Last Updated: November 9, 2023
While providing our Services, we may collect information about our customers’ Users on behalf of our customers. Our use of information on behalf of our customers is governed by our agreement with the applicable customer and the customer’s own privacy policies. We cannot control and are not responsible for the privacy policies or privacy practices of our customers or any other third parties.
Information We Collect And How We Use It
Collection of Information
We have collected the following categories of information from our users within the last twelve (12) months:
- Identifiers, including name, email address, phone number, IP address and cookie identifiers,
- Certain financial-related information, including credit card number and billing and shipping address,
- Protected classification information, such as age and gender,
- Commercial information, including purchasing history of our business customer’s employees and representatives who use our Service,
- Internet or other similar network activity, such as browsing history, information on your interaction with our Site, browser type, and referring site,
- Location data, and
- Professional or employment related data with respect to our job applicants and our business customer’s employees and representatives who use our Services, such as professional title.
Categories of Sources
We obtain the personal information of our users from the following categories of sources:
I. Personal Data That You Provide To Us
When you interact with the Services, CircleCI may gather information that, alone or in combination with other information, could be used to identify you (“Personal Data”), as described below. If you are an EU or UK data subject, please see the “EU and UK Data Subject” section below for information on your rights in relation to the Personal Data we hold about you.
a) Personal Data used to provide the Service and respond to requests
When signing up for the Services, users are required to either provide their email address and a password while creating an account with us, or authenticate with their version control system identity (GitHub, GitLab, or Bitbucket). When users log in to the Services using sign-in services such as OAuth (for example, login with a GitHub account), these services will authenticate a user’s identity and provide the user with the option to share certain Personal Data, such as name and email address(es), with us. If you purchase one of our paid plans, we will also collect payment and billing information such as credit card details and billing address. We use this data to provide you with access to the Services, contact you regarding your access and use of the Services or to notify you of important changes to the Services. For EU and UK data subjects, such use is necessary for the performance of the contract between you and us.
On some sections of the Site, you may complete a web form to give your Personal Data to us directly, such as on our “Contact Us” page. We also collect Personal Data (e.g., your name, email, and phone number) when you request information, including a product demo, ask to download content (such as white papers), register for a webinar or other event, or subscribe to email lists. We will use your contact information to respond to your request. For EU and UK data subjects, such use is necessary to respond to or implement your request. If you send us a request or question regarding the use of the Services (for example via a support email or via one of our feedback mechanisms), we may publish it (in anonymous form only) in order to help us clarify or respond to your request or to help us support other users.
CircleCI collects Personal Data that you provide through the Services only insofar as is necessary or appropriate to fulfill the purpose of your interaction with CircleCI, such as providing you with the Services and/or answering any requests regarding the Service as described above. You can always refuse to supply Personal Data, however doing so may prevent you from accessing the Services or engaging in certain activities on the Services.
b) Personal Data we receive from third party applications
CircleCI may receive Personal Data about you from third parties. For example, if you access the Services through a third-party service or interact with the Services via a third-party service connected to the Services (e.g., by pushing code to a VCS repository configured to interact with the Services), that third party may pass certain Personal Data you provided to its service to CircleCI. This information could include, but is not limited to, the user ID associated with your account, your name and email address, any information that you have permitted the third party to share with CircleCI, and any information you have made public in connection with that service. You should always review, and if necessary, adjust your privacy settings on third-party websites and services before linking or connecting them to the Services. Ultimately, the terms governing your use of a third-party service will control what Personal Data, if any, that third party shares with CircleCI. If you communicate with CircleCI via social media, and choose to share your user generated content with CircleCI, CircleCI may receive information such as posts or videos you’ve created, your photo, your account name and your comments about CircleCI.
c) Personal Data we receive from other third parties
CircleCI may obtain information about you from third-party sources, such as public sources, social media platforms (like LinkedIn, Twitter and other platforms) and third-party data providers and information services. Examples of the information we may obtain from such third parties include your company, company size, job title and seniority, industry and other profile information. We do this to better understand your profile and interests so that we can deliver customized offers and other personalized services to you, such as to serve relevant offers to you via email, chatbots, phone or personalized advertising. We may also receive information about you and your engagement with our advertisements from our ad servers, ad networks, social media platforms, and other sources. This may include the websites you visited before coming to CircleCI so that we can determine advertising effectiveness and pay our referral partners. If you prefer not to have your information used for this purpose, you can opt out at any time by emailing us.
