Which AI coding tools train on your code? A 2026 privacy guide
Whether an AI coding assistant trains on your code or keeps it private usually comes down to one thing: your subscription tier, not the tool. Here's a current, tier-by-tier breakdown of what GitHub Copilot, Cursor, Claude Code, ChatGPT and Gemini actually do with the code you send them — how to lock each one down, and when the only real guarantee is a local model.
AI coding assistants are the most useful new tool developers have adopted in years — and the fastest way to hand your employer's source code to a third party without noticing. The good news is that the privacy question has a surprisingly crisp answer, and it is almost never "which tool." It is which tier.
The short version: your subscription tier is your privacy policy
Across every major assistant, the same pattern holds: the free and personal consumer plans are the ones most likely to train on your input, while the business, enterprise and API tiers carry explicit no-training commitments. The tool is identical. The terms attached to your account are not. A developer using Claude Code on a personal Pro subscription to debug company code is on consumer terms; the same developer using Claude Code through their company's API is not.
So the single most important habit is boring but decisive: use the account your organization provides, on a commercial or enterprise plan, and never sign a work machine into a personal consumer subscription. Everything below is the detail behind that rule.
What actually happens to the code you send
When you accept a completion or ask an agent to refactor a file, that file (or a relevant slice of it, plus surrounding context) is transmitted to a cloud inference endpoint — GitHub/Microsoft, OpenAI, Anthropic, or Google — where a model generates the response. Two separate questions decide how private that is:
- Training. Is your input added to the data used to train future models? This is the one that permanently bakes a fragment of your code into a model other people use.
- Retention.How long is your input stored on the vendor's servers — for abuse monitoring, debugging, or legal reasons — even when it is not used for training?
"We do not train on your data" and "we do not retain your data" are different promises. The strongest tiers make both; consumer tiers often make neither by default.
Tool by tool (as of mid-2026)
Policies change — the dates and defaults below are current as of this writing and every claim links to the vendor's own documentation. Re-check the source before you rely on it, because these terms have moved more than once in the last year.
GitHub Copilot
On Copilot Business and Enterprise, GitHub does not retain prompts or suggestions and does not use your code to train models; it maintains no-training or zero-data-retention agreements with the providers it routes to. On the free/individual plan, a single setting — "Allow GitHub to use my code snippets" — governs whether your snippets feed product improvement; turn it off. You can also configure content exclusion to keep whole paths out of Copilot entirely. The catch worth internalizing: content exclusion does not apply in agent mode or the Copilot CLI— an agent can still read an "excluded" file by running cat or git show. See GitHub's Copilot Trust Center for the current commitments.
Cursor
Cursor's Privacy Mode is the whole ballgame. With it enabled — available on free and Pro, and on by default for Enterprise — your code is never used for training by Cursor or its model providers, under zero-data-retention agreements. With Privacy Mode off, Cursor's data-use policy says it may store and train on your codebase, prompts and editor actions. Two footnotes: codebase indexing uploads chunks to compute embeddings (the plaintext is discarded after the request, but embeddings and file metadata are stored), and a few newer models require provider-side retention and stay disabled until an admin approves them. Cursor is SOC 2 Type II.
Claude Code (Anthropic)
This is the one that changed most recently, and it trips people up. As of Anthropic's August 2025 consumer-terms update, the consumer plans (Free, Pro, Max) — including Claude Code used from those accounts — will train on your chats and coding sessions unless you opt out, and leaving the setting on extends data retention to five years (opting out keeps the previous 30-day window). The commercial plans (Team, Enterprise, the API, Bedrock, Vertex) are not trained on by default, per the Claude Code data-usage docs. One more detail: Claude Code caches session transcripts in plaintext under ~/.claude/projects/, so treat your own disk as part of the threat model too.
ChatGPT and the OpenAI API
In consumer ChatGPT (Free, Plus, Pro), pasted code can be used to train OpenAI's models unless you turn off "Improve the model for everyone" or use a Temporary Chat. ChatGPT Team, Enterprise, Edu and the API do not train on your inputs by default (the API has not since March 2023). A retention nuance worth knowing: during the New York Times lawsuit, OpenAI was under a court order to retain even deleted and temporary consumer/API content; that specific obligation ended in September 2025, and standard 30-day deletion resumed. "Delete" is only ever as durable as the current legal weather.
Google Gemini
Consumer Gemini appskeep your activity and may use it — including human review — to improve Google's products unless you turn off Gemini Apps Activity. On the paid Gemini API through Google Cloud / Vertex AI, Google commits not to use your prompts or responses to train its models; the free AI Studio tier is treated more like a consumer product, so read its terms before pasting anything sensitive.
