What can I do about this clause?

{'method': 'EMAIL', 'recipient': 'privacy@github.com', 'difficulty': 'EASY', 'action_type': 'DELETE_DATA', 'instructions': 'Email privacy@github.com stating you wish to exercise your right to erasure (GDPR) or deletion (CCPA). Include your account username and the specific data you want deleted. GitHub must respond within 30 days (GDPR) or 45 days (CCPA).', 'deadline_days': 30, 'deadline_hours': None} {'method': 'WEB_FORM', 'recipient': 'https://github.com/settings/admin', 'difficulty': 'EASY', 'action_type': 'EXPORT_DATA', 'instructions': 'Go to GitHub Settings > Account > Export account data to download a copy of your repositories and personal data. Alternatively, email privacy@github.com to request a full data portability export under GDPR Art. 20.', 'deadline_days': 30, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'FTC enforces against failure to honor stated privacy rights and commitments as unfair or deceptive practices under Section 5 of the FTC Act.', 'complaint_url': 'https://reportfraud.ftc.gov/'}, {'agency': 'State_AG', 'reason': 'California CPPA and AG enforce CCPA/CPRA data subject rights including deletion and access requests.', 'complaint_url': 'https://www.naag.org/find-my-ag/'}

What is the severity of this clause?

ConductAtlas classifies this User Rights — Access, Deletion, and Portability clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar User Rights — Access, Deletion, and Portability clauses across approximately 2 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

User Rights — Access, Deletion, and Portability — GitHub

Share 𝕏 Share in Share 🔒 PDF

What it is

You have rights to see, correct, delete, or export your personal data held by GitHub, and you can exercise these rights by emailing GitHub's privacy team.

Clause Stability Highly Volatile

Change

Month Monitored

Apr 27, 2026

First Seen

Apr 27, 2026

Last Seen

This clause has changed once in 1 month of monitoring.

Change history

modified Apr 28, 2026

Previous version had no excerpt; current version now includes specific contact method and response timeline commitment.

View full change record →

Consumer impact (what this means for users)

You can request access to, correction of, deletion of, or a portable copy of your personal data from GitHub by emailing privacy@github.com, with response timelines governed by GDPR (30 days) or CCPA (45 days) depending on your location.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data
Within 30 days
Email privacy@github.com stating you wish to exercise your right to erasure (GDPR) or deletion (CCPA). Include your account username and the specific data you want deleted. GitHub must respond within 30 days (GDPR) or 45 days (CCPA).
Export Your Data
Within 30 days
Go to GitHub Settings > Account > Export account data to download a copy of your repositories and personal data. Alternatively, email privacy@github.com to request a full data portability export under GDPR Art. 20.

Cross-platform context

See how other platforms handle User Rights — Access, Deletion, and Portability and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

These rights allow you to take control of your personal data on GitHub, but the process requires proactive contact with GitHub and relies on their compliance with applicable legal timelines.

View original clause language

Depending on your location, you may have certain rights regarding your personal data. These may include the right to access personal data we hold about you, to correct inaccurate data, to request deletion of your data, to object to or restrict our processing, and to receive your data in a portable format. To exercise these rights, please contact us at privacy@github.com. We will respond to your request within the timeframe required by applicable law.

Institutional analysis (Compliance & legal intelligence)

REGULATORY FRAMEWORK: GDPR Arts. 15–20 (access, rectification, erasure, restriction, portability, and objection rights); CCPA/CPRA §§1798.100, 1798.105, 1798.110, 1798.115, 1798.120; UK GDPR equivalent provisions; response timeframes of 30 days (GDPR, extendable to 90) and 45 days (CCPA, extendable to 90). Enforcement by Irish DPC, UK ICO, and California CPPA.

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

FTC enforces against failure to honor stated privacy rights and commitments as unfair or deceptive practices under Section 5 of the FTC Act.
File a complaint →
State AG

California CPPA and AG enforce CCPA/CPRA data subject rights including deletion and access requests.
File a complaint →

Provision details

Document information

Document

GitHub Privacy Statement

Entity

GitHub

Document last updated

April 29, 2026

Tracking information

First tracked

April 27, 2026

Last verified

April 27, 2026

Record ID

CA-P-003598

Document ID

CA-D-00254

Evidence Provenance

Source URL

https://docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement

Wayback Machine

View archived versions →

SHA-256

6b5f0a9a524d3261cfe25f12abc65ee86bfcca11dcb979d0a2c6fa30d7aa36e8

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: GitHub | Document: GitHub Privacy Statement | Record: CA-P-003598
Captured: 2026-04-27 14:59:43 UTC | SHA-256: 6b5f0a9a524d3261…
URL: https://conductatlas.com/platform/github/github-privacy-statement/user-rights-access-deletion-and-portability/
Accessed: May 2, 2026

Classification

Severity

Medium

User Rights — Access, Deletion, and Portability