Privacy Policy

Effective Date: October 17th, 2023

Below we provide you with an overview of what data we collect for what purpose and how we ensure the protection of the data in short and in a more detailed form.

The controller is Gitpod GmbH, Am Germaniahafen 1, 24143 Kiel/Germany, registered with the commercial register of the local court (Amtsgericht) Kiel under HRB 22228 ("we/us/our" or "Gitpod"). We offer services to our users and visitors (the "User/you/your") on our website https://gitpod.io ("Website") as well as related services including the use of our service according to our terms of service (jointly the "Service").

For any questions about data protection you may contact us via data@gitpod.io.

In Short

  • Controller

    Gitpod GmbH, am Germaniahafen 1, 24143 Kiel/Germany, registered with the commercial register of the local court (Amtsgericht) Kiel under HRB 22228, Email: contact@gitpod.io.

    We have appointed a data protection officer who may be contacted via data@gitpod.io

  • Purpose and Legal Basis of Processing Data; Provision and Recipients of Data

    Your data will be used for the following purposes:

    • to provide the functioning Website,
    • to implement this privacy policy and carrying out the contractual relationship and our Service,
    • to analyze how our Service is used and improve it,
    • to detect and prevent fraudulent or abusive use,
    • to provide and analyze our pages on Social Media,
    • to send you important updates about our service,
    • to send you marketing content, including newsletters,
    • to act according to our legal obligations, or
    • as otherwise explained in this privacy policy or by any communication by us.

    Your data is typically processed by us on the basis of our legitimate interests (specified in more detail further below), and on the basis of our contract with you under our terms of service. In some cases your data may be processed by us with your explicit consent, particularly where you opt-in to receiving our newsletter or other marketing.

    The data we process is limited, proportionate and necessary for the purposes listed above. If you do not wish to provide such data, this may limit your use of the Service (you will be informed of this at the relevant stage).

  • Transfer of Data outside of the EU

    In course of data processing by us data may be transferred to third countries, i.e. countries outside the EU. This may happen via implementation of third party providers such as cloud services and external service partners which process data on our behalf. Where this occurs we have proper safeguards in place to ensure the data is secured (at an equivalent level to as if it had never left the EU)

  • Your Rights

    You have the right to withdraw your consent relating to the use of data any time with effect for the future when such data processing is based in your consent.

    You are entitled to access the data stored by us and are also entitled to amend or rectify your data if such data are incorrect.

    You have the right to object to the processing of your personal data, for example if your personal data are processed for direct marketing purposes.

    You are entitled to request the erasure of your data.

    You are entitled to receive information about the stored data (in a structured, current and machine-readable format) at any time and to request the correction or deletion of the data in case of incorrect data storage.

    You have also the right to lodge a complaint with a supervisory authority at your choice. An overview of the European National Data Protection Authorities may be found here: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080

  • Period for Storing Data; Deletion

    The data are deleted if such data are no longer necessary for the purpose of processing, unless required by law to be retained.

  • Data Security

    We have implemented measures to ensure data and IT security. The Website is operated through a safe SSL-connection. If an SSL-connection is activated third parties are prevented from reading any data that are transferred by you to us.

More Detailed Information

  1. What is Personal Data?
  2. Applicable Laws to our processing of Personal Data
  3. How is my Data processed when visiting the Website and contacting us?
  4. What Third Party Services, Cookies, Analytics and Social Plugins does the Website use?
  5. How is my data processed when using the Gitpod Service (with User Account)?
  6. How is Data processed when visiting our Social Media pages?
  7. Is my Data transferred to Third Parties? Does automated decision making including profiling take place?
  8. Is my Data transferred outside the EU?
  9. Your Rights
  10. Duration of Storing your Data; Data Security; Access and Changes to this Privacy Policy; Contact Details
  1. What is Personal Data?

    Personal data is any information relating to an identified or identifiable natural person. Personal data includes e.g. name, email address or telephone number. We will only collect, use and/or pass on personal data if this is permitted by law or if the User consents to the data processing.