d) Personal Data used to process applications for employment
When you submit a job application through the Site, we will collect your resume and any additional information that you elect to provide to us, including but not limited to employment history and education. We will use your contact details and data about your employment history and education to conduct job interviews, evaluate your application, and as is otherwise needed for recruitment. For EU and UK data subjects, this use is necessary to respond to your request to process your application for employment.
e) Personal Data used for marketing
We will use your email to tell you about your usage of the Services, new features, solicit your feedback, or just keep you up to date with what’s going on with CircleCI and our products, upcoming events or other promotions. If you change your mind about receiving information from us or about the use of information volunteered by you, please send us a request specifying your new choice. Please contact us as specified under the “Contact Us” section. You may also choose to opt out of receiving such emails by following the unsubscribe instructions included in these emails, or by accessing the email preferences in your account settings page. If you download content from the Site, we may also use your phone number to contact you directly by phone, in connection with such new products and services, upcoming events or other promotions.
Where required by applicable law (for example, if you are an EU or UK data subject), we will only send you marketing information by email or mail, or contact you by phone, if you consent to us doing so. When you provide us with your consent to be contacted for marketing purposes, you have the right to withdraw your consent at any time by following the instructions to “opt out” of receiving marketing communication in each marketing email we send you. In addition, if at any time you do not wish to receive future marketing communications or wish to have your name deleted from our mailing or calling lists, please click on the “Make a Privacy Request” button at https://privacy.circleci.com/. Please note that if you opt out from marketing communications, we may still contact you regarding issues related to our Services and to respond to your requests.
II. Automatically Collected Information
Like most hosted service operators, CircleCI collects information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site and the date and time of each visitor request and store it in log files. CircleCI also collects Internet Protocol (“IP”) addresses, which can be used to identify the location from which your computer is connecting to the Site, for providing the Services and for support purposes.
Use of such automatically collected information is necessary for the performance of the contract between you and us, to the extent we process information that is needed for providing the Services and for support purposes, or is in our legitimate interest in understanding how the Services are being used by you and enhancing your experience when using our Services.
III. Information We Process On Behalf Of Our Customers
In providing the Services to our customers, we process on behalf of customers certain information that may include Personal Data, relating to customers’ employees, contractors or other users (“Users”) they transmit or otherwise submit to our Service. While our customers or Users decide what data to submit, this information typically includes email address and information relating to tests results.
CircleCI collects and stores metrics and data relating to, generated by, provided in connection with, or derived from customers’ use of the Services (“Usage Data”) in order to provide, maintain, support, enhance, develop and improve the Services and CircleCI’s service offerings. CircleCI will not disclose individual metric or usage data other than in an aggregated and de-identified form. For EU and UK data subjects, this use of your Personal Data is necessary for our legitimate interests in understanding how the Services are being used by you and to improve your experience on it.
Bulletin Boards/Chat Rooms
If you submit a post or participate in a discussion on a bulletin board or chat room on the Services, you should be aware that any Personal Data you submit there can be read, collected, or used by other users of these forums, and could be used to send you unsolicited messages. We are not responsible for the Personal Data you choose to submit in these forums.
Disclosure Of Personal Data
In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:
- Certain financial-related information,
- Protected classification information,
- Commercial information,
- Internet or other similar network activity,
- Location data, and
- Professional or employment related data.
We share personal information for a business purpose with various categories of third parties. CircleCI discloses Personal Data only to those of its employees, contractors, and service providers that (1) need to know that data in order to perform certain services and functions on CircleCI’s behalf and (2) have agreed to data protection and confidentiality obligations requiring them to protect that data. Third-party service providers include: (i) providers of payment processing, customer support services and hosting (which support us in the provision and maintenance of the Services), (ii) web analytics service providers (which help us collect statistics and other information, including through cookies, about the behavior of users of the Services - for more details, please see the “Cookies” section below); (iii) marketing and sales automation tools that allow us to manage marketing and sales processes; (iv) phone and chat communication tools that allow us to communicate with prospects and customers; (v) integration tools that allow us to capture data in one platform and send it to another; (vi) survey and poll tools that allows us to capture information about our Services; and (vii) event and meeting platforms that allow us to host and manage virtual and in-person events. Pursuant to our instructions, these parties may access, process or store Personal Data in the course of performing their duties to us and only as necessary to provide the services we request.
CircleCI may also disclose Personal Data when required to do so by law, such as to comply with a subpoena, bankruptcy proceedings, or similar legal process, or in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, or when CircleCI believes in good faith that disclosure is reasonably necessary to protect the property or rights of CircleCI, third parties, or the public at large.
In the preceding twelve (12) months, we have not sold our users’ personal information.
