@@ -16,7 +16,7 @@ While this Privacy Policy is intended to describe the broadest range of our data
For personal data collected under this Privacy Policy, the controller will be the GitLab entity that employs you or is a party to your employment contract or contract for services. You can find a list of the GitLab entities (collectively, "GitLab") that act as a controller for your personal data [here](https://about.gitlab.com/company/visiting/).
If you are employed by a Professional Employment Organization ("PEO(s)"), your personal data may be processed according to both this Privacy Policy and any separate privacy policies published by your PEO as your Employer of Record.
If you are employed by a Professional Employment Organization ("PEO(s)"), your personal data may be processed according to both this Privacy Policy and any separate privacy policies published by your PEO as your Employer of Record or Agency of Record.
GitLab entities may act as controllers or processors on behalf of other GitLab entities and/or controllers. Furthermore, GitLab Inc., its affiliate entities and its subsidiaries participate in group-wide Information Technology ("IT") systems in order to harmonize GitLab's IT infrastructure and its use. These systems may hold personal data on all Team Members. Insofar that these systems serve to improve and harmonize the People Group processes within the company, GitLab Inc. in the U.S. is responsible for these systems.
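Review bot: The added phrase "Agency of Record" in the PEO sentence does not match the term used in the Storage of Personal Data section, which says "agent of record or employer of record". Pick one form and use it in both places, with consistent capitalization, so a reader does not take them for two different roles.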
@@ -66,7 +66,7 @@ Examples of sensitive personal data include:
GitLab, either directly or through our service providers, will collect and maintain the following categories of personal data about you in accordance with applicable law:
-**Contact information**, such as name, email, phone number, physical address, emergency contact information, and social media handles.
-**Personal identifiers**, such as photograph, gender, date of birth, residency, gender, gender identity, employee number, passport information, driver's license, veteran status, and identification cards.
-**Personal identifiers**, such as photograph, gender, date of birth, residency, gender, gender identity, employee number, passport information, visa information, driver's license, veteran status, and identification cards.
- In addition, we may collect (*where allowed by local law*) **Personal Identifiers** that are considered sensitive personal data, such as race, ethnicity, sexual orientation, and disability status.
-**Household data**, such as emergency contact information, marital status, family member and dependent names, and family member and dependent contact information.
-**Systems administration data**, such as usernames, passwords, login and authentication records, device location, network activity data, IP address, application usage data, browser and operating systems data, browsing history (*where allowed by local law*), download history, and related metadata.
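Review bot: "gender" appears twice in the Personal identifiers item ("photograph, gender, date of birth, residency, gender, gender identity"), and the edited line carries the duplicate forward. Since the line is already being touched to add "visa information", drop the second "gender" in the same change.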
@@ -143,7 +143,7 @@ Where applicable, we will process your personal data subject to local laws and a
| Social media content and external communications | • Contact information<br>• Personal identifiers<br>• Employment qualifications | • Legitimate interests<br>• Consent |
| Artificial intelligence adoption and efficiency reports | • Systems administration data | • Legitimate interests |
Where consent is the legal basis for the processing of your personal data, such as the direct collection of sensitive personal data, you may withdraw your consent at any time by contacting GitLab's People Operations Team at [people-operations@gitlab.com](mailto:people-operations@gitlab.com) and the Privacy Team at [dpo@gitlab.com](mailto:dpo@gitlab.com). Further, any reporting based on sensitive personal data elements, such as diversity or disability metrics, will only contain anonymized or aggregated data.
Where consent is the legal basis for the processing of your personal data, such as the direct collection of sensitive personal data, you may withdraw your consent at any time by contacting GitLab's People Operations Team at [people_operations@gitlab.com](mailto:people_operations@gitlab.com) and the Privacy Team at [dpo@gitlab.com](mailto:dpo@gitlab.com). Further, any reporting based on sensitive personal data elements, such as diversity or disability metrics, will only contain anonymized or aggregated data.
Where you have withdrawn your consent but GitLab retains your sensitive personal data, we will only continue to process that sensitive personal data when we have another appropriate legal basis, such as processing necessary to comply with legal obligations related to your employment.
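Review bot: The contact address in the consent-withdrawal sentence changes from people-operations@gitlab.com to people_operations@gitlab.com, and nothing in the visible lines says whether the hyphenated address keeps receiving mail. Please confirm that the old address forwards or auto-replies for a transition period, since a withdrawal request sent to a retired mailbox would go unanswered.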
@@ -209,13 +209,13 @@ The following table provides detailed information about the categories of recipi
The California Privacy Rights Act broadly defines the sale of personal data to include disclosing Team Member personal data to a third-party business without entering into a service provider agreement with that business. If this occurs, the right to opt-out of a data sale must be provided to the Team Member.
GitLab does transmit specific Team Member personal details and compensation data to certain vendors in order to receive information back regarding industry benchmarking of both compensation and workforce metrics. These vendors include Radford, Comptryx, Compass, and other possible benchmarking surveys vendors, each of which retain this data for their own purposes, including to keep their benchmarking data up to date. While this data is often shared in an aggregated format, it may be deemed a data sale under California law. If you are in California and you do not want us to share your compensation data with these benchmarking vendors, please email both the People Operations team at [people-operations@gitlab.com](mailto:people-operations@gitlab.com) and the Total Rewards team at [total-rewards@gitlab.com](mailto:total-rewards@gitlab.com). You may also contact the Privacy Team at [dpo@gitlab.com](mailto:dpo@gitlab.com) to learn more about your right to opt-out of this data sharing.
GitLab does transmit specific Team Member personal details and compensation data to certain vendors in order to receive information back regarding industry benchmarking of both compensation and workforce metrics. These vendors include Radford, Comptryx, Compass, and other possible benchmarking surveys vendors, each of which retain this data for their own purposes, including to keep their benchmarking data up to date. While this data is often shared in an aggregated format, it may be deemed a data sale under California law. If you are in California and you do not want us to share your compensation data with these benchmarking vendors, please email both the People Operations team at [people_operations@gitlab.com](mailto:people_operations@gitlab.com) and the Total Rewards team at [total-rewards@gitlab.com](mailto:total-rewards@gitlab.com). You may also contact the Privacy Team at [dpo@gitlab.com](mailto:dpo@gitlab.com) to learn more about your right to opt-out of this data sharing.
### Storage of Personal Data
GitLab stores Team Member records in the following locations: [Workday](https://theloop.gitlab.com/site/4455aa7f-24d9-41f2-b940-467b54962e4d/page/0fa19bf4-fd6a-41b9-9316-c2dcf3add854), [Greenhouse](/handbook/hiring/), with our [payroll providers](https://internal.gitlab.com/handbook/finance/payroll/)(HR Savvy, SD Worx, iiPay, ADP, CloudPay, and Papaya Global), and [other systems as necessary](https://internal.gitlab.com/handbook/people-group/people-operations/people-operations/tools_and_systems/#company-wide-systems)(Google Workspace, Docusign, etc.). Team Members have self service access to Workday, their appropriate payroll provider, and other Team Member facing software provisioned through Okta. GitLab also contracts with [First Advantage](/handbook/hiring/talent-acquisition-framework/coordinator/#initiating-a-background-screening-through-sterling-talent-solutions) and [LawLogix](https://internal.gitlab.com/handbook/people-group/people-operations/people-operations/tools_and_systems/?search=sterling+talent#onboarding-systems) to conduct and store information related to pre-employment screenings, such as background checks and employment eligibility verification. Where available, documents and information stored with those companies may be shared with you.
Lastly, where GitLab utilizes PEOs, such as GX, Global Upside, Remote, CXC, and Papaya Global, to hire a Team Member, the applicable PEO, as the agent of record or employer of record (as applicable), will retain the personnel files of its respective hires. Access to personal data is only authorized when there is a legitimate and lawful basis, and access is only granted to appropriate personnel. Requests for confidential Team Member data from anyone outside our company under any circumstances must be approved in accordance with applicable local laws.
Lastly, where GitLab utilizes PEOs, such as GX, Remote, and CXC, to hire a Team Member, the applicable PEO, as the agent of record or employer of record (as applicable), will retain the personnel files of its respective hires. Access to personal data is only authorized when there is a legitimate and lawful basis, and access is only granted to appropriate personnel. Requests for confidential Team Member data from anyone outside our company under any circumstances must be approved in accordance with applicable local laws.
### Retention of Collected Personal Data
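Review bot: The PEO list in the last paragraph of this hunk drops Global Upside and Papaya Global, yet the same sentence says the PEO "will retain the personnel files of its respective hires", which leaves Team Members hired through those two without a statement of who holds their files. Consider adding a sentence that covers former PEOs, and confirm that Papaya Global is meant to remain in the payroll providers list in the paragraph above.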
@@ -233,7 +233,7 @@ We are committed to protecting the security of the personal data collected, and
### Access to Personal Data We Collect
To the extent access is allowed by applicable law, you can request access to the personal data that we hold about you. There are two separate processes to obtain access to your personal data. If you are an active GitLab Team Member you can access your personnel documents via self-service in Workday (and the various payroll systems as applicable). For additional assistance on obtaining your personnel file GitLab team members should reach out through [HelpLab](https://helplab.gitlab.systems/esc?id=emp_taxonomy_topic&topic_id=57e1ad3997804e50a326158de053af3d). Former team members can email people-operations@gitlab.com to request their personnel file. You can review the types of personal data contained in a Personnel File [here](/handbook/legal/record-retention-policy/#team-member-personnel-file-retention-policy). If you want to review personal data beyond what is included in a Personnel File, please submit a Data Access Request [form](https://forms.gle/8LVd1jseHoxCD47o9).
To the extent access is allowed by applicable law, you can request access to the personal data that we hold about you. There are two separate processes to obtain access to your personal data. If you are an active GitLab Team Member you can access your personnel documents via self-service in Workday (and the various payroll systems as applicable). For additional assistance on obtaining your personnel file GitLab team members should reach out through [HelpLab](https://helplab.gitlab.systems/esc?id=emp_taxonomy_topic&topic_id=57e1ad3997804e50a326158de053af3d). Former team members can email people_operations@gitlab.com to request their personnel file. You can review the types of personal data contained in a Personnel File [here](/handbook/legal/record-retention-policy/#team-member-personnel-file-retention-policy). If you want to review personal data beyond what is included in a Personnel File, please submit a Data Access Request [form](https://forms.gle/8LVd1jseHoxCD47o9).
When requesting access to your personal data, please note that we may request specific information from you to enable us to confirm your identity and right to access, as well as to search for and provide you with the personal data that we hold about you.
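Review bot: In the sentence for former team members, people_operations@gitlab.com is plain text, while every other occurrence of the new address in this change is a mailto link. Write it as [people_operations@gitlab.com](mailto:people_operations@gitlab.com) so all the contact points render the same way.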
@@ -266,7 +266,7 @@ To the extent required by applicable law, and where personal data is subjected t
### Right to Withdraw Consent
Where we are relying upon your consent to process data, you have the right to withdraw such consent at any time. Many of our systems offer self-service capabilities where you can remove optional data fields, thereby withdrawing consent. You can also request our assistance in your withdrawal by contacting GitLab's People Operations Team at [people-operations@gitlab.com](mailto:people-operations@gitlab.com) or the Privacy Team at [dpo@gitlab.com](mailto:dpo@gitlab.com).
Where we are relying upon your consent to process data, you have the right to withdraw such consent at any time. Many of our systems offer self-service capabilities where you can remove optional data fields, thereby withdrawing consent. You can also request our assistance in your withdrawal by contacting GitLab's People Operations Team at [people_operations@gitlab.com](mailto:people_operations@gitlab.com) or the Privacy Team at [dpo@gitlab.com](mailto:dpo@gitlab.com).
Please note that in limited circumstances, the withdrawal of your consent may result in our inability to provide you a certain service. For example, if you withdraw your consent to process secondary emergency contact information, we may not be able to contact your next-of-kin in an emergency, unless we have a legal obligation that supersedes your withdrawal of consent. In this event, we will inform you if withdrawal would affect any services or benefits.
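Review bot: The Right to Withdraw Consent paragraph tells the reader to contact People Operations "or the Privacy Team", while the consent paragraph under the legal-basis table says People Operations "and the Privacy Team" for the same withdrawal. Align the two so it is clear whether a message to one team is enough.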
@@ -274,7 +274,7 @@ Withdrawal of consent does not affect the lawfulness of processing before the wi
### Right to Object to Processing Justified on Legitimate Interest Grounds
Where we are relying upon legitimate interest to process your personal data, you have the right to object to such processing, and we must stop such processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms. Normally, and where we rely upon legitimate interest as a basis for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis. To object, please contact GitLab's People Operations Team at [people-operations@gitlab.com](mailto:people-operations@gitlab.com) or the Privacy Team at [dpo@gitlab.com](mailto:dpo@gitlab.com).
Where we are relying upon legitimate interest to process your personal data, you have the right to object to such processing, and we must stop such processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms. Normally, and where we rely upon legitimate interest as a basis for processing, we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis. To object, please contact GitLab's People Operations Team at [people_operations@gitlab.com](mailto:people_operations@gitlab.com) or the Privacy Team at [dpo@gitlab.com](mailto:dpo@gitlab.com).
### Right to Not be Subject to Automated Decision-Making
@@ -299,7 +299,7 @@ Despite GitLab being public by default, Team Members can opt-out of most public
### Other Inquiries or Concerns
If you have any questions or concerns regarding the handling of your personal data, please contact GitLab's People Operations Team at [people-operations@gitlab.com](mailto:people-operations@gitlab.com) or the GitLab Privacy Team at [dpo@gitlab.com](mailto:dpo@gitlab.com). Alternatively, you may report concerns or complaints to the Legal and Corporate Affairs Team.
If you have any questions or concerns regarding the handling of your personal data, please contact GitLab's People Operations Team at [people_operations@gitlab.com](mailto:people_operations@gitlab.com) or the GitLab Privacy Team at [dpo@gitlab.com](mailto:dpo@gitlab.com). Alternatively, you may report concerns or complaints to the Legal and Corporate Affairs Team.
You may also anonymously report violations of policy or law using our third-party managed Compliance & Fraud Prevention Hotline. You can access the Hotline by going to [Questions, Reporting, and Effect of Violations section of the Code Business Conduct and Ethics](https://about.gitlab.com/handbook/legal/gitlab-code-of-business-conduct-and-ethics/).
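Review bot: In the Hotline sentence that trails this hunk, the link text reads "Code Business Conduct and Ethics" while the URL slug is gitlab-code-of-business-conduct-and-ethics, so the "of" is missing from the title. It is outside the changed line, but worth fixing in the same pass since the section is being edited.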