  2. Applicable Laws to our processing of Personal Data

    of the European Parliament and Council of 27 April 2016, repealing the directive 95/46/EC, on the protection of individuals with regard to the processing of personal data, on the free movement of such data ("General Data Protection Regulation", GDPR) as well as in the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) and the German Telemedia Act (Telemediengesetz, TMG).

  3. How is my Data processed when visiting the Website and contacting us?

    Visiting the Website

    If you browse our Website the provider of the website collects and stores information automatically in so-called "server-log-files" that your browser transfers to us. These are: type/version of the browser, system software used, referrer URL, hostname of the device, time of the server request, IP-address or other unique device identifier.

    If you are using a mobile device the following data may also be processed additionally through the Website: country code, language, hostname of the device, name and version of the operational system.

    Furthermore, upon visiting our website we are storing an hashed version of your combined IP address and user agent to understand reoccurring visits and do trend analysis.

    The data points in the preceding paragraphs are also forwarded to a user data platform.

    We use these data only for statistical analysis for the purpose of operation, security and optimization of the performance and content on our Website. This data processing is necessary for Gitpod's legitimate interests (under Art. 6 (1) f. GDPR or TMG) – in particular for providing a secure and stable Website or Service, for improving our Website and for quality insurance.

    Contacting us

    When contacting us via email, the User’s details are stored for the purpose of processing the enquiry and, if applicable, follow-up questions based on your consent based on the legal basis of Art. 6 (1) a. GDPR or fulfilling your request based on Art. 6 (1) b. GDPR.

    Use of Front: The mail provider "Front" by Frontapp, Inc., 1455 Market St Fl 19, San Francisco, California, 94102, United States receives and processes on our behalf the data necessary to manage client inquiries and emails. For more information refer to https://front.com/privacy-policy.

    Emails and Newsletters

    With the newsletter we inform the user about the Website, our Service and us.

    When contacting us via email, the User’s details are stored for the purpose of processing the enquiry and, if applicable, follow-up questions based on your consent (under Art. 6 (1) a. GDPR) or fulfilling your request on a contractual basis (under Art. 6 (1) b. GDPR).

    We may also send you newsletters referring to similar services and products if you have an existing contractual relationship with us and you did not object to receiving such emails. The legal basis for such processing of data for sending and analysing such newsletters is our legitimate interests in raising awareness around our products and services to those who have already expressed an interest in similar products and services (Art. 6 (1) f. GDPR).

    Use of Customer.io: The mail provider "Customer.io" by Peaberry Software Inc., 921 SW Washington Street Suite 820 Portland, OR 97205, USA receives and processes on our behalf the data necessary for the emails and newsletters, in particular the email address. Customer.io provides Data Residency in the EU. For more information, refer to https://customer.io/legal/privacy-policy/.

    Newsletter subscription data will be stored by us until you unsubscribe from the newsletter and will be deleted after you unsubscribe from the newsletter (we may add your email address to a 'suppression list' to ensure no further contact is made following you unsubscribing). Data stored by us for other purposes (e.g. email address for the use of our Service) remain unaffected.

    You can withdraw your consent or object to the processing of data (email address) and their respective use for sending the newsletter and analyzing your data at any time. This can be done free of charge (except for the transmission costs) and via a link in the newsletter itself or notification to us.

  4. What Third Party Services, Cookies, Analytics and Social Plugins does the Website use?

    Cookies

    In order to offer you a convenient online service featuring numerous functions, our Website uses text files ("Cookies") containing information to identify returning visitors for the time of their visit to our Website. Cookies are usually saved on your device and facilitate the transfer of specific content, such as re-entering data, which has already been supplied, and to help us identify popular sections of our Website.

    The processing of data when using Cookies is typically based on our legitimate interests. We have an interest in conducting a statistical analysis of the User relationship for marketing and quality assurance purposes, and providing users with a stable and consistent Service.

    For further information on the cookies in use by the Website and the Service please see our separate Cookies Policy.

    Salesforce

    We use Salesforce, provided by Salesforce, Inc. as our Customer Relationship Management System, which is also integrated with the contact forms on this website. The information stored in this system includes contact data such as your name, email or phone number and associated organisation (where applicable). You can also find more information in Salesforce's privacy policy: https://www.salesforce.com/eu/company/privacy/full_privacy/

    Front

    We use the services by Frontapp, Inc. for managing client inquiries and emails. For details on Front please refer to the respective section above.

