Risk Score
0 = very fair · 100 = very risky
Summary
This is GitHub's Terms of Service governing use of the GitHub platform, including repositories, AI features (like Copilot), and related services. Overall, the document is more transparent and user-friendly than most comparable platforms, with plain-English summaries alongside legal text. Users retain ownership of their content but grant GitHub and its Microsoft-affiliated entities broad licenses to use that content, including for AI/ML training, with an opt-out available for individual accounts. The terms are fairly standard for a major SaaS developer platform, though the AI training data license and the Access Reciprocity clause (D.9) are notably aggressive provisions worth careful attention.
Flagged Clauses
GitHub and Microsoft (explicitly named as an Affiliate) can use everything you post publicly — including your code — to train AI models. This is a very broad license that extends to GitHub's parent company and its affiliates. The document explicitly states this 'does not constitute a sale or other restricted transfer,' but the practical effect is that your public code can fuel commercial AI products.
“You grant GitHub and our Affiliates the right to store, host, archive, parse, display, and make copies of Your Content as necessary to provide, develop, and improve the Service, including by training AI Features, and for the purpose of training, developing, and improving artificial intelligence and machine learning models and technologies of our Affiliates.”
If you use AI features like Copilot, your prompts and the AI's responses can be used by GitHub and Microsoft to train AI models unless you actively opt out in settings. The good news: they say they won't sell this data to external AI companies for their own training. But the opt-out is on you — the default is data collection.
“Unless you opt out, GitHub's Affiliates may use your Inputs and Outputs under this license in accordance with their applicable privacy and contractual obligations. This license does not, however, permit GitHub or its Affiliates to share your Inputs or Outputs with third-party AI model providers for their own independent model training purposes.”
If you use AI features (like Copilot) while working in a private repository, the code and context you provide as input can be used for AI training — even for private repos. You can opt out, but you need to do so proactively. Private repos not used as AI input are explicitly excluded from this provision.
“If you provide your private repository content as Input to AI Features, we may use that Input to provide, develop, train, and improve the Service, including AI Features. Your ability to opt out under Section J.3 applies to this use of private repository content.”
This is an unusual reciprocity clause: if you scrape GitHub's public data to train an AI, you are agreeing to let GitHub scrape your own public-facing products and websites for AI training in return. This waiver is automatic — by scraping GitHub, you're granting this right. This only applies to large commercial platforms (exempts those with under 700M monthly active users or academic researchers).
“By using automated means to access, collect, or otherwise use any publicly accessible Content from the Service for the purpose of developing or training any commercially available artificial intelligence model... you hereby waive any and all policies, terms, conditions, or contractual provisions governing products, services, websites or datasets you own or operate that would otherwise prohibit, restrict, or place conditions upon GitHub's Access to any publicly accessible data...”
You technically keep 'moral rights' (rights of attribution and integrity recognized in many countries), but you agree not to enforce them against GitHub or Microsoft. This means GitHub can modify, adapt, or use your content without crediting you.
“You retain all moral rights to Your Content... However, you waive these rights and agree not to assert them against us or our Affiliates, to enable GitHub and our Affiliates to reasonably exercise the rights granted in Section D.4.”
GitHub commits to 30 days' notice before materially changing the terms. This is better than many services that reserve the right to change terms immediately or with minimal notice. However, continued use of the service after that period constitutes acceptance.
“We may modify this agreement, but we will give you 30 days' notice of material changes.”
GitHub can terminate accounts for copyright infringement or age violations. The terms don't include extensive detail about what happens to your data and repositories upon termination in the main body — users should review the cancellation section and privacy statement for data retention details after account closure.
“We will terminate the Accounts of repeat infringers of this policy. ...If we learn of any User under the age of 13, we will terminate that User's Account immediately.”
GitHub explicitly states users can cancel and close their account at any time. This is a user-friendly provision.
“You may cancel this agreement and close your Account at any time.”
GitHub broadly disclaims liability for damages you might suffer from using or being unable to use the service. This is standard for large platforms but means recourse for service outages or data loss may be very limited.
“We will not be liable for damages or losses arising from your use or inability to use the service or otherwise arising under this agreement.”
GitHub makes no warranties about service availability, accuracy, or fitness for any particular purpose. If the service goes down or malfunctions, GitHub has disclaimed responsibility. This is common for SaaS but worth noting for users who depend on the platform professionally.
“We provide our service as is, and we make no promises or guarantees about this service.”
The indemnification section places full responsibility for your use of the service on you. This means if a third party sues GitHub because of something you did on the platform, you may be required to cover GitHub's legal costs and damages.
“You are fully responsible for your use of the service.”
GitHub explicitly acknowledges that you own the content you create and post. This is a user-protective provision. The licenses you grant are for GitHub to operate the service, not a transfer of ownership.
“You own Your Content. If you post Content you did not create, you are responsible for ensuring you have the right to post it and for complying with any applicable licenses.”
GitHub explicitly states it does not claim ownership of what you put into AI features or what the AI generates for you. This is a relatively user-friendly stance compared to some AI service providers.
“GitHub does not claim ownership of your Input or Output.”
GitHub commits to accurate billing. Users are responsible for keeping payment information current. Detailed subscription and auto-renewal terms would be in the linked Additional Product Terms.
“You are responsible for payment. We are responsible for billing you accurately.”
Missing Protections
- No explicit arbitration clause or class action waiver is present in this document — that is actually a user-protective absence compared to many comparable platforms
- No explicit data retention/deletion timeline specified for what happens to user data after account termination
- No explicit SLA (Service Level Agreement) or uptime guarantees
- No explicit process described for users to request deletion of their data used in AI training prior to opt-out
- No specific detail on what 'material changes' threshold triggers the 30-day notice requirement vs. minor changes made without notice
- No explicit portability rights — the document does not describe a mechanism to export all your data/repositories before account closure (though GitHub does offer this in practice)
- GDPR-specific rights (right of access, erasure, portability for EU users) are referenced by link to Privacy Statement but not addressed in the ToS itself
- No explicit description of dispute resolution process beyond general law references
Fair Terms
- GitHub explicitly acknowledges that users own their content (Section D.3), which is clearer and more protective than many platforms
- 30-day advance notice required for material changes to terms (Section R) — stronger than most platforms
- No mandatory arbitration clause or class action waiver found in this document
- AI training opt-out is available for individual users at the account settings level (Section J.3)
- GitHub explicitly states it does not claim ownership of AI inputs or outputs (Section J.2)
- Private repositories are treated as confidential with specific enumerated exceptions for when GitHub can access them (Section E.2-E.3)
- The document prohibits GitHub from sharing user AI inputs/outputs with third-party AI model providers for their own independent training (Section J.3)
- The entire terms document is written with plain-English summaries alongside each section — unusually transparent presentation
- GitHub's own policy documents are licensed under Creative Commons Zero (Section G.3), allowing free reuse
- Account cancellation is explicitly permitted at any time (Section N)
Document information only — not legal advice.