Privacy Policy

Last updated: May 31, 2026

Circle Internet Services, Inc. dba CircleCI, a Delaware corporation (“CircleCI”, “we” or “us”) provides this Privacy Policy to inform Users of its Services, as defined in CircleCI’s Software as a Service Agreement or other applicable governing documents (collectively, “Agreement”) of its policies and procedures regarding the collection, use and disclosure of Personal Data and other information. This Privacy Policy explains what data is collected when a person uses the Services, why and/or how it is used, and the User’s rights and choices. Capitalized terms used but not defined in this Privacy Policy will have the meanings as defined in the Agreement.

While providing Services, CircleCI may collect information about its Customers’ Users. Use of such information is governed by the Agreement with the applicable Customer and the Customer’s own privacy policies. CircleCI cannot control and is not responsible for Customer’s or any third party privacy policies or privacy practices.

Providing Personal Data when using or accessing CircleCI’s website or the Services indicates acceptance of this Privacy Policy and related processing of Personal Data as set forth below. For any questions or comments about this Privacy Policy or use of Personal Data, please contact CircleCI.

1. Categories of Information Collected and How it is Used

Several categories of information are collected from Users within the last twelve (12) months. CircleCI collects Personal Data only as necessary or appropriate to fulfill the purpose of a User’s interaction with CircleCI.

a. Personal Data. When a User interacts with the Services, CircleCI may collect the identifying information listed herein. This information is used to provide access to the Services, enable contact regarding access and use of the Services, and to notify of important changes to the Services. For EU and UK data subjects, such use of Personal Data is necessary to access or use the Services.

Personal Data may include the following, and may be used for the following reasons:

  1. Name, Email Address, Phone Number - to communicate regarding the Services, and for account management
  2. IP address/location data - to comply with laws and regulations and provide localized information
  3. Browser fingerprints - To understand technical compatibility of CircleCI’s product and website in the browser, to detect bots and to protect from fraus
  4. Cookies - To provide website functions, improve performance and functionality, and to target advertising. Please review CircleCI’s Cookie Policy for more information and current cookie list.
  5. Sign-On Information: API key identifiers, OAuth tokens and scopes, session tokens, SSH key fingerprints, SSO/SAML assertions, VCS tokens - to securely authenticate users and authorize access to the Services
  6. Customer Team Information: Audit log entries, User membership, role and activity information - to enable oversight by organization owners and administrators

On some sections of the Site, Personal Data may be used to complete a web form, on CircleCI’s “Contact CircleCI” page, in community forums and discussion boards, on social media, when requesting a product demo or to download content such as white papers, register for a webinar or other event, subscribe to email lists or follow a page to receive automatic updates electronically. CircleCI may publish any requests or questions regarding the use of the Services in anonymous form in order to help clarify or respond to the request or to help support other users. For EU and UK data subjects, such use of Personal Data is necessary to respond to or implement requests.

Users can always refuse to supply Personal Data, however doing so may prevent them from accessing the Services or engaging in certain activities.

b. Financial information. For Customers on a monthly Performance or annual Revenue-assisted plan, CircleCI will collect payment and billing information such as credit card details and/or billing address in order to receive payments for the Services. Credit card payments are managed through a third-party payment processor - CircleCI does not directly maintain credit card numbers.

Financial information may include the following, and may be used for the following reasons:

  1. Billing/shipping address - for sending invoices and notices
  2. Credit card number - managed by third-party payment processors to collect payments from Performance customers

c. Commercial information. CircleCI may receive Personal Data about Users from third-party applications. For example, if a User accesses the Services through a third-party service or interacts with the Services via a third-party service connected to the Services — such as by pushing code to a VCS repository configured to interact with the Services — that third party may pass certain Personal Data to CircleCI. This information could include any information the User has permitted the third party to share with CircleCI, and any information the User has made public in connection with that service. Please review and adjust the privacy settings on third-party websites and services before linking or connecting them to the Services.