    Customer.io

    We use the services by Customer.io for sending newsletters and emails. For details on Customer.io please refer to the respective section above.

    Google Analytics

    We use Google Analytics a web analytics tool offered by Google (inter alia Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and Google LLC, Mountain View, CA, USA ("Google"). For analysis, text files will be stored on your device. The information stored in the corresponding files about the use of this website are generally transmitted and stored in Google server in the USA. As the IP anonymization is active on this Website, your IP address will be shortened by Google within the member states of the European Union (EU). This information will be used to evaluate your use of the services offered here and enable the operator of this website to analyze your website activity and provide other services associated with the website service. The IP address transmitted from your browser, as part of Google Analytics will not be merged with other data from Google.

    When the IP address is processed this is based on our legitimate interests of a statistical analysis of the relationship for marketing and quality assurance purposes according to Art. 6 (1) f. GDPR or TMG.

    We point out that an automated decision making or profiling can take place when integrating Google or an existing Google account.

    For Users who have their usual residence in the European Economic Area or Switzerland, Google Ireland Limited is the data controller for your data, unless otherwise stated in the privacy notices of a particular service. Google Ireland Limited is therefore the company affiliated with Google which is responsible for processing your data and complying with applicable data protection laws.

    You can also find more information in Google's privacy policy https://policies.google.com/privacy.

    OPT-OUT: You can deactivate the use of Google Analytics by enabling the "Do Not Track" setting in your web browser. You may follow the instructions in this guide.

    Google Fonts

    Our Website uses the "Google Fonts" service of Google (inter alia Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and Google LLC, Mountain View, CA, USA to integrate and display text on the website. For this purpose Google may process your data (including the IP address) on servers in the USA.

    When the IP address is processed this is based on our legitimate interests of technical functionality of the Website based on Art. 6 (1) f. GDPR or TMG.

    You can also find more information in Google's privacy policy: https://policies.google.com/privacy.

    Segment

    We use Segment, provided by Segment.io, Inc., on our Website and Product to capture marketing- and product-related user information in order to offer the best experience to our users. Segment operates in compliance with the GDPR.

    You can also find more information in Segment's privacy policy: https://segment.com/legal/privacy/.

    OPT-OUT: You can deactivate the capturing of user-specific Website data by enabling the "Do Not Track" setting in your web browser. You may follow the instructions in this guide.

    Mixpanel

    We use Mixpanel, provided by Mixpanel, Inc., as data sink for Segment for the analysis of user behaviour in order to offer the best experience to our users. Mixpanel operates in compliance with the GDPR.

    You can also find more information in Mixpanel's privacy policy: https://mixpanel.com/legal/privacy-policy/.

    OPT-OUT: You can deactivate that user-specific Website informnation is sent to Mixpanel by enabling the "Do Not Track" setting in your web browser. You may follow the instructions in this guide.

    Metabase

    We use Metabase, provided by Metabase, Inc., to explore and analyse usage data that may contain data captured by Segment from the Website and Product. Metabase operates in compliance with the GDPR.

    You can also find more information in Metabase's privacy policy: https://metabase.com/privacy/.

    Orbit Labs

    We use Orbit Labs, provided by Orbit Labs, Inc., to analyse engagement of our community on social Platforms such as GitHub, Twitter and Discord. Orbit Labs has no access to data of our Website Visitors. Orbit Labs acts as data controller in accordance with the GDPR (see Section Who is responsible for your personal information of the Privacy Policy).

    Youtube

    We use the YouTube.com platform to [post our own videos and] make them publicly available. YouTube is operated by Google (inter alia Youtube LLC, USA and Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland).

    Some of our Website contain links to the YouTube platform. In general, we are not responsible for the content of websites to which links are provided. In the event that you click a link on YouTube, we would like to point out that YouTube stores the data of its users (e.g. personal information, IP address) in accordance with its own privacy guidelines and uses them for business purposes.

