GitHub can take your personal data, strip out identifying details, and use the resulting anonymized data for any purpose without being bound by the privacy protections in this policy.
This analysis describes what GitHub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This clause establishes a carve-out from privacy protections for data in de-identified or aggregated form, permitting internal research operations and product development to proceed without the notice and consent requirements that apply to personal data handling.
The updated terms now explicitly authorize GitHub to collect AI outputs generated within the platform alongside user-provided code and content, and to share personal data with Microsoft and other GitHub affiliates for purposes including training and improving artificial intelligence and machine learning technologies. The privacy statement indicates that aggregate and de-identified data will be used where feasible, but the updated language establishes broader authority for affiliate data sharing and AI model development than the previous version stated. The revised terms also remove specific disclosure of the conditions under which GitHub personnel may access private repositories, replacing that detail with a cross-reference to the Terms of Service, which means the scope of internal GitHub access to private repositories is now defined in a separate contract document rather than the privacy statement itself.
View change record →GitHub can derive de-identified or aggregate data from your personal information and repository activity and use or share it without restriction, including potentially for training AI models like GitHub Copilot, with no opt-out provided under this provision.
How other platforms handle this
Mixpanel may use aggregated or de-identified data derived from customer event data for its own purposes, including improving its services, developing new features, and generating analytics insights, provided that such data cannot reasonably be used to identify individual users.
We target (and measure the performance of) ads to Members, Visitors and others both on and off our Services directly or through a variety of partners, using the following data, whether separately or combined: Data from advertising technologies on and off our Services, like web beacons, pixels, ad ta...
Microsoft uses data we collect to provide you with rich, interactive experiences. In particular, we may use data to show you advertising or serve Microsoft-selected content within Microsoft products and services. Microsoft does not use what you say in email, chat, video calls, or voice mail to targe...
Monitoring
GitHub has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We may use de-identified or aggregate information derived from your personal data for research, analytics, and to improve our products and services. Such de-identified or aggregate data is not subject to this Privacy Statement and may be used and shared by GitHub without restriction.— Excerpt from GitHub's GitHub Privacy Statement
REGULATORY FRAMEWORK: GDPR Recital 26 and Art. 4(1) establish that truly anonymized data falls outside GDPR scope, but the standard for anonymization is high (FPF and EDPB guidance); CCPA/CPRA §1798.140(m) defines 'deidentified' data with specific technical and contractual requirements including public commitments not to re-identify; FTC has issued guidance on the re-identification risk of 'anonymized' datasets.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This clause establishes a carve-out from privacy protections for data in de-identified or aggregated form, permitting internal research operations and product development to proceed without the notice and consent requirements that apply to personal data handling.
GitHub can derive de-identified or aggregate data from your personal information and repository activity and use or share it without restriction, including potentially for training AI models like GitHub Copilot, with no opt-out provided under this provision.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by GitHub.