Privacy Policy

Last modified: June 12, 2026

Visit our archives for prior versions of this policy.

This Privacy Policy explains how Sourcegraph, Inc. ("Sourcegraph", "we", "our", or "us") collects, uses, shares, and protects personal data when we act as a Data Controller, including when individuals:

visit our website, www.sourcegraph.com (the "Website")
use our Services
receive communications from us.

This Privacy Policy does not cover User Content processed through our Services, such as customer Code. When we process User Content and related personal data on behalf of our customers, we act as a Data Processor, and that processing is governed by our customer agreements.

Capitalized terms that are not defined in this Privacy Policy have the meaning given to them in our Terms of Service.

Index

Definitions
Personal Data We Collect
Personal Data You Provide To Us
Personal Data We Receive Automatically
How We Use Cookies and Similar Technologies
Personal Data We Receive from Third Parties
Personal Data We Derive from Your Use of the Services
Personal Data We Collect As Defined Under CCPA
Personal Data We Do Not Collect
How We Use Personal Data
How We Share Personal Data
Your Rights
How to Exercise Your Rights
Data Transfers
Legal Bases for Processing
Data Storage, Security, and Retention
Children's Privacy
Changes to this Privacy Policy

Definitions

Throughout this Privacy Policy, we use the following defined terms:

Account Information means information necessary to create, authenticate, and maintain your account, such as account credentials, user profile information, role and permission settings, and authentication data.
Activity Data means data about how visitors interact with our Website, such as pages viewed, features accessed, click data, session duration, referral sources, search queries, and navigation patterns.
Analytics Data means data collected in connection with your use of the Services, including anonymized, per-instance numeric user identifiers and limited, non-sensitive string data fields tied to feature interaction events, as well as user-identifying information, including usernames and email addresses associated with user accounts. Analytics Data does not include User Content or Code.
Billing and Payment Information means information necessary to process payments and maintain billing records, such as billing contact details, purchase order numbers (if applicable), and payment processing information.
Communications Information means information you provide or that is generated when you contact us through any channel, such as messages sent via email, contact forms, chat, social media, or other communication methods, including the contents of those messages, attachments, related metadata, or call recordings or transcripts.
Contact Information means information that allows us to identify and communicate with you or your organization, such as your name, job title, organizational affiliation, work email address, and phone number. Where we obtain Contact Information from publicly available sources, professional contact information may also include any email addresses or phone numbers associated with your professional profile. Contact Information also includes the email address of the site installer and site administrators, which we collect automatically to support product updates, security notices, and license management.
Device and Connection Data means technical information about the devices and connections used to access our Website and Services, such as IP addresses, browser type and version, operating system, device identifiers, and network connection data.
Feedback means information you submit about the Services, such as comments, suggestions, reviews and other input.
Inferences means conclusions or predictions we derive about your preferences, interests, or behaviors based on Usage Data, Analytics Data, or Marketing Information.
Location Data means geographic location information derived from IP addresses and similar sources.
Log Data means records of activity on our Website and Services, such as access logs, authentication and authorization events, security events, and audit trails.
Marketing Information means information about your marketing preferences and engagement, such as your communication preferences and details about how you interact with our sales and marketing efforts.
Performance and Diagnostic Information means information about the performance and reliability of our Website and Services, such as error logs, crash reports, response times, and system performance metrics.
Support Data means information necessary to diagnose and resolve issues, such as support ticket details, correspondence, diagnostic and technical information about your use of the Services, and the context you provide to us as part of a support request, such as code snippets and error messages.
Usage Data means data we generate or derive from your use of the Services that reflects how you interact with and use the Services, such as feature interaction data and usage patterns (including user identifiers associated with feature usage), feature flags and configuration settings, AI feature usage (including types of Inputs submitted, prompt titles, prompt categories, query-derived metadata, and interaction patterns), deployment information, system configuration data, session data, operational signals, and service health metrics. Usage Data includes Analytics Data and Inferences, but does not include User Content or customer Confidential Information.

Personal Data We Collect

We collect personal data in several ways:

Directly from you
From your organization's administrators
From third-party services
Automatically from your use of our Website and Services

Personal Data You Provide To Us

When you use our Website or Services, we may collect:

Account Information
Billing and Payment Information
Communications Information
Contact Information
Device and Connection Data
Feedback
Marketing Information
Support Data

When you authenticate through third-party services (such as single sign-on providers), those providers' privacy policies govern what information is shared with us.

Personal Data We Receive Automatically

When you use our Website or Services, we automatically collect:

Analytics Data
Activity Data (from Website visitors)
Device and Connection Data
Performance and Diagnostic Information
Location Data
Log Data
Information through Cookies and Similar Technologies

How We Use Cookies and Similar Technologies

We may use cookies, web beacons, pixels, and similar tracking technologies to collect information about your use of our Website, our Services, and your interactions with our marketing communications. Types of technologies we may use include:

Essential cookies, which are necessary for the Website and Services to function, such as session management and authentication.
Analytics cookies, which help us understand how you use the Website and Services and identify areas for improvement.
Marketing cookies, which help us track engagement with our marketing communications and measure campaign effectiveness.

