4.1.1. Data Usage, Flow, and Sharing
💡 First Principle: What Copilot "shares" is the context it needs to answer, sent transiently over an encrypted channel — not your repository handed over for keeps. Understanding usage as transient-context-for-completion dissolves most privacy fears.
The data Copilot handles falls into a few buckets the exam expects you to distinguish:
- Prompt/context data — the code and metadata assembled to make a request (open files, selection, neighboring tabs, file paths). Sent over HTTPS to the proxy and model to generate a suggestion.
- Suggestions — what comes back, after filtering.
- Telemetry — usage signals such as whether a suggestion was accepted or dismissed (acceptance rate is GitHub's main quality signal). Often anonymized.
Crucial sharing facts: all editor-to-Copilot traffic is encrypted (HTTPS/TLS); for the real-time suggestion flow, prompts and responses are not retained at the proxy or model; and on paid plans your code is not used to train models. Content exclusions can stop specified files from ever entering the prompt in the first place.
| Data type | Used for | Training? (paid plans) |
|---|---|---|
| Prompt/context | Generating a suggestion (transient) | No |
| Suggestions | Returned to your editor | No |
| Telemetry (accept/dismiss) | Quality measurement | N/A (not model training of your code) |
💡 Key Point: "Sent" is not "stored," and "processed" is not "trained on." The exam often hinges on keeping these distinct.
⚠️ Exam Trap: Don't conflate plans. The "we don't train on your code" guarantee is a paid-plan property; Free-tier data handling has different terms, which is why organizations often disable Free in managed settings.
Reflection Question: Why is it accurate to say Copilot "shares" your context without "giving away" your repository, and what makes the paid-plan training guarantee different from the Free tier?