    On our Website we also integrate videos stored on YouTube directly. In this integration, content from the YouTube website is displayed in sub-areas of a browser window. However, YouTube videos are only accessed by clicking on them separately. This technique is also called ‘framing’. If you click on a (sub-)page of our Website where YouTube videos are included, a connection is established to the YouTube servers and the content is displayed on the Website by notifying your browser.

    YouTube content is only integrated in the ‘extended data protection mode’. YouTube provides this by itself, thereby ensuring that YouTube does not initially store any cookies on your device. However, when you access the relevant pages, the IP address and the other data are processed by Youtube. However, this information cannot be assigned to you unless you log in your YouTube or another Google service (e.g. Gmail) account or are permanently registered before accessing the site.

    As soon as you click on an integrated video, YouTube only stores cookies on your device that do not contain any personally identifiable data, unless you are currently logged in to a Google service. These cookies can be prevented by appropriate browser settings and extensions (for more information, please see our Cookies Policy).

    For Users who have their usual residence in the European Economic Area or Switzerland, Google Ireland Limited is the data controller for your data, unless otherwise stated in the privacy notices of a particular service. Google Ireland Limited is therefore the company affiliated with Google which is responsible for processing your data and complying with applicable data protection laws.

    Further information about data processing and privacy practices of YouTube and Google can be found here:

  5. How is my Data processed when using the Gitpod Service (with User Account)?

    Registration and Access to Existing Account

    In order to fully use our full online Service, you will need to register. You may only register if you have an existing user account at the third party services set forth on the Website, for example the service offered on the website https://github.com operated by GitHub Inc., 88 Colin P Kelly Jr St, San Francisco, CA 94107, USA, ("Existing Account").

    When you sign up for using the Gitpod Service via your Existing Account, data at such Existing Account with be accessible by us with your explicit consent only. Such data include: user profile data (name, username and email address), list of repositories you have access to.

    You can manage these data at any time via using your Existing Account linked to the Gitpod Service.

    The data entered or transferred via the Existing Account as part of the registration process and any further data entered, will only be used via the Website and with our support to the extent that this processing is necessary for the fulfillment of a contract with us or for the implementation of pre-contractual measures, i.e. use of the Gitpod Service, as well as for the execution and processing of inquiries by you.

    The processing of data when using our Service is generally based on the legal basis of Art. 6 (1) b. GDPR or TMG, i.e. the data will be processed, when this is necessary for the fulfilment of the contract between you and us or for executing any measures that take place on your request prior to the contract. Note that, as set out above, this is all carried out with your authorisation and you can manage the data within your Existing Account at any time.

    Use of the Gitpod Service

    For the further use of the Gitpod Service on the Website you submit more data depending on the way of use of our services according to our terms of service.

    We use the information and data collected in the Service, including your personal data, in order to fulfill our contractual obligations for you/our customers based on the legal basis of Art. 6 (1) b. GDPR or TMG and as further set forth in this privacy policy or our terms of service. This also includes sending you emails and notifications necessary for the Service.

    In the event we process personal data controlled by the customer as data processor we will offer and enter into a respective separate data processing agreement with such customer whereas such data processing agreement may be requested via email to data@gitpod.io.

    We do not store or receive any kind of payment or credit card data but use external payment providers as set forth on the Website.

    We may also analyze your personal data when using the Gitpod Service for the purpose of improving our Service. We may also store your data to assure fair use of our Service. The legal basis for analyzing and storing such data is Art. 6 (1) f. GDPR with our legitimate interest of marketing and quality assurance.

    We also process your data if this is necessary to comply with our legal obligations (legal basis: Art. 6 (1) c. GDPR), for example legal retention periods, such as for tax and accounting purposes. .

    For the above mentioned purposes your data may also be shared with our shareholders or affiliated companies.

    Integration of Third Party Services

    When using the Gitpod Service your data may also be processed by third party providers as set forth in this privacy policy. For details please refer to III above as well as VI and VIII below.

