U.S. State Privacy Rights and Disclosures
Last updated: June 25, 2023
This page supplements our Privacy Statement and provides additional information for residents in certain US States which have specific privacy laws, including the rights available to those residents. This page includes our NOTICE AT COLLECTION under California law.
California
Effective 1 January 2023
This Notice at Collection is provided under California law which requires us to provide California residents with additional information on how GitLab collects, uses, retains, and discloses Personal Information. California residents’ additional rights are also summarized.
Personal Information We Collect
In the preceding twelve months, GitLab or our service providers may have collected the following categories of Personal Information for business or commercial purposes:
- Identifiers/Contact Information (such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, user name, or other similar identifiers);
- Personal Information, as defined in the California customer records law section 1798.80 (such as name, contact information, employment history, credit card number, debit card number or any other financial information);
- Commercial Information (such as records of products or services purchased, obtained, or considered);
- Internet or other electronic network activity information (such as data analytics and browsing history);
- Geolocation Data (such as device location);
- Audio, electronic, visual or similar information (such as call or video recordings);
- Professional or employment-related information);
- Inferred information (such as preferences, characteristics, and predispositions); and
- Sensitive Personal Information, which may include:
- Government identification, such as state identification information;
- Log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; and
- The contents of your email and other electronic communications unless we are the intended recipient of the communication.
Sources of Personal Information We Collect
We collect Personal Information from the following categories of sources, which are described in more detail in our Privacy Statement:
- Information you provide directly;
- Information we collect automatically through your acces to and use of our websites and services;
- Vendors and Partners;
- Third Party Sign-in services; and
- Other users of our services.
Business or Commercial Purposes for Collection of Personal Information
We use the Personal Information we collect for the following Business or Commercial purposes, which are further described in our Privacy Statement or otherwise disclosed to you:
| Purpose of Use | Categories of Personal Information |
|---|---|
| Auditing interactions with consumers. To understand how our services are used and to improve services, provide trainings and educational opportunities, to enforce legal terms that govern our services | {::nomarkdown}
|
| Detecting security incidents and debugging. To maintain the security of our services, detect and prevent fraud and abuse. | {::nomarkdown}
|
| Contextual customization of ads. To understand you and your preferences in order to display advertising to you and to send you marketing content, offers, and promotions. | {::nomarkdown}
|
| Internal Research. To improve and develop new services or features, diagnose issues, analyze use and measure effectiveness of our services to improve them in order to obtain and retain customers, and conduct research. | {::nomarkdown}
|
| Maintaining Quality and Safety. To understand how our services are used and improve the services, to provide a forum to discuss services, to protect the rights, safety and property of GitLab, you or any third-party | {::nomarkdown}
|
| Providing Customer Service, Maintaining/Servicing Customer Accounts, Verifying Customer Information. To create, identify and authenticate your access to the services, provide customer support and respond to your questions or feedback. | {::nomarkdown}
|
| Communication with Customers. To send you information, including confirmations, technical notices and releases, security alerts, schedule maintenance, and to support administrative messages such as password reset requests. | {::nomarkdown}
|
| Processing Payments. To perform business operations such as billing, renewals, and payment processing. | {::nomarkdown}
|
Categories of Personal Information Disclosed for a Business Purpose
We disclosed the following categories of Personal Information for a business purpose in the preceding 12-months: identifiers/contact information; Personal Information, as defined in the California customer records law section 1798.80; commercial information; internet or other electronic network activity information; geolocation data (such as device location); audio, electronic, visual or similar information (such as call or video recordings); professional or employment-related information; and inferred information (such as preferences, characteristics, and predispositions). We disclosed each category with our affiliated companies; order processing, and fulfillment vendors; payment processors and financial institutions; analytics and research vendors; information technology vendors; fraud prevention and security vendors; vendors supporting legal, compliance, accounting, audits and other internal functions; certain marketing and advertising vendors; and other third-parties as descibed in the “With Whom does GitLab Share my Personal data?” section of our Privacy Statement.