Access and Deletion Requests
You may click on the “Make a Privacy Request” button at https://privacy.circleci.com/ to request that we provide you with a copy of your Personal Data or that we delete your Personal Data that we maintain on our systems. We will respond to your request within a reasonable timeframe. If you are an EU or UK data subject or California resident, see your additional rights below.
Rights of Certain California Residents
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide certain California residents with the additional rights listed below.
Right to Access. You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of personal information we collected about you,
- The categories of sources for the personal information we collected about you,
- Our business or commercial purpose for collecting that personal information,
- The categories of third parties with whom we share that personal information, and
- The specific pieces of personal information we collected about you (which will also allow you to exercise your data portability right).
Data Portability Right. You have the right to request that we provide you with access to the information above (under Right to Access) in a readily useable format that allows you to transmit (i.e., port) the information to another entity without hindrance. If you make a request under your right to request access, you will receive access to your information in a readily useable format.
Right to Delete. You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. You must contact the applicable business customers directly to delete your information that they have in their systems.
We may deny your deletion request or not delete some of your personal information, if retaining the information is necessary for us or our service provider(s) to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
We may also limit our deletion to the extent permitted by applicable law.
Right to Update. You have the right to request that inaccurate personal information that we hold about you be corrected.
Right to restrict the use and disclosure of your sensitive information. You have the right to request that we limit our use and disclosure of your sensitive personal information. We currently do not request or retain any sensitive personal information from our customers.
Categories of Personal Data collected by CircleCI. For more details on how we use the Personal Data, who we disclose it to for a business purpose, and how long we keep it for, please see the sections “Categories of Sources”, “Disclosure of Personal Data”, and “Data Retention” set forth above.
Categories of Personal Data disclosed for a business purpose. You have the right to request that we limit our use and disclosure of your sensitive personal information. We currently do not request or retain any sensitive personal information from our customers.
Exercising Your Rights. To exercise your rights, please contact us as follows:
- Submit your request by visiting our Privacy Center at https://privacy.circleci.com/ and clicking on the “Make a Privacy Request” button where you can select your specific request (e.g., right to access, right to portability, or right to delete); or
- Email us at email@example.com and provide the following information:
- Full name and email address associated with your use of our Services, and
- Your specific request (e.g., right to access, right to portability, right to update or right to delete).
We will attempt to respond to a consumer request for access or deletion within 45 days of receiving that request. If we require more time, we will inform you of the reason and extension period in writing.
Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period.
Non-Discrimination. We will not discriminate against you for exercising any of your rights under the CCPA or CPRA. Unless permitted by the CCPA or CPRA, we will not:
- Deny you goods or services,
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties,
- Provide you a different level or quality of goods or services, or
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
However, we may offer you certain financial incentives permitted by the CCPA and CPRA that can result in different prices, rates, or quality levels. Any CCPA or CPRA-permitted financial incentive we offer will reasonably relate to your personal information's value to CircleCI and contain written terms that describe the program's material aspects. Participation in a financial incentive program requires your prior opt in consent, which you may revoke at any time. We currently do not provide any financial incentives.
No Sale or Sharing of Personal Information. We do not sell or share (for the purpose of cross-context behavioral advertising) your personal information, as those terms are defined under the CCPA/CPRA.
EU and UK Data Subjects
Scope: This section applies if you are an EU or UK data subject (for these purposes, reference to the EU also includes the European Economic Area countries of Iceland, Liechtenstein, Norway and, where applicable, Switzerland).
Data Controller: CircleCI is the data controller of Personal Data provided to, or collected by or for, our Services, but we may act as data processor on behalf of our customers for Personal Data that we process on their behalf when providing the Services.
Your Rights: Subject to applicable law, you have the following rights in relation to your Personal Data:
- Right of access: If you ask us, we will confirm whether we are processing your Personal Data and, if so, provide you with a copy of that Personal Data along with certain other details. If you require additional copies of the data, we may need to charge a reasonable fee.
- Right to rectification: If your Personal Data is inaccurate or incomplete, you are entitled to ask that we correct or complete it. If we shared your Personal Data with others, we will tell them about the correction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
- Right to erasure: You may ask us to delete or remove your Personal Data, such as where you withdraw your consent. If we shared your data with others, we will tell them about the erasure where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
- Right to restrict processing: You may ask us to restrict or ‘block’ the processing of your Personal Data in certain circumstances, such as where you contest the accuracy of the data or object to us processing it. We will tell you before we lift any restriction on processing. If we shared your Personal Data with others, we will tell them about the restriction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
- Right to data portability: Effective 25 May 2018, you have the right to obtain your Personal Data from us that you consented to give us or that was provided to us as necessary in connection with our contract with you. We will give you your Personal Data in a structured, commonly used and machine-readable format. You may reuse it elsewhere.