    When registering for a Gitpod account, we use Twilio Verify, provided by Twilio, Inc. as our phone number and user account verification service to detect fraud and abuse, which is integrated with the SaaS version of our product. The information processed in this system includes your phone number. For more information, you can refer to Twilio’s privacy policy at https://www.twilio.com/legal/privacy

    When using our paid Service your data will be processed by external payment providers. Currently we use the payment services by Stripe (for EU/EEA: Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Irland; more information: https://stripe.com/de/privacy ; contact: https://stripe.com/contact) and Chargebee (by Chargebee Inc. 340 S Lemon Avenue, 1537 Walnut, CA 91789, USA; more information: https://www.chargebee.com/privacy/). When using such services your data may be processed outside the EU. For the US companies of Stripe and Chargebee we have taken steps to include essentially-equivalent EU data protection standards when personal data is transferred to their US offices.

    Our service may also include links to pages on Twitter, Medium, and Spectrum Chat. For details please refer to the respective section below.

  6. How is Data processed when visiting our Social Media pages?

    We operate pages on

    When you visit our Social Media pages, data is processed both by us and by the responsible social media provider.

    In some cases the respective provider of Social Media assumes the data protection obligations towards you as the user, such as information on data processing, and is the contact person for your rights. This results from the fact that such provider has direct access to the relevant information on the Social Media page and the processing of your data. However, you are also welcome to contact us if this should become necessary and we will then forward the request to the respective provider if necessary.

    When using the Social Media providers set forth above data may also be processed outside the EU. We take steps with our Social Media partners to ensure that, in any transfer of your data, they are contractually bound to ensure an essentially equivalent EU standard of data protection.By using Medium Services, you authorize Medium to transfer, store, and use your information in the United States and any other country where Medium operates. Where your data is disclosed to Medium’s processors, it is subject by contract to at least the same level of data protection as that set forth under https://medium.com/policy/medium-privacy-policy-f03bf92035c9.

    With our Social Media pages, we can communicate with you and provide you with interesting information. We may receive further data from you through your comments, shared images, messages and reactions, which are then processed to answer or communicate with you. If you use Social Media on several end devices, a cross-device analysis of the data can take place.

    Data processing takes place with your consent or for the purpose of answering your enquiry or on the basis of legitimate interests in improving the services, advertising and marketing activities and presentation to the outside world (Art. 6 (1) f GDPR).

    As Twitter user, you can at any time influence how your user behavior is recorded when you visit Twitter pages. To do this, you can manage the settings for advertising preferences in your Twitter account or under https://twitter.com/personalization or https://twitter.com/de/privacy#overlay-chapter2.10.1 or without an account under https://pscp.tv/account/settings. Twitter also provides opportunities to contact or exercise rights at https://help.twitter.com/forms/privacy.

    As Medium user, you can at any time influence how your user behavior is recorded when you visit Medium pages. To do this, you can manage the settings for advertising preferences in your Medium account or under https://medium.com/me/settings or https://medium.com/me/following/suggestions. Medium also provides opportunities to contact or exercise rights in their privacy policy under https://medium.com/policy/medium-privacy- policy-f03bf92035c9.

    As a user of Discord you can find more information on how to influence the processing of your data in their privacy policy https://discord.com/privacy or contact them via privacy@discord.com.

  7. Is my Data transferred to Third Parties? Does Profiling or automated decision making take place?

    Transfer of Data to Third Parties

    We will transfer your personal data to a third party only (i) within the scope of legal provisions, i.e. if we are obliged to transfer the data due to a government or court order, or, (ii) if applicable, legal provisions authorize the transfer, e.g. if the transfer is required to pursue our legitimate interests or to fulfil a contract, for example in case of mergers and acquisitions, (iii) or if you give your explicit consent.

    For more information please refer to this privacy policy or contact us via data@gitpod.io.

    Automated Decision Making including Profiling

    In general we do not process any personal data via automated decision making including profiling via the Website or Service. However, such profiling or automated decision making may happen by third party providers through the Website or Service. We will inform you about such fact if possible.

    Profiling means any automated processing of personal data consisting in the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the performance of work, economic situation, health, personal preferences, interests, reliability, behaviour, location or relocation of that natural person. Examples of such profiling include the analysis of data (e.g. based on statistical methods) with the aim of displaying personalized advertising to the user or giving shopping tips. The data subject shall not be subject to a decision based exclusively on automated processing, including profiling, which has legal effect against him or significantly affects him or her in a similar manner.