You can control cookies through your browser settings. Note that disabling certain cookies may limit the functionality of our Website and Services.

Personal Data We Receive from Third Parties

We may receive personal data from:

Your Organization, such as Contact Information and Account Information necessary to provision and manage your access to the Services.
Authentication and Identity Providers, such as Account Information when you use SSO or similar authentication mechanisms.
Service Providers, such as Support Data, usage analytics, and performance metrics from providers who help us deliver and improve our Website and Services.
Billing and Payment Providers, such as Billing and Payment Information for processing payments according to our customer agreements.
Security and Fraud Prevention Providers, such as information about potential risks or threats to our Services.
Sales and Marketing Service Providers, such as Contact Information and Marketing Information to identify prospective customers and understand market engagement.
Third-Party Data Providers, such as professional and organizational information about users and contacts to better understand how our Services are used.
Publicly Available Sources, such as Contact information and organizational information.

Personal Data We Derive from Your Use of the Services

We derive Usage Data from your use of the Services to help us operate, maintain, and improve the Services.

Personal Data We Collect As Defined Under CCPA

If you are located in California, we collect the following categories of personal data as defined under the California Consumer Privacy Act (CCPA):

Identifiers: Contact Information, Account Information, Analytics Data, Device and Connection Data, Location Information
Commercial Information: Billing and Payment Information, Marketing Information
Internet or Network Activity: Usage Data, Activity Data, Log Data, Performance and Diagnostic Information
Professional or Employment Information: Job title, organizational affiliation, work contact information
Inferences: Usage patterns and preferences derived from Usage Data, Marketing Data, or Analytics Data.
Geolocation Data: Location Data derived from IP addresses and similar sources.

We disclose these categories of personal information to our service providers.

We retain each category of personal information for as long as reasonably necessary to fulfill the purposes for which it was collected, including to satisfy legal, tax, audit, and accounting obligations, resolve disputes, and enforce our agreements. When personal information is no longer needed for these purposes, we delete or de-identify it in accordance with our standard data management practices.

Personal Data We Do Not Collect

Sensitive Personal Data. We do not intentionally collect government-issued identification numbers, health information, or other sensitive personal data as defined under applicable law. Providing Sensitive Personal Data to us as part of your use of the Services violates our Terms of Service.
Personal Data in User Content. User Content may contain personal data such as developer names, email addresses in code comments, or other identifiers. We process User Content to provide and improve the Services as described in our customer agreements. However, we do not intentionally extract, store, or use personal data from User Content for any purpose.

How We Use Personal Data

We use personal data to:

Provide, operate, and maintain the Services, including enabling access, administering accounts, supporting features, and delivering functionality to our customers.
Secure and protect the Services, including monitoring for misuse, detecting and investigating security incidents, maintaining audit logs, and enforcing our policies.
Understand and improve how customers use the Services, including analyzing aggregated usage patterns, performance metrics, and reliability data to develop new features, improve existing functionality, and support product planning.
Conduct research and analysis, including analyzing trends and publishing findings based on aggregated or de-identified data and deriving Inferences about how customers and users interact with our products and Services, including usage preferences, feature adoption patterns, and engagement trends, to improve our products and Services.
Track Analytics, including tracking feature adoption and usage, understanding usage patterns across users and teams, and measuring engagement to improve the functionality of existing features and develop new products and features.
Operate and improve our Website and marketing activities, including understanding Website usage, measuring engagement, and promoting the Services.
Communicate with you, including responding to inquiries or form submissions, providing support and customer success services (which may include proactive outreach based on usage patterns to offer guidance, training, or assistance), sending service-related notices, and sharing information about updates or changes to the Services.
Process billing and commercial transactions, including issuing invoices, receiving payments, and maintaining financial records.
Comply with legal obligations and protect our rights, including responding to lawful requests, resolving disputes, and enforcing applicable agreements.

For information about the legal bases on which we process your personal data, please see the Legal Bases for Processing section of this Privacy Policy.