Devin, Amazon Q, JetBrains AI and the rest
Agentic tools like Devin and enterprise assistants like Amazon Q Developer and JetBrains AI each publish their own terms, but the tier logic is the same everywhere: check whether your specific plan carries a no-training commitment and a defined retention window, and default to the business or enterprise tier for anything proprietary. If a tool cannot tell you plainly whether it trains on your input, treat that as a "yes."
The comparison table
The same information, at a glance. "Trained on by default" means what happens if you install the tool, sign in, and change no settings.
| Tool / tier | Trained on by default? | How to keep it private | Typical retention |
|---|---|---|---|
| Copilot — Individual/Free | Possible (snippet setting) | Turn off "use my code snippets" | Vendor-defined |
| Copilot — Business/Enterprise | No | Default; add content exclusion | Not retained (ZDR) |
| Cursor — Privacy Mode on | No | Default; enforce org-wide | Zero (ZDR) |
| Cursor — Privacy Mode off | Yes | Enable Privacy Mode | Stored |
| Claude Code — Free/Pro/Max | Yes (opt-out) | Opt out of model training | 5 years on / 30 days off |
| Claude Code — Team/Enterprise/API | No | Default; ZDR for eligible Enterprise | ~30 days |
| ChatGPT — Free/Plus/Pro | Yes (opt-out) | Turn off training or use Temporary Chat | ~30 days after delete |
| ChatGPT Team/Enterprise + API | No | Default; ZDR endpoints for API | ~30 days / zero (ZDR) |
| Local model (Ollama, Tabby, llama.cpp) | No (no egress) | Default — nothing leaves the device | None (local only) |
The agent-mode gap nobody puts on the pricing page
Content-exclusion and file-ignore features were built for the old world of inline completions and chat. In agent mode, an assistant calls tools — it reads files, greps the tree, runs shell commands — and those code paths often bypass the platform's exclusion rules. If you block a file from completions but the agent can still git show it, the file is not actually protected. Two practical consequences:
- Secrets in context are secrets sent. An agent that reads a
.env, a config file, or a log with a token in it has just put that secret in a prompt. Keep credentials out of the working tree, not just out of git. - Prompt injection is real. Instructions hidden in a README, a dependency, or a pasted issue can steer an agent into reading and exfiltrating data. The more autonomy you grant, the more this matters.
The only real guarantee: run it locally
Every cloud tier above is a promise about what a company will and will not do with code you nonetheless sent them. If your requirement is that the code never leaves your machine, no promise is equivalent to no transmission. That is what a local model gives you:
- Ollama or LM Studio + Continue. A local runtime serving an open-weight model, wired into VS Code or JetBrains via the Continue extension. Inference happens on your hardware.
- Tabby. A self-hosted completion server you can run on a workstation or an on-prem box for a whole team.
- llama.cpp. The low-level runtime under much of the local-model ecosystem, if you want maximum control.
The trade is real — a 7-to-70-billion-parameter local model is not frontier-class, and you supply the GPU or the patience. But the privacy guarantee is absolute and, crucially, verifiable: open your network monitor, use the assistant, and confirm zero outbound requests. That is the exact test we recommend for any tool that claims to be private — the same one we invite you to run on this site's tools.
A decision framework by data sensitivity
You do not need the strictest option for everything. Match the tier to what the code actually is:
| What you are working on | Minimum safe option |
|---|---|
| Regulated or classified data (HIPAA, ITAR, trading systems) | Local model only — no third party |
| Core IP, trade secrets, pre-patent work | Local, or self-hosted / private-cloud endpoint |
| Internal, non-regulated code (dashboards, scripts) | Commercial/enterprise tier with a DPA and no-training terms |
| Open-source or already-public code | Any tier — the data is not sensitive |
A 10-minute lockdown checklist
- Sign work machines into work accounts only. No personal ChatGPT/Claude/Copilot logins on a device that touches proprietary code.
- Confirm you are on a commercial/enterprise tier with a no-training commitment — not a personal subscription.
- Enable the privacy switch where one exists: Cursor Privacy Mode on, Claude/ChatGPT training toggles off, Copilot snippet setting off.
- Add content exclusion / ignore files for secrets and sensitive paths — and remember they may not cover agent mode.
- Keep secrets out of the working tree. Anything an agent can read, it can send. Decode and inspect tokens locally with a tool like the JWT decoder instead of pasting them into a chat.
- For your most sensitive repos, go local. Stand up a local model and verify zero egress in your network monitor.
