GitHub updates Copilot policy to train on Free, Pro, and Pro+ interactions

• GitHub says that starting April 24, 2026, Copilot interaction data from Free, Pro, and Pro+ accounts can be used to "train and improve AI models" unless users opt out in Privacy settings, while Business and Enterprise data stays excluded according to GitHub policy.
• The policy covers more than prompts alone: GitHub's policy update lists inputs, outputs, accepted code, file names, comments, surrounding code context, interactions, and feedback.
• GitHub says prior opt-outs are preserved, but the HN thread summary and user comments show some developers were surprised the training setting was already enabled by default on their accounts.
• In the thread discussion, engineers focused on boundary risks around mixed personal and work usage, with one commenter warning there is "no way to ignore sensitive files" in normal Copilot IDE use.

GitHub's policy update makes the scope explicit: for individual paid and free tiers, Copilot interaction data will be used for model improvement by default unless the user disables "Allow GitHub to use my data for AI model training" under Privacy. The same post says Business and Enterprise customers are not included, and that previously saved opt-out choices will carry forward.

The data boundary is broad. According to the HN summary, it includes prompts, code context, outputs, and feedback; GitHub's own list also names accepted suggestions, comments, file names, and interaction metadata. GitHub says the data may be shared with affiliates such as Microsoft, but not third parties, as described in the policy post.

In the discussion roundup, one user said the training toggle was "enabled by default," and another said they "just checked" and found sharing was on. That reaction matters because many engineers use the same GitHub identity across hobby repos, side projects, and employer-adjacent work.

The thread also surfaces a more operational concern: whether sensitive code or secrets can be exposed through ordinary Copilot usage. One commenter argued there is "no way to ignore sensitive files with API keys" in the IDE flow, as quoted in the thread summary, while another questioned how confidently enterprises can separate corporate IP from personal-account activity when only Business and Enterprise plans are excluded.