We disclose personal data only as described in this Privacy Policy and only when necessary to operate our Website, provide the Services, or meet legal and security obligations, including to the following third parties and in the following circumstances:

Affiliates and Related Entities. We may disclose personal data between and among our affiliates and related entities. If we are involved in a merger, acquisition, reorganization, or sale of business assets, we may disclose personal data as part of that transaction. The acquiring entity will handle personal data in accordance with privacy obligations at least as protective as those in this Privacy Policy.
Service Providers. We may disclose personal data to third-party service providers that help us operate our Website and Services. Service providers process personal data only as necessary to perform their contractual obligations to us and pursuant to our instructions. A list of our service providers is available on our Subprocessor Page.
Legal and Regulatory Obligations. We may disclose personal data when required by law or legal process, to respond to lawful requests from public authorities, or to comply with applicable regulations.
Protection of Services. We may disclose personal data to protect the security or integrity of our Services or to prevent fraud or abuse.
Protection of Rights. We may disclose personal data to enforce or defend our legal rights or enforce our agreements.
Professional Advisors. We may disclose personal data to professional advisors such as lawyers, auditors, accountants, and consultants when necessary for the services they provide to us.
Third-Party Integrations. Our Services may integrate with third-party websites, applications, or services such as code repositories (e.g., GitHub), development tools (e.g., JetBrains), and AI coding agents that connect to our Services through our MCP. When you or your organization enable an integration, personal data may be shared with that third party under their privacy practices. We do not control how third parties collect, use, or share personal data. Review each third party's privacy policy and terms of service before enabling integrations.
With Your Consent. We may disclose personal data when you provide consent or direct us to share information with third parties.
Aggregated or De-Identified Data. We may aggregate or de-identify Usage Data so that it no longer identifies any individual or organization. Once de-identified, that data is no longer personal data under applicable privacy laws, and we may use or disclose it for any purpose, including analyzing usage patterns, developing new features, and conducting research.

Your Rights

You have certain rights regarding your personal data, depending on where you live and applicable laws. Because our Services are provided to enterprise customers, your rights may be exercised individually or in coordination with your organization. These rights apply to personal data we process as a Data Controller as described in this Privacy Policy. If your personal data is contained within User Content (such as customer source code) that we process as a Data Processor on behalf of our customers, please direct your request to the relevant customer organization. We will assist the customer in responding to your request in accordance with our customer agreements and applicable law.

Access and Portability. You have the right to access and receive a copy of the personal data we hold about you in a structured, commonly used, machine-readable format. Where technically feasible, you may request that we transmit your personal data directly to another controller.
Correction. You have the right to request correction of inaccurate or incomplete personal data. If you use our Services, you can update certain Account Information and Contact Information through your account settings.
Deletion. You have the right to request deletion of your personal data, subject to certain limitations.
- For Website visitors: We will delete your personal data upon request, subject to our need to retain certain information to comply with legal obligations or fulfill legitimate business interests.
- For users of our Services: Because our Services are provided to your organization and your work product is owned by your organization, we retain limited data elements necessary to maintain the integrity of the organizational workspace for as long as your organization maintains an active workspace with us. We process this retained data for our legitimate interest in supporting our customers. When your access is deprovisioned, your Contact Information may be anonymized, but your work product remains accessible to your organization as part of the organizational workspace. You can delete certain data yourself through your account's privacy settings, but note that these limited data elements may still be accessible to your organization's administrators as necessary to maintain the organizational workspace.
Restriction. You have the right to request that we restrict the processing of your personal data where you contest its accuracy, the processing is unlawful, we no longer need it but you require it for legal claims, or you have objected to processing pending verification of our legitimate grounds.
Objection. You have the right to object to processing of your personal data based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.
Withdrawal of Consent. Where we process your personal data based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
Automated Decision-Making. We do not use your personal data for decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you. If this changes, we will update this Privacy Policy and provide appropriate safeguards as required by applicable law.
Marketing Communications. You may opt out of promotional communications at any time by using the "unsubscribe" link in our emails or by contacting us. Opting out of promotional communications does not affect service-related or transactional messages.
No Sale or Targeted Advertising. We do not sell or share personal data for cross-context behavioral advertising as defined under applicable privacy laws.
Lodge a Complaint. If you are located in the EEA, UK, or Switzerland, you have the rights described above under the General Data Protection Regulation and, where applicable, UK GDPR. You also have the right to lodge a complaint with your local supervisory authority if you believe that we have processed your personal data unlawfully or have failed to respond adequately to your request.

How to Exercise Your Rights

To exercise your rights, email us at [email protected]. If you use our Services, you may also manage certain settings through the privacy controls in your account. We will respond to verified requests within one month of receipt. If we require additional time due to the complexity of your request or the number of requests, we will notify you within the initial one-month period and may extend the response time by up to two additional months.

Because our Services are provided to enterprise organizations, if you are a Services user, we may handle your request in coordination with your organization's administrator or direct you to your administrator where appropriate. We may need to verify your identity before responding to your request. We may also deny a request if we have a lawful reason for doing so. If we deny your request, you have the right to appeal that decision by contacting us at [email protected].

To exercise your California privacy rights, email us at [email protected] or use the privacy controls in your account settings. If you are a resident of Virginia, Colorado, Connecticut, Utah, or another state with a comprehensive privacy law, you may exercise your rights by contacting us at [email protected].

