⚠ Key Privacy Concerns

Three verified points drive this score. GitHub's Copilot documentation states that from April 24, 2026, interactions on Copilot Free, Pro, Pro+, and Max plans, including inputs, outputs, and code snippets, may be used to train and improve AI models unless the user opts out. The Privacy Statement (effective April 27, 2026) states personal data may be shared with GitHub affiliates, including Microsoft, for purposes that include training and improving artificial intelligence and machine learning technologies. And the collection list expressly reaches code, inputs, and AI outputs. On the favorable side, prompts for code completions are described as encrypted in transit and deleted once suggestions are generated, subject to listed exceptions. Automated assessment, as of July 8, 2026; verify the current sources.

Data They Collect

What GitHub's published documents describe collecting from your development environment and account. Automated assessment, as of July 8, 2026.

📊 Data Collection Scope (25%) 32/100

What the Privacy Statement lists: account data (handle, name, email, payment and transaction information); user content and files, described as "code, inputs, AI outputs, text, documents, images, or feedback"; profile information; demographic details you provide; feedback and support data; and automatically collected service usage information including IP address, device information, and session details. For Copilot itself, prompts include the code and supporting context your editor sends.

👥 Third-Party Sharing (20%) 35/100

Who the policy says can get your data: GitHub affiliates, including Microsoft, for purposes the statement lists as including product development and improvement (with AI training named), marketing, billing, support, and legal compliance; subprocessors and service providers (hosting, marketing, analytics, support, payment, security); and competent authorities on lawful requests.

🕐 Retention & Deletion (20%) 38/100

How long: as long as the account is active, plus what is needed for legal obligations, disputes, and enforcement. After termination, the Terms of Service describe deleting the full profile and repository content within 90 days, barring legal requirements, with some information remaining in encrypted backups. Copilot completion prompts are described as deleted once suggestions are generated, except for listed retention cases.

☑ User Control & Consent (15%) 40/100

Your controls: an "Allow GitHub to use my data for AI model training" toggle (the documented default from April 24, 2026 is that individual-plan interactions may be used unless you opt out), the "Suggestions matching public code" Allow/Block filter, and access, correction, deletion, and portability rights exercised through GitHub's privacy contact. The training default lands on, which is what caps this category.

🔒 Security & Breach (10%) 45/100

Security posture per the documents: the Privacy Statement describes appropriate administrative, technical, and physical controls; the Copilot terms describe prompts as encrypted in transit and not stored at rest without permission; and international transfers rely on EU standard contractual clauses and the Data Privacy Framework. This sub-score moved up from 38 in this refresh to reflect those verified statements.

🔍 Transparency & Access (10%) 32/100

Clarity: the operative rules sit across at least four documents (the Privacy Statement, the Terms of Service, the Copilot Product Specific Terms, and the Copilot settings documentation), and the April 24, 2026 training change lives in a docs page rather than the Privacy Statement itself. Individually the documents are readable; assembled, the data picture takes real work, which is what this category measures.

Compare With Other AI Services