Privacy Policy

Last modified: April 5, 2023

See the changes since the previous version or visit our archives.

At Sourcegraph, Inc. ("Sourcegraph," "we," "our," or "us"), we value the privacy of our website visitors and Sourcegraph Cloud users (collectively for the purposes of this Privacy Policy, our "Website") and our self-hosted Sourcegraph instances users (collectively with our Website, our "Service" or "Services"). This Privacy Policy explains how we collect, use, share and protect your personal information that we collect through our Service. This Privacy Policy applies to our Website, Sourcegraph Cloud, and our self-hosted Sourcegraph instances. By using our Service, you agree to the terms of this Privacy Policy and our Terms of Service.

Capitalized terms that are not defined in this Privacy Policy have the meaning given them in our Terms of Service.

Short version

  • We do not sell your information. We don’t help companies advertise their products to you. (read more)
  • We use a number of trusted third parties to help provide our products. (read more)
  • We use cookies to provide, protect, and promote our own products. (read more)
  • You can exercise your rights under privacy laws. (read more)

What is Sourcegraph’s business model?

We make money through paid subscriptions to use our Services. We do not sell your information.

What information do we collect, and for what purpose

When you interact with our Services, we collect information that could be used to identify you (“Personal Information”). Examples include a username and password, an email address, a name, and an IP address.

Some of the information we collect is stored in a manner that cannot be linked back to you (“Non-Personal Information”). Non-Personal Information includes aggregated, non-personally identifying information that does not identify a user or cannot otherwise be reasonably linked or connected with them. We may use such aggregated, non-personally identifying information to improve our Services.

Information you provide to us directly

When you register for a Sourcegraph account, participate in forums, comment on blog posts, submit a feedback survey, interact with the chat bot on our Website, or correspond with us, we may collect account information (username, password, email), profile information (display name, avatar URL), Content you post, add, receive, or share on our hosted services, and any payment information. We do not process or store your payment information, but our third-party payment processor does.

Information we receive from third parties

We may receive information about you from third-party services if you log in or otherwise interact with our Website or Services through a code host or social media, for example, by liking us on Facebook or following us on Twitter. The data we receive depends on your privacy settings with the third party but can include your name, email, third-party user ID, and location. Review, and if necessary, adjust your privacy settings on third-party websites and services before linking or connecting them to the Service.

How does Sourcegraph use my information provided directly by me and third parties?

We use information provided directly by you and third parties to operate, maintain, improve, and provide to you the features of the Services. We may use this information to communicate with you, such as to send you email messages, and to follow up with you to offer news and information about our Services. We may also send you Service-related emails or messages (e.g., account verification, change or updates to features of the Services, technical and security notices). For more information about your communication preferences, see Will Sourcegraph send me emails below.

Automatically collected information

Usage data

When you use our Services, Sourcegraph automatically collects data about the Services and how they are used, including:

  • Aggregated and high-level information about usage through a server ping. The server ping sends a payload containing data such as total number of users and whether certain features are enabled or in use. For more information about the specific information we have access to, see our server pings documentation. Customers can contact Sourcegraph at support@sourcegraph.com to opt out of server pings.
  • Event analytics data and metadata to better understand usage within the Services, including click patterns and length and frequency of feature utilization, tied to an internally-generated user ID number.

For self-hosted instances, the only personal information collected is the email address of the initial Sourcegraph installer and site admin (or, if that user is deleted or demoted to not be an admin, the first such active site admin). This information allows us to contact the technical administrator of the Sourcegraph instance to deliver information about product updates and policy changes, and for customer development purposes. Other than the initial site admin email address, only aggregates of usage data are sent: no usernames, user emails, user personal information, code, repository names, file names, URLs, or other such private content is sent to Sourcegraph.

With regards to connections to the Sourcegraph Cloud extension registry, even from self-hosted Sourcegraph instances, the automatically collected data below will apply.

When you visit or use our Website, including when you access the Sourcegraph Cloud extension registry from your self-hosted instance, we may automatically collect the following information.

Cookies

When you visit or use our Website, we may send one or more cookies — a small text file containing a string of alphanumeric characters — to your computer that uniquely identifies your browser and lets us help you log in faster and enhance your navigation through the Website. A cookie may also convey information to us about how you use the Website(e.g., the pages you view, the links you click, how frequently you access the Website, and other actions you take on the Website), and allow us to track your usage of the Website over time. For more information, see “Third-party tracking and online advertising” below and our Cookie Policy.

Log data

As with most websites and technology services delivered over the internet, when you access or use our Website, our servers automatically collect data and record it in log files. This log data may include your web request, IP address, browser type and settings, date and time of use, information about browser configuration, error data, repository name, user ID, and cookie data.

Access, authorization, and activity audit logs

When you visit or use our Website, we may collect information related to accessing systems and data, including IP addresses, usernames, and data accessed. This information is only retained for the purposes of identifying, analyzing, and resolving potential security incidents. Access to this information is limited to those who require access for these purposes and will only be shared with the relevant customers in the event of a security incident.