Where a site like this one fits
A surprising amount of what people paste into an AI chat does not need a model at all — it needs a deterministic tool. Decoding a JWT, hashing a string, generating a secure password, formatting a JSON blob, testing a regex: these are exact, well-defined operations with a single correct answer, and doing them locally means the sensitive input never leaves your tab. Reach for the JWT decoder, hash generator, password generator, JSON formatter or regex testerbefore you hand a secret to someone else's server. It is the same principle as a local model, applied to the small stuff: the safest data is the data you never transmit.
For the bigger picture on why local-first is the right default, see why offline-first developer tools matter, and if you are building whole features with AI, read how to vibe-code safely next.
Frequently asked questions
Does GitHub Copilot train on my code?
It depends on your plan. On Copilot Business and Copilot Enterprise, GitHub does not retain your prompts or suggestions and does not use your code to train models — it holds no-training and zero-data-retention agreements with the model providers it routes to. On the free/individual plan there has historically been a single setting, 'Allow GitHub to use my code snippets,' that governs whether snippets can be used for product improvement; turn it off. Note that content-exclusion rules do not currently apply in agent mode or the Copilot CLI.
Does Cursor store or train on my code?
Only if Privacy Mode is off. Cursor's Privacy Mode — available on free and Pro, and on by default for Enterprise teams — guarantees your code is not used for training by Cursor or its model providers, backed by zero-data-retention agreements. With Privacy Mode off, Cursor may store and train on your codebase, prompts and editor actions. A few newer models require provider-side retention and are disabled until an admin approves them.
Does Claude Code train on my code?
On a consumer plan (Free, Pro, Max), yes by default since Anthropic's August 2025 terms update, unless you opt out — and leaving it on extends retention to five years. On commercial plans (Claude Team, Enterprise, the Anthropic API, and Bedrock/Vertex) Anthropic does not train on your code by default. The tool is identical across plans; the data handling is not.
Does ChatGPT train on the code I paste into it?
In consumer ChatGPT (Free, Plus, Pro), yes, unless you turn off 'Improve the model for everyone' in Data Controls or use a Temporary Chat. ChatGPT Team, Enterprise and Edu, and the OpenAI API, do not train on your inputs by default (the API has not since March 2023).
Is it safe to use a personal AI subscription for my employer's code?
Usually not, and it is the most common mistake. A personal Claude Pro, ChatGPT Plus or individual Copilot account runs under consumer terms, where your inputs can be used for training unless you have explicitly opted out. The same tool on a company-provided commercial or enterprise account carries a no-training commitment. Use the account your organization provides, not your own.
Does 'zero data retention' mean my code is completely private?
It means the vendor does not store your prompts and outputs after serving the request, and does not train on them — which is strong. But your code is still transmitted to and processed on a third party's servers to generate the answer, and abuse-detection classifiers may still inspect it in transit. If your requirement is that code never leaves your machine at all, the only guarantee is a locally hosted model.
What is the only way to guarantee my code never leaves my machine?
Run the model locally. A local runtime like Ollama, LM Studio or llama.cpp paired with an editor extension such as Continue, or a self-hosted assistant like Tabby, performs inference on your own hardware with no network egress. You trade some model capability for an absolute privacy guarantee you can verify in your network monitor — the same test you would run on any offline tool.
Tools mentioned in this post
Concepts in this post
JSON Web Token
A JSON Web Token (JWT) is a compact, URL-safe credential made of three Base64URL-encoded segments — header, payload, and signature — that an API issues so a client can prove who it is on subsequent requests without re-authenticating each time.
Cryptographic Hash
A cryptographic hash function takes any input and produces a fixed-length pseudo-random output (the 'digest') that uniquely identifies the input — and is computationally infeasible to reverse, making hashes the foundation of integrity checks, content addressing, and password storage.
Related posts
Why offline-first developer tools matter in 2026
Paste-and-upload developer tools have a long history of accidental leaks. Browser-only utilities sidestep the entire category of risk by computing locally — here's the case for offline-first, the actual incidents that motivate it, and how to verify a tool is what it claims to be.
Is offlineutils.com safe? An honest, verifiable answer
Yes — offlineutils.com is safe to use. Every tool runs entirely inside your browser, so the files and text you work with are never uploaded to a server, and there are no accounts, no cookies, and no tracking scripts. Here's exactly why it's safe, what data is and isn't collected, and how to verify every claim yourself in under a minute.
Vibe coding safely: shipping an AI-built app without leaking secrets or bugs
Vibe coding — describing what you want and letting an AI write most of the code — is a genuinely fast way to build. It is also a fast way to leak API keys, install a hallucinated package, and ship an app you do not understand well enough to secure. Here is a practical threat model and a safe workflow that keeps the speed without the accidents.