Commercial information may include the following, and may be used for the following reasons:

  1. Customer’s Purchase history - to track distribution of credits at the time of payment and ensure accuracy for contractual obligations and auditability
  2. Professional data, such as title and work email, of customer’s users, employees and representatives - to target the correct employees and communicate regarding the Services, and for account management
  3. Account health & risk information such as account and lead scores, sales call records, and usage predictions - to monitor account health and forecast usage trends to proactively address customer needs and engagement
  4. Marketing engagement information such as email and hyperlink interactions, phone engagement, data from third-party sources, channel partner, reseller and referral data; and training, event and webinar registration, attendance and participation - to measure and optimize marketing campaigns, support sales prospecting and lead qualification, and to improve educational and promotional content

CircleCI may also obtain professional information about a User from other third-party sources such as public sources, social media platforms like LinkedIn and X, and third-party data providers. This may include company name, company size, job title and seniority, industry, and other profile information. CircleCI uses this information to better understand User profiles and interests to deliver customized offers and personalized services, such as relevant offers via email, chatbots, phone, or personalized advertising.

When a person communicates with CircleCI via social media and chooses to share their user-generated content with CircleCI, CircleCI receives that content, such as posts, photos or videos, the person’s account name, and comments about CircleCI.

In providing the Services to Customers, CircleCI also processes information that may include Personal Data relating to Customers’ employees, contractors, or other Users that they transmit or submit to the Service. This information typically includes email addresses and information relating to test results. CircleCI collects and stores metrics and usage data relating to Customers’ use of the Services in order to provide, maintain, support, enhance, and improve the Services. CircleCI will not disclose individual metric or usage data other than in aggregated and de-identified form.

d. Services-Specific Information. Information CircleCI processes in connection with the Services spans the full lifecycle of software development and delivery. This includes the code, configurations, and credentials that power a Customer’s CI/CD pipelines; the integrations that connect CircleCI to Customer’s broader toolchain; and the interactions that help CircleCI support and improve the platform. Each category reflects a distinct aspect of how teams build, deploy, and manage software at scale.

Services-Specific information may include the following, and may be used for the following reasons:

  1. Source code commits, pull requests, issues, comments, build logs, test results, deployment configurations, usage metadata, and customer-stored artifacts - To run pipelines, store build outputs and artifacts, and provide build history for debugging
  2. Deployment keys, cloud provider credentials, API keys, database connection strings, signing certificates, Terraform configurations, Kubernetes manifests, and metadata about secret usage and rotation - To authenticate and connect pipelines to third-party services, enable secure deployments, and manage secret lifecycle for auditability
  3. Webhook payloads, API callbacks, and event notifications exchanged with VCS providers, cloud platforms, chat applications, issue trackers, and secret managers - to power bidirectional integrations with your tools and trigger or report on pipeline events
  4. Support tickets, error and debug logs, screenshots, temporary shared access credentials, support portal activity, forum posts, product feedback, social media mentions, and community contributions - To resolve technical issues, inform product improvements, and facilitate community engagement

e. Behavioral Information. CircleCI automatically collects information of the sort that web browsers and servers typically make available, such as browser type, language preference, referring site, and the date and time of each visitor request, stored in log files. CircleCI also collects IP addresses, which can be used to identify the location from which your computer is connecting to the Site, for providing the Services and for support purposes.

Behavioral information may include the following, and may be used for the following reasons:

  1. Internet or other similar network activity, such as browsing history - to understand usage of the Services, limited to CircleCI’s domain
  2. Interaction with circleci.com or chunk.ai - to analyze interaction in order to improve function and performance of the Services
  3. Referring site - to understand sources of traffic for marketing and fraud prevention
  4. Product usage & performance information, such as API call volumes, build counts, Credits, features and Support use, performance metrics, resource consumption data, and feature flag assignments - to monitor platform adoption, performance and reliability, and optimize resource allocation
  5. Product development information such as enhanced telemetry for beta/preview features, feature-specific feedback, experimental data collection - to evaluate and improve pre-release features and assess feature readiness for general availability