  8. Is my Data transferred outside the EU?

    When visiting the Website and using our Service data may be transferred to countries outside the EU by the third party services referred to in Section III.

    When using our Service your data may also be processed by our cloud service provider (namely: Google Cloud) on servers outside the EU.

    The US companies providing the services of Google, Customer.io, GitHub, Stripe, Segment.io, Mixpanel and Chargebee have each taken steps to comply with data protection standards applicable in the EU, as set out further within this privacy policy. For further information on securing your data when transferring it abroad please contact: data@gitpod.io.

    Your data may also be processed outside the EU when visiting our Social Media pages. For further information please refer to section VI.

  9. Your Rights

    As a data subject you have the right:

    • (where we are relying on your consent) to withdraw your consent to us at any time. As a result, we are no longer allowed to continue the processing of data based on this consent in the future;
    • to object to the processing of your personal data, if your personal data are processed on the basis of legitimate interests pursuant to Art. 6 (1) f. GDPR insofar as there are reasons for this arising from your particular situation;
    • to obtain from us access to your personal data;
    • to obtain from us without undue delay the rectification of inaccurate personal data concerning you;
    • to obtain the erasure of your personal data stored with us, unless the processing is necessary to exercise the right to free expression of opinion and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
    • to request the restriction of the processing of your personal data, if e.g. the accuracy of the data is disputed by you, the processing is unlawful, but you refuse its deletion and we no longer need the data, but you need it to assert, exercise or defend legal claims or you have filed an objection against the processing; and
    • to receive your personal data, which you have provided to us, in a structured, current and machine-readable format or to request the transmission to another controller.

    If you wish to make use of your rights mentioned above please send an email to data@gitpod.io.

    If you obtain access to your personal data you may, in particular, request access to the following information: the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipients to whom the personal data have been or will be disclosed.

    You have the right to lodge a complaint vis-à-vis a supervisory authority of your choice. For example for Berlin/Germany: https://www.datenschutz-berlin.de/kontakt.html. An overview of the European National Data Protection Authorities may be found here: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080

  10. Duration of Storing your Data; Data Security; Access and Changes to this Privacy Policy; Contact Details

    Duration of Storing your Data

    As a rule, we only store your personal data for as long as it is necessary for the execution of the contract or the respective purpose and limit the storage period to an absolutely necessary minimum. Your IP-address and server-log-files are stored for seven (7) days for security and technical reasons while an hashed version of your combined IP address and user agent is retained for one (1) year (as set forth above).

    In the case of long-term contractual relationships, such as the use of our Service, these storage periods may vary, but are generally limited to the duration of the contractual relationship or, with regard to the inventory data, to the maximum legal retention periods, e.g. in accordance with the German Commercial Code (Handelsgesetzbuch, HGB) and the Tax Code (Abgabenordnung, AO)

    Criteria for the storage period include whether the data are still up-to-date, whether the contractual relationship with us still exists, whether an inquiry has already been processed, whether a process has been completed or not, and whether legal retention periods for the personal data concerned are relevant or not.

    Data Security

    We have installed technical and organizational measures in order to safeguard our Website and/or Service against loss, destruction, access, changes or the distribution of your data by unauthorized persons.

    The Website and Service is operated through a safe SSL-connection. If an SSL-connection is activated third parties are prevented from reading any data that are transferred by you to us.

    We store Personal Information in encrypted format, leveraging state-of-the-art encryption algorithms. Gitpod is hosted inside Google’s secure and compliant data centres, for more information on Google’s Security & Compliance Standard, please visit https://cloud.google.com/security/compliance.

    We also maintain an Information Security & Privacy program with established policies and procedures that govern the confidentiality, integrity and availability of data.

    Access and Changes to this Privacy Policy

    This privacy policy is accessible via our Website under https://gitpod.io/privacy and may be downloaded and printed anytime.

    We reserve the right to change the regulations of this privacy policy at any time, taking into account currently applicable data protection provisions. In case of any changes, you will be notified inside our product.

    Contact Details

    For any inquiries and additional questions about processing personal data please contact data@gitpod.io.

    Further details may be found here: https://gitpod.io/imprint.