GitHub can take your personal data, strip out identifying details, and use the resulting anonymized data for any purpose without being bound by the privacy protections in this policy.
This new provision explicitly exempts de-identified and aggregate data from privacy protections, enabling unrestricted use and sharing for any purpose.
View full change record →GitHub can derive de-identified or aggregate data from your personal information and repository activity and use or share it without restriction, including potentially for training AI models like GitHub Copilot, with no opt-out provided under this provision.
Cross-platform context
See how other platforms handle De-identified and Aggregate Data Use and similar clauses.
Compare across platforms →The broad right to use de-identified data derived from user content without restriction — including for AI training and product improvement — means GitHub can extract commercial value from user behavior and code without the privacy policy's protections applying.
REGULATORY FRAMEWORK: GDPR Recital 26 and Art. 4(1) establish that truly anonymized data falls outside GDPR scope, but the standard for anonymization is high (FPF and EDPB guidance); CCPA/CPRA §1798.140(m) defines 'deidentified' data with specific technical and contractual requirements including public commitments not to re-identify; FTC has issued guidance on the re-identification risk of 'anonymized' datasets.
Compliance intelligence locked
Regulatory citations, enforcement risk, and due diligence action items.
Watcher: regulatory citations. Professional: full compliance memo.