Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
GitHub Pages is a free static site hosting service provided by GitHub (a Microsoft subsidiary) that serves websites directly from a GitHub repository. The hosting platform itself sets no tracking cookies and requires no user consent by default. However, IP addresses are logged on US-based GitHub infrastructure, and any third-party scripts added to the site (analytics, chat, advertising) will require their own consent handling under GDPR.
GitHub Pages is a free static website hosting service offered by GitHub, which is owned by Microsoft. It allows developers and organisations to publish websites directly from a GitHub repository, supporting static HTML, CSS, and JavaScript as well as sites built with Jekyll or other static site generators. GitHub Pages is widely used for open-source project documentation, developer portfolios, and small business websites. The platform serves content via GitHub''s global CDN infrastructure, which is based primarily in the United States and operated by Fastly.
GitHub Pages itself sets no tracking cookies on visitors. The hosting infrastructure collects standard server-side access logs including visitor IP addresses, request timestamps, browser user agents, and pages accessed. This data is processed by GitHub on US-based infrastructure and is subject to GitHub''s privacy policy. If the website hosted on GitHub Pages includes third-party scripts such as Google Analytics, a live chat widget, or advertising tags, those third parties will collect additional data and set their own cookies, requiring separate consent handling.
GitHub Pages has a relatively simple GDPR compliance profile. The platform processes IP addresses as server-side access logs, which is standard for any web hosting service and can rely on legitimate interest under GDPR Article 6(1)(f) for network security and infrastructure management. No consent banner is required for the hosting platform itself. The main GDPR considerations are the US data transfer (GitHub is a US company subject to FISA 702 and other US surveillance laws) and the disclosure obligation to inform visitors of the hosting provider in the privacy policy.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
GitHub Pages itself does not require a cookie consent banner. Consent is only required if additional third-party scripts or cookies are loaded on the site. Organisations hosting on GitHub Pages should audit all scripts included in their site and determine which require consent. Common scripts that require consent include Google Analytics, Facebook Pixel, Intercom, Hotjar, and any advertising or retargeting tools. The GitHub Pages hosting itself can be disclosed in the privacy policy without a separate consent mechanism.
GitHub is a Microsoft subsidiary headquartered in the United States. Server access logs including IP addresses are processed on US-based infrastructure. GitHub''s Data Processing Agreement and Standard Contractual Clauses apply for EU customers under GDPR. Organisations should reference GitHub''s DPA in their Records of Processing Activities and disclose GitHub as a hosting provider and data processor in their privacy policy.
To use GitHub Pages compliantly: disclose GitHub as your hosting provider in your privacy policy, describing the server-side IP logging and US transfer; reference GitHub''s SCC-based DPA as the transfer safeguard; audit all third-party scripts on your site and implement a consent management platform for any non-essential cookies; document GitHub as a processor in your RoPA; and consider whether your site collects personal data through forms or user interactions that require additional GDPR measures beyond the hosting layer.
Websites using GitHub Pages must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for basic GitHub Pages deployments. The risk profile is low as the platform sets no tracking cookies and collects only server-side access logs. A DPIA may become relevant if the site hosted on GitHub Pages processes large volumes of personal data through forms, user accounts, or third-party integrations.
Sample consent text
This website is hosted on GitHub Pages (GitHub Inc., a Microsoft subsidiary). GitHub logs server access data including your IP address on US-based infrastructure. No tracking cookies are set by the hosting platform itself. Any additional services on this website are listed separately in our cookie policy.
Third-party domains contacted
github.iopages.github.comgithub.github.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _gh_sess | session | Session | GitHub session cookie set only when visitors access github.com directly, not set by GitHub Pages hosted sites |
This service may collect user data. Ensure GDPR compliance with FlowConsent.
No. GitHub Pages itself does not set any tracking cookies. The hosting infrastructure only processes server-side access logs. If your site includes third-party scripts (analytics, chat, advertising), those tools set their own cookies and require separate consent handling.
Not for the hosting itself. GitHub Pages does not set cookies, so no consent banner is required for the platform. However, if your site loads third-party scripts that set cookies or track users, those require a consent management platform. The hosting provider should still be disclosed in your privacy policy.
Legitimate interest under Article 6(1)(f) GDPR applies to the server-side IP address logging inherent to any web hosting service. This is standard infrastructure processing necessary for network security and site operation. No separate consent is required for this processing, but it must be disclosed in your privacy policy.
Yes. GitHub is a Microsoft subsidiary based in the United States. Server access logs including IP addresses are processed on US-based infrastructure covered by GitHub's Data Processing Agreement and Standard Contractual Clauses. This transfer should be documented in your Records of Processing Activities.
Generally no, for basic static site hosting. The risk profile is low since no tracking cookies are set and only standard server access logs are collected. A DPIA may become necessary if your GitHub Pages site processes substantial personal data through forms, user authentication, or integrated third-party services.
Disclose GitHub as your hosting provider in your privacy policy with a description of the IP logging and US transfer. Reference GitHub's SCC-based DPA. Audit all third-party scripts on your site. Implement a consent management platform for any analytics or tracking tools. Ensure any contact forms have appropriate privacy notices. Document GitHub in your RoPA as a hosting processor.
Yes. GitLab Pages can be deployed on self-managed GitLab instances hosted in the EU. Netlify and Vercel both offer EU region deployments for static sites. Cloudflare Pages has EU data processing options. For full data sovereignty, self-hosted static site servers on EU infrastructure (OVHcloud, Hetzner) eliminate all third-country transfer concerns.
Add a section covering your web hosting provider. State that your website is hosted on GitHub Pages (GitHub Inc., a Microsoft subsidiary, San Francisco CA USA), that GitHub processes server access logs including visitor IP addresses, that the legal basis is legitimate interest for infrastructure security, that the transfer to the US is covered by Standard Contractual Clauses under GitHub's DPA, and provide a link to GitHub's privacy policy at docs.github.com/en/site-policy/privacy-policies/github-general-privacy-statement.