What are the institutional and regulatory implications of this document?

1) REGULATORY LANDSCAPE: This policy references GDPR (citing contract performance, legitimate interests, and consent as legal bases), CCPA and US state privacy laws including Colorado, Connecticut, and Virginia, and references EU data subject rights including access, deletion, correction, portability, and objection. The FTC has jurisdiction over consumer data practices in the United States. The policy's assertion that Amp Free Mode keyword scanning involves no personal data collection may requi…

How does Sourcegraph Cody's Sourcegraph Privacy Policy affect users?

For Amp Free Mode users, the policy establishes that connected codebases are subject to periodic automated keyword scanning to serve targeted advertisements, though no personal data is extracted or retained from these scans. Users operating under paid Sourcegraph plans are not subject to this codebase scanning mechanism. The policy establishes that Sourcegraph collects and associates account information, IP addresses, device data, log data, usage analytics, and click patterns with internally-ge…

How often is Sourcegraph Cody's Sourcegraph Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Sourcegraph Cody updates this document?

Yes. Monitor subscribers ($19/month) can add Sourcegraph Cody to their watchlist and receive same-day email alerts whenever this document or any other Sourcegraph Cody document changes.

CA-D-000799

Sourcegraph Privacy Policy

Sourcegraph Cody

Last change detected June 16, 2026 Privacy policy

SHA-256: ec7bb7a853a6b85791d… 2 versions captured 1 change documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Sourcegraph Cody ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

8 Total

0 High severity

5 Medium severity

3 Low severity

Summary

This document establishes Sourcegraph's privacy practices for its website, Cody AI assistant, Amp coding tool, and related services, disclosing collection and use of personal information across these platforms. The policy permits automated keyword scanning of connected files and codebases for Amp Free Mode users to facilitate targeted advertisement delivery from Advertising Partners, with scan results not retained or shared with advertisers. The policy authorizes collection of account information, IP addresses, device data, log data, usage analytics, and event analytics tied to an internally-generated user ID across all service tiers.

Technical / Legal Breakdown

This document is Sourcegraph, Inc.'s Privacy Policy (last modified October 15, 2025), governing personal information collected through the company's website and products, excluding Customer Personal Data processed under separate customer agreements. The policy states that Sourcegraph collects account information (username, password, email), profile information, log data (IP address, browser type, date and time of use, cookie data), device data, location data derived from IP address, usage analytics tied to internally-generated user IDs, and event analytics including click patterns and feature utilization frequency; the policy also authorizes automated keyword scanning of files, codebases, and connected data sources for users of Amp Free Mode in order to deliver targeted advertisements. The Amp Free Mode advertising mechanism is operationally distinct from commonly observed developer tool privacy practices, in that the policy states Sourcegraph performs periodic automated keyword searches of user files and connected data sources for advertisement placement, while asserting that no personal data is collected or retained from these scans and that scan results are not shared with Advertising Partners. The policy identifies GDPR legal bases (contract performance, legitimate interests, and consent) and references California, Colorado, Connecticut, Virginia, and other US state privacy laws, as well as EU data subject rights. Compliance teams should note that the policy explicitly carves out Customer Personal Data from its scope, meaning enterprise customers operating under separate data processing agreements are subject to different frameworks, and that the Amp Free Mode advertising model may require evaluation under applicable consumer protection and privacy regulations depending on user jurisdiction.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

1 important change detected

2 versions captured · Last updated: June 2026

June 16, 2026

low

What changed Sourcegraph updated its Privacy Policy on June 16, 2026 with substantial restructuring and expanded definitions. The policy previously stated it did not apply to customer data processed under business agreements; the updated version now explicitly distinguishes between data Sourcegraph collects as a controller (covered by the policy) and user content processed on behalf of customers (covered by separate customer agreements). The policy added a detailed index, expanded definitions of data types (Account Information, Activity Data, Analytics Data), and clarified the scope of coverage for website visitors, service users, and communication recipients.

Why this matters The updated policy clarifies that Sourcegraph's Privacy Policy covers personal data it collects directly when individuals visit the website, use services, or receive communications. The policy explicitly states it does not cover user content (such as code) processed through services on behalf of customers, which is instead governed by separate customer agreements. The restructuring adds detailed definitions of data categories and creates a navigable index, but does not appear to materially change what data is collected or how it is used.

View full change record →

Recent Provision Changes Jun 16, 2026

8 provisions unchanged.

View full change record →

Medium — 5 provisions

Amp Free Mode Codebase Keyword Scanning for Advertising Compare →

If you use the free version of Amp, Sourcegraph may automatically scan your connected files and code for keywords to decide which ads to show you, though the policy states it does not retain or share what it finds.

Added May 12, 2026 Standard Seen across 284 platforms
Customer Personal Data Exclusion Compare →

Data that enterprise or business customers submit through Sourcegraph's business products is governed by separate contracts with those customers, not by this public privacy policy.

Added May 12, 2026 Standard Seen across 284 platforms
Automated Usage Analytics and Event Tracking Compare →

Sourcegraph automatically tracks how you use its services, including what you click on and how often you use specific features, and links this activity to an internal identifier assigned to you.

Added May 12, 2026 Standard Seen across 284 platforms
Data Sharing with Service Providers and Subprocessors Compare →

Sourcegraph shares your personal information, including the prompts you submit when writing code, with third-party service providers that help operate the services, subject to restrictions on how those providers can use the data.

Added May 12, 2026 Standard Seen across 252 platforms
GDPR and Global Privacy Rights Compare →

Sourcegraph processes your personal data under three legal bases under GDPR: contract performance, legitimate interests, and consent for marketing. You can withdraw consent for marketing at any time.

Added May 12, 2026 Standard Seen across 284 platforms

Low — 3 provisions

Do Not Track Non-Response Compare →

Sourcegraph does not honor browser-level Do Not Track settings, meaning tracking may continue even if your browser is configured to request no tracking.

Added May 12, 2026 Standard Seen across 284 platforms
Log Data and Access Audit Logs Collection Compare →

Sourcegraph automatically records your IP address, browser details, repository names you access, and other technical data in server logs, and retains access audit logs including what data you accessed for security incident investigation.

Added May 12, 2026 Standard Seen across 284 platforms
Sensitive Personal Information Non-Collection Commitment Compare →

Sourcegraph states it does not intentionally collect sensitive categories of personal data such as health, biometric, or racial information, and that submitting such data violates the terms of service.

Added May 12, 2026 Standard Seen across 284 platforms