Privacy Policy

On September 18, 2019, Semmle Ltd. was acquired by GitHub, Inc.

Semmle Ltd (trading as Semmle) whose head office is located in USA at 44 Montgomery St, Floor 3, San Francisco, registered with the Trade and Companies Registry of California under number c3904163 (“Semmle/we/us/our“), are committed to protecting and respecting your privacy. Semmle provides the service located at and (collectively, “Sites”). This policy (together with our terms of use and any other documents referred to on it) sets forth Semmle’s policy with respect to information, including personal data, collected from visitors to our Sites and users of the Semmle service. Please read the following carefully to understand our views and practices regarding personal data regarding you and how we will treat it.

If you are applying for a job with Semmle, we additionally draw your attention to our Recruitment Privacy Policy.

For the purpose of the EU General Data Protection Regulation 2016/679 (“GDPR”), the data controller is Semmle Ltd, Blue Boar Court, 9 Alfred Street, Oxford, Oxfordshire, OX1 4EH

Terms defined in the GDPR (including personal data, processing, controller and processor) have the same meaning in this Privacy Policy.

Personal data we may collect from you

We may collect and process the following personal data about you:

Information that you provide by filling in forms on our Sites such as the contact form. We may also ask you for information when you report a problem with our site. In the unlikely event we reject an application to subscribe to our newsletter we will not retain any personal data you have provided in your application.

If you contact us, we may keep a record of that correspondence.

If you register for a personal account on our support portal, we will store your name and email address on that portal and on other internal support systems so that we can provide support to you.

We do this in order to be able to run the Sites, in order to contact you on a tailored basis to let you know about our products, and in order to provide support if you represent a customer.

Information we may collect about you indirectly

As part of carefully managed, selective business to business marketing and sales activities, we may collect your contact details from third party sources such as LinkedIn and use it to contact you on a tailored basis about services which we think might be of interest.

Third-party data processing

We use the third-party Addsearch service to implement site search on and your use of that search functionality is subject to their privacy terms at We host our website using Cloudflare and Heroku.

We may store your contact details, and send you marketing emails using third-party service providers.

These services may transfer small amounts of personal data outside the European Economic Area (“EEA”), under strict privacy and security controls.

IP addresses

We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration and to ensure the proper operation of our site.

Cookies and similar technologies

In operating our Sites, we may use a technology called "cookies." A cookie is a piece of information that the computer that hosts our service gives to your browser when you access our Sites. When you interact with Semmle through our Sites, we receive and store certain cookies or similar technologies. Semmle may store such information itself or such information may be included in databases owned and maintained by Semmle affiliates (such as GitHub, Inc.), agents or service providers. Such information helps us improve our Sites and your experience thereon by customizing your experience, helping us analyse usage, technical and browsing metrics as well as detecting and preventing fraud.

Services cookies

These cookies are strictly necessary to provide you with our service available through our Sites and to secure our Sites. These cookies are set by Semmle as well as Cloudflare ( Because these cookies are strictly necessary to deliver the Sites to you, you cannot refuse them.

You can block or delete them by changing your browser settings, as described in the section "Your choices regarding cookies" below. However, blocking or deleting essential cookies may make browsing our Sites a less satisfying experience. In some cases, you may even find yourself unable to use all or part of our Sites.

Your choices regarding cookies

You may express your preferences regarding cookies using several options. Please note that changes you make to your cookie preferences may prevent all or part of our Sites from functioning as intended.

Browser and devices controls

Most web browsers provide settings that allow users to control or reject cookies or to alert users when a cookie is set on their computer. The procedure for managing cookies is slightly different for each internet browser, so please check the specific steps in the “help” menu of your web browser. Since cookies are browser-specific, you may need to manage your cookies preferences across all the web browsers you use.

You also may be able to reject device identifiers by activating the appropriate setting on your mobile device, as available. The procedure for managing device identifiers is slightly different for each device, so please check the specific steps in the documentation relating to the device you use.