CircleCI collects statistics about the behavior of visitors to the Services through cookies and similar technologies in order to better understand how visitors use the Services and to improve your access to and use of the Services. CircleCI may also receive information about persons and their engagement with CircleCI’s advertisements from ad servers, ad networks, social media platforms, and other sources, including the websites a person visited before coming to CircleCI, so that CircleCI can determine advertising effectiveness and pay its referral partners. If a person prefers not to have their information used for personalized advertising, they can opt out or Targeting Cookies by visiting CircleCI’s website and clicking on the black paperclip button at the bottom left of the page and updating their Cookie preferences.

f. Employment information. When a person submits a job application through the Site, CircleCI will collect the resume and any additional information they elect to provide, including but not limited to employment history and education. CircleCI will use the provided contact details and data about past employment history and education to evaluate the application, conduct job interviews, and as otherwise needed for recruitment purposes to manage applicants who apply for positions at CircleCI.

2. Other Areas Where Personal Data May be Collected

a. AI-Powered Features. When a User employs CircleCI’s Chunk and/or Chunk sidecars or other AI/ML features, Personal Data will be processed in accordance with this Privacy Policy. CircleCI will transmit the Inputs submitted to the Services to CircleCI’s AI Providers. CircleCI may collect AI Input and Output and Usage Data to debug and troubleshoot the services, and to identify and develop product improvements and assessing features engagement. This data may be collected in both the SaaS and Self-managed products where AI features are enabled. CircleCI’s AI Providers do not train on any data that inputted into Chunk or Chunk sidecars. Customers may have the option to employ their own AI for use with Chunk and/or Chunk sidecars. In such case, Customer’s AI Provider will process Personal Information in accordance with their AI Provider’s Privacy Policy, and CircleCI will not collect AI Input, Output or Usage Data.

b. Cookies, Browser Fingerprinting and Social Media. CircleCI and its partners use cookies or similar technologies to optimize the functionality of the Site, help CircleCI understand how the Site is used and provide Users with interest-based advertising based upon a user’s browsing activities and interests. Cookies are small, informational text files that may be used to create a unique identifier. They are automatically created by a web server and stored on a User’s device by User’s browser when you visit a website and may be set directly by the site visited (first-party cookies) or by service providers embedded in that site (third-party cookies). There are five (5) cookie types – Strictly Necessary – necessary for the Services to work, Performance – optional for improve CircleCI’s website and Services, Functional – optional to enhance User experience, Targeting – optional to make advertising more relevant to a User, and Unclassified – cookies which have not yet been classified. Browser fingerprinting uses characteristics of a User’s device and browser to create a unique identifier that can be used to recognize that device across visits. Finally, the Services may include social media features, such as an X, Instagram or Facebook button, and widgets, such as the “share this” button or interactive mini-programs. Social media features and widgets are either hosted by a third party or hosted directly on the Services. A User’s interactions with these features are governed by the privacy policy of the company providing it. For more information about the cookies and similar technologies CircleCI uses, please refer to CircleCI’s Cookie Policy.

c. Audit Logs and Access Tracking. CircleCI maintains comprehensive records of user actions, administrator activity, API access events, authentication events, configuration changes, and security events occurring across the platform. These records serve to preserve security accountability, satisfy FedRAMP continuous monitoring requirements, and provide organization administrators with the visibility necessary to oversee platform activity. Audit log data also supports incident investigation and compliance audit functions as required.