- Right to object: You may ask us at any time to stop processing your Personal Data, and we will do so if we are processing your Personal Data for direct marketing and otherwise. However, if we are relying on a legitimate interest to process your Personal Data and we demonstrate compelling legitimate grounds for the processing we may continue.
- Rights in relation to automated decision-making and profiling: You have the right to be free from decisions based solely on automated processing of your Personal Data, including profiling, that produce a significant legal effect on you, unless such profiling in necessary for entering into, or the performance of, a contract between you and us or you provide your explicit consent.
- Right to withdraw consent: If we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect any processing of your data before we received notice that you wished to unsubscribe.
- Right to lodge a complaint with the data protection authority: If you have a concern about our privacy practices, including the way we handled your Personal Data, you can report it to the data protection authority that is authorized to hear those concerns.
You may exercise your rights by visiting our Privacy Center at https://privacy.circleci.com/ and clicking on the “Make a Privacy Request” button where you can select your specific request (e.g., right of access, right to erasure, etc.).
International Data Transfers from Europe
Your personal information may be transferred to CircleCI and its service providers in countries other than the country in which you are resident, including in the United States, and other locations where we have offices or employees. These countries may have data protection laws that are different from the laws of your country and may not provide the same level of protection as your country.
If you are located in the European Economic Area, the UK or Switzerland, we will protect your personal information when it is transferred outside of your jurisdiction by (a) processing it in a territory that provides an adequate level of protection based on its data protection laws; (b) implementing appropriate safeguards to protect your personal information, such as relying on the European standard contractual clauses (“Model Clauses”); (c) by seeking your consent for transfers of your personal information for specific purposes; and/or (d) by relying on other transfer mechanisms approved by authorities in the country from which data are transferred. CircleCI relies on the Model Clauses for data transfers.
EU-U.S. Data Privacy Framework with UK Extension, and Swiss-U.S. Data Privacy Framework
CircleCI is responsible for the processing of personal data it receives, under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF and subsequently transfers to a third party acting as an agent on its behalf. CircleCI complies with the EU-U.S. DPF Principles and the Swiss-U.S. DPF Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions.
The Federal Trade Commission has jurisdiction over CircleCI’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In certain situations, CircleCI may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
- Email: firstname.lastname@example.org
- Phone: +1-800-585-7075
- Postal Mail:
Circle Internet Services, Inc.
201 Spear Street, Ste 1200
San Francisco, CA, 94105
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, CircleCI commits to refer unresolved complaints concerning its handling of non-HR related personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. For clarity, Non-HR related data includes all personal data processed by CircleCI on behalf of its customers. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. The services of TRUSTe are provided to you at no cost.
Further, CircleCI commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
For complaints regarding EU-U.S. DPF, the UK Extension to the EU-U.S DPF, and Swiss-U.S. DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.
Links to Other Websites
CircleCI, with its partnership and commitment to Security and Privacy with Microsoft, also provides a link to their Privacy Statement .
Social Media Widgets
Do Not Track
Currently, various browsers - including Microsoft Edge, Firefox, and Safari - offer a “do not track” or “DNT” option that relies on technology known as a DNT header, which sends a signal to the websites visited by the user about the user’s browsers DNT preference setting. CircleCI does not currently commit to responding to browser’s DNT preference across its Services, because no common industry standard for DNT has been adopted by industry groups, technology companies or regulators, including no consistent standard of interpreting user intent. CircleCI takes privacy and choices regarding privacy seriously and will make efforts to continue to monitor the development around DNT browser technology and the implementation of a standard for DNT.
We take precautions to ensure the security of your Personal Data. We follow generally accepted standards to protect the Personal Data submitted to us, both during transmission and once we receive it. When you enter your login information on the Service, all information to and from the service is encrypted using Transport Layer Security (TLS). For more information on our data security policies, please check here.
That said, like any hosted service provider, we cannot guarantee that unauthorized third parties or unauthorized personnel will not gain access to your Personal Data despite our efforts. You should note that in using the Services, your information will travel through third-party infrastructures which are not under our control.
If you have any questions about the security of the Services, you can contact us.
If you wish to make a request regarding your personal information, please visit our Privacy Center at https://privacy.circleci.com/ and click on the “Make a Privacy Request” button where you can select your specific request.
Circle Internet Services, Inc.
201 Spear Street, Ste 1200
San Francisco, CA, 94105