Copilot Terms, Privacy Risks

A recent video critique flagged copilot services for opaque terms of service and unclear data retention and training-use policies, raising questions about what data these tools see and keep (youtube.com). Those contract and privacy gaps matter particularly in regulated settings where patient data or metadata can never be exposed without strict controls and auditability (youtube.com).

A lot of the fear around “copilots” starts with one simple problem: the same brand name can cover very different products, and the contract can change depending on which one you opened. Microsoft’s public Copilot Terms of Use say they apply to its personal AI companion, while Microsoft 365 Copilot for work is governed instead by commercial product terms and a data protection addendum. (microsoft.com) (learn.microsoft.com)

That sounds like legal housekeeping until someone pastes in something sensitive. In Microsoft 365 Copilot’s enterprise version, Microsoft says prompts, responses, and data accessed through Microsoft Graph are not used to train foundation models, but that promise is tied to the paid workplace product, not to every Copilot-branded experience a user might encounter. (learn.microsoft.com 1) (learn.microsoft.com 2)

The split gets sharper inside Microsoft’s own lineup. Microsoft 365 Copilot Chat says its prompts and responses stay inside the Microsoft 365 service boundary and are logged for auditing and electronic discovery, while web grounding can still send short search queries to Bing if that feature is enabled. (learn.microsoft.com) Microsoft also says those Bing queries do not include user or tenant identifiers. But the same document says users can pull in work files by uploading them, opening Copilot inside Word or Outlook, or using an agent with access to organizational content, which means the privacy answer depends on the exact path the user took. (learn.microsoft.com)

GitHub Copilot shows why people get nervous when the defaults are hard to read. GitHub said in March 2026 that, starting April 24, 2026, individual users on Free, Pro, and Pro Plus plans can have interaction data used to develop and train Copilot models if the setting is enabled, while Business and Enterprise customer agreements prohibit that use. (github.com) GitHub’s own list of possible interaction data is broad. It includes prompts, code snippets shown to the model, nearby code context, comments, file names, repository structure, navigation patterns, and interactions with chat and inline suggestions. (github.com) Even when content is not kept for training, other records can still exist. GitHub documents a rolling 90-day retention period for Copilot activity and authentication metrics, which is a different bucket from model-training data but still matters in regulated environments that track where sensitive work happened. (docs.github.com)

This is the part hospitals, banks, and law firms care about most. A contract that clearly says “not used for training” is only one layer; they also need to know what context the tool can see, what logs are kept, where data travels, which model provider touches it, and whether auditors can reconstruct what happened later. (learn.microsoft.com) (docs.github.com)

The contrast with enterprise-focused products is why the criticism is landing now. OpenAI’s enterprise privacy page says business data is not used to train models by default and says customers can control retention in products like ChatGPT Enterprise and ChatGPT for Healthcare, while its API documentation says API data is not used for training unless a customer explicitly opts in. (openai.com) (developers.openai.com)

So the real issue is less “copilots are secretly stealing everything” than “buyers need to know exactly which copilot they are buying.” When one product family mixes consumer terms, workplace terms, optional web search, audit logs, and plan-specific training rules, the safest assumption is that no one should paste in patient records, deal documents, or source code until the exact edition, settings, and contract are pinned down in writing. (microsoft.com) (learn.microsoft.com) (github.com)

Shared from Scout.