Privacy Policy

Categories of Sensitive Data. We may collect, process, or disclose certain personal data that qualifies as “sensitive data” under applicable U.S. state data privacy laws. For example, this data may be collected if you participate in a survey, share it in your account profile, or are engaged in certain community-focused repos. Sensitive data is a subset of personal data. In the list below, we outline the categories of sensitive data we collect, the sources of the sensitive data, our purposes of processing, and the categories of third-party recipients with whom we share the sensitive data. Please see the "What information GitHub collects" section for more information about the sensitive data we may collect.

| Sensitive Data Type | Purposes of Processing | Recipients |
| --- | --- | --- |
| Account log-in, financial account, debit or credit card number, and the means to access the account (security or access code, password, credentials, etc.) | Transact commerce; process transactions; fulfill orders; provide our Services; help, secure, and troubleshoot; and detect and prevent fraud | Service providers and user-directed entities |
| Racial or ethnic origin, religious or philosophical beliefs, or union membership | Provide and personalize our products; product development; help, secure, and troubleshoot; and marketing | Service providers and user-directed entities |
| Medical or mental health, sex life, or sexual orientation | Provide and personalize our products; product development; help, secure, and troubleshoot; and marketing | Service providers and user-directed entities |
| Contents of your mail, email, or text messages (where GitHub is not the intended recipient of the communication) | Provide our products; safety; compliance; and help, secure, and troubleshoot | Service providers and user-directed entities |

GitHub asks your consent to collect and process your sensitive data or does so at your direction. We do not use or disclose your sensitive data for purposes other than the following:

  • To perform the services, fulfill the transactions, or provide the goods or Services you reasonably expect;
  • To help ensure the security and integrity of our Services, to combat malicious, deceptive, fraudulent or illegal acts, and to protect the physical safety of individuals, to the extent the processing is reasonably necessary and proportionate;
  • For transient use (including non-personalized advertising), so long as the personal data is not used for profiling, and is not used to alter an individual’s experience outside the current interaction with GitHub;
  • To perform services to operate our business, such as maintaining accounts, providing customer service, processing or fulfilling orders/transactions, verifying customer information, processing payments, providing financing, providing analytics, providing storage, and similar services;
  • To undertake activities to verify or maintain the quality or safety of, or improve, upgrade, or enhance a service or device owned or controlled by GitHub; and
  • To conduct any other activities in accordance with applicable law.

The charts above contain the primary sources, purposes of processing, and recipients for each category of personal data. We use the categories of personal information described above for the purposes listed in the "How GitHub uses your information" section of our Privacy Statement, such as meeting our legal obligations, improving our internal operations, and doing research. We also disclose the categories of personal information listed above for business or compliance purposes. Please see the "How we share information we collect" section of our Privacy Statement for additional details.

Not in a Position to Identify Data. In some situations GitHub may process data in a state called Not in a Position to Identify Data (NPI) or de-identified data. Data is in this state when we are not able to link data to an individual to whom such data may relate without taking additional steps. In those instances, and unless allowed under applicable law, we will maintain such information in an NPI state, and will not try to re-identify the individual to whom NPI data relates.

Disclosures of personal data for business or commercial purposes. As indicated in the "How we share the information we collect" section, we share personal data with third parties for various business and commercial purposes. The primary business and commercial purposes for which we share personal data are the purposes of processing listed in the table above. We also disclose the categories of personal information listed above for business purposes. Please see the "How we share the information we collect" section of our Privacy Statement for additional details.

Parties that control collection of personal data. In certain situations, we may allow a third party to control the collection of your personal data. For example, on our Enterprise Marketing Pages, advertisers may be the controllers of information they collect through their cookies.