3. Rights of Certain California Residents

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide certain California residents with the additional rights listed below. ‘Personal Data’ as defined by CircleCI generally equates to the CCPA definition of ‘Personal Information,’ but in all cases the CCPA definition prevails when it is narrower than CircleCI’s definition.

a. Categories of Personal Information collected by CircleCI. For more details on how CircleCI uses Personal Information, who CircleCI discloses it to for a business purpose, and for how long CircleCI keeps it, please review Sections 1 and 7 herein.

b. Categories of Personal Information disclosed for a business purpose. California residents have the right to request that CircleCI limit the use and disclosure of sensitive personal information. CircleCI currently does not request or retain sensitive personal information as defined under CCPA.

c. Right to Access. California residents have the right to request that CircleCI disclose certain information about its collection and use of their personal information over the past 12 months. Once CircleCI receives and confirms a verifiable consumer request from a California resident, CircleCI will disclose:

  • The categories of personal information CircleCI collected,
  • The categories of sources for the personal information CircleCI collected,
  • CircleCI’s business or commercial purpose for collecting that personal information,
  • The categories of third parties with whom CircleCI share that personal information, and
  • The specific pieces of personal information CircleCI collected about the requestor (which will also allow that person to exercise their data portability right).

d. Right to Delete. California residents have the right to request that CircleCI delete any of their personal information that CircleCI collected and retained, subject to certain exceptions. Once CircleCI receives and confirms a verifiable consumer request from a California resident, CircleCI will delete (and direct its service providers to delete) that person’s personal information from CircleCI’s records, unless an exception applies. California residents must contact the applicable business customers directly to delete information that applicable business customers have in their respective systems.

CircleCI may deny a California resident’s deletion request or not delete some personal information, if retaining the information is necessary for CircleCI or its service provider(s) to:

  1. Complete the transaction for which CircleCI collected the personal information, provide a good or service requested by the California resident, take actions reasonably anticipated within the context of CircleCI’s ongoing business relationship with the California resident, or otherwise perform under CircleCI’s contract with the California resident.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  3. Debug products to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if the California resident previously provided informed consent.
  7. Enable solely internal uses that are reasonably aligned with consumer expectations based on the California resident‘s relationship with CircleCI.
  8. Comply with a legal obligation.
  9. Make other internal and lawful uses of that information that are compatible with the context in which the California resident provided it.

CircleCI may also limit its deletion to the extent permitted by applicable law.

e. Right to Update. California residents have the right to request that inaccurate personal information that CircleCI hold about them be corrected.

f. Right to restrict the use and disclosure of your sensitive information. California residents have the right to request that CircleCI limit its use and disclosure of their sensitive personal information. CircleCI currently does not request or retain any sensitive personal information as defined under CCPA.

g. Data Portability Right. California residents have the right to request that CircleCI provide access to the information above (under Right to Access) in a readily useable format that allows transmission (i.e., port) of the information to another entity without hindrance. If a California resident makes a request under CCPA’s Right to Request Access, the California resident will receive access to the information in a readily useable format.

h. Exercising Rights. California residents have the right to direct CircleCI not to share their personal information for cross-context behavioral advertising. Where required by applicable law, CircleCI also honors browser-based opt-out preference signals for sharing. California residents opt-outs will apply to the browser or device, and in some cases the account, associated with such request.

California residents may exercise their rights under CCPA as follows:

  • Submit a request by visiting CircleCI’s Privacy Center and selecting the specific request(s) (e.g., right to access, right to correct, or right to delete); or
  • Email CircleCI and provide the following information:
    • Full name and email address associated with the use of CircleCI’s Services, and
    • The specific request (e.g., right to access, right to portability, right to update or right to delete).

CircleCI will attempt to respond to a consumer request for access or deletion within forty-five (45) days of receiving that request. If CircleCI requires more time, CircleCI will inform the California resident of the reason and extension period in writing.

Only California residents, or someone legally authorized to act on their behalf, may make a verifiable consumer request related to their personal information.

