GitLab Privacy Policy

Last updated: 21 January 2021

Introduction

At GitLab, we take the privacy and security of your information seriously. This privacy policy (“Privacy Policy”) will explain how we collect, use and share your personal information, and how you may exercise your rights. This Privacy Policy applies to the GitLab websites (“Websites”), GitLab.com (“SaaS”), and Self-managed (“Self-managed”) products and services; collectively “Services.”

“Personal information” as used in this Privacy Policy is information that identifies or can reasonably be linked directly or indirectly to an identifiable person.

What personal information does GitLab collect about me?

Information You Provide Directly

We collect the personal information you provide to us, for example:

Account Information: When you register for an account with GitLab, we collect information that identifies you such as your name, username, email address and password.

Profile Information: We collect information that you voluntarily provide in your user profile; this may include your public avatar (which may be a photo), additional email addresses, company/organization name, job title, country, social media handles, and biography. Please note this information may be visible to other users of the Services and to the public depending on the privacy setting you apply.

Payment Information: If you purchase a paid subscription from GitLab, we will collect payment information from you that may include your name, billing address and credit card or bank information.

Contact Information: If you request GitLab to contact you, or sign up for marketing materials or events, GitLab may collect information such as name, address, email address, telephone number, company name, and size of company.

Content you provide through the use of the Services: When you use the SaaS service, we collect and store content that you post, send, receive and share. Examples of content we collect and store include but are not limited to: the summary and description added to an issue, your repositories, commits, project contributions and comments. Content also includes any code, files and links you upload to the SaaS service.

If you are using our Self-managed product, we do not host, store, transmit, receive or collect information about you (including your content), except in limited cases, where permitted by your administrator. See the section on “Information about your use of the Services” for more details.

We may also collect other content that you submit to our Services. For example: feedback, comments and blog posts, or when you participate in any interactive features, surveys, contests, promotions, sweepstakes, activities or events.

Customer Support and Professional Services: If you contact GitLab customer support or receive professional services, we will collect information about you related to your account and to the requests you are making or the services being provided.

Information About Your Use of the Services We Collect Automatically

Device Information and Identifiers: When you access and use our Services, we automatically collect information about your device, which may include: device type, device operating system, browser type and version, language preference, IP address, cookie identifiers, hardware identifiers, and mobile IDs.

License Information: For our Self-managed products we may automatically collect information about the number of active users, historical user count, licensee name, email address, IP address and similar information.

Services Usage Data: GitLab may also collect information about how you use our SaaS and Self-hosted products, such as activity data, feature usage, and product version data. This information may be aggregated or identifiable. For more information about the data collected, and how to set your preferences, please visit Services Usage Data.

Website Usage Data: When you visit our Websites, we automatically log information about how you interact with the sites, such as the referring site, date and time of visit, and the pages you have viewed or links clicked on.

Cookies and Similar Tracking Technologies: GitLab uses cookies and similar technologies to provide functionality, such as storing your settings, and to recognize you as you use our Services. In addition, we use cookies to gather information to provide interest-based advertising which is tailored to you based on your online activity. Please review our Cookie Policy to learn about our practices and the controls we provide you.

Email marketing: When we send you emails, they may include technology such as a web beacon, that tells us your device type, email client, and whether you have received and opened an email, or clicked on any links contained in the email.

Buttons, tools, and content from other companies: The Services may include links or buttons to third party services such as Facebook and Twitter. We may collect information about your use of these features. In addition, when you see or interact with these buttons, tools, or content, some information from your browser may automatically be sent to the other company. Please read that company’s privacy policy for more information.

Information from Third parties and Partners

We may also receive information about you from third parties such as vendors, resellers, partners, or affiliates. For example, we receive information from our resellers about you and your orders, or we may supplement the data we collect with demographic information licensed from third parties in order to personalize the Services and our offers to you.

Third Party sign-in services: GitLab allows you to sign up for/in to our Services using third party accounts, such as Facebook or Google. When you give permission for this to happen, GitLab will receive information about you from your third-party account, such as name, email address, location and demographic information.

When you are asked to provide personal data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain products or features, those products or features may not be available or function correctly.

How is your personal information used?

GitLab uses your personal information for the following purposes:

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we collect and process your personal information on the following legal bases set out by applicable law:

Performance of a contract: We use your personal information to provide the Services you have subscribed to, and to complete and administer the contract you have entered into with GitLab.

Legitimate Interests: We use your personal information for our legitimate interests, such as to provide you with relevant content, improve our products and services, and for administrative, security, fraud prevention and legal purposes. You may object to the processing of your personal information for these purposes at any time.

Consent: We may use your personal information, with your consent, for specific purposes such as marketing, surveys, and research. You may withdraw your consent for the specific purpose or object to the processing of your personal information at any time.

Who is your information shared with?

We may share each of the categories of personal information we collect with the types of third parties described below, for the following business purposes:

Sharing with Users and the Public: We may share your personal information with other users of the Services and with the public if you choose to make your SaaS Profile public. You have control over what information is public. To change your settings, go to User Settings in your profile. You should also be aware that any information you share as part of a project, blog, website etc. may be publicly available and you should consider this carefully when interacting with the Services.

Sharing with Managed Accounts and Administrators: If you have created a GitLab account with your corporate email address, we may share your personal information with your Company if your Company enters into a commercial relationship with GitLab. If this happens, then your use of the software and your account is subject to the terms and any data protection agreement between your Company and GitLab.

In addition, if you choose to become a member of a project, your username, email address, IP address, the date when access was granted, the date when access expires, and your access role will be shared with the group owners of that project.

