GitHub states that users in applicable jurisdictions can request to access, correct, delete, or export their personal data, and can object to certain types of processing, by submitting a request through GitHub's privacy portal.
This analysis describes what GitHub's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The policy confirms data subject rights for users in applicable jurisdictions including GDPR rights for EU users and CCPA rights for California residents, with GitHub committing to respond in accordance with applicable law, though the specific timelines and scope of each right are not fully described in this provision.
Interpretive note: The policy does not specify response timelines, identity verification procedures, or how enterprise controller versus GitHub controller scenarios affect data subject request handling, creating operational uncertainty.
The updated terms now explicitly authorize GitHub to collect AI outputs generated within the platform alongside user-provided code and content, and to share personal data with Microsoft and other GitHub affiliates for purposes including training and improving artificial intelligence and machine learning technologies. The privacy statement indicates that aggregate and de-identified data will be used where feasible, but the updated language establishes broader authority for affiliate data sharing and AI model development than the previous version stated. The revised terms also remove specific disclosure of the conditions under which GitHub personnel may access private repositories, replacing that detail with a cross-reference to the Terms of Service, which means the scope of internal GitHub access to private repositories is now defined in a separate contract document rather than the privacy statement itself.
View change record →Users in the EU, UK, California, and other jurisdictions with applicable privacy laws can exercise rights to access, correct, delete, or port their personal data by submitting a request through GitHub's privacy contact page at https://support.github.com/contact/privacy.
How other platforms handle this
Depending on where you live, you may have certain rights regarding your personal information. These rights may include the right to access your personal information, the right to correct inaccurate data, the right to delete your data, the right to portability, the right to object to processing, and ...
Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...
For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.
Monitoring
GitHub has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Depending on your location, you may have certain rights with respect to your personal data, including the right to access, correct, delete, or port your data. You may also have the right to object to or restrict certain processing. To exercise these rights, please contact us through our privacy request portal. We will respond to your request in accordance with applicable law.— Excerpt from GitHub's GitHub Privacy Statement
(1) REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 15-22 (data subject rights including access, rectification, erasure, restriction, portability, and objection), CCPA/CPRA rights to know, delete, correct, and opt out, and comparable rights under UK GDPR and other state laws. The Irish DPC, UK ICO, and California Privacy Protection Agency are the relevant enforcement authorities. GitHub's commitment to respond in accordance with applicable law is standard but the policy does not specify response timelines or detail the verification procedures applied to identity confirmation. (2) GOVERNANCE EXPOSURE: Medium. Failure to respond to data subject requests within statutory timelines (30 days under GDPR, 45 days under CCPA) creates regulatory exposure. Where GitHub acts as a processor for enterprise customers (rather than a controller), the routing of data subject requests between GitHub and enterprise customers as controllers may require clarification in the Data Processing Agreement. (3) JURISDICTION FLAGS: EU/EEA and UK users have the most extensive set of enforceable rights. California residents have CCPA/CPRA rights. Additional US state residents in Virginia, Colorado, Connecticut, and other states with comprehensive privacy laws also have applicable rights. Minor users may have additional deletion rights under COPPA or equivalent state laws. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers who are data controllers should confirm in their DPA with GitHub how data subject requests submitted directly to GitHub are handled versus those that should be routed through the enterprise customer, to avoid double-handling or gaps in response. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should test the privacy request portal to confirm timely acknowledgment and resolution, document GitHub's identity verification procedures for deletion requests, and confirm that enterprise-level DPAs address the allocation of data subject request obligations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The policy confirms data subject rights for users in applicable jurisdictions including GDPR rights for EU users and CCPA rights for California residents, with GitHub committing to respond in accordance with applicable law, though the specific timelines and scope of each right are not fully described in this provision.
Users in the EU, UK, California, and other jurisdictions with applicable privacy laws can exercise rights to access, correct, delete, or port their personal data by submitting a request through GitHub's privacy contact page at https://support.github.com/contact/privacy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by GitHub.