California residents may only make a verifiable consumer request for access or data portability twice within a 12-month period.

i. Non-Discrimination. CircleCI will not discriminate against California residents for exercising any of their rights under the CCPA or CPRA. Unless permitted by the CCPA or CPRA, CircleCI will not:

  • Deny California residents goods or services,
  • Charge California residents different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties,
  • Provide California residents with a different level or quality of goods or services than other Customers, or
  • Suggest that a California resident may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, CircleCI may offer California residents certain financial incentives permitted by the CCPA and CPRA that can result in different prices, rates, or quality levels. Any CCPA or CPRA-permitted financial incentive CircleCI offer will reasonably relate to the California resident’s personal information’s value to CircleCI and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires the California resident’s prior opt in consent, which may be revoked at any time. CircleCI currently does not provide any financial incentives.

j. No Sale of Personal Information, as defined under CCPA. CircleCI does not sell California residents’ personal information, as defined under CCPA. CircleCI may share a California resident’s personal information for the purpose of cross-context behavioral advertising, unless the California resident opts out of Targeting Cookies.

4. Rights of EU and UK Data Subjects

a. Scope. This section applies to EU or UK data subjects, which, for these purposes, references to the EU also includes the European Economic Area countries of Iceland, Liechtenstein, Norway and, where applicable, Switzerland) (collectively, “Data Subjects”).

b. Data Controller. CircleCI is the data controller of Personal Data provided to, or collected by or for, CircleCI’s Services, but CircleCI may act as data processor on behalf of Data Subjects for Personal Data that CircleCI process on their behalf when providing the Services.

c. Data Subjects’ Rights. Subject to applicable law, Data Subjects have the following rights in relation to Data Subjects’ Personal Data:

  • Right of access: If Data Subjects ask CircleCI, CircleCI will confirm whether CircleCI is processing their Personal Data and, if so, provide Data Subjects with a copy of that Personal Data along with certain other details. If Data Subjects require additional copies of the data, CircleCI may need to charge a reasonable fee.
  • Right to rectification: If Data Subjects’ Personal Data is inaccurate or incomplete, they are entitled to ask that CircleCI correct or complete it. If CircleCI shared Data Subjects’ Personal Data with others, CircleCI will tell them about the correction where possible. If Data Subjects ask CircleCI, and where possible and lawful to do so, CircleCI will also tell them with whom CircleCI shared their Personal Data so Data Subjects can contact them directly.
  • Right to erasure: Data Subjects may ask CircleCI to delete or remove their Personal Data, such as where Data Subjects withdraw Data Subjects’ consent. If CircleCI shared Data Subjects’ data with others, CircleCI will tell them about the erasure where possible. If Data Subjects ask CircleCI, and where possible and lawful to do so, CircleCI will also tell them with whom CircleCI shared their Personal Data so Data Subjects can contact them directly.
  • Right to restrict processing: Data Subjects may ask CircleCI to restrict or ‘block’ the processing of their Personal Data in certain circumstances, such as where Data Subjects contest the accuracy of the data or object to CircleCI processing it. CircleCI will tell Data Subjects before CircleCI lifts any restriction on processing. If CircleCI shared Data Subjects’ Personal Data with others, CircleCI will tell them about the restriction where possible. If Data Subjects ask CircleCI, and where possible and lawful to do so, CircleCI will also tell them with whom CircleCI shared Data Subjects’ Personal Data so they can contact the other party directly.
  • Right to data portability: Effective 25 May 2018, Data Subjects have the right to obtain their Personal Data from CircleCI that they consented to give CircleCI or that was provided to CircleCI as necessary in connection with CircleCI’s contract with them. CircleCI will give Data Subjects their Personal Data in a structured, commonly used and machine-readable format. Data Subjects may reuse it elsewhere.
  • Right to object: Data Subjects may ask CircleCI at any time to stop processing their Personal Data, and CircleCI will do so if CircleCI are processing Data Subjects’ Personal Data for direct marketing and otherwise. However, if CircleCI relies on a legitimate interest to process Data Subjects’ Personal Data and CircleCI demonstrates compelling legitimate grounds for the processing, CircleCI may continue.
  • Rights in relation to automated decision-making and profiling: Data Subjects have the right to be free from decisions based solely on automated processing of their Personal Data, including profiling, that produce a significant legal effect on them, unless such profiling is necessary for entering into, or the performance of, a contract between Data Subjects and CircleCI, or Data Subjects provide their explicit consent.
  • Right to withdraw consent: If CircleCI relies on Data Subjects’ consent to process their Personal Data, Data Subjects have the right to withdraw that consent at any time. Withdrawal of consent will not affect any processing of Personal Data before CircleCI received notice that Data Subjects wished to unsubscribe.
  • Right to lodge a complaint with the data protection authority: If Data Subjects have a concern about CircleCI’s privacy practices, including the way CircleCI handled their Personal Data, they can report it to the data protection authority that is authorized to hear those concerns.

