Is GitHub Copilot safe with your data?

GitHub Copilot

GitHub (Microsoft)

66/100

Partial disclosure · medium confidence

Partly. GitHub Copilot earns a C (66/100) for what it discloses about your data: the statement uses Personal Data, including code, inputs, and AI outputs, to develop and improve artificial intelligence and machine learning technologies, including training models, under legitimate interests.

Dealbreaker flag

The governing GitHub General Privacy Statement processes user content, including code, inputs, and AI outputs, to train AI and machine-learning models under legitimate interests, applying de-identification only where feasible, with no named consumer training opt-out in the captured text.

#32

of 69 apps ranked

score · Coding avg 54

+12

vs category average

Grade scaleA · 85–100B · 70–84C · 55–69D · 40–54F · 0–39

GitHub Copilot runs under a detailed Microsoft and GitHub privacy statement that meets GDPR standards. It gives users the full set of data-subject rights, names standard contractual clauses and Data Privacy Framework safeguards for international transfers, and states data categories and legal bases clearly. The same statement says it uses user content, including code, inputs, and AI outputs, to train AI and machine learning models under legitimate interests. De-identification applies only where feasible, the captured text names no consumer training opt-out, and retention is described only in vague terms with no day count or deletion timeline.

What GitHub Copilot's privacy policy says about your data

Trains on user content, opt-out not named

The statement uses Personal Data, including code, inputs, and AI outputs, to develop and improve artificial intelligence and machine learning technologies, including training models, under legitimate interests. Aggregation and de-identification apply only where feasible, and no consumer mechanism is named to exclude inputs from training.

Full set of data-subject rights

Users can access, rectify, erase, restrict, object, withdraw consent, and request portability in a machine-readable format by emailing privacy at github. The statement names a DPO and a right to complain to a Data Protection Authority.

Strong international transfer safeguards

Transfers from the EU, UK, and Switzerland rely on the European Commission standard contractual clauses under Decision 2021/914, and GitHub certifies to the EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Framework under FTC enforcement.

Retention stays vague

Data is kept as long as the account is active and as needed for contractual, legal, and dispute purposes. US-state text mentions brief retention terms by design, and the governing statement gives no day count or deletion timeline.

What the policy is silent or vague on

Doesn't clearly: keeps user inputs out of model training, or makes training opt-in
Doesn't clearly: names a way to opt out of or into training
Doesn't clearly: says whether training use differs by plan or tier
Doesn't clearly: states a deletion timeline after closure or request

GitHub Copilot privacy rating

Training-data use1 of 4 disclosed

Keeps user inputs out of model training, or makes training opt-inAdverse

Names a way to opt out of or into trainingSilent

Says whether training use differs by plan or tierSilent

Lets the user keep ownership of generated outputsDisclosed

Data-subject rights5 of 5 disclosed

Grants a right to access your dataDisclosed

Grants a right to delete your dataDisclosed

Offers data portability in a usable formatDisclosed

Grants a right to correct your dataDisclosed

Grants a way to object to or opt out of processingDisclosed

Retention and deletion1 of 4 disclosed

States a retention period for your dataDisclosed

States a deletion timeline after closure or requestSilent

Sets a shorter retention for AI conversation logsDisclosed

Commits to collecting only the data it needsDisclosed

Third-party sharing5 of 5 disclosed

Lists the categories of third parties it shares withDisclosed

References a sub-processor list or data processing agreementDisclosed

Does not sell or share data for advertising, or offers opt-outDisclosed

Names a safeguard for international data transfersDisclosed

States a standard for government and law-enforcement accessDisclosed

Transparency4 of 4 disclosed

Discloses that you are interacting with AIDisclosed

Marks AI-generated or synthetic outputNot applicable

Enumerates the categories of data it collectsDisclosed

Maps processing purposes to legal basesDisclosed

Is versioned and dated, with change noticeDisclosed

Sensitive data and children1 of 2 disclosed

Discloses automated decisions and a human-review pathNot applicable

Limits the use of special-category dataDisclosed

Governs biometric data specificallyNot applicable

States protections for children's dataDisclosed

Security and accountability1 of 3 disclosed

Describes its security safeguardsDisclosed

Commits to breach notificationDisclosed

Names a certification or a privacy contactDisclosed

DisclosedPartialSilentAdverseNot applicable

Details

Category: Coding
Modalities: text
Processes biometrics: No
Policy last updated: 2026-04-27
Region scored: Global / US-default
Assessed: 2026-06-20

Read GitHub Copilot's privacy policy

Other coding apps

OpenHandsD

Each grade reflects our analysis of what an app states in its public privacy policy and terms as of the assessment date. It measures the transparency of those documents, not the company's actual data practices, security, or compliance. Grades are our opinion, offered for general information. Full disclaimer.