GitLab is an open source project and collaborative community, as well as a company. This means that many portions of our Websites, including information you voluntarily provide, will be public-facing for the open sharing of innovative developments, ideas, and information that makes our collaborative community so great. While we are committed to open sharing, we strive to respect the privacy of individual community members and will minimize the information we collect and share. If you do not want to share your information, including personally identifiable information, with other community members and the public, please be thoughtful as to how you interact with our Websites and what information you provide through the Websites (for example, through creating a public profile, project contributions, comments, and blog posts).
Oversight of Data Security is handled by GitLab's respective Data Protection Officers. Should you wish to make modifications, deletions, or additions to any personal data you believe to be captured by GitLab, or if you have any general security concerns, please contact the Data Protection Office (DPO) for your respective territory at the following email address:GitLab Security.
For the Americas:Mel Farber.
For Europe and the Middle East:Jan Urbanc.
For Asia Pacific:Robert Mitchell.
Like most website operators, GitLab collects basic non-personally-identifying information from Website visitors of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. We collect this information to better understand how visitors use the Website, to improve our Websites and experience for visitors, and to monitor the security of the Websites. From time to time, GitLab may publicly release non-personally-identifying information collected from Website visitors in the aggregate, e.g., by publishing a report on trends in the usage of the Website.
GitLab also collects potentially personally-identifying information like Internet Protocol (IP) addresses from visitors. GitLab does not use such information to identify or track individual visitors, however. We collect this information to understand how visitors use the Websites, to improve performance and content, and to monitor the security of the Websites.
GitLab may collect statistics about the behavior of visitors to our Websites. For instance, GitLab may reveal how many downloads a particular version got using aggregated statistics that contain anonymous user information only.
GitLab collects information about usage from each self-managed GitLab instance (Community Edition and Enterprise Edition) through a usage ping. The usage ping sends a payload containing data such as total number of projects and pipelines, as well as license information and hostname to GitLab. Only aggregates of usage data is sent: no project names or other content is sent to GitLab. You can view the exact payload of the usage ping in the administration panel in GitLab. Here you can also opt-out of the usage ping.
Visitors can always refuse to supply personally-identifying information, with the caveat that it may prevent you from engaging in certain Website-related activities or being able to access and use certain features and services.
For details about what information is collected and with whom it is shared, please go to Tech Stack Applications.
GitLab does not intentionally collect sensitive personal information, such as social security numbers, genetic data, health information, or religious information. Although GitLab does not request or intentionally collect any sensitive personal information, we realize that users might store this kind of information in a Gitlab repository. If you store any sensitive personal information on GitLab’s servers, you are consenting to our storage of that information on our servers, which are located in the United States.
If you're a child under the age of 13, you may not have an account on the Website. GitLab does not knowingly collect information from or direct any of our Website or content specifically to children under 13. If we learn or have reason to suspect that a user is under the age of 13, we will close the child’s account.
Other countries may have different minimum age limits. If you are below the minimum age for providing consent for data collection in your country, you may not use GitLab.
Performance of a contract. The use of your information may be necessary to perform the contract that you have with us. For example, if you use our Websites to purchase GitLab product subscriptions or services, contribute to a project, create a profile, post and comment through our Websites, or request information through our Websites, we will use your information to carry out our obligation to complete and administer that contract or request.
Legitimate interests. We use your information for our legitimate interests, such as to provide you with the best content through our Websites and communications with users and the public, to improve and promote our products and services, and for administrative, security, fraud prevention and legal purposes.
GitLab only discloses potentially personally-identifying and personally-identifying information to those of its employees, contractors, and affiliated organizations that (i) need to know that information in order to process it on GitLab's behalf or to provide services available on the Website, and (ii) that have agreed not to disclose it to others.
Please note, email and IP addresses of members of a repository may be shared with the respective administrator of that repository.
GitLab will not rent or sell potentially personally-identifying and personally-identifying information to anyone. Other than to its employees, contractors, and affiliated organizations, as described above, GitLab discloses potentially personally-identifying and personally-identifying information only when required to do so by law, or when GitLab believes in good faith that disclosure is reasonably necessary to protect the property or rights of GitLab, third parties, or the public at large.
GitLab takes measures reasonably necessary to protect against the unauthorized access, use, alteration, or destruction of potentially personally-identifying and personally-identifying information.
