Skip to main content

GitHub Copilot Business Privacy Statement

Effective Date: August 31, 2023

Use of GitHub Copilot Business is also subject to the GitHub Privacy Statement, the Acceptable Use Policies and the GitHub Copilot Business license terms.

What personal data does Copilot Business collect?

GitHub Copilot Business collects personal data from three categories of data: User Engagement Data, Prompts and Suggestions.

User engagement data

User engagement data is usage information about events generated when interacting with a code editor. These events include user edit actions (for example completions accepted and dismissed), error messages, and general usage data to identify user metrics such as latency and feature engagement. This information may include personal data, such as pseudonymous identifiers.

Prompts

A prompt is the collection of code and supporting contextual information that the GitHub Copilot extension sends to GitHub to generate suggestions. The extension sends a prompt when a user working on a file pauses typing, or uses a designated keyboard shortcut to request a suggestion.

Suggestions

A suggestion is one or more lines of proposed code and other output returned to the Copilot extension after a prompt is received and processed by the AI models that power Copilot.

How long does GitHub Copilot Business retain personal data?

User engagement data

User engagement data is retained by GitHub for 24 months.

Prompts

Prompts are discarded once a suggestion is returned.

Suggestions

Suggestions are not retained by GitHub.

What processing role does GitHub play with respect to personal data collected by GitHub Copilot Business?

For purposes of this section, we use “processor" in the meaning of the EU’s General Data Protection Regulation.

For enterprises using Copilot Business, GitHub acts primarily as a processor for personal data.

GitHub’s data protection commitments to our enterprise customers are laid out in GitHub’s Data Protection Agreement (“GitHub DPA”). Per the GitHub DPA, GitHub acts primarily as a processor (or subprocessor to enterprise customers who are processors) whenever it processes personal data to provide Copilot. “Providing” Copilot includes processing activities, such as delivering functional capabilities, troubleshooting, and making ongoing improvements.

GitHub processes personal data as a controller in limited, contractually agreed circumstances including billing and account management, and to produce aggregated reports for capacity planning, product development and regulatory financial reports.

How does Copilot Business use and share personal data?

Prompts and Suggestions are used only to provide the service and are not retained.

User Engagement Data is used by GitHub, and Microsoft to provide the service and to enable improvements. Such uses may include:

  • Evaluating GitHub Copilot, for example, by measuring the positive impact it has on the user
  • Fine tuning ranking and sorting algorithms and prompt crafting
  • Detecting potential abuse of GitHub Copilot or violation of Acceptable Use Policies.
  • Conducting experiments and research related to developers and their use of developer tools and services.

How can users of Copilot Business control use of their data?

User engagement data (which includes pseudonymous identifiers and general usage data), is required for the use of GitHub Copilot and will continue to be collected, processed, and shared with Microsoft when you use GitHub Copilot.

For more information on how GitHub processes and uses personal data, please see the GitHub Privacy Statement.