Categories of Personal Information Sold or Shared
Under California law, the transmission of cookie identifiers and browsing behaviors to third-parties for interest-based advertising or cross-context behavioral advertising may be considered a sale of Personal Information. Subject to certain uses of the Services, we may share such Personal Information with third-parties, which may be considered a sale. We do not sell or share Sensitive Personal Information, nor do we sell or share any Personal Information about individuals who we know are under the age of 16. In the preceding 12-months, GitLab may have sold or shared the following categories of Personal Information to the following categories of third-party recipients for the purposes listed below.
| Categories of Personal Information Sold or Shared | Categories of Third-Party Recipients | Purpose of Disclosure |
|---|---|---|
| Identifiers/Contact information Internet or other electronic network activity information Geolocation data Inferred information |
Data Analytics Providers, Advertising Networks, Social Networks | Interest based advertising, data enrichment |
Retention and Deletion
Please review the Data Retention section of our Privacy Statement for more information about how long GitLab retains Personal Information.
California Privacy Rights
You are entitled to certain rights as a California resident, which include:
- Right to Know, in addition to what we have provided in this US State Privacy Rights and Disclosures Statement, what Personal Information we have collected from you in the preceding 12 months, including access to specific categories and pieces of Personal Information about you that we collect, use, disclose, sell, and share;
- Right to delete your Personal Information;
- Right correct your Personal Information;
- Right to non-discrimination of service or price if you exercise your privacy rights, and GitLab will not deny providing you with the Services or charge you different prices if you exercise your rights;
- You have the right to know whether your Personal Information is sold or shared and to opt-out of the sale of your Personal Information. You may opt-out of interest-based advertising based on your browser by exercising the Do Not Sell or Share My Personal Information link in the footer or header of our sites. You may exercise all other California rights as described in the Rights and Choices section of the GitLab Privacy Statement; and
- You have the right to receive notice of our privacy practices at or before the point where your Personal Information is collected. This US State Privacy Rights and Disclosures as well as our Privacy Statement serve as our Notice of Collection.
You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under California law. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized them to act on your behalf, and we may need you to verify your identity directly with us. To provide or delete specific pieces of Personal Information we will need to verify your identity to the degree of certainty required by law. We will verify your request by using one of the methods set forth here.
Virginia
Effective 1 January 2023
This notice is provided under the Virginia Consumer Data Protection Act (“VCDPA”) and explains the privacy rights of Virginia residents. It also provides certain mandated disclosures about our treatment of Virginia residents’ Personal Data.
Categories of Personal Data processed
We collect the Personal Data detailed in the “What Personal Data does GitLab collect about me?” section of our Privacy Statement.
Purpose for processing Personal Data
The purposes for processing your Personal Data are found in the “How Does GitLab use my Personal Data?” section of our Privacy Statement.
Disclosure of Personal Data
We may share each of the categories of Personal Data listed in our Privacy Statement with those third-parties detailed in the section titled “With Whom does GitLab share my Personal Data?”
Virginia Resident Rights
- Right to know whether GitLab processes your Personal Data and to access it;
- Right to correct inaccuracies in Personal Data;
- Right to delete Personal Data;
- Right of data portability;
- Right to opt out from targeted advertising; and
- Right to opt out from the sale of Personal Data.
How to Exercise Virginia Privacy Rights
To make an access, correction, deletion or portability request, use the Personal Data Request Form. You may designate in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under VCDPA. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized them to act on your behalf, and we may need you to verify your identity directly with us. To provide or delete specific pieces of Personal Data we will need to verify your identity to the degree of certainty required by law. We will verify your request by using one of the methods set for here. We do not sell your Personal Data, as the term “sale” is defined under the VCDPA.
Personal Data processed for Targeted Advertising
We process and disclose the following categories of Personal Data for targeted advertising: device information and identifiers, website usage data, and other online activity data provided through cookies and similar tracking technologies. We share each category with advertising agencies, data anlytics providers, and social networks.
How to Opt-Out from Targeted Advertising
To opt out from targeted advertising, click on the Cookie Preferences link in the footer or header of each of our website pages. An opt-out request will be specific to the device and browser you are using. Therefore you will need to opt-out from each browser that you use to access GitLab websites and services.
743ede6a)
