Visual Studio Family Data Subject Requests for the GDPR and CCPA

The European Union General Data Protection Regulation (GDPR) gives rights to people (known in the regulation as data subjects) to manage their personal data. Personal data is defined broadly under the GDPR as any data that relates to an identified or identifiable natural person. The GDPR gives data subjects specific rights to their personal data; these rights include obtaining copies of personal data, requesting corrections to it, restricting the processing of it, deleting it, or receiving it in an electronic format. A formal request by a data subject to a data controller (an employer or other type of agency or organization that has control over personal data) to take an action on that data subject's personal data is called a data subject request or DSR.

Similarly, the California Consumer Privacy Act (CCPA), provides privacy rights and obligations to California consumers, including rights similar to GDPR's Data Subject Rights, such as the right to delete, access, and receive (portability) their personal information. The CCPA also provides for certain disclosures, protections against discrimination when electing exercise rights, and "opt-out/ opt-in" requirements for certain data transfers classified as "sales". Sales are broadly defined to include the sharing of data for a valuable consideration. For more information about the CCPA, see the California Consumer Privacy Act and the California Consumer Privacy Act FAQ.

For general information about GDPR, see the GDPR section of the Service Trust portal.

Products covered by this guide

This guide discusses how to use Microsoft tools to export or delete personal data collected during authenticated (signed-in) session usage of Visual Studio and Visual Studio for Mac (through December 2024), as well as for Microsoft extensions for these products. This guide also covers how to make data subject requests for personal data collected when using Visual Studio Developer Community, NuGet.org, and the ASP.NET website. These products may enable the use of non-Microsoft tools and extensions, and Microsoft is not a data processor or controller for these tools and extensions. Users should contact the tool or extension provider to understand the personal data and collection policies for these tools and extensions.

• For Azure DevOps, see Azure DevOps Services Data Subject Requests for the GDPR and CCPA.
• For Visual Studio Code, see GDPR and VS Code.

Additional privacy information

The Microsoft Software License Terms accompanying the products, the Microsoft Privacy Statement, and Microsoft's GDPR Commitments describe our data processing practices.

Visual Studio and Visual Studio for Mac

Personal data we collect

As a data processor under the GDPR, Microsoft collects the data we need from users to provide experiences for and improve Visual Studio and Microsoft extensions for Visual Studio. (We also collect telemetry data for Visual Studio for Mac through December 2025.) There are two categories of data: customer data and system-generated logs. Customer data includes user-identifiable transactional and interactional data that these products need to perform the service they provide. For example, to provide users with personalized experiences such as roaming settings, we need to collect user account information and settings data. System-generated logs are usage or diagnostic data that are used to help identify and troubleshoot problems and improve our products and services, and may also contain identifiable information about end users, such as a user name. System-generated logs are retained for no more than 18 months. As an example, system-generated logs are aggregated for each day of product usage and include the usage date, the product used (for example, "Visual Studio 2022"), the action you took (for example, "vs/core/packagecostsummary/solutionload"), and the number of times the action was taken, as shown in this sample:

{Time":"2/23/2018 12:00:00 AM","AppName":"Visual Studio 2017","Action":"vs/core/packagecostsummary/solutionload","Target":"1 times",
"DevicePlatform":"Windows 10 Enterprise","IP":null,"InputMethod":null,
"SearchTerm":null,"SearchResult":null}

{Time":"2/23/2018 12:00:00 AM","AppName":"Visual Studio 2017","Action":"vs/ide/connected/accountmanagement/account","Target":"1 times",
"DevicePlatform": "Windows 10 Enterprise","IP":null,"InputMethod":null,
"SearchTerm":null,"SearchResult":null}

{"Time":"2/27/2018 12:00:00 AM","AppName":"Visual Studio 2017","Action":"vs/core/perf/satellitepagefileusage","Target":"23 times",
"DevicePlatform":"Windows 10 Enterprise","IP":null,"InputMethod":null,
"SearchTerm":null,"SearchResult":null}

For more information, see System-generated logs collected by Visual Studio.

Only personal data that is attached to authenticated identities can be serviced by a DSR. So, for example, because Visual Studio Code does not support sign-in, system-generated logs from it are not attached to an authenticated identity and cannot be serviced. For more information, see GDPR and Visual Studio Code. In general, we do not store data for Visual Studio 2013 and earlier; however, certain extensions and components may provide data attached to authenticated identities and can be serviced by a DSR as outlined below.

How users can control personal data

Visual Studio 2015 and later, Visual Studio for Mac, and Visual Studio Code provide the following means for your users to stop data collection. In addition, Visual Studio and Visual Studio for Mac allow you as controller to export, or delete data that has already been gathered.

In-app settings

Users can control the privacy settings for these products. For more information, see the following

• How to manage privacy settings in Visual Studio.
• How to manage privacy settings in Visual Studio for Mac.
• How to disable telemetry reporting in Visual Studio Code.

Exporting or deleting data

Controllers can manage customer data and system-generated logs collected from their data subjects by one of two methods, depending upon how their Visual Studio Family product or Microsoft extensions were registered. In some cases, both methods must be used. Both methods allow Controllers to download a copy of their activity history managed by that method. Closure of an AAD or MSA account deletes associated Visual Studio customer data, and anonymizes personally identifiable data in system-generated logs pertaining to these products. Anonymized system-generated logs are retained for no more than 18 months.

• Users that have registered a Visual Studio Family product (excluding VS Code) by using an account that is backed by an Azure tenant, for example, AAD account or MSA account associated with an Azure subscription, can follow the instructions in Azure Data Subject Requests for the GDPR.
• Users that have registered a Visual Studio Family product (excluding VS Code) without an account that is backed by an Azure tenant, for example many accounts using a Microsoft Account (MSA), can use the web-based Microsoft Privacy Response Center available through their Microsoft account to view, control, and delete activity data tied to their Microsoft account across multiple Microsoft services. In this scenario, the user is a controller for their own personal data.

Note

When an MSA account holder deletes their account, all their personally identifiable data pertaining to these products is deleted, whether the account is backed by an Azure tenant or not, and system-generated logs are anonymized.

For Visual Studio 2013, the data we collect is anonymized. For Visual Studio 2012 and prior releases, we immediately delete the data upon receipt. In both cases, there is nothing to view, export, or delete at a later time.

Visual Studio Developer Community

We support General Data Protection Regulation (GDPR) requests through the Developer Community website. You can View, Export, or Delete your feedback data. For more information, see Developer Community GDPR Data Subject Request processing.

NuGet

For more information on DSR for NuGet.org, see NuGet User Data Requests.

ASP.NET

For information on DSR for the ASP.NET website, see The ASP.NET Website and GDPR Data Subject Request processing.

IIS.NET

For information on DSR for the IIS.NET website, see The IIS.NET Website and GDPR Data Subject Request processing.

Feedback mechanisms used by Visual Studio Family Services

Survey Monkey

From time to time, we invite customers to provide feedback on these products via Survey Monkey. This data is deleted from Survey Monkey within 28 days. Microsoft may retain this data internally for up to 18 months. If survey responses are authenticated, then we include them in export and delete data subject requests when servicing data subject requests for these products.

Usabilla (Get Feedback)

Data is deleted within a month.

Qualitrics

Qualtrics provides the ability to request data subject requests from within the tool.

Learn more

• Microsoft's GDPR Commitments to Customers of our Generally Available Enterprise Software Products
• Microsoft Trust Center
• Service Trust portal
• Microsoft Privacy Dashboard
• Microsoft Privacy Response Center
• Azure Data Subject Requests for the GDPR