Data Subjects may exercise their rights under GDPR by visiting CircleCI’s Privacy Center at https://privacy.circleci.com/ and selecting the specific request(s) (e.g., right of access, right to erasure, etc.).

d. Legitimate Interest. “Legitimate interests” means the interests of CircleCI in conducting and managing CircleCI’s organization. For example, CircleCI has a legitimate interest in processing Data Subjects’ Personal Data to analyze how the Services are being used by Data Subjects, and to ensure network and information security, as described in this Privacy Policy. When CircleCI processes Data Subjects’ Personal Data for CircleCI’s legitimate interests, CircleCI makes sure to consider and balance any potential impact on Data Subjects, and their associated rights under data protection laws. CircleCI’s legitimate interests do not automatically override Data Subjects’ interests. CircleCI will not use Data Subjects’ Personal Data for activities where CircleCI’s interests are overridden by the impact on Data Subjects, unless CircleCI has Data Subjects’ consent or those activities are otherwise required or permitted to by law. Data Subjects have the right to object to processing that is based on CircleCI’s legitimate interests.

e. International Data Transfers from Europe. Data Subjects’ personal information may be transferred to CircleCI and its service providers in countries other than the country in which Data Subjects are resident, including in the United States, and other locations where CircleCI has offices or employees. These countries may have data protection laws that are different from the laws of Data Subjects’ country and may not provide the same level of protection as Data Subjects’ country.

e. Model Clauses. If Data Subjects are located in the European Economic Area, the UK or Switzerland, CircleCI will protect Data Subjects’ personal information when it is transferred outside of Data Subjects’ jurisdiction by (a) processing it in a territory that provides an adequate level of protection based on its data protection laws; (b) implementing appropriate safeguards to protect Data Subjects’ personal information, such as relying on the European Commission’s standard contractual clauses (“Model Clauses”); (c) by seeking Data Subjects’ consent for transfers of their Personal Data for specific purposes; and/or (d) by relying on other transfer mechanisms approved by authorities in the country from which data are transferred. CircleCI relies on the Model Clauses for data transfers.

5. Data Privacy Frameworks

Data Privacy Frameworks (each, a “DPF”), as set forth by the US Department of Commerce, provide reliable mechanisms for personal data transfers to the United States from the European Union / European Economic Area, the United Kingdom and Gibraltar that are consistent with EU, and UK law, respectively; and for personal data transfers to the United States from Switzerland that is consistent with Swiss law. The Federal Trade Commission has jurisdiction over CircleCI’s compliance with each of the DPFs as further described below. In certain situations, CircleCI may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

a. European Union / European Economic Area, the United Kingdom (and Gibraltar). CircleCI complies with the EU-US Data Privacy Framework (“EU-US DPF”), and the UK Extension to the EU-US DPF. CircleCI is responsible for the processing of personal data it receives under the EU-US DPF and the UK Extension to the EU-US DPF and subsequently transfers to a third party acting as an agent on its behalf.

CircleCI has certified to the US Department of Commerce that it adheres to the EU-US Data Privacy Framework Principles (“EU-US DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) under the UK Extension to the EU-US DPF. CircleCI complies with the EU-US DPF Principles for all onward transfers of personal data from the EU, UK, and Gibraltar, including the onward transfer liability provisions.

b. Switzerland. CircleCI complies with the Swiss-US Data Privacy Framework (“Swiss-US DPF”). CircleCI is responsible for the processing of personal data it receives, under the Swiss-US DPF and subsequently transfers to a third party acting as an agent on its behalf.