Our Legal Basis for Processing

Under certain international laws (including GDPR), Semmle must have a legal basis to process personal data regarding you. There are different legal bases that we rely on to process such personal data, namely:

a. Performance of a contract

The processing of your information may be necessary to perform the terms and conditions or other contractual obligations and policies under which We provide our Sites to you;

b. Consent

We will rely on your consent to process (i) technical information such as cookie and similar technologies; and (ii) your information for marketing and advertising purposes. You may withdraw your consent at any time by contacting us using the information at the end of this Privacy Policy or by following an unsubscribe link in any marketing communication you receive from Us;

c. Legitimate interests

We process personal data regarding you for our legitimate interests to improve our Sites, security purposes, and to share information with our affiliates. In such circumstances it is for us to ensure that these interests are not overridden by your data protection interests or fundamental rights and freedoms; and

d. Legal obligation and public interest

In some cases, we may also have a legal obligation to collect personal data regarding you or may otherwise need personal data regarding you to protect your vital interests or those of another person.

Your Rights


Various different jurisdictions require us to inform you about your rights as a user. The GDPR is one of the most strict data regulations, therefore we decided to use that as a guideline here.

We will comply with the following requests, unless such requests are prohibited by law, or there is a legitimate purpose or mandatory provision justifying retention of personal data regarding you, in which case we will inform you without undue delay. We reserve the right to verify your identity before complying with any request relating to personal data regarding you processed by us. Please direct any questions about personal data regarding you using the contact details provided at the end of this Privacy Policy.

Right to be informed

This document is designed to inform you exactly how Semmle processes personal data regarding you.

Right of access

Our Sites allow you to provide us with a very limited amount of personal data regarding you, which we store to provide you with our Sites as well as a good user experience. You have the right to access and obtain a copy of personal data regarding you that is processed by us.

Please contact us if you would like us to provide you with this personal data.

Right to rectification

The data held by us on our Sites is provided by yourself. You can, free of charge, update this personal data regarding you at any point by logging in to our Sites. Feel free to contact us if you require assistance.

Right to object, right to erasure, and right to restrict processing

Subject to any relevant legal requirements and exemptions applicable to us, you may oppose to or limit the processing or personal data regarding you or request that certain personal data regarding you be deleted from our files.

Right to data portability

If you reside within the EU, you may also exercise the right of portability of personal data regarding you where the lawful basis for the processing is (i) (a) a contract or (b) your consent and (ii) by automated means. Please note that such a request could be limited to the sole personal data you provided us with or that we hold at that given time and subject to any relevant legal requirements and exemptions, including identity verification procedures.

Rights in relation to automated decision making and profiling

Our Sites do not perform any automated decision making or profiling.


The California Consumer Privacy Act of 2018 (“CCPA”) requires businesses to state in their privacy policy whether or not they disclose personal information in exchange for monetary or other valuable consideration. We do not sell your personal information for monetary or other consideration. While CCPA only covers California residents, when it goes into effect we will voluntarily extend its core rights for people to control their data to all of our users in the United States, not just those who live in California.

You can learn more about the CCPA and how we comply with it here:

Our disclosure of Personal Data regarding you and other information

Semmle is not in the business of selling personal data regarding you. We consider this information to be a vital part of our relationship with you. There are, however, certain circumstances in which we may share personal data regarding you with certain third parties whether located inside or outside of the European Union and European Economic Area, as set forth below.

We will perform any cross-borders transfer in compliance with applicable privacy and data protection regulations, including the GDPR. Where mandated by applicable law, to ensure that personal data regarding you receives an adequate level of protection, we implement the appropriate measures to ensure that personal data regarding you is processed across our affiliated entities, including GitHub, Inc., and by the following third parties in a way that is consistent with and which respects the applicable privacy and data protection laws. Measures include Data Processing Agreements (“DPAs”) and EU Standard Contract Clauses.

Business transfers

As we develop our business, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, personal data may be part of the transferred assets.

Corporate affiliates

We may also share personal data regarding you with our corporate affiliates, including GitHub, Inc., for purposes consistent with this Privacy Policy.

Agents, consultants and related third parties

Semmle, like many businesses, sometimes hires other companies to perform certain business-related functions. Examples of such functions include maintaining databases. When we employ another entity to perform a function of this nature, we only provide them with the information that they need to perform their specific function.

Legal requirements

Semmle may disclose personal data regarding you if required to do so by law or in the good faith belief that such action is necessary to (i) comply with legal process, applicable laws or government requests; (ii) enforce our Terms of Service; or (iii) protect the rights, property, or personal safety of Semmle, its users or the public.


