What can I do about this clause?

{'method': 'EMAIL', 'recipient': 'privacy@github.com', 'difficulty': 'EASY', 'action_type': 'DELETE_DATA', 'instructions': 'Email privacy@github.com stating you wish to exercise your right to erasure (GDPR) or deletion (CCPA). Include your account username and the specific data you want deleted. GitHub must respond within 30 days (GDPR) or 45 days (CCPA).', 'deadline_days': 30, 'deadline_hours': None} {'method': 'WEB_FORM', 'recipient': 'https://github.com/settings/admin', 'difficulty': 'EASY', 'action_type': 'EXPORT_DATA', 'instructions': 'Go to GitHub Settings > Account > Export account data to download a copy of your repositories and personal data. Alternatively, email privacy@github.com to request a full data portability export under GDPR Art. 20.', 'deadline_days': 30, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'FTC enforces against failure to honor stated privacy rights and commitments as unfair or deceptive practices under Section 5 of the FTC Act.', 'complaint_url': 'https://reportfraud.ftc.gov/'}, {'agency': 'State_AG', 'reason': 'California CPPA and AG enforce CCPA/CPRA data subject rights including deletion and access requests.', 'complaint_url': 'https://www.naag.org/find-my-ag/'}

What is the severity of this clause?

ConductAtlas classifies this User Rights — Access, Deletion, and Portability clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar User Rights — Access, Deletion, and Portability clauses across approximately 2 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

User Rights — Access, Deletion, and Portability — GitHub

Share 𝕏 Share in Share 🔒 PDF

Monitor governance changes for GitHub Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

You have rights to see, correct, delete, or export your personal data held by GitHub, and you can exercise these rights by emailing GitHub's privacy team.

ⓘ

This analysis describes what GitHub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The provision establishes procedural obligations for GitHub to process data subject requests and operationalizes statutory rights that vary by jurisdiction. The response timeline requirement creates a defined operational standard for handling such requests.

Recent Activity

This document changed recently

High Apr 28, 2026

The updated terms now explicitly authorize GitHub to collect AI outputs generated within the platform alongside user-provided code and content, and to share personal data with Microsoft and other GitHub affiliates for purposes including training and improving artificial intelligence and machine learning technologies. The privacy statement indicates that aggregate and de-identified data will be used where feasible, but the updated language establishes broader authority for affiliate data sharing and AI model development than the previous version stated. The revised terms also remove specific disclosure of the conditions under which GitHub personnel may access private repositories, replacing that detail with a cross-reference to the Terms of Service, which means the scope of internal GitHub access to private repositories is now defined in a separate contract document rather than the privacy statement itself.

View change record →

Consumer impact (what this means for users)

You can request access to, correction of, deletion of, or a portable copy of your personal data from GitHub by emailing privacy@github.com, with response timelines governed by GDPR (30 days) or CCPA (45 days) depending on your location.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data
Within 30 days
Email privacy@github.com stating you wish to exercise your right to erasure (GDPR) or deletion (CCPA). Include your account username and the specific data you want deleted. GitHub must respond within 30 days (GDPR) or 45 days (CCPA).
Export Your Data
Within 30 days
Go to GitHub Settings > Account > Export account data to download a copy of your repositories and personal data. Alternatively, email privacy@github.com to request a full data portability export under GDPR Art. 20.

How other platforms handle this

Noom Medium

Depending on where you live, you may have certain rights regarding your personal information, including: the right to access the personal information we hold about you; the right to correct inaccurate personal information; the right to request deletion of your personal information; the right to data...

Airbnb Medium

You may have rights under applicable law to access, correct, delete, or obtain a copy of your personal information. Depending on where you live, you may also have the right to object to or restrict certain processing of your data, and to lodge a complaint with a supervisory authority. You can exerci...

Pinterest Medium

Depending on where you live, you may have certain rights regarding your personal information, such as the right to access, correct, delete, or transfer your personal information, to object to or restrict certain processing of your data, or to withdraw consent for processing where you've previously p...

See all platforms with this clause type →

Monitoring

GitHub has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
Depending on your location, you may have certain rights regarding your personal data. These may include the right to access personal data we hold about you, to correct inaccurate data, to request deletion of your data, to object to or restrict our processing, and to receive your data in a portable format. To exercise these rights, please contact us at privacy@github.com. We will respond to your request within the timeframe required by applicable law.

— Excerpt from GitHub's GitHub Privacy Statement

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

REGULATORY FRAMEWORK: GDPR Arts. 15–20 (access, rectification, erasure, restriction, portability, and objection rights); CCPA/CPRA §§1798.100, 1798.105, 1798.110, 1798.115, 1798.120; UK GDPR equivalent provisions; response timeframes of 30 days (GDPR, extendable to 90) and 45 days (CCPA, extendable to 90). Enforcement by Irish DPC, UK ICO, and California CPPA.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

FTC

FTC enforces against failure to honor stated privacy rights and commitments as unfair or deceptive practices under Section 5 of the FTC Act.
File a complaint →
State AG

California CPPA and AG enforce CCPA/CPRA data subject rights including deletion and access requests.
File a complaint →

Applicable regulations

Indiana Consumer Data Protection Act

US-IN

UK GDPR

United Kingdom

Provision details

Document information

Document

GitHub Privacy Statement

Entity

GitHub

Document last updated

May 5, 2026

Tracking information

First tracked

April 27, 2026

Last verified

April 27, 2026

Record ID

CA-P-003598

Document ID

CA-D-00254

Evidence Provenance

Source URL

https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement

Wayback Machine

View archived versions →

Content hash (SHA-256)

6b5f0a9a524d3261cfe25f12abc65ee86bfcca11dcb979d0a2c6fa30d7aa36e8

Analysis generated

April 27, 2026 14:59 UTC

Methodology

summarize_document-v7

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: GitHub
Document: GitHub Privacy Statement
Record ID: CA-P-003598
Captured: 2026-04-27 14:59:43 UTC
SHA-256: 6b5f0a9a524d3261…
URL: https://conductatlas.com/platform/github/github-privacy-statement/user-rights-access-deletion-and-portability/
Accessed: June 17, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

Law Enforcement and Government Disclosure high
Microsoft and Affiliate Data Sharing medium
Cookies and Advertising Tracking medium
Children's Privacy — Minimum Age Restriction medium
De-identified and Aggregate Data Use medium
Data Retention medium

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does GitHub's User Rights — Access, Deletion, and Portability clause do?

How does this clause affect you?

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.

Is ConductAtlas affiliated with GitHub?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by GitHub.