audit report
GitHub
GitHub's privacy policy claims comprehensive data collection (account data, service usage, IP, device info), uses both essential and non-essential cookies for analytics and advertising, shares data with Microsoft and other service providers, and does not sell personal data. Observable behavior aligns: three first-party cookies are set, HSTS and CSP headers enforce security, and only GitHub-controlled CDNs and AWS hosting are loaded on the homepage—no third-party ad networks or analytics vendors are directly invoked. However, the policy's claims about advertising and analytics likely apply to other parts of GitHub not visible on the homepage itself.
findings
- note
Homepage loads minimal third-party code despite broad advertising claims
The policy explicitly claims GitHub uses non-essential cookies for interest-based advertising and shares data with advertising networks and analytics providers, yet the homepage observation shows zero third-party ad or analytics vendors loaded—only GitHub CDN, GitHub-owned image services, and AWS. This suggests advertising and analytics implementation may be confined to specific pages (e.g., Enterprise Marketing Pages mentioned in the policy) or user segments, rather than applied globally.
how we detected this → Policy: 'We may also employ third-party Cookies to gather data for interest-based advertising'; Policy: 'shared...to or with advertising networks'; Observation: third_parties only include githubassets.com (GitHub CDN), githubusercontent.com (GitHub), and amazonaws.com (AWS hosting)
- note
Named third parties in policy (Google, Twitter, LinkedIn, VSCode) not loaded on homepage
The policy lists Microsoft, Google, Twitter, LinkedIn, and Visual Studio Code as named third parties, but none of these domains appear in the homepage load. This is consistent with the advertising/analytics note above—these integrations likely activate conditionally or on other pages, not on the public homepage.
how we detected this → Policy names: 'Microsoft, Google, Twitter, LinkedIn, Visual Studio Code'; Observation: No googleapis.com, twitter.com, linkedin.com, or code.visualstudio.com domains detected
- info
No privacy-sensitive third parties detected
No analytics, advertising, tracking, or session replay vendors were observed on this page.
how we detected this →
- info
Web beacon tracking in emails disclosed but not observable from homepage
The policy discloses use of web beacons in emails to track opens and clicks, which is appropriate transparency but not verifiable from the homepage observation (email tracking only activates when users receive and open email).
how we detected this → Policy: 'Our emails may have web beacons that offer information on your device type, email client, email reception, opens, and link clicks'
third parties observed
| vendor | domain | category | hits | disclosure |
|---|---|---|---|---|
| AWS | amazonaws.com | hosting | 1 | not named |
| GitHub | githubassets.com | cdn | 95 | not named |
| GitHub | githubusercontent.com | cdn | 3 | not named |
policy claims
source · https://docs.github.com/site-policy/privacy-policies/github-privacy-statement
- collects pii: yes
- shares 3p: yes
- sells data: no
- cookies: yes
- analytics: yes
- advertising: yes
named third parties (5)
Microsoft, Google, Twitter, LinkedIn, Visual Studio Code
retention
GitHub retains personal data as long as the account is active and as needed to fulfill contractual obligations, comply with legal requirements, resolve disputes, and enforce agreements. The retention duration depends on the purpose of data collection and any legal obligations.
user rights
Users have the right to access, rectify, erase, limit processing, object to processing, withdraw consent, and receive data in portable format. Users can exercise rights by emailing privacy@github.com. For EEA/UK users, additional rights under GDPR apply including complaint to Data Protection Authorities.
response headers
- hsts: yes
- csp: yes
- server: github.com
run this yourself
Every audit on this site is reproducible. Install stackpeek and run the same check against https://github.com from your own machine — the tool is MIT-licensed and runs locally.
```shell
pip install stackpeek
stackpeek audit https://github.com
```
provenance
This audit was generated by running stackpeek against https://github.com from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.