GitHub keeps your personal data for as long as it needs to for service delivery, legal compliance, dispute resolution, and contract enforcement, with specific timeframes varying by data type.
This analysis describes what GitHub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy does not specify retention periods for individual data categories, stating instead that retention is based on necessity and legal obligation; this means users cannot determine from this document alone how long specific types of data will be held.
Interpretive note: Specific retention periods for individual data categories are not disclosed in the policy text, making it unclear how long particular types of personal data are held in practice.
The updated terms now explicitly authorize GitHub to collect AI outputs generated within the platform alongside user-provided code and content, and to share personal data with Microsoft and other GitHub affiliates for purposes including training and improving artificial intelligence and machine learning technologies. The privacy statement indicates that aggregate and de-identified data will be used where feasible, but the updated language establishes broader authority for affiliate data sharing and AI model development than the previous version stated. The revised terms also remove specific disclosure of the conditions under which GitHub personnel may access private repositories, replacing that detail with a cross-reference to the Terms of Service, which means the scope of internal GitHub access to private repositories is now defined in a separate contract document rather than the privacy statement itself.
View change record →The policy authorizes retention of personal data across all collected categories for an unspecified duration tied to operational necessity and legal requirements; specific retention periods are not disclosed in this document.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
GitHub has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"GitHub retains personal data for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements. When data is no longer needed, GitHub will delete or anonymize it. Specific retention periods vary by data type and applicable legal requirements.— Excerpt from GitHub's GitHub Privacy Statement
(1) REGULATORY LANDSCAPE: Data retention practices implicate GDPR Article 5(1)(e) (storage limitation), which requires personal data to be kept no longer than necessary for the purposes for which it is processed. CCPA also requires reasonable retention periods. The Irish DPC and California Privacy Protection Agency are the primary enforcement authorities. Retention policies that are broadly stated without specific periods may face scrutiny under storage limitation requirements. (2) GOVERNANCE EXPOSURE: Medium. The absence of specific retention periods in the policy creates a compliance disclosure gap; while internal retention schedules may exist, they are not surfaced to users in this document, limiting users' ability to exercise rights based on retention status. (3) JURISDICTION FLAGS: EU/EEA users have the strongest standing to challenge indefinite or overly broad retention under GDPR storage limitation principles. California residents can request deletion under CCPA, but GitHub's retention for legal obligation purposes may limit the scope of deletion available. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should request GitHub's data retention schedule as part of procurement due diligence and confirm that retention periods for enterprise user data align with the enterprise's own data governance policies and legal hold obligations. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should request GitHub's internal retention schedule, verify that deletion requests result in timely purging of data not subject to legal hold exceptions, and assess whether GitHub's anonymization practices meet the standard for true anonymization under applicable law.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy does not specify retention periods for individual data categories, stating instead that retention is based on necessity and legal obligation; this means users cannot determine from this document alone how long specific types of data will be held.
The policy authorizes retention of personal data across all collected categories for an unspecified duration tied to operational necessity and legal requirements; specific retention periods are not disclosed in this document.
ConductAtlas has identified this type of provision across 135 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by GitHub.