CircleCI has certified to the US Department of Commerce that it adheres to the Swiss-US Data Privacy Framework Principles (“Swiss-US DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-US DPF. CircleCI complies with the Swiss-US DPF Principles for all onward transfers of personal data from Switzerland, including the onward transfer liability provisions.

c. Recourse, Enforcement, Liability under the DPFs. If there are any conflicts between the terms between this Privacy Policy and the EU-US DPF Principles and/or the Swiss-US DPF Principles, the applicable Principles shall govern. To learn more about the Data Privacy Framework program, and to view CircleCI’s certification, please visit https://www.dataprivacyframework.gov/.

Under the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF, CircleCI commits to resolve complaints about a User’s privacy and CircleCI’s collection or use of the User’s Personal Data.

European Union, UK (and Gibraltar) or Swiss individuals with inquiries or complaints regarding this Privacy Policy should first contact CircleCI as follows:

Address:

Circle Internet Services, Inc.

2261 Market Street, #22561

San Francisco, CA, 94114

Attention: Privacy

Email: privacy@circleci.com

Phone: +1-800-585-7075

In compliance with the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF, CircleCI commits to refer unresolved complaints concerning its handling of non-HR related personal data received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF to TRUSTe, an alternative dispute resolution provider based in the United States. For clarity, Non-HR related data includes all personal data processed by CircleCI on behalf of its Customers.

If timely acknowledgment of a DPF Principles-related complaint is not received from CircleCI, or if CircleCI has not addressed such DPF Principles-related complaint satisfactorily, please visit TRUSTe Feedback and Resolution System for more information or to file a complaint. The services of TRUSTe are provided to complainants at no cost.

For complaints regarding DPF compliance not resolved by any of the other DPF mechanisms, complainants have the possibility, under certain conditions, to invoke binding arbitration.

In compliance with the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF, CircleCI commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPA_), the UK Information Commissioner’s Office (ICO), the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning CircleCI’s handling of human resources personal data received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF in the context of the employment relationship.

Further information can be found on the official DPF website: https://www.dataprivacyframework.gov.

6. Other Information and Disclaimers

a. 12-Month Disclosure Of Personal Data. In the preceding twelve (12) months, CircleCI has disclosed the following categories of personal information for a business purpose:

• Personal Data • Certain financial-related information, • Protected classification information, • Commercial information, • Internet or other similar network activity, • Location data, and • Professional or employment related data.

CircleCI shares personal information for a business purpose with various categories of third parties. CircleCI discloses Personal Data only to those of its employees, contractors, and service providers that (1) need to know that data in order to perform certain services and functions on CircleCI’s behalf and (2) have agreed to data protection and confidentiality obligations requiring them to protect that data.

Third-party service providers include: (i) providers of payment processing, customer support services and hosting (which support CircleCI in the provision and maintenance of the Services), (ii) web analytics service providers (which help CircleCI collect statistics and other information, including through cookies, about the behavior of users of the Services - for more details, please see the “Cookies” section herein); (iii) marketing and sales automation tools that allow CircleCI to manage marketing and sales processes; (iv) phone and chat communication tools that allow CircleCI to communicate with prospects and customers; (v) integration tools that allow CircleCI to capture data in one platform and send it to another; (vi) survey and poll tools that allow CircleCI to capture information about CircleCI’s Services; and (vii) event and meeting platforms that allow CircleCI to host and manage virtual and in-person events. Pursuant to CircleCI’s instructions, these parties may access, process or store Personal Data in the course of performing their duties to CircleCI and only as necessary to provide the services CircleCI request.

CircleCI may also disclose Personal Data when required to do so by law, such as to comply with a subpoena, bankruptcy proceedings, or similar legal process, or in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, or when CircleCI believes in good faith that disclosure is reasonably necessary to protect the property or rights of CircleCI, third parties, or the public at large.

