandatory disposition process for data no longer required. This framework structures GitHub's obligations regarding when personal data must be removed from active processing systems.
The updated terms now explicitly authorize GitHub to collect AI outputs generated within the platform alongside user-provided code and content, and to share personal data with Microsoft and other GitHub affiliates for purposes including training and improving artificial intelligence and machine learning technologies. The privacy statement indicates that aggregate and de-identified data will be used where feasible, but the updated language establishes broader authority for affiliate data sharing and AI model development than the previous version stated. The revised terms also remove specific disclosure of the conditions under which GitHub personnel may access private repositories, replacing that detail with a cross-reference to the Terms of Service, which means the scope of internal GitHub access to private repositories is now defined in a separate contract document rather than the privacy statement itself.
Users' personal data will be retained according to the purposes outlined in the Privacy Statement rather than indefinitely, and GitHub commits to delete or anonymize such data once those purposes are fulfilled. If immediate deletion is not technically feasible, GitHub will segregate the data from further processing pending deletion.
How other platforms handle this
We retain personal data for as long as needed to provide our services, comply with our legal obligations, resolve disputes, and enforce our policies. Retention periods will vary depending on the type of data and the purposes for which we use it.
Microsoft retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for differen...
We keep information as long as we need it to provide our products and services and fulfil the purposes described in this policy. This is a case-by-case determination that depends on things like the nature of the information, why it is collected and processed, relevant legal or operational retention ...
Monitoring
GitHub has changed this document before.
"We retain personal data for as long as necessary to fulfill the purposes outlined in this Privacy Statement, unless a longer retention period is required or permitted by law. When we no longer need the personal data, we will delete or anonymize it. If deletion is not immediately possible, we will securely store the personal data and isolate it from any further processing until deletion is possible."
— Excerpt from GitHub's GitHub Privacy Statement
ConductAtlas has identified this type of provision across 66 platforms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by GitHub.