Sharing with Service Providers: We share your personal information with our service providers. These are companies who provide services on our behalf, such as hosting our Services, marketing, advertising, social, analytics, support ticketing, credit card processing, security and other such similar services. These companies are subject to contractual requirements that govern the security and confidentiality of your information.

For example, we use analytics providers, such as Google Analytics, to help us understand the operation and performance of our Services. To learn about how Google uses and shares data it collects through its services, please visit https://www.google.com/policies/privacy/partners/.

Sharing with Partners and Resellers: GitLab works with third parties who provide sales, consulting, support and technical services for our Services. Where permitted and with your consent (if required), we may share your data with these partners and resellers.

Sharing with Affiliated Companies: GitLab will share information collected with companies owned and operated by us.

Sharing for Fraud and Abuse Prevention: We may share your information when we have a good faith belief that the disclosure is necessary to prevent fraud or abuse of our services, to defend against attacks, and to protect the safety of GitLab and our users.

Law Enforcement: GitLab may disclose personal information or other information we collect about you to law enforcement if required in response to a valid subpoena, court order, search warrant, a similar government order, or when we believe in good faith that disclosure is necessary to comply with our legal obligations, to protect our property or rights, or those of third parties or the public at large.

Merger or Acquisition: We may share your personal information if we are involved in a merger, sale, or acquisition of corporate entities or business units. If any such change of ownership happens, we will ensure that it is under terms that preserve the confidentiality of your personal information, and we will notify you on our website or by email before any transfer of your personal information.

Is your personal information transferred across national borders?

Our Services are hosted in the United States and information we collect will be stored and processed on our servers in the United States. Our employees, contractors, affiliated organizations and processors that process personal information may be located in the United States or other countries outside of your home country. If you reside in the European Economic Area, United Kingdom, or Switzerland, and we transfer information about you to a jurisdiction that has not been found by the European Commission to have adequate data protections, we will use available safeguards and legal mechanisms to help ensure your rights and protections, including using Standard Contractual Clauses or obtaining your consent.

Security

We work hard to protect your personal information. We employ administrative, technical, and physical security controls where appropriate, to protect your information. For more information on our security practices please see: Technical and Organizational Security Measures for GitLab.com.

Data Retention

GitLab will retain your information for as long as your account is active or as needed to perform our contractual obligations, provide you the Services, comply with legal obligations, resolve disputes, preserve legal rights, or enforce our agreements.

We may delete inactive accounts and associated projects and repositories after a period of twelve (12) months.

Rights and Choices

You have the right to access, correct, restrict or delete your personal information, and to port your personal information to another company. While these rights may vary by jurisdiction, GitLab provides you with the same rights and choices, no matter where you live.

You may exercise your choices and rights as follows:

To opt out of email marketing: You may opt out of email marketing by clicking the “unsubscribe” link located at the bottom of any email you receive or by visiting our preference center and unsubscribing. You may continue to receive transactional email messages about your account and the Service after you have unsubscribed.

To opt out of interest-based advertising: If you wish to opt out of interest-based advertising, please visit the Cookie Policy to see your options.

Request a copy of your information: You may request a copy of the personal information that GitLab has about you.

Update your Information: If you already have an account, you may access, update, or alter your user profile information by logging into your account and updating profile settings.

To delete your Account: You may delete your account by logging into your account and going to the “Delete my Account” option in your profile settings.

Please note that due to the open source nature of our Services, we may retain limited personal information indefinitely in order to provide a transactional history. For example, if you provide your information in connection with a blog post or comment, we may display that information even if you have deleted your account as we do not automatically delete community posts. Also, if you contribute to a public project (not owned by GitLab), and you provide your personal information in connection with that contribution, your personal information will be embedded and publicly displayed with your contribution, and we will not be able to delete or erase it because doing so would break the project.

If you contribute to a GitLab project by commenting in, or creating an issue or merge request and you provide your personal information in connection with that contribution, your personal information associated with your contribution will be deleted and attributed to a ghost user. However, please note that if the content of the contribution contains personal information, this information would remain and you will need to submit a specific request to have this information deleted.

To port your projects: You may port your projects by either using the Export functionality provided within the SaaS product which will also include all metadata, or by cloning your repositories. To port your profile information, you may use the API.

California Privacy Rights

Under the California Consumer Privacy Act (“CCPA”) you are entitled to certain rights such as access to your specific personal information, details about our processing of your personal information, and the right to delete your information. You may exercise all of these rights as described in the “Your Rights and Choices” section. GitLab does not sell your personal information, as defined under CCPA, and has not done so for the past 12 months.

You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under the CCPA. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us. To provide or delete specific pieces of personal information we will need to verify your identity to the degree of certainty required by law. We will verify your request by using one of the methods set forth here.

Information GitLab Does Not Collect

GitLab does not intentionally collect sensitive personal information, such as social security numbers, genetic data, health information, or religious information. Although GitLab does not request or intentionally collect any sensitive personal information, we realize that users might store this kind of information in a GitLab repository. If you are a child under the age of 13, you may not have an account. GitLab does not knowingly collect information from, or direct any of our Services to, children under 13. If we learn or have reason to suspect that a user is under the age of 13, we will close the child’s account.

CCPA Metrics Reporting

You can find our metrics for data subject requests in the last year here.

Policy Changes

GitLab may change its Privacy Policy from time to time. When we do, we will update the date at the top of this Policy. If we decide to make a significant change to our Privacy Policy, we will post a notice of the update on the homepage of our Website. We may also provide notification via email of any material changes to our Privacy Policy.

Contact Us

Your information is controlled by GitLab B.V. and GitLab Inc. If you have questions or concerns about the way we are handling your information, please email us with the subject line "Privacy Concern" at DPO@gitlab.com.

Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license.