CircleCI may disclose Personal Data in connection with a merger, acquisition, or sale of all or a portion of its assets (a “Corporate Transaction”). If CircleCI is involved in a Corporate Transaction, Customers will be notified either via email and/or a prominent notice through the Service of any change in ownership or uses of Personal Data, as well as any choices Users may have regarding their Personal Data, or CircleCI will require any such buyer to agree to treat Personal Data transferred during change of ownership in accordance with this Privacy Policy.

In the preceding twelve (12) months, CircleCI has not sold CircleCI’s users’ personal information.

b. Children’s Privacy. CircleCI’s Services are not directed to children, and CircleCI does not knowingly collect, sell or share Personal Data from children or other individuals below the age at which they can lawfully consent to the processing of their personal data in their jurisdiction, and such underage persons should not use the Services unless permitted by applicable law. If you believe we may have collected such information, please contact us at privacy@circleci.com.

c. Sensitive Personal Data/Personal Information. CircleCI does not knowingly collect or process sensitive personal information (as defined under the CCPA/CPRA) or special categories of personal data (as defined under the GDPR and UK GDPR).

d. Access and Deletion Requests. Users may visit CircleCI’s Privacy Center to request that CircleCI provide a copy of their Personal Data or that CircleCI delete Personal Data that CircleCI maintains on CircleCI’s systems. CircleCI will respond to such request within a reasonable timeframe. If an EU or UK data subject or California resident, please see the applicable sections above.

e. Data Retention. CircleCI will retain Personal Data that Customers provide to CircleCI through the Services for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law. CircleCI will retain Personal Data that CircleCI process on behalf of CircleCI’s customers for the duration set forth in the applicable Customer contract or as otherwise instructed by the Customer.

f. Security. CircleCI takes precautions to ensure the security of Users’ Personal Data. CircleCI follows generally accepted standards to protect the Personal Data submitted to it, both during transmission and once it is received. When a User enters login information on the Service, all information to and from the service is encrypted using Transport Layer Security (TLS). For more information on CircleCI’s data security policies, please visit CircleCI’s Security page.

That said, like any hosted service provider, CircleCI cannot guarantee that unauthorized third parties or unauthorized personnel will not gain access to User’s Personal Data despite CircleCI’s efforts. In using the Services, User’s information will travel through third-party infrastructures which are not under CircleCI’s control.

CircleCI cannot protect, nor does this Privacy Policy apply to, any information that Users transmit to other users of the Services. Users should never transmit personal or identifying information to other users.

If you have any questions about the security of the Services, you can contact CircleCI Security.

g. Privacy Policy Changes. CircleCI may change its Privacy Policy from time to time, in CircleCI’s sole discretion. All changes will be effective immediately upon publication on CircleCI’s website. Material changes will be conspicuously posted on the Services or otherwise communicated to Customers, or as otherwise required by the applicable law. Access to or use of the Services after any change in this Privacy Policy takes effect will constitute your acceptance of such change. CircleCI encourages periodic review of CircleCI’s website for the latest information on CircleCI’s privacy practices.

h. Do Not Track. CircleCI does not currently commit to responding to browser’s DNT preference across its Services. CircleCI takes privacy and choices regarding privacy seriously and will make efforts to continue to monitor the development around DNT browser technology and the implementation of a standard for DNT.

i. Links to Other Websites. This Privacy Policy applies only to the Services and not to any third-party sites or hosted services a User may find or access through CircleCI’s Site. Personal Data submitted to any of those sites or services will be governed by their privacy policies.

j. Contact CircleCI. For any requests regarding personal information, please visit CircleCI’s Privacy Center. For any other questions or concerns about this Privacy Policy, please contact CircleCI at:

Circle Internet Services, Inc.

2261 Market Street, #22561

San Francisco, CA, 94114

Phone: +1-800-585-7075

Email: privacy@circleci.com