GitLab Privacy Statement


Last updated: March 19, 2024

To see our California Consumer Privacy Act (CCPA) Notice at Collection, please click on the link or see the “U.S. State Privacy Rights” section below.

Introduction

At GitLab, we take the privacy and security of your information seriously. This privacy statement (“Privacy Statement”) will explain how GitLab B.V. and GitLab, Inc. ("GitLab", "we", "our", "us") handle your personal data. "Personal Data," as used in this Privacy Statement, is information that identifies or can reasonably be linked directly or indirectly to an identifiable person. The privacy practices and standards detailed in this Privacy Statement apply to all data subjects globally, unless specifically noted otherwise. In particular, this Privacy Statement will touch on the following sections:

This Privacy Statement applies to the GitLab websites ("Websites"), GitLab.com and GitLab Dedicated ("SaaS"), Self-managed ("Self-managed"), and additional software products and services; collectively "Services.

What Personal Data does GitLab Collect about Me?

The categories of Personal Data collected by GitLab change depending on the Services you use and whether those Services are free or paid. We have described below which Services correlate with the processing in each Personal Data category.

Information You Provide Directly

We collect the Personal Data you provide to us, for example:

Account Information: When you register for an account with GitLab, we collect information that identifies you such as your name, username, email address, country and/or region, and password. This is collected for free and paid users of the SaaS product.

Profile Information: We collect information that you voluntarily provide in your user profile; this may include your public avatar (which may be a photo), additional email addresses, company/organization name, job title, country, social media handles, and biography. Please note this information will be visible to other users of the Services and to the public, although you can limit the visibility of certain profile fields through your account and profile privacy settings. This is collected for free and paid users of the SaaS product.

Payment and Identity Verification Information: If you purchase a paid subscription from GitLab, we will collect payment information from you that may include your name, billing address and credit card or bank information. We may also use your credit card information and telephone number to verify your identity and prevent abuse of our pipelines. Please note that GitLab does not directly process or store your entire credit card number, but we do direct that information to our third-party payment processors for processing. This is collected for paid users of the Self-managed and SaaS products.

Contact Information: If you request GitLab to contact you, or sign up for marketing materials, events, or participate in user research and development, GitLab may collect information such as name, address, email address, telephone number, company name, and size of company. This may be collected through the Websites, such as through our live video and chat function on our marketing pages or during account registration.

Licensee Information: We collect licensee name, email address, and similar information associated with the individual that receives a license key for the paid users of the Self-managed product.

Content you provide through the use of the Services: Examples of content we collect and store include but are not limited to: the summary and description added to an issue, your repositories, commits, project contributions, profile metadata, activity data, comments, and any inputs and outputs generated by Artificial Intelligence (“AI”) and Machine-Learning (“ML”) powered features. Content also includes any code, files and links you upload to the Services. This is collected for the free and paid users of the SaaS product.

Customer Support and Professional Services Information: If you contact GitLab customer support or receive professional services, we will collect information about you related to your account and to the requests you are making or the services being provided. Customer Support information is collected through the Websites, such as the GitLab Community Forum and the GitLab Support Portal. For Community Programs, support will be provided through the Gitlab Service Desk.

Call Recordings: We may record and transcribe GitLab webinars, trainings, and online events. In addition, we may record and transcribe sales calls hosted on various videoconferencing technologies to enable our sales and support teams to share conversational insights, create training and presentations, and improve their internal processes.

Other Content You Submit: We may also collect other content that you submit to our Services. For example: feedback, comments and blog posts, or when you participate in any interactive features, surveys, contests, promotions, prize draws, activities or events. When you participate in interactive channels, we may collect and process information for demographic analysis. Such collection is not tied to any specific products, but may be collected through the Websites.

Information about Your Use of the Services We Collect Automatically

We may collect certain Personal Data automatically through your use of the Services, for example:

Device Information and Identifiers: When you access and use our Services, we automatically collect information about your device, which may include: device type, your device operating system, browser type and version, language preference, IP address, hardware identifiers, and mobile IDs. We may also derive your approximate location from this information, including country, city, state and postal code. This information may be collected through any use of the Services.

Subscription Data: We may automatically collect information about the number of active users, licensing timetables, historical user count, and IP address. This is collected for paid Self-managed and SaaS products. Subscription Data details can be found in the Metrics Dictionary.

Customer Product Usage Information: We may automatically collect Customer Product Usage Information to gather insights into the success of stages and features, track how value is delivered through the use of the Services, help generate optimal customer implementation of the Services, and understand end-to-end user behavior. Depending on the category of Customer Product Usage Information collected, the metrics are stored in an aggregated and/or pseudonymized format. Please see our Customer Product Usage Information page for more details regarding the purposes, de-identification, data elements, configuration and opt-out instructions for Customer Product Usage Information. This is collected for the free and paid users of the Self-managed and SaaS products.

