How to Configure GitHub Copilot Privacy: Step by Step Guide
Once you enable GitHub Copilot for a team, the configuration questions come fast. What data leaves the IDE? Which repos should be off-limits to suggestions? What happens when a suggestion matches public code? Whether you are a developer managing your own setup or an admin rolling Copilot out across an organization, understanding the privacy and safety surface is part of using the tool well. This step-by-step guide walks you through how Copilot handles your data and how to configure privacy settings, content exclusions, and safeguards like the duplication filter. It also covers how to troubleshoot the most common issues when things stop working.
What You Will Learn:
- How GitHub Copilot handles your data and what counts as interaction data
- How to opt out of model training on individual plans
- How to configure content exclusions at repo and organization level
- How the duplication filter and IP indemnity work
- How to manage Copilot policies and troubleshoot common issues
How GitHub Copilot Handles Your Data
Copilot sends a snapshot of the surrounding code context to GitHub's servers whenever you type in your IDE. The model processes that context and returns a suggestion. This is the interaction data that powers the experience. For individual plan users (Free, Pro, and Pro+), GitHub's Privacy Statement permits this interaction data to be used for model training. Users can opt out at any time through their personal privacy settings. Business and Enterprise plans operate under separate contractual terms that exclude interaction data from training entirely with no user action required.
| Dimension | Free / Pro / Pro+ | Business | Enterprise |
|---|---|---|---|
| Used for model training | Opt-out required | No. Contractually excluded | No. Contractually excluded |
| Private repo code at rest | Not used | Not used | Not used |
| Content exclusions | Not available | Repo and org level | Enterprise-wide |
| IP indemnity | Not included | Yes, with duplication filter enabled | Yes, with duplication filter enabled |
| Admin controls | Individual only | Org-level policies | Enterprise-wide policy inheritance |
When you use Copilot, the system collects several types of data: inputs and prompts (commands or questions sent to Copilot chat or the CLI), outputs (code suggestions or text responses including whether you accepted or rejected them), code context (code snippets surrounding your cursor and the contents of open files), metadata and structure (file names, repository structure, navigation patterns), and user feedback (thumbs up or down ratings and comments). Private repository code stored at rest is not used, but interaction data generated while actively using Copilot in a private repository can be used for training unless you opt out.
Step 1: Configure Privacy Settings on Individual Plans
Navigate to your GitHub Settings page. Under the Copilot section, find the setting labeled Allow GitHub to use my data for AI model training and set it to Disabled. This opt-out applies immediately to future data collection and does not reduce Copilot functionality. However, GitHub cannot guarantee the removal of data already used in prior training, so previously collected data may remain in existing training sets. Business and Enterprise users are already contractually excluded from model training and do not need to change any settings.
Org and Enterprise Policies Override Individual Preferences
Org Settings, then Copilot, then Policies lets you manage feature toggles, seat assignments, and model selection for all members. Org-level policies override individual preferences, so any setting you configure here applies across the board. Enterprise owners can set policies that inherit across multiple orgs and audit the current state from a single dashboard.
Step 2: Set Up Content Exclusions
You can decide not to allow Copilot to access certain content. For excluded files, inline suggestions will not be available, their content will not be used to offer suggestions in other files, their content will not be used for Copilot Chat responses, and Copilot code review will not be done on those files. Exclusions can be configured by repository administrators, organization owners, and enterprise owners.
At the repo level, go to Settings, Copilot, Content Exclusion and specify paths using glob patterns. Common patterns include **/secrets/** to exclude any path containing a secrets directory and *.env to exclude all environment files. The REST API gives you a programmatic option if you are managing exclusions across many repos. At the org level, the path is Org Settings, Copilot, Content Exclusion. Rules set here apply across all repos in the org. Org-level and repo-level rules are additive, so both apply simultaneously. Enterprise-level rules take precedence over org and repo-level rules.
```
# Exclude all files in any secrets directory
**/secrets/**
# Exclude environment variable files
*.env
# Exclude specific file types
*.pem
*.key
*.cert
# Exclude an entire directory
/scripts/deploy/**
/config/production/**
```
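An added example (not from the original guide or from GitHub): a local check that runs the patterns listed above over a repository's file list and reports sensitive-looking files that no rule covers. The matching semantics in `glob_to_regex`, the `SENSITIVE` heuristic and the sample paths are assumptions constructed for illustration; GitHub's own matcher may differ in edge cases.

```python
import re

# Patterns copied from the exclusion list above.
PATTERNS = ["**/secrets/**", "*.env", "*.pem", "*.key", "*.cert",
            "/scripts/deploy/**", "/config/production/**"]

# Hypothetical heuristic for "this file probably holds credentials".
SENSITIVE = re.compile(r"\.env(\.|$)|\.(pem|key|crt|cert|p12)$|(^|/)secrets/")

# Constructed sample of repo-relative paths (in practice: output of `git ls-files`).
SAMPLE_PATHS = ["app/secrets/db.yml", "config/prod.env", ".env.local",
                "certs/server.crt", "certs/server.pem",
                "scripts/deploy/release.sh", "tools/scripts/deploy/release.sh",
                "src/main.py"]

# Glob tokens and their regex equivalents, longest token first.
TOKENS = (("**/", "(?:.*/)?"), ("**", ".*"), ("*", "[^/]*"), ("?", "[^/]"))

def glob_to_regex(pattern):
    """Assumed semantics: a leading "/" anchors at the repo root, other
    patterns match at any depth, "*" stays inside one path segment and
    "**" crosses segments."""
    anchored = pattern.startswith("/")
    body = pattern.lstrip("/")
    i, out = 0, []
    while i < len(body):
        for token, rx in TOKENS:
            if body.startswith(token, i):
                out.append(rx)
                i += len(token)
                break
        else:  # no glob token here: match the character literally
            out.append(re.escape(body[i]))
            i += 1
    return re.compile("^" + ("" if anchored else "(?:.*/)?") + "".join(out) + "$")

def audit(paths, patterns=PATTERNS):
    """Return ({path: first matching rule}, [sensitive paths with no rule])."""
    rules = [(p, glob_to_regex(p)) for p in patterns]
    covered, gaps = {}, []
    for path in paths:
        hit = next((p for p, rx in rules if rx.match(path)), None)
        if hit:
            covered[path] = hit
        elif SENSITIVE.search(path):
            gaps.append(path)
    return covered, gaps

if __name__ == "__main__":
    covered, gaps = audit(SAMPLE_PATHS)
    print("covered:", covered)
    print("gaps:", gaps)
```

On the sample, `.env.local` and `certs/server.crt` come back as gaps because `*.env` and `*.cert` do not match them, and `tools/scripts/deploy/release.sh` is not covered because `/scripts/deploy/**` is anchored at the repository root.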
Testing Content Exclusions
After adding or changing content exclusions, it can take up to 30 minutes to take effect. To apply changes immediately: in VS Code, open the Command Palette and run Developer: Reload Window. In JetBrains IDEs and Visual Studio, close and reopen the application. To test: open the excluded file and ask Chat to explain this file. If Chat provides a meaningful response about the file content, the exclusion is not applied.
Step 3: Understand the Duplication Filter and IP Indemnity
When Copilot generates a suggestion, it runs a filter against known public code. If the suggestion matches a public repository above a similarity threshold, the suggestion is either blocked or flagged with attribution. When you accept the suggestion, Copilot logs the date and time of acceptance, the file where the suggestion was added, an extract of the code that was added, and the license and URL of the code source.
The duplication filter matches verbatim and near-verbatim matches, not conceptual similarity. Short snippets and common patterns that are too generic are not flagged. Code that was restructured or partially modified from a source is also not caught. For full IP protection, GitHub offers IP indemnity to Copilot Business and Enterprise customers. If a suggestion triggers an IP claim, GitHub covers the legal defense. Two conditions apply: the duplication filter must be enabled and you must be on an eligible plan. Free and Pro users are not covered.
Step 4: Manage Copilot Policies on GitHub.com
The Copilot policy page on GitHub.com is where org and enterprise admins control what Copilot can do across the team. Admins can toggle code completions, Chat, code review, the GitHub CLI integration, and agent mode independently. This granularity matters if you want to roll out features progressively or restrict certain capabilities for specific teams.
Feature Toggles
Toggle code completions, Chat, code review, GitHub CLI integration, and agent mode independently. Roll out features progressively or restrict capabilities for specific teams based on their maturity and requirements.
Allowed AI Models
Restrict which underlying models are available to the org. Lock it to a specific model or allow all options and let developers choose. For government and regulated environments, FedRAMP-compliant model options are available.
Audit and Compliance
Usage metrics including completion rates, active user counts, and feature and model trends are available under the Insights tab at enterprise and organization level. The Copilot usage metrics policy must be enabled before the dashboard is accessible.
Seat Assignment
Control which members get access and assign seats by user or by group. Seat and license data live under Org Settings, Copilot, Access, separate from usage metrics.
Step 5: Troubleshoot Common Copilot Issues
When Copilot stops working, the cause is almost always one of a few common issues. Work through these before opening a support ticket.
- Missing or stopped suggestions: Start with the Copilot status icon in your IDE status bar. A diagonal line through the icon means a content exclusion is active. Update your IDE and the Copilot extension. Verify your subscription is active and check content exclusion rules. Proxy and VPN configurations are a common silent blocker.
- Authentication issues: Sign out via the Accounts icon, reload the window (F1 then Developer: Reload Window in VS Code), then sign back in.
- Rate limiting: Switch to Auto model selection or a model with a smaller multiplier.

Check githubstatus.com before spending time debugging locally.
1. Check the Copilot status icon in your IDE status bar
   - Diagonal line = content exclusion active on current file
2. Update your IDE and Copilot extension to latest version
3. Verify subscription is active and seat is assigned
4. Check content exclusion rules for the current file and repo
5. Test network connection and corporate proxy/VPN settings
6. Sign out and sign back in to refresh authentication
7. Reload the IDE window (Ctrl+Shift+P -> Developer: Reload Window)
8. Switch to Auto model selection if rate limited
9. Check githubstatus.com for service outages
Content Exclusion Limitations
As of mid-2026, three Copilot features do not support content exclusions: Copilot CLI, Copilot coding agent (cloud-based autonomous agent), and Agent mode in Copilot Chat in IDEs. If you are seeing unexpected file access in any of these, that is not a misconfiguration. Additionally, semantic leakage means type information and hover definitions from excluded files can still inform suggestions indirectly. Symlinks and remote filesystems are not covered either.
Frequently Asked Questions
Does GitHub Copilot send my private repository code to GitHub's servers?
Copilot sends the immediate code context from your open editor to GitHub's servers to generate a suggestion. It does not pull code from private repositories sitting at rest on GitHub. Interaction data includes prompts, code context, metadata, and user feedback, which on individual plans may be used for model training unless you opt out.
How do I stop GitHub from using my Copilot data for model training?
Go to GitHub Settings, then Copilot, and turn off Allow GitHub to use my data for AI model training. This opt-out applies immediately to future data collection. Copilot Business and Enterprise users are automatically excluded from training data use and do not need to change any settings.
What is a content exclusion and how do I set one up?
A content exclusion is a rule that prevents Copilot from reading or generating suggestions from specific files or paths. Configure it at the repo level under Settings, Copilot, Content Exclusion using glob patterns like *.env or /secrets/. Organization owners can set exclusions that apply across all repos. Enterprise-level rules take precedence over org and repo-level rules.
Does agent mode respect content exclusion rules?
No. As of mid-2026, Copilot agent mode, Cloud Agents, and Copilot CLI do not respect content exclusion rules. Only inline completions, Copilot Chat in IDEs, and Copilot code review respect exclusions. If you are seeing unexpected file access in agent mode, that is not a misconfiguration.
What is GitHub Copilot IP indemnity and who gets it?
IP indemnity means GitHub covers legal defense costs if a Copilot suggestion triggers an intellectual property claim. It is available to Copilot Business and Copilot Enterprise customers with two conditions: the duplication filter must be enabled and the suggestion must be unmodified. Free and Pro plan users are not covered.
About the author
Co-founder & AI Practice Lead, Braincuber Technologies
Co-founder at Braincuber. Builds production AI agents (Anthropic Claude, OpenAI, AWS Bedrock) for US fintech, healthcare, and retail clients with SOC 2 Type II / HIPAA-scope deployments. Joins every architecture review personally.
