Privacy statement spring 2018 #101

Merged
merged 4 commits into from May 24, 2018

6 participants
@nsqe
Contributor

nsqe commented Apr 19, 2018

Updates to our Privacy Statement

Over the last few months, we've gotten a few questions asking about our General Data Protection Regulation (GDPR) compliance. We are proud to announce that we are compliant with the GDPR. Additionally, we have always provided the same level of privacy protection to our users regardless of their residency, location, or citizenship, and that will not change. We provide strong privacy and security protection to all of our users.

For the most part, our changes to the Privacy Statement are only points of clarification. GitHub doesn't ask for more personal data from our users than we need to provide our services to you. Where we offer you the option of giving us more data, we provide you the ability to access and delete the data you have given us. For example, you can always remove your profile information, your comments in issues, and your repository contents. We have gone through our Privacy Statement to provide more context and transparency, though, so our users understand exactly why we ask for information and what we'll do with it.

GDPR Compliance

  • The GDPR requires us to inform our users about the legal basis on which we process their data. In this update, we explain what data we collect and why.
  • We describe our security practices in more detail.
  • We now provide a separate page describing our tracking, our use of cookies, and listing our subprocessors (the vendors and third parties we have engaged to process personal data on our behalf).
  • Throughout the Privacy Statement, we provide greater transparency and insight into our data collection, data handling, data retention, and data deletion processes.
  • If you are a Corporate Terms of Service customer and you need a Data Protection Agreement with us, please contact support. We will be happy to provide one. Please understand that with the GDPR compliance deadline coming up, our volume of requests is high, but we will respond to you as promptly as possible.

Subprocessors, Cookies, and Tracking

We also now provide a page that lists our subprocessors, such as our vendors and service providers. We also offer some transparency into what cookies GitHub sets and why, and exactly which pages on GitHub do any tracking for analytics purposes and who our analytics providers are (at the moment, it's Google Analytics, but if that changes, we'll be able to use this page to provide greater transparency).

nsqe added some commits Apr 19, 2018

Update to Privacy Statement for Spring 2018
Over the last few months, we've gotten a few questions asking about our General Data Protection Regulation (GDPR) compliance. We are proud to announce that we are compliant with the GDPR. Additionally, we have always provided the same level of privacy protection to our users regardless of their residency, location, or citizenship, and that will not change. We provide strong privacy and security protection to _all_ of our users.
For the most part, our changes to the Privacy Statement are only points of clarification. GitHub doesn't ask for more personal data from our users than we need to provide our services to you. Where we offer you the option of giving us more data, we provide you the ability to access and delete the data you have given us. For example, you can always remove your profile information, your comments in issues, and your repository contents. We have gone through our Privacy Statement to provide more context and transparency, though, so our users understand exactly why we ask for information and what we'll do with it.
### GDPR Compliance
* The GDPR requires us to inform our users about the legal basis on which we process their data. In this update, we explain what data we collect and why.
* We describe our security practices in more detail.
* We now provide a separate page describing our tracking, our use of cookies, and listing our subprocessors (the vendors and third parties we have engaged to process personal data on our behalf).
* Throughout the Privacy Statement, we provide greater transparency and insight into our data collection, data handling, data retention, and data deletion processes.
* If you are a Corporate Terms of Service customer and you need a Data Protection Agreement with us, please [contact support](https://github.com/contact). We will be happy to provide one. Please understand that with the GDPR compliance deadline coming up, our volume of requests is high, but we will respond to you as promptly as possible.
Create github-subprocessors-and-cookies.md
This page provides a list of GitHub's subprocessors, such as our vendors and service providers. It also offers some transparency into the cookies we set and why we set them, as well as describing exactly where we do tracking for analytics purposes on our site and who our analytics providers are (at the moment, we use Google Analytics, but if we bring on additional providers, we will be able to provide fuller transparency here).

@nsqe nsqe self-assigned this Apr 19, 2018

@nsqe nsqe referenced this pull request Apr 19, 2018

Closed

Spring 2018 updates are live! #105

+| Box | Corporate document storage | United States |
+| Braintree (PayPal) | Subscription credit card payment processor | United States |
+| DocuSign | Contract signature processor | United States |
+| DropBox | Corporate document storage | United States |

@sonicdoe

sonicdoe Apr 21, 2018

DropBox → Dropbox 🙂

@nsqe

nsqe May 24, 2018

Contributor

Thanks, @sonicdoe — fixed!

+| Oracle | Corporate financial system | United States |
+| Salesforce.com | Customer relations management | United States |
+| Seal | Contract clause analysis system | United States |
+| ZenDesk | Customer support ticketing system | United States |

@sonicdoe

sonicdoe Apr 21, 2018

ZenDesk → Zendesk 🙂

@nsqe

nsqe May 24, 2018

Contributor

Thanks, @sonicdoe — fixed!

Policies/github-privacy-statement.md
+| [How GitHub secures your information](#how-github-secures-your-information) | We take all measures reasonably necessary to protect the confidentiality, integrity, and availability of your personal information on GitHub and to protect the resiliance of our servers as they host your information. |
+| [GitHub's global privacy practices](#githubs-global-privacy-practices) | GitHub complies with both the EU-US Privacy Shield Framework and the General Data Protection Regulation. Please see this section for more specific information. |
+| [How we respond to compelled disclosure](#how-we-respond-to-compelled-disclosure) | We may share your information in response to a warrant, subpoena, or other court action, or if disclosure is necessary to protect our rights or the rights of the public at large. We strive for transparency, and will notify you when possible. |
+| [How we communicate with you](#how-we-communicate-with-you) | We communicate with you by email. You can control the way we contact you in your account settings. |
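
Review bot: "resiliance" in the "How GitHub secures your information" row is misspelled; it should read "resilience", which is the spelling the security-program bullets later in this same file use ("confidentiality, integrity, availability, and resilience"). Since this row is the summary readers see first, fix it here before merge.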

@j-f1

j-f1 Apr 22, 2018

This link should be [How we, and others, communicate with you](#how-we-and-others-communicate-with-you). The current link does not scroll down to the header.

@nsqe

nsqe May 24, 2018

Contributor

Good catch. Fixed!

Policies/github-privacy-statement.md
@@ -25,119 +45,150 @@ If you're **just browsing the website**, we collect the same basic information t
The information we collect about all visitors to our website includes the visitor’s browser type, language preference, referring site, additional websites requested, and the date and time of each visitor request. We also collect potentially personally-identifying information like Internet Protocol (IP) addresses.
-##### Why do we collect this?
+##### Why we collect this

@j-f1

j-f1 Apr 22, 2018

Should this be “Why we collect this information”?

@nsqe

nsqe May 24, 2018

Contributor

Yep. Fixed!

Policies/github-privacy-statement.md
- We use your User Personal Information, specifically your user name, to identify you on GitHub.
- We use it to fill out your profile and share that profile with other users if you ask us to.
-- We will use your email address to communicate with you, if you've said that's okay, **and only for the reasons you’ve said that’s okay**. Please see our section on [email communication](#how-we-communicate-with-you) for more information.
+- We will use your email address to communicate with you, if you've said that's okay, **and only for the reasons you’ve said that’s okay**. Please see our section on [email communication](#how-we-communicate-with-you) for more information.

@j-f1

j-f1 Apr 22, 2018

This link should be to #how-we-and-others-communicate-with-you, too.

@nsqe

nsqe May 24, 2018

Contributor

This is what happens when I rename a header and don't follow up. Thanks! Fixed.

Policies/github-privacy-statement.md
+Under certain international laws (including GDPR), GitHub is required to notify you about the legal basis on which we process User Personal Information. GitHub processes User Personal Information on the following legal bases:
+
+- When you create a GitHub account, you provide your user name and an email address. We require those data elements for you to enter into the Terms of Service agreement with us, and we process those elements on the basis of performing that contract. We also process your user name and email address on other bases. If you have a GitHub Hosted, GitHub Enterprise, or other paid account with us, there will be other data elements we must collect and process on the basis of performing that contract. GitHub does not collect or process a credit card number, but our third-party payment processor does.
+- When you fill out the information in your [user profile](https://github.com/settings/profile), you have the option to provide User Personal Information such as your full name, an avatar which may include a photograph, your biography, your location, your company, and a URL to a third party website. You have the option of setting a publicly visible email address here. We process this information on the basis of consent. All of this information is entirely optional, and you have the ability to access, modify, and delete it at any time (while you are not able to delete your email address entirely, you can set it private).

@j-f1

j-f1 Apr 22, 2018

you can make it private

or

you can set it to be private

?

@nsqe

nsqe May 24, 2018

Contributor

Fixed!

Policies/github-privacy-statement.md
### What information GitHub does not collect
-We do not intentionally collect **sensitive personal information**, such as social security numbers, genetic data, health information, or religious information. Although GitHub does not request or intentionally collect any sensitive personal information, we realize that you might store this kind of information in your account, such as in a repository. If you store any sensitive personal information on our servers, you are consenting to our storage of that information on our servers, which are in the United States.
+We do not intentionally collect **sensitive personal information**, such as social security numbers, genetic data, health information, or religious information. Although GitHub does not request or intentionally collect any sensitive personal information, we realize that you might store this kind of information in your account, such as in a repository. If you store any sensitive personal information on our servers, you are responsible for complying with any regulatory controls regarding that data.
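
Review bot: the rewritten last sentence drops the statement that the servers holding this data "are in the United States", which was the only storage-location disclosure in this paragraph. Because the paragraph is about sensitive personal information users may place in a repository, consider keeping the location alongside the new responsibility wording, for example "If you store any sensitive personal information on our servers, which are in the United States, you are responsible for complying with any regulatory controls regarding that data."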

@j-f1

j-f1 Apr 22, 2018

religious information

This could go into your bio, too. Suggestion:

you might store this kind of information in your account, such as in a repository or in your public profile.

@nsqe

nsqe May 24, 2018

Contributor

Agreed. Fixed!

Policies/github-privacy-statement.md
-We do not host advertising on GitHub. We may occasionally embed content from third party sites, such as YouTube, and that content may include ads. While we try to minimize the amount of ads our embedded content contains, we can't always control what third parties show.
+We **do** share certain aggregated, non-personally identifying information with others about how our users, collectively, use GitHub, or how our users respond to our other offerings, such as our conferences or events. For example, we may [compile statistics on the usage of open source licenses across GitHub](https://github.com/blog/1964-open-source-license-usage-on-github-com). However, we do not sell this information to advertisers or marketers.

@j-f1

j-f1 Apr 22, 2018

Changing the link to go to https://blog.github.com/2015-03-09-open-source-license-usage-on-github-com/ would avoid a redirect.

@nsqe

nsqe May 24, 2018

Contributor

Oh, nice catch. Fixed!

Policies/github-privacy-statement.md
+
+#### GitHub applications
+
+You also have the option of adding applications from GitHub, such as our Desktop app, our Mobile app, or other account features, to your account. These applications each have their own terms and may collect different kinds of User Personal Information; however, all GitHub applications are subject to this Privacy Statement, and we will always collect the minimum amount of User Personal Information necessary, and use it only for the purpose for which you have given it to us.

@j-f1

j-f1 Apr 22, 2018

our Mobile app

???

@nsqe

nsqe May 24, 2018

Contributor

Oops. What I meant was Atom and Electron. Fixed!

+| `:"__Host-gist_user_session_same_site"` | This cookie is set to ensure that browsers that support SameSite cookies can check to see if a request originates from GitHub. |
+| `:_ga` | This cookie is used by Google Analytics. |
+| `:_octo` | This cookie is used by Octolytics, our internal analytics service, to distinguish unique users and clients. |
+| `:tracker` | This cookie tracks the referring source for signup analytics. |

@j-f1

j-f1 Apr 22, 2018

You shouldn’t need the : and "" around the cookie names — the cookie names in the browser don’t have them.

@nsqe

nsqe May 24, 2018

Contributor

Right. Fixed!

Policies/github-privacy-statement.md
-We do not disclose User Personal Information outside GitHub, except in the situations listed in this section or in the section below on [Compelled Disclosure](#how-we-respond-to-compelled-disclosure).
+We **do not** share, sell, rent, or trade User Personal Information with third parties for their commercial purposes, expect where you have specifically told us to (such as by buying an integration from Marketplace).

@KOLANICH

KOLANICH Apr 22, 2018

maybe except, not expect?

@nsqe

nsqe May 24, 2018

Contributor

D'oh! Fixed! Thanks!

Policies/github-privacy-statement.md
-We **do** share certain aggregated, non-personally identifying information with others about how our users, collectively, use GitHub, or how our users respond to our other offerings, such as our conferences or events. For example, we may [compile statistics on the usage of open source licenses across GitHub](https://github.com/blog/1964-open-source-license-usage-on-github-com). However, we do not sell this information to advertisers or marketers.
+We **do not** host advertising on GitHub. We may occasionally embed content from third party sites, such as YouTube, and that content may include ads. While we try to minimize the amount of ads our embedded content contains, we can't always control what third parties show. Any advertisements on individual GitHub Pages or in GitHub repositories are not sponsored by, or tracked by, GitHub.

@KOLANICH

KOLANICH Apr 22, 2018

Needs more clarification. I don't understand what this is about. I have never seen ads embedded into GitHub or any videos from YouTube (but I saw links to videos, but I had to open YT to view them, and I guess these videos are not considered "on GitHub").

@nsqe

nsqe May 24, 2018

Contributor

There aren't any ads, but every now and then there's a link to YouTube in our blog, and we never know what stuff YouTube's going to put in there. Those aren't on GitHub, of course, but we want to be clear.

Policies/github-privacy-statement.md
-We may share User Personal Information with your permission, so we can perform services you have requested.
+We **do** share User Personal Information with a limited number of third party vendors who process it on our behalf to provide or improve our service, and who have agreed to privacy restrictions similar to our own Privacy Statement by signing data protection agreements. Our vendors perform services such as payment processing, customer support ticketing, network data transmission, and other similar services. When we transfer your data to our vendors under [Privacy Shield](/articles/github-privacy-statement/#githubs-global-privacy-practices), we remain responsible for it. While GitHub processes all User Personal Information in the United States, our third party vendors may process data outside of the United States or the European Union. If you would like to know who our third party vendors are, please see our page on [Subprocessors](/articles/github-subprocessors-and-cookies/).
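
Review bot: the Privacy Shield link in this paragraph targets /articles/github-privacy-statement/#githubs-global-privacy-practices, while the summary table in this same file links that section with the in-page anchor #githubs-global-privacy-practices. Use the in-page anchor here as well so the reference does not depend on the article path. Separately, "outside of the United States or the European Union" reads ambiguously right after "GitHub processes all User Personal Information in the United States"; pointing readers to the country column on the Subprocessors page for where each vendor processes data would make the sentence checkable.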

@KOLANICH

KOLANICH Apr 22, 2018

It would be nice to clarify if data associated to free accounts is shared.

@nsqe

nsqe May 24, 2018

Contributor

This statement covers all accounts. We don't share information about free accounts differently from paid accounts, except that we share information with a payment processor for paid accounts.

We don't sell our users' information just because they have a free account.

@KOLANICH

KOLANICH May 24, 2018

Could you explicitly clarify to which parties (i.e. NSA) which kind of data (i.e. all the data) is shared about which kind of accounts (i.e. all the ones GH is legally responsible for doing that) (for now the table lacks this information). Data in the form unusable for that entity doesn't count, for example if the ISP only sees encrypted connections like TLS and unable to break TLS and will never have access to the keys, I guess it's safe to assume that it doesn't get the access to the information transferred encrypted.

@nsqe

nsqe May 24, 2018

Contributor

Our annual Transparency Report covers what we share with government entities. We aren't able to disclose that much information in that kind of detail.

@KOLANICH

KOLANICH May 24, 2018

My question is not only about government agencies, but also about third parties, like DropBox. I guess it'd be nice to know which kind of data is shared in which cases.

@nsqe

nsqe May 25, 2018

Contributor

I'm not sure I understand the question. Our third party subprocessors are listed, as you saw, and they receive data for the purpose listed. For example, we store corporate documents on Dropbox; we don't store user repository contents on Dropbox, because that wouldn't work very well. 😆 If you have more specific questions, drop us an email.

Policies/github-privacy-statement.md
+- includes security safeguards reasonably designed to protect the confidentiality, integrity, availability, and resilience of our users' data;
+- is appropriate to the nature, size, and complexity of GitHub’s business operations;
+- includes incident response and data breach notification processes; and
+- complies with applicable information security related laws and regulations in the geographic regions where GitHub does business.

@KOLANICH

KOLANICH Apr 22, 2018

it would be nice to explicitly clarify about security-undermining regulations.

@nsqe

nsqe May 24, 2018

Contributor

We cover that in our section on Compelled Disclosure, which talks about what we do if a government agency tries to force us to reveal information.

@KOLANICH

KOLANICH May 24, 2018

I mind mostly not that, but crypto or software backdoors or bans on using secure software or hardware or practices.

-- We offer you simple methods of accessing, correcting, or deleting the data we have collected.
-- We provide our users notice, choice, accountability, security, and access, and we limit the purpose for processing. We also provide our users a method of recourse and enforcement. These are the Privacy Shield Principles, but they are also just good practices.
-- GitHub adheres to the [Privacy Shield Framework](https://www.privacyshield.gov/). You may view our entry in the [Privacy Shield List](https://www.privacyshield.gov/participant?id=a2zt000000001K2AAI). In addition to providing our users methods of unambiguous, informed consent and control over their data, we participate in and comply with the Privacy Shield framework, and we are committed to subject any Personal Information we receive from the EU and EEA to the Privacy Shield Principles. In addition, we continue to participate in the Safe Harbor Framework for Swiss data transfers to the US. Please read more about [GitHub's Privacy Shield and Safe Harbor commitments](/articles/global-privacy-practices/).
+Transmission of data on GitHub is encrypted using SSH, HTTPS, and SSL/TLS. While our data is not encrypted at rest, we manage our own cages and racks at top-tier data centers with excellent physical and network security, and when data is stored with a third party storage provider, it is encrypted.
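
Review bot: "encrypted using SSH, HTTPS, and SSL/TLS" in the added line lists overlapping items, since HTTPS is HTTP over TLS, and "SSL" names protocol versions that are deprecated. Suggest wording such as "encrypted in transit using SSH and HTTPS (TLS)". The same line says data is not encrypted at rest and then that data stored with a third party storage provider "is encrypted"; state whether the latter means encrypted at rest at the provider, so the two clauses cannot be read as contradicting each other.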

@KOLANICH

KOLANICH Apr 22, 2018

It'd be nice to clarify:
1 if crypto is used in internal network(s);
2 which ciphersuites are used;
3 how the keys are generated (I mean which (P)RNG is used);

@nsqe

nsqe May 24, 2018

Contributor

We probably won't post that level of detail. 😁 But keep an eye out: more detail is coming. The Privacy Statement isn't really the right place for all that.

Policies/github-privacy-statement.md
-If you would like to cancel your account or delete your User Personal Information, you may do so in your [user profile](https://github.com/settings/admin). We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, but barring legal requirements, we will delete your full profile (within reason) within 30 days.
+Our emails might contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email more effective for you and to make sure we’re not sending you unwanted email.
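
Review bot: the added pixel-tag paragraph says the image reveals whether an email was opened and the recipient's IP address, but it does not say how long that data is kept or how a recipient can avoid it. Add the retention period and a sentence on the control available, for instance noting that mail clients which block remote images do not load the pixel, or pointing to the email preferences in account settings if they govern this.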

@KOLANICH

KOLANICH Apr 22, 2018

I guess you should really think about removing it. Pixel tags are effective only on some low-quality email servers and software, high quality ones have some protection against that similar to the ones GH does to third-party images: they are downloaded, cached and provided from cache. The sole fact of using them harms GH reputation.

@nsqe

nsqe May 24, 2018

Contributor

Cool, I'll pass that along.

+
+### Cookies on GitHub
+
+GitHub uses cookies to make interactions with our service easy and meaningful. We use cookies (and similar technologies, like HTML5 localStorage) to keep you logged in, remember your preferences, and provide information for future development of GitHub.

@KOLANICH

KOLANICH Apr 22, 2018

I guess all the "similar technologies" (including browser fingerprinting, and if it is used, the detailed info about every fingerprint modality should be provided) should be named, and for every one it should be clearly stated if it is used or if it is not used.

@KOLANICH

KOLANICH May 24, 2018

@nsqe, would you comment on this?

@nsqe

nsqe May 25, 2018

Contributor

We've explained above, in the section on Information from website browsers, exactly what information we collect from visitors to the site via their browsers. We don't go down into collecting fonts and plug-ins, because we don't care. Live your best life.

+
+A cookie is a small piece of text that our web server stores on your computer or mobile device, which your browser sends to us when you return to our site. Cookies do not necessarily identify you if you are merely visiting GitHub; however, a cookie may store a unique identifier for each logged in user. The cookies GitHub sets are essential for the operation of the website, or are used for performance or functionality. By using our website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept cookies, you will not be able to log in or use GitHub’s services.
+
+GitHub sets the following cookies on our users for the following reasons:
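
Review bot: The sentence "By using our website, you agree that we can place these types of cookies on your computer or device" covers both categories named in the sentence before it: cookies "essential for the operation of the website" and those "used for performance or functionality". Suggest marking each entry in the cookie list that follows as essential or not, so the stated consequence of disabling cookies (no login) is clearly tied to the essential ones. The hunk as shown ends at "for the following reasons:" and the list itself is not visible here, so this may already be covered there.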

KOLANICH Apr 22, 2018

👍

+
+"[Do Not Track](https://www.eff.org/issues/do-not-track)" is a privacy preference you can set in your browser if you do not want online services — specifically ad networks — to collect and share certain kinds of information about your online activity from third party tracking services. GitHub does not currently respond differently to an individual browser's Do Not Track setting. If you would like to set your browser to signal that you would not like to be tracked, please check your browser's documentation for how to enable that signal. There are also good applications that block online tracking, such as [Privacy Badger](https://www.eff.org/privacybadger).
+
+We do not track your online browsing activity on other online services over time and we do not host third-party advertising on GitHub that might track your activity on our site. We do have agreements with certain vendors, such as analytics providers, who help us track visitors' movements on certain pages on our site. Only our vendors, who are collecting data on our behalf, may collect data on our pages, and we have signed data protection agreements with every vendor who collects this data on our behalf. We use the data we receive from these vendors to better understand our visitors' interests, to understand our website's performance, and to improve our content. Any analytics vendor will be listed in our Subprocessor List above, and you may see a list of every page where we collect this kind of data below.
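
Review bot: The Do Not Track paragraph says GitHub "does not currently respond differently" to the signal, and the next paragraph says vendors "help us track visitors' movements on certain pages"; read together, the vendor analytics run regardless of the signal, but the text leaves the reader to infer that. Suggest saying so explicitly in the second paragraph. The closing references to the "Subprocessor List above" and the page list "below" also depend on section order; links to the section anchors would survive a reorder.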

KOLANICH Apr 22, 2018

It'd be nice to have an official list of all the tracking scripts on GitHub in μBlock Origin-compatible format ;)

nsqe May 24, 2018

Contributor

That should be pretty easy to build, though, with the information provided here.

KOLANICH May 24, 2018

I prefer GitHub providing one as a gesture of goodwill :) Of course it doesn't prevent us from having our own one.

nsqe May 25, 2018

Contributor

We'll give it some thought, but we probably won't show partiality to one block format over another, and y'know, we're an open source community, we do like to encourage some independence and sharing. 😁


+| ZenDesk | Customer support ticketing system | United States |
+| Zuora | Corporate billing system | United States |
+
+When we bring on a new vendor or other subprocessor who handles our Users' Personal Information, or remove a subprocessor, or we change how we use a subprocessor, we will update this page.
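
Review bot: The closing sentence commits to "update this page" when a subprocessor is added, removed or used differently, but gives no timing relative to the change and no way for a reader to tell that the list has changed. Suggest adding a last-updated date to the page and stating whether the update is made before or after the change takes effect.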

pbowyer May 14, 2018

Article 28 (2) of the GDPR requires that Controllers provide consent to any change of subprocessors. This paragraph does not seem to be compliant.

(No, I don't see how 28(2) is going to be workable in practice)

nsqe May 24, 2018

Contributor

Yeah, that's about as close as we can come. As you can see, we tried really hard to get our Privacy Statement to the point of compliance with Article 28. It was fun!

dhollinger May 16, 2018

In relation to the GDPR requirements, how is GitHub going to handle the "Right to Erasure" requests within Repositories that don't belong to GitHub or the User requesting the Erasure? I'm specifically referring to the voluntary User's Name and Email within the Git commit history of a project. Will GitHub remove all references to that user in the Git history, or will GitHub move to be more in line with GitLab's new policy, which can be summed up like this:

> In addition, as part of my voluntary submission of any merge request to any project in GitLab.com, I acknowledge and agree that my name and email address will become embedded and part of the code, which will be publicly available. I understand the removal of this information will break the code and would be impermissibly destructive to the project and the interests of all those who contribute, utilize, and benefit from it. Therefore, in consideration of my participation in any project, I hereby waive any right to request any erasure, removal, or rectification of this information under any applicable privacy or other law.

nsqe May 24, 2018

Contributor

@dhollinger Actually, we've had a process in place for some time on that — we enable a git commit history entry to be owned by a "ghost" user without disrupting the history itself. This deidentifies the personal data while maintaining the integrity of the contribution.

nsqe May 24, 2018

Contributor

Thanks, everyone, for all your input here! We're closing out our comment period and getting ready to ship. We really appreciate your work, you've made our policies better!


@nsqe nsqe closed this May 24, 2018

@nsqe nsqe reopened this May 24, 2018

nsqe added some commits May 24, 2018

@nsqe nsqe merged commit 8054598 into master May 24, 2018

@nsqe nsqe deleted the privacy-statement-spring-2018 branch May 24, 2018