Website Usage Data: When you visit our Websites, we automatically log information about how you interact with the sites, such as the referring site, date and time of visit, and the pages you have viewed or links you have clicked. For our Websites, GitLab uses session replay, which captures a de-identified log of the marketing Websites that you visit.

Cookies and Similar Tracking Technologies: GitLab uses cookies and similar technologies to provide functionality, such as storing your settings, and to recognize you as you use our Services. In addition, we use cookies to gather information to provide interest-based advertising which is tailored to you based on your online activity. Please review our Cookies Policy to learn about our practices and the controls we provide you.

Email Engagement Information: When we send you emails, they may include technology such as a web beacon, that tells us your device type, email client, and whether you have received and opened an email, or clicked on any links contained in the email.

Third-Party Integrations: The Services allow for integrations with third-party git applications, such as GitPod, or third-party extensions, such as those in the Visual Studio code marketplace. Further, the Services may contain buttons, links, tools and content from third-party services, such as Meta and X. We may collect information about your use of these integrated applications and extensions, and when you see or interact with these integrations some information may be automatically sent to these third-party companies. However, any third-party integrations’ policies and procedures are not controlled by GitLab, and this Privacy Statement does not cover how third-party integrations use your information. We recommend you read the privacy statements of any third-party companies before connecting to or using their applications or services.

Information from Third-Parties and Partners

We may collect Personal Data from other parties in the following ways:

Vendors and Partners: We may receive information about you from third-parties such as vendors, resellers, partners, or affiliates. For example, we receive information from our resellers about you and your orders, or we may supplement the data we collect with demographic information licensed from third-parties in order to personalize the Services and our offers to you. Likewise, our sales, marketing, and recruiting teams may receive access to third-party databases containing information to enrich and cleanse business contacts and other corporate data, which may include your email, phone number, and general geographic location through reverse IP lookup services. We may also receive social listening data from companies that monitor public social media posts.

Third-Party Services: GitLab allows you to sign up for/in to our Services using third-party accounts, such as Meta or Google. When you give permission for this to happen, GitLab will receive information about you from your third-party account, such as name, email address, location and demographic information. In addition, GitLab allows you to connect the Services through third-party applications, like Jira and Slack. As part of this interaction, third-party applications may send Personal Data to GitLab in accordance with the privacy settings of the third-party service. This Personal Data may include contact information, location, chat commands, and information related to your GitLab projects.

Other Users of the Services: Other users of the Services may provide information about you when they submit issues and comments, or we may receive information when you are designated as a representative or administrator on your company's account.

When you are asked to provide personal data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain products or features, those products or features may not be available or function correctly.

Information Processed by AI-Powered Features

When you use the GitLab Duo suite of AI capabilities, including Code Suggestions, Suggested Reviewers, and other AI/ML features, your Personal Data will be processed in accordance with this Privacy Statement.

To provide these features, GitLab may transmit your code, supporting contextual information, and other prompts you submit to the Services to third-parties, such as private code modeling service providers. Further, GitLab may collect AI prompts and output to debug and troubleshoot the services and enforce our Website Terms of Use. We may also collect first-party usage data related to Duo features for the purposes of identifying and developing product improvements and assessing features engagement. However, we will not use your AI-inputs to train any language models without your instruction or prior consent. This data may be collected in both the SaaS and Self-managed products where AI-features are enabled.

What Personal Data is Not Collected by GitLab?

GitLab does not intentionally collect sensitive Personal Data, such as social security numbers, genetic data, health information, or religious information. Although GitLab does not request or intentionally collect any sensitive Personal Data, we realize that users might store this kind of information in a GitLab repository.

GitLab does not intentionally collect the Personal Data of individuals that are stored in users' repositories or other free-form content inputs. If Personal Data is stored in a user repository then the repository owner is responsible for its processing.

If you are a child under the age of 13, you may not have an account. With the exception of Educational Licenses, GitLab does not knowingly collect information from, or direct any of our Services to, children under 13. If we learn or have reason to suspect that a user is under the age of 13, we will close the child's account.

With Whom does GitLab Share My Personal Data?

We may share each of the categories of Personal Data we collect with the types of third-parties described below, for the following business purposes:

Sharing with Users and the Public: We may share your Personal Data with other users of the Services and with the public if you choose to make your SaaS Profile public. You have control over what information is public; however, your name and username will always be displayed. If you do not want to disclose your real name, please use a pseudonym or other alias in your profile and username. To change your settings, go to User Settings in your profile. You should also be aware that any information you share as part of a project, blog, website etc. may be publicly available and you should consider this carefully when interacting with the Services. Also, we may collect and share public community contribution metrics as part of our Evangelist Program.

