GitHub states that users in applicable jurisdictions can request to access, correct, delete, or export their personal data, and can object to certain types of processing, by submitting a request through GitHub's privacy portal.
This analysis describes what GitHub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy confirms data subject rights for users in applicable jurisdictions including GDPR rights for EU users and CCPA rights for California residents, with GitHub committing to respond in accordance with applicable law, though the specific timelines and scope of each right are not fully described in this provision.
Interpretive note: The policy does not specify response timelines, identity verification procedures, or how enterprise controller versus GitHub controller scenarios affect data subject request handling, creating operational uncertainty.
The updated terms now explicitly authorize GitHub to collect AI outputs generated within the platform alongside user-provided code and content, and to share personal data with Microsoft and other Git…
Users in the EU, UK, California, and other jurisdictions with applicable privacy laws can exercise rights to access, correct, delete, or port their personal data by submitting a request through GitHub's privacy contact page at https://support.github.com/contact/privacy.
How other platforms handle this
Depending on where you live, you may have certain rights regarding your personal information, such as the right to access, correct, delete, or transfer your personal information, to object to or restrict certain processing of your data, or to withdraw consent for processing where you've previously p...
Depending on your location, you may have certain rights regarding your Personal Information, including the right to access, correct, or delete your Personal Information, the right to data portability, the right to opt out of certain data processing, and the right to not be discriminated against for ...
Depending on where you live, you may have certain rights with respect to your personal data, including the right to access, correct, delete, or port your personal data. You can exercise these rights by contacting us at privacy@bereal.com. We will respond to your request within the timeframe required...
Monitoring
GitHub has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Depending on your location, you may have certain rights with respect to your personal data, including the right to access, correct, delete, or port your data. You may also have the right to object to or restrict certain processing. To exercise these rights, please contact us through our privacy request portal. We will respond to your request in accordance with applicable law.— Excerpt from GitHub's GitHub Privacy Statement
(1) REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 15-22 (data subject rights including access, rectification, erasure, restriction, portability, and objection), CCPA/CPRA rights to know, delete, correct, and opt out, and comparable rights under UK GDPR and other state laws. The Irish DPC, UK ICO, and California Privacy Protection Agency are the relevant enforcement authorities. GitHub's commitment to respond in accordance with applicable law is standard but the policy does not specify response timelines or detail the verification procedures applied to identity confirmation. (2) GOVERNANCE EXPOSURE: Medium. Failure to respond to data subject requests within statutory timelines (30 days under GDPR, 45 days under CCPA) creates regulatory exposure. Where GitHub acts as a processor for enterprise customers (rather than a controller), the routing of data subject requests between GitHub and enterprise customers as controllers may require clarification in the Data Processing Agreement. (3) JURISDICTION FLAGS: EU/EEA and UK users have the most extensive set of enforceable rights. California residents have CCPA/CPRA rights. Additional US state residents in Virginia, Colorado, Connecticut, and other states with comprehensive privacy laws also have applicable rights. Minor users may have additional deletion rights under COPPA or equivalent state laws. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers who are data controllers should confirm in their DPA with GitHub how data subject requests submitted directly to GitHub are handled versus those that should be routed through the enterprise customer, to avoid double-handling or gaps in response. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should test the privacy request portal to confirm timely acknowledgment and resolution, document GitHub's identity verification procedures for deletion requests, and confirm that enterprise-level DPAs address the allocation of data subject request obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy confirms data subject rights for users in applicable jurisdictions including GDPR rights for EU users and CCPA rights for California residents, with GitHub committing to respond in accordance with applicable law, though the specific timelines and scope of each right are not fully described in this provision.
Users in the EU, UK, California, and other jurisdictions with applicable privacy laws can exercise rights to access, correct, delete, or port their personal data by submitting a request through GitHub's privacy contact page at https://support.github.com/contact/privacy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by GitHub.