The Website is hosted in the United States and information we collect will be stored and processed on our servers in the United States. Our employees, contractors and affiliated organizations that process information for us as described above may be located in the United States or in other countries outside of your home country; by using the Website, you consent to the international transfer of your information by GitLab.
If you are a registered user of the Websites and have supplied your email address, GitLab may occasionally send you an email to tell you about security, system information, new features, solicit your feedback, or just keep you up to date with what's going on with GitLab and our products. We primarily use our blog to communicate this type of information, so we expect to keep this type of email to a minimum. There's an unsubscribe link located at the bottom of each of the marketing emails we send you so you can stop receiving such emails at any time.
If you send us a request (for example via a support email or via one of our feedback mechanisms), we reserve the right to publish your request in order to help us clarify or respond to your request or to help us support other users. We will not publish your personally-identifiable information in connection with your request.
For more information on what cookies are used, visit our Cookies Policy.
We use third party tracking services, but we don’t use these services to track you individually or collect your personally identifiable-information. We use these services to collect information about how the Website performs and how users navigate through and use the Website so we can monitor and improve our content and Website performance.
Third party tracking services gather certain simple, non-personally identifying information over time, such as your IP address, browser type, internet service provider, referring and exit pages, timestamp, and similar data about your use of the Website. We do not link this information to any of your personal information such as your user name.
"Do Not Track" is a privacy preference you can set in your browser if you do not want online services to collect and share certain kinds of information about your online activity from third party tracking services. GitLab does not track your online browsing activity on other online services over time and we do not permit third-party services to track your activity on our site beyond our basic tracking, which you may opt out of. Because we do not share this kind of data with third party services or permit this kind of third party data collection for any of our users, and we do not track our users on third-party websites ourselves, we do not need to respond differently to an individual browser's Do Not Track setting.
If you are located in the European Union, you are entitled to the following rights with regard to your personal information and data:
Additional rights that may apply to you in certain instances:
If you already have an account on the Websites, you may access, update, alter, or delete your basic user profile information by logging into your account and updating profile settings.
GitLab will retain your information for as long as your account is active or as needed to perform our contractual obligations, provide you services through the Website, to comply with legal obligations, resolve disputes, preserve legal rights, or enforce our agreements.
We will delete inactive accounts after a period of twelve (12) months. We will also erase information once it is no longer necessary to fulfill the purposes for which it was collected and processed.
If you have questions or concerns about the way we are handling your information, or would like to exercise your privacy rights, please email us with the subject line "Privacy Concern" at GitLab Legal.
We will respond within 30 days of receiving your message at the latest but please note for promptest response, we recommend emailing us.
GitLab takes the privacy of our employees, customers, consumers, and other third parties (“Data Subjects”) that have entrusted us with information very seriously. To ensure the rights of Data Subjects are respected and protected to the utmost extent, GitLab has implemented the following Privacy Program.
GitLab will: a) follow all applicable laws and regulations directed toward privacy and information security; b) keep protected information secure and use it appropriately; c) safeguard any confidential information Data Subjects share with us; d) ensure that protected information is used only for the reasons for which the information was gathered, unless further use is allowed by law; e) not disclose any information about a Data Subject without their written approval unless legally required to do so (for example, under a court-issued subpoena); f) legitimate and legal business reasons to access this information must be present in order to have permission to access protected data; g) take steps to protect the information against unauthorized use or release. In order to ensure compliance with this Program, the following controls have been established.
The GitLab environment must align and comply with our Security Best Practices All applications and technologies brought into the GitLab environment will undergo a Data Protection Impact Assessment (DPIA) in accordance with the existing DPIA Policy and DPIA Procedure. The DPIA Template should be completed for any and all technology within its environment to confirm proper and legitimate use and to identify if new information is being collected, new uses of information are employed, and/or if any further consents are required.
If any Sub-processors are identified, such Subprocessors will be identified on the GitLab Tech Stack. Subprocessors are required to execute a Data Protection Agreement with GitLab. Partners who work closely with GitLab are required to agree to Standard Contract Clauses for the protection of data. GitLab will enter into a Data Protection Agreement for those Controllers for whom it is a Subprocessor. All employees are required to protect data in accordance with the GitLab Data Classification Policy and the Acceptable Use Policy.
The Data Protection Officers will oversee any requests to modify, delete, add or amend personal data. The Privacy Officer will review the policies relating to privacy on no less than an annual basis. Internal Audit and IT Security will conduct audits to ensure compliance with the controls.