Sharing with Managed Accounts and Administrators: If you have created a GitLab account with your corporate email address, we may share your Personal Data with your Company if your Company enters into a commercial relationship with GitLab. If this happens, then your use of the software and your account is subject to the terms and any data protection agreement between your Company and GitLab.

In the event you change the email address on your account from a corporate email address to a personal email address and, thereafter, your Company enters into a commercial relationship with GitLab, your Personal Data related to that account will not be shared with your Company. GitLab will not link an account to a Company based on retroactive use of a corporate email.

In addition, if you choose to become a member of a group, your username, email address, IP address, the date when access was granted, the date when access expires, your access role, and audit logs containing information related to your actions in the group will be shared with the owners of that group.

Sharing with Service Providers: We share your Personal Data with our service providers. These are companies who provide services on our behalf, including in the areas of cloud hosting, marketing, advertising, ad measurement, social engagement, analytics, support ticketing, credit card processing, AI and ML, security, and other such similar services. These companies are subject to contractual requirements that govern the security and confidentiality of your information.

For example, we use analytics providers, such as Google Analytics and Google Signals, to help us understand the operation and performance of our Services and Stripe for payment, analytics, and other business services.. To learn about how Google uses and shares data it collects through its services, please visit https://www.google.com/policies/privacy/partners/. You can learn more about Stripe and its processing activities via their privacy policy at stripe.com/privacy. In addition, please visit our Sub-Processors page to see the list of our Sub-Processors that we use in order to provide customer support, host the Services, and provide key product features.

Sharing with Partners and Resellers: GitLab works with third-parties who provide sales, consulting, support and technical services for our Services. Where permitted and with your consent (if required), we may share your data with these partners and resellers.

Sharing with Affiliated Companies: GitLab will share information collected with companies owned and operated by us.

Sharing for Fraud and Prevention Abuse: We may share your information when we have a good faith belief that the disclosure is necessary to prevent fraud, abuse of our services, defend against attacks, and to protect the safety of GitLab and our users. For example, we may share your name and phone number with service providers to facilitate an identity verification call or SMS text for fraud prevention.

Law Enforcement: GitLab may disclose Personal Data or other information we collect about you to law enforcement if required in response to a valid subpoena, court order, search warrant, a similar government order, or when we believe in good faith that disclosure is necessary to comply with our legal obligations, to protect our property or rights, or those of third-parties or the public at large.

Merger or Acquisition: We may share your Personal Data if we are involved in a merger, sale, or acquisition of corporate entities or business units. If any such change of ownership happens, we will ensure that it is under terms that preserve the confidentiality of your Personal Data, and we will notify you on our website or by email before any transfer of your Personal Data.

Sharing Personal Data Across National Borders

Our Services are hosted in the United States and information we collect will be stored and processed on our servers in the United States. Our employees, contractors, affiliated organizations, service providers, and sub-processors that process Personal Data may be located in the United States or other countries outside of your home country. If you reside in the EEA, United Kingdom, or Switzerland, and we transfer information about you to a jurisdiction that has not been found by the European Commission to have adequate data protections, we will use available safeguards and legal mechanisms to help ensure your rights and protections, including using Standard Contractual Clauses or obtaining your consent.

For our customers whose use of the GitLab Websites and Services involves the processing of Personal Data from Japan, GitLab will transfer Personal Data originating in Japan to both its EEA and non-EEA affiliates, such as GitLab, Inc. in the United States. To make this transfer, GitLab relies on the Japan Personal Information Protection Commision’s adequacy decisions about the Personal Data protection system of the EEA and the United Kingdom, or the transfer will be made in accordance with our intra-company data transfer agreements that provide for obligations equivalent to those as stated under the APPIJ.

How does GitLab Secure My Personal Data?

We work hard to protect your Personal Data. We employ administrative, technical, and physical security controls where appropriate, to protect your information from unauthorized access or destruction. For more information on our security practices please see: Technical and Organizational Security Measures for GitLab.com.

Except to host the Services, GitLab does not process Personal Data in private groups or projects unless the following situations arise: to maintain security or to remediate a security incident; to scan for malware and vulnerabilities that violate the Website Terms of Use; to comply with our legal obligations; to ensure the availability of the Services; to provide support to a repository owner upon request; or on the basis of your consent.

Data Retention

In order to protect your Personal Data, GitLab will only retain your Personal Data for as long as your account is active or as needed to perform our contractual obligations, provide you the Services, comply with legal obligations, resolve disputes, preserve legal rights, or enforce our agreements.

