8 Total
2 High severity
6 Medium severity
0 Low severity
Summary

This is GitHub's privacy policy explaining what personal information GitHub collects about the roughly 100 million developers who use its platform — including your name, email, IP address, browsing behavior, code repositories, and payment details. The most important thing to know is that GitHub shares your personal data with Microsoft (its parent company), third-party service providers, advertising partners, and government authorities, meaning your developer activity and profile data travel well beyond GitHub itself. If you are a California resident or in the EU/UK, you have specific rights to access, delete, or opt out of certain data uses, which you can exercise by contacting GitHub's Privacy team at privacy@github.com.

Technical Summary

The GitHub General Privacy Statement governs the collection, use, sharing, and retention of personal data across GitHub's products and services, with legal bases including contractual necessity, legitimate interests, consent, and legal obligation under GDPR Art. 6. GitHub collects a broad range of personal data including usage data, device/log information, location inferred from IP address, payment information, and content users upload, and shares this data with third-party service providers, corporate affiliates (including Microsoft), advertising partners, and government authorities upon lawful request. A notable provision permits GitHub to use aggregate and de-identified data derived from user content without restriction, and the policy allows sharing of personal data with Microsoft and other affiliates for joint operations, which expands data exposure beyond what many users would anticipate for a developer platform. The policy engages GDPR (including Chapter V cross-border transfer mechanisms via SCCs and adequacy decisions), CCPA/CPRA (§1798.100 et seq.) for California residents, and COPPA for users under 13; EU and UK residents are afforded specific rights including erasure, portability, and objection, while GitHub Inc. (a Microsoft subsidiary) serves as the data controller for most processing. Material compliance considerations include the breadth of third-party sharing with advertising and analytics vendors, the reliance on legitimate interests as a basis for certain processing, and the absence of an explicit opt-out mechanism for all non-essential data sharing outside of California and EU-specific rights.

Evidence Provenance
Captured April 28, 2026 06:21 UTC
Document ID CA-D-000254
Version ID CA-V-000987
SHA-256 b36cbcc068012375c4a0d88eb7699d8a007a4c8b93ea435d81210244c50bf16d
✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed
Change Timeline
Analyzed Changes

1 change analyzed since monitoring began.

What changed: GitHub updated their GitHub Privacy Statement on April 28, 2026. Change detected: 3 sentence(s) added, 2 sentence(s) removed, 8 sentence(s) modified. Document contained 255 sentences after update.

Consumer impact: GitHub's updated policy now explicitly permits your personal data, including AI outputs, to be used for training and improving AI and machine learning models, and this data may be shared with Microsoft and other affiliates for that purpose. Previously, the policy contained a specific, enumerated list of circumstances under which GitHub staff could access your private repositories; that list has been removed, leaving protections less clearly defined and pointing users to the Terms of Service instead. You can review GitHub's privacy settings and, if applicable, submit a data subject request to limit certain processing of your personal data.

Why it matters: This change means GitHub can now use your code, documents, and AI outputs to train AI models and share them with Microsoft for that purpose — a significant expansion of how your data is used. The removal of explicit private repository access protections also makes it harder to understand the limits on who at GitHub can see your private code.

Recent Clause-Level Changes Apr 28, 2026

Added (2)
De-identified and Aggregate Data Use (Medium)

This new provision explicitly exempts de-identified and aggregate data from privacy protections, enabling unrestricted use and sharing for any purpose.

Data Retention (Medium)

This new provision establishes a general indefinite retention standard with multiple qualifying factors, replacing the previous vague reference to data retention.

Removed (3)
AI/ML Training Data Use

The removal of explicit AI/ML training data provisions eliminates disclosed restrictions on how user data is used for machine learning purposes, a significant omission given GitHub's Copilot services.

California Resident Rights (CCPA/CPRA)

The removal of CCPA/CPRA-specific provisions eliminates explicit protections for California residents, though general rights provisions remain.

Payment and Financial Data Collection

The removal of explicit payment data provisions leaves unclear how financial information collected for billing is handled and protected.

Modified (6)
Law Enforcement and Government Disclosure

Previous version had no excerpt provided; current version now includes detailed disclosure conditions and explicit mention of law enforcement discretion.

Microsoft and Affiliate Data Sharing

Previous version had no excerpt; current version now explicitly states GitHub is a Microsoft subsidiary and clarifies data sharing is governed by Microsoft agreements.

Cookies and Advertising Tracking

Previous version had no excerpt; current version adds explicit disclosure of interest-based advertising and cross-site tracking partnerships.

User Rights — Access, Deletion, and Portability

Previous version had no excerpt; current version now includes specific contact method and response timeline commitment.

Children's Privacy — Minimum Age Restriction

Previous version had no excerpt; current version adds specific contact mechanism and deletion commitment for unauthorized child data collection.

High Severity — 2 provisions
Medium Severity — 6 provisions


Applicable Regulations

EU AI Act: European Union
CCPA/CPRA: California, USA
CFAA: United States Federal
CAN-SPAM: United States Federal
DMCA: United States Federal
DSA: European Union
GDPR: European Union
UK GDPR: United Kingdom