Guidelines for Legal Requests of User Data

In this article

Are you a law enforcement officer conducting an investigation that may involve user content hosted on GitHub? Or maybe you're a privacy-conscious person who would like to know what information we share with law enforcement and under what circumstances. Either way, you're on the right page.

In these guidelines, we provide a little background about what GitHub is, the types of data we have, and the conditions under which we will disclose private user information. Before we get into the details, however, here are a few important details you may want to know:

  • We will notify affected users about any requests for their account information, unless prohibited from doing so by law or court order.
  • We will not disclose location-tracking data, such as IP address logs, without a valid court order or search warrant.
  • We will not disclose any private user content, including the contents of private repositories, without a valid search warrant.

About these guidelines

Our users trust us with their software projects and code—often some of their most valuable business or personal assets. Maintaining that trust is essential to us, which means keeping user data safe, secure, and private.

While the overwhelming majority of our users use GitHub's services to create new businesses, build new technologies, and for the general betterment of humankind, we recognize that with millions of users spread all over the world, there are bound to be a few bad apples in the bunch. In those cases, we want to help law enforcement serve their legitimate interest in protecting the public.

By providing guidelines for law enforcement personnel, we hope to strike a balance between the often competing interests of user privacy and justice. We hope these guidelines will help to set expectations on both sides, as well as to add transparency to GitHub's internal processes. Our users should know that we value their private information and that we do what we can to protect it. At a minimum, this means only releasing data to third-parties when the appropriate legal requirements have been satisfied. By the same token, we also hope to educate law enforcement professionals about GitHub's systems so that they can more efficiently tailor their data requests and target just that information needed to conduct their investigation.

GitHub terminology

Before asking us to disclose data, it may be useful to understand how our system is implemented. GitHub hosts millions of data repositories using the Git version control system. Repositories on GitHub—which may be public or private—are most commonly used for software development projects, but are also often used to work on content of all kinds.

  • Users — Users are represented in our system as personal GitHub accounts. Each user has a personal profile, and can own multiple repositories. Users can create or be invited to join organizations or to collaborate on another user's repository.

  • Collaborators — A collaborator is a user with read and write access to a repository who has been invited to contribute by the repository owner.

  • Organizations — Organizations are a group of two or more users that typically mirror real-world organizations, such as businesses or projects. They are administered by users and can contain both repositories and teams of users.

  • Repositories — A repository is one of the most basic GitHub elements. They may be easiest to imagine as a project's folder. A repository contains all of the project files (including documentation), and stores each file's revision history. Repositories can have multiple collaborators and, at its administrators' discretion, may be publicly viewable or not.

  • Pages — GitHub Pages are public webpages freely hosted by GitHub that users can easily publish through code stored in their repositories. If a user or organization has a GitHub Page, it can usually be found at a URL such as or they may have the webpage mapped to their own custom domain name.

  • Gists — Gists are snippets of source code or other text that users can use to store ideas or share with friends. Like regular GitHub repositories, Gists are created with Git, so they are automatically versioned, forkable and downloadable. Gists can either be public or secret (accessible only through a known URL). Public Gists cannot be converted into secret Gists.

User data on

Here is a non-exhaustive list of the kinds of data we maintain about users and projects on GitHub.

We will notify any affected account owners

It is our policy to notify users about any pending requests regarding their accounts or repositories, unless we are prohibited by law or court order from doing so. Before disclosing user information, we will make a reasonable effort to notify any affected account owner(s) by sending a message to their verified email address providing them with a copy of the subpoena, court order, or warrant so that they can have an opportunity to challenge the legal process if they wish. In (rare) exigent circumstances, we may delay notification if we determine delay is necessary to prevent death or serious harm.

Disclosure of non-public information

It is our policy to disclose non-public user information in connection with a civil or criminal investigation only with user consent or upon receipt of a valid subpoena, civil investigative demand, court order, search warrant, or other similar valid legal process. In certain exigent circumstances (see below), we also may share limited information but only corresponding to the nature of the circumstances, and would require legal process for anything beyond that. GitHub reserves the right to object to any requests for non-public information. Where GitHub agrees to produce non-public information in response to a lawful request, we will conduct a reasonable search for the requested information. Here are the kinds of information we will agree to produce, depending on the kind of legal process we are served with:

In the case of organization accounts, we can provide the name(s) and email address(es) of the account owner(s) as well as the date and IP address at the time of creation of the organization account. We will not produce information about other members or contributors, if any, to the organization account or any additional information regarding the identified account owner(s) without a follow-up request for those specific users.

Please note that the information available will vary from case to case. Some of the information is optional for users to provide. In other cases, we may not have collected or retained the information.

Under exigent circumstances — If we receive a request for information under certain exigent circumstances (where we believe the disclosure is necessary to prevent an emergency involving danger of death or serious physical injury to a person), we may disclose limited information that we determine necessary to enable law enforcement to address the emergency. For any information beyond that, we would require a subpoena, search warrant, or court order, as described above. For example, we will not disclose contents of private repositories without a search warrant. Before disclosing information, we confirm that the request came from a law enforcement agency, an authority sent an official notice summarizing the emergency, and how the information requested will assist in addressing the emergency.

Cost reimbursement

We reserve the right to seek reimbursement for administrative costs associated with responding to requests for information, as allowed by law.

Data preservation

We will take steps to preserve account records for up to 90 days upon formal request from U.S. law enforcement in connection with official criminal investigations, and pending the issuance of a court order or other process.

Submitting requests

Please serve requests to:

GitHub, Inc.
c/o Corporation Service Company
2710 Gateway Oaks Drive, Suite 150N
Sacramento, CA 95833-3505

You may also send a courtesy copy to

Please make your requests as specific and narrow as possible, including the following information:

  • Full information about authority issuing the request for information
  • The name and badge/ID of the responsible agent
  • An official email address and contact phone number
  • The user, organization, repository name(s) of interest
  • The URLs of any pages, gists or files of interest
  • The description of the types of records you need

Please allow at least two weeks for us to be able to look into your request.

Requests from foreign law enforcement

As a United States company based in California, GitHub is not required to provide data to foreign governments in response to legal process issued by foreign authorities. Foreign law enforcement officials wishing to request information from GitHub should contact the United States Department of Justice Criminal Division's Office of International Affairs. GitHub will promptly respond to requests that are issued via U.S. court by way of a mutual legal assistance treaty (“MLAT”) or letter rogatory.


Do you have other questions, comments or suggestions? Please contact GitHub Support or GitHub Premium Support.

Ask a human

Can't find what you're looking for?

Contact us