GitLab reserves the right to delete inactive accounts, projects, namespaces, and associated content. GitLab may deem an account, project, or namespace inactive based on various criteria, including, but not limited to, the account creation date, the last time there was a valid log-in, and the date of the last contribution. If we plan to delete your account or projects, we will provide advance notice by sending a message to the email address registered to your account. GitLab encourages you to utilize your account on occasion to avoid the risk of being deemed inactive. GitLab may also delete inactive or weak SSH keys to help keep your account safe. If you use GitLab’s chatbot feature on our Websites, a transcript of your live chat will be retained for 12-months.

What are My Rights and Choices Regarding Personal Data?

You have the right to access, correct, restrict or delete your Personal Data, and to port your Personal Data to another company. While these rights may vary by jurisdiction, GitLab provides you with the same rights and choices, no matter where you live. We provide these rights free of charge unless your requests are manifestly unfounded and excessive.

You may exercise your choices and rights as follows:

To opt out of marketing communications: You may opt-out of email marketing by clicking the “unsubscribe” link located at the bottom of any marketing email you receive or by visiting our preference center and unsubscribing. You may opt-out of telemarketing by asking our call agent to place you on our Do-Not-Call list or by visiting our preference center and unsubscribing. You may opt-out of messenger application communications, such as WhatsApp, by making a request through an in-app message or visiting our preference center and unsubscribing from telemarketing. You may continue to receive transactional email messages about your account and the Service after you have unsubscribed.

To opt-out of Interest-based advertising: If you wish to opt-out of interest-based advertising, please visit the Cookies Policy to see your options.

Request a copy of your information: You may request a copy of the Personal Data that GitLab has about you.

Update your information: If you already have an account, you may access, update, or alter your user profile information by logging into your account and updating profile settings.

To delete your account: If you only want to delete your SaaS account, you may do so by logging into your account and going to the “Delete Account” option in your User Settings. If your intention is to delete your Personal Data across all systems, including your account, you need to fill out a Personal Data Request Form and select "Account Deletion (full)" in the "Request Type" dropdown menu. If your account is tied to a Company that has entered into a commercial relationship with GitLab, you will have to ask your Company administrator to remove your account from that corporate namespace before we can delete it. Once your account is no longer associated with that corporate namespace, GitLab will process your deletion request according to the process stated herein.

Be advised that if you allow your repository to be forked or cloned by making it public or by providing specific authorization, such repositories will fall outside the scope of your request for deletion. GitLab does not have the visibility into or the ability to delete your Personal Data across all forked or cloned repositories nor can we make such a communication to all third-parties on your behalf. As such, you must make your request to delete such repositories directly to those third-parties that you allowed to fork or clone your data.

Please note that due to the open source nature of our Services, we may retain limited Personal Data indefinitely in order to provide a transactional history. For example, if you provide your information in connection with a blog post or comment, we may display that information even if you have deleted your account as we do not automatically delete community posts. Also, if you contribute to a public project (not owned by GitLab), and you provide your Personal Data in connection with that contribution, your Personal Data will be embedded and publicly displayed with your contribution, and we will not be able to delete or erase it because doing so would break the project.

One exception to embedded information in a public project occurs when your Personal Data is added by you or someone else to the comments section of a public project. In such a case, your Personal Data will be redacted since removing this information from only the comments section will not break the project.

If you contribute to a GitLab owned project by commenting in, or creating an issue or merge request and you provide your Personal Data in connection with that contribution, your Personal Data associated with your contribution will be deleted and attributed to a ghost user. However, please note that if the content of the contribution contains Personal Data, this information would remain and you will need to submit a specific request to have this information deleted.

To port your projects: You may port your projects by either using the Export functionality provided within the SaaS product which will also include all metadata, or by cloning your repositories. To port your profile information, you may use the API.

To inform your Supervisory Authority: In the unlikely event you disagree with our handling of your request, you have the right to file a complaint with the competent supervisory authority in your jurisdiction, such as the Autoriteit Persoonsgegevens (+31)-(0)70 - 8888 500 in the Netherlands.

Appeals: If you are located in a state or country where you are granted the right to appeal GitLab's resolution of a data subject rights request, we will provide the specific information on how to appeal in our initial resolution letter to your request.

U.S. State Privacy Rights

If you are a California resident or reside in a US-state that requires statutory privacy disclosures, please visit the U.S. State Privacy Rights Disclosures for a specific description of your privacy rights and collection practices.

Other Important Privacy Information

Statement Changes

GitLab may change its Privacy Statement from time to time. When we do, we will update the date at the top of this Statement. If we decide to make a significant change to our Privacy Statement, we will post a notice of the update on the homepage of our Website. We may also provide notification via email of any material changes to our Privacy Statement.

Contact Us

Your information is controlled by GitLab B.V. and GitLab Inc. If you have questions or concerns about the way we are handling your Personal Data, please email our privacy office with the subject line "Privacy Concern" at [email protected].