Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has jurisdiction over representations made by companies regarding the categories of data they collect and the accuracy of those representations under consumer protection law.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Sensitive Personal Information Non-Collection Commitment clause as low severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Sensitive Personal Information Non-Collection Commitment — Sourcegraph Cody

Share 𝕏 Share in Share 🔒 PDF

Monitor governance changes for Sourcegraph Cody Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

Sourcegraph states it does not intentionally collect sensitive categories of personal data such as health, biometric, or racial information, and that submitting such data violates the terms of service.

ⓘ

This analysis describes what Sourcegraph Cody's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision establishes a policy-level commitment not to collect sensitive data categories, but the qualifier 'intentionally' means that if such data is inadvertently submitted through code repositories or prompts, the policy does not guarantee it will not be processed.

⚠

Interpretive note: The 'not intentionally' qualifier creates ambiguity regarding whether inadvertent collection of sensitive data through AI prompts or repository content triggers the same protections, which may vary by jurisdiction.

Consumer impact (what this means for users)

Sourcegraph states it does not intentionally collect sensitive personal data, but users who submit code or prompts containing embedded sensitive data (such as health records or biometric identifiers) should be aware that the 'not intentionally' qualifier means inadvertent processing is not explicitly excluded.

Cross-platform context

See how other platforms handle Sensitive Personal Information Non-Collection Commitment and similar clauses.

Compare across platforms →

Monitoring

Sourcegraph Cody has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
Sourcegraph does not intentionally collect 'Sensitive Personal Information,' such as personal data revealing racial, ethnicity, political and religious beliefs, trade union membership, or genetic, biometric, health, or sexual data. Providing Sensitive Personal Information violates our Terms of Use.

— Excerpt from Sourcegraph Cody's Sourcegraph Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: Sensitive personal data categories are subject to heightened protection under GDPR Article 9, which generally requires explicit consent or a specific exemption for processing. CCPA and CPRA also impose additional obligations for sensitive personal information categories. If sensitive data is submitted inadvertently through code prompts or repositories, Sourcegraph's processing of such data may require evaluation under these frameworks regardless of intent. 2) GOVERNANCE EXPOSURE: Medium. The 'not intentionally' qualifier means that inadvertent sensitive data collection through AI coding prompts or repository content is not contractually excluded. Organizations in healthcare, financial services, or other regulated sectors should assess whether their developers may inadvertently include sensitive data in prompts or connected repositories. 3) JURISDICTION FLAGS: EU/EEA users benefit from GDPR Article 9 protections for special categories of data. Illinois BIPA may apply if biometric data is inadvertently processed. HIPAA may be implicated for US healthcare organizations if protected health information is included in code prompts. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers in regulated industries should include contractual prohibitions on sensitive data submission in their acceptable use policies for Sourcegraph deployments, and should consider data loss prevention controls to prevent inadvertent submission of sensitive data. 5) COMPLIANCE CONSIDERATIONS: Legal teams should confirm that employee training and technical controls are in place to prevent inadvertent submission of sensitive personal data through Sourcegraph's AI coding features.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Watcher free for 14 days

Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.

Applicable agencies

FTC

The FTC has jurisdiction over representations made by companies regarding the categories of data they collect and the accuracy of those representations under consumer protection law.
File a complaint →

Provision details

Document information

Document

Sourcegraph Privacy Policy

Entity

Sourcegraph Cody

Document last updated

May 12, 2026

Tracking information

First tracked

May 12, 2026

Last verified

May 12, 2026

Record ID

CA-P-011847

Document ID

CA-D-00799

Evidence Provenance

Source URL

https://sourcegraph.com/terms/privacy

Wayback Machine

View archived versions →

Content hash (SHA-256)

df2d4196ecea360b04ad9684b8e596ac2cfeb41cb2be50ace2b878d7c3dd599f

Analysis generated

May 12, 2026 15:34 UTC

Methodology

summarize_document-v8

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: Sourcegraph Cody
Document: Sourcegraph Privacy Policy
Record ID: CA-P-011847
Captured: 2026-05-12 15:34:28 UTC
SHA-256: df2d4196ecea360b…
URL: https://conductatlas.com/platform/sourcegraph-cody/sourcegraph-privacy-policy/sensitive-personal-information-non-collection-commitment/
Accessed: May 13, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Low

Other risks in this policy

Amp Free Mode Codebase Keyword Scanning for Advertising medium
Customer Personal Data Exclusion medium
Automated Usage Analytics and Event Tracking medium
Data Sharing with Service Providers and Subprocessors medium
Do Not Track Non-Response low
GDPR and Global Privacy Rights medium

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Sourcegraph Cody's Sensitive Personal Information Non-Collection Commitment clause do?

How does this clause affect you?

Is ConductAtlas affiliated with Sourcegraph Cody?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Sourcegraph Cody.