If you are located in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, you have the right to lodge a complaint with your local supervisory authority if you believe that we have processed your personal data unlawfully or failed to respond adequately to your request.

Data Transfers

Our servers and operations are located in the United States, and we have team members located around the world. If you access our Website or Services from outside the United States, your personal data will be transferred to, stored, and processed in the United States and potentially in other countries where our teammates are located.

Transfers from the European Economic Area, United Kingdom, and Switzerland. For personal data originating from the EEA, UK, or Switzerland, we rely on the Standard Contractual Clauses approved by the European Commission and the UK Information Commissioner's Office as the legal mechanism for transferring your personal data to the United States.
United States Privacy Rights. If you are a resident of California or another U.S. state with comprehensive privacy legislation, please note that we may transfer your personal data to Service Providers and other third parties as described in the How We Share Personal Data section above.

Legal Bases for Processing

Purpose	Type of Data	Legal Basis
Provide, operate, and maintain the Services	Contact Information Account Information Billing and Payment Information Usage Data Analytics Data Activity Data Communications Information Support Data Inferences Third-Party Data Provider Information	Performance of Contract
Secure and protect the Services	Contact Information Account Information Usage Data Activity Data Log Data Device and Connection Data Support Data	Legitimate Interests Legal Obligation We have a legitimate interest to protect our business, users, and systems from unauthorized access, fraud, and security threats. We also have a legal obligation to provide adequate security safeguards.
Understand and improve the Services	Usage Data Analytics Data Performance and Diagnostic Information Feedback Support Data Inferences Third-Party Data Provider Information	Legitimate Interests We have a legitimate interest and the interest of our users to analyze how customers use the Services and to improve functionality, develop new features, and enhance user experience based on that understanding.
Conduct research and analysis	Usage Data Analytics Data Activity Data Feedback Inferences	Legitimate Interests We have a legitimate interest in conducting research that improves our Services and contributes to industry knowledge.
Analyze feature usage and user engagement	Usage Data Activity Data Analytics Data Contact Information Account Information Device & Connection Data Inferences	Performance of Contract Legitimate Interests We have a legitimate interest to understand how customers use certain features of our Services, including AI features, to improve functionality and develop new capabilities.
Operate our Website and improve our marketing activities	Contact Information Marketing Information Usage Data Activity Data Device and Connection Data Inferences Third-Party Data Provider Information	Legitimate Interests We have a legitimate interest in promoting our Services and understanding website engagement.
Communicate with customers or users of the Services	Contact Information Communications Information Marketing Information Third-Party Data Provider Information	Performance of Contract (for Services-related communications) Consent (for marketing communications) Legitimate Interests (for marketing communications) We have a legitimate interest in communicating with customers about their use of the Services and sending direct marketing communications where permitted.
Process billing and commercial transactions	Contact Information Billing and Payment Information	Performance of Contract
Comply with legal obligations and protect our rights	Contact Information Account Information Billing and Payment Information Communications Information Usage and Activity Data	Legal Obligation Legitimate Interests We have legal obligations to respond to lawful requests and maintain certain records. We also have a legitimate interest in enforcing our agreements and protecting our legal rights.

Data Storage, Security, and Retention

Data Storage. We store personal data on servers located in the United States.
Data Security. We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, alteration, or destruction. We maintain a comprehensive information security program that includes administrative, technical, and physical safeguards to protect the personal data we collect and process. For detailed information about our security practices, please refer to our Security Page. While we are committed to maintaining industry-standard or better security practices and continuously work to protect your data, no method of transmission over the Internet is completely secure. We cannot guarantee absolute security of your personal data.
Your Security Responsibilities. You are responsible for maintaining the confidentiality of your Account Information and for any activity that occurs under your account. If you believe your account has been compromised, please contact us immediately at [email protected]. Enterprise customers and their administrators are responsible for managing user access, permissions, and security configurations within their organizational workspace.
Data Retention. We retain your personal data for as long as necessary to perform our contractual obligations and provide the Services to you and your organization. When personal data is no longer necessary for these purposes, we delete it in accordance with our data retention policies, though we may retain certain information necessary to attribute work product to and maintain the integrity of the organizational workspace. We may also retain personal data as necessary to comply with our legal, tax, audit, and accounting obligations, to resolve disputes, to preserve our legal rights, or to enforce our agreements.

Children's Privacy

Our Services are not directed to children, and we do not knowingly collect personal data from children under 18. If you have reason to believe that a child under the age of 18 has provided any personal data to us, please contact us at [email protected], and we will investigate and, if appropriate, delete the personal data.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last modified" date at the top of this Privacy Policy and, if appropriate, provide notice through our Website or Services. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

Contact Us

If you have any questions about this Privacy Policy, contact us at [email protected].