Our Sites are designed for adult user interaction. Semmle does not knowingly collect personal data regarding children under the age of 13, or other minimum age for providing consent to data collection under local law. We encourage parents and legal guardians to monitor their children under the age of 13's internet usage and to help enforce our Privacy Policy. If you have reason to believe that a child under the age of 13 has provided personal data to Semmle through the Sites, please contact us, and we will endeavour to delete that information from our databases.

Links to other websites

This Privacy Policy applies only to the Sites. Our Sites may contain links to other web sites not operated or controlled by Semmle (the "Third Party Sites"). The policies and procedures we described here do not apply to the Third Party Sites. The links from our Sites do not imply that we endorse or have reviewed the Third Party Sites. We take no responsibility whatsoever for the content or information practices of such Third Party Sites. We suggest contacting those sites directly for information on their privacy policies.


The security and confidentiality of personal data regarding you is important to us. Semmle implements appropriate physical, administrative, and technical measures and safeguards designed to protect the personal data provided via the Sites from loss, theft, misuse, and unlawful or unauthorized access, disclosure, alteration, or destruction. The Internet and any communication thereon cannot be guaranteed to be secure at all times, and we cannot ensure or warrant the security of any personal data you provide us through this technology. In particular, email sent to or from the Sites may not be secure. Therefore, you should take special care in deciding what information you send to us via email. Please keep this in mind when disclosing any personal data to Semmle via the internet.

Changes to Semmle's Privacy Policy

The Sites and our business may change from time to time. As a result, at times it may be necessary for Semmle to make changes to this Privacy Policy. Semmle reserves the right to update or modify this Privacy Policy at any time and from time to time. We will post the revised version on the Sites, with an updated revision date. Please review this Privacy Policy periodically, and especially before you provide any personal data. This Privacy Policy was last updated on the date indicated below. Where such changes to our Privacy Policy are substantial, we will also notify you by other means prior to the changes taking effect, such as by sending you an email notification. Your continued use of the Sites after any changes or revisions to this Privacy Policy shall indicate your acceptance of the terms of such revised Privacy Policy.

Contacting us

To keep personal data regarding you accurate, current, and complete, or more generally if you would like to make a request according to your rights above or to enquire about our privacy practices, please contact us as specified below. We will take steps to update or correct personal data in our possession that you have previously submitted via the Sites. Please also feel free to contact us if you have any questions about Semmle's Privacy Policy or the information practices of the Sites.

Please contact us at or at Privacy Team, Semmle Ltd, Blue Boar Court, 9 Alfred Street, Oxford, Oxfordshire, OX1 4EH with any questions regarding this Privacy Policy. You can also use this address to contact our Data Protection Officer.

Filing a complaint

If you are unhappy about any part of this Privacy Policy, please contact our Data Protection Officer by sending a message to You can file a complaint with a data protection authority or a Court of competent jurisdiction. If you reside within the European Union, a list of national data protection authorities can be found here:

History of this Privacy Policy

This policy was last modified on 25 November 2019. Here's what changed:

  • Add notice of acquisition by GitHub
  • Removed mentions of webinars
  • Clarify use of storing contact details for marketing
  • Remove mentions of HubSpot, and replace with Eloqua
  • Add CCPA details
  • Explicitly mention GitHub, Inc. in a number of places.

23 August 2019:

  • Added head office address
  • Removed technologies/companies we no longer use
  • Clarify use of cookies to separate service cookies from analytics
  • Added choices regarding cookies
  • Added our legal basis for processing personal data
  • Added our disclosure of personal data regarding you and other information
  • Added section on business transfers
  • Clarify how we handle changes to our privacy policy

15 May 2019:

  • Added information about Zoom webinars

5 April 2019:

  • Clarify that Semmle's website includes subdomains

14th January 2019:

  • Added link to Semmle's Recruitment Privacy Policy

20 August 2018:

  • Added information about Hubspot tracking

21 June 2018:

  • Updated third party processors

25 May 2018:

  • Explicitly state the lawful basis upon which Semmle processes user data, and mention the rights of individuals under the GDPR.
  • Add information about third party processors
  • Provide additional information about how we process data about customer contacts and sales leads
  • Clarify position on analytics

Get started

Please provide your contact information below, and we will follow up shortly.

Semmle uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, please review our privacy policy and our terms of use.