Device data

When you visit or use our Website, we automatically collect information about your device, which may include the type of hardware and software you are using (for example, your operating system and browser type), IP address, and other unique identifiers for devices used to access our Website and Hosted Services.

Location data

This is the geographic area where you use your computer or mobile devices (as indicated by an IP address or similar identifier) when interacting with our Website.

Email beacons

When we send you emails, we may employ clear gifs (also known as web beacons) in HTML-based emails sent to our users to track which emails are opened and which links are clicked by recipients. The information allows for more accurate reporting and improvement of the Website.

Web analytics

We may also collect analytics data, or use third-party analytics tools, to help us measure traffic and usage trends for the Website. These tools collect information sent by your browser or mobile device, including the pages you visit, your use of third-party applications, and other information that assists us in analyzing and improving the Website.

Although we do our best to honor the privacy preferences of our users, we are not able to respond to Do Not Track signals from your browser at this time.

How does Sourcegraph use my automatically collected data?

We may use the automatically collected data to:

  1. remember information so that you will not have to re-enter it during your visit or the next time you visit the site;
  2. provide custom, personalized content and information;
  3. provide and monitor the effectiveness of our Website;
  4. monitor aggregate metrics such as total number of visitors, traffic, usage, and demographic patterns on our website and our Service;
  5. understand user behaviors when using the Services to drive product development and business strategies
  6. Identify, diagnose and fix technology problems and security risks;
  7. plan for and enhance our service;
  8. comply with our legal obligations; and
  9. for other purposes with your consent.

What we do not collect

Sensitive Personal Information

Sourcegraph does not intentionally collect “Sensitive Personal Information,” such as personal data revealing racial, ethnicity, political and religious beliefs, trade union membership, or genetic, biometric, health, or sexual data. Providing Sensitive Personal Information violates our Terms of Use.

Personal Information in Repositories

We do not intentionally collect any Personal Information that is stored in your repositories or other free-form content inputs. Any Personal Information within a user's repository is the responsibility of the repository owner.

Bases for processing your information

Where laws like GDPR govern our processing of your Personal Information, Sourcegraph must tell you about the legal basis under which we process your Personal Information. Sourcegraph processes Personal Information under the following legal bases:

Performance of a contract: We use your Personal Information to provide the Services you subscribe to and to fulfill requests you make of us.

Legitimate interests: We use your Personal Information for our legitimate interests, such as security and fraud prevention, product improvement, and communications about your use of our Services.

Consent: We may rely on your consent to use your personal information for certain direct marketing purposes, such as sending you newsletter updates about Sourcegraph products. You may withdraw your consent at any time through the unsubscribe feature provided with each marketing email or by contacting us at the address given at the end of this Privacy Policy.

Does Sourcegraph review my repository contents?

Public repositories

If your repository is public, anyone may view its contents.

Private repositories

If you have a private repository on Sourcegraph Cloud or a Sourcegraph managed instance, Sourcegraph personnel do not review your repository contents or any other Content you store or transfer through our Services, except for the following purposes:

  • to investigate and respond to a security incident
  • to assist the repository owner with a support matter
  • to comply with our legal obligations such as responding to a court order
  • if we have reason to believe the contents violate the law, or
  • with your consent.

We may scan our servers and content to detect certain tokens or security signatures of known active malware, known vulnerabilities in dependencies, or other content known to violate our Terms of Service, based on algorithmic fingerprinting techniques (collectively, "automated scanning").

Does Sourcegraph share my information?

We may share your personal information with third parties in the instances described below.

Service providers

Our service providers process your Personal Information as needed to provide our Services to you, including hosting and customer support ticketing. They may only process your Personal Information pursuant to our instructions and to perform their duties to us. See our Subprocessors page for a list of our service providers.

Security purposes

If you are a member of an Organization, we may share your username, email, IP address, and any collected logs about the user associated with that Organization with an owner or administrator of the Organization to investigate or respond to a security incident that affects or compromises the security of that particular Organization.

We may share your Personal Information with law enforcement and other third parties if required by law or subpoena or if we reasonably believe that such action is necessary to (a) comply with the law, legal process, and the reasonable requests of law enforcement; (b) to enforce our Terms of Service or to protect the security or integrity of our Service with regard to suspected fraud or other illegal activities; or (c) to exercise or protect the rights, property, or personal safety of Sourcegraph, our users, or others.

Mergers and common ownership

We may share your Personal Information with another entity in connection with a company transaction, such as a merger, acquisition, sale of assets or shares, reorganization, or bankruptcy. In these cases we may transfer some or all of your Personal Information to another entity, subject to this Privacy Policy. We may also share your Personal Information with any companies owned by or under common ownership with Sourcegraph, subject to this Privacy Policy.

With your consent, we may share your Personal Information with other third parties. If you join an Organization, you agree to provide the administrator of the Organization with the ability to view your activity in the Organization’s access log. Any information or content that you voluntarily disclose by posting to the Website becomes available to the public, as controlled by your privacy settings. If you remove information or content that you posted to the Website, copies may remain viewable in cached and archived pages of the Website, or if other users have copied or saved that information.

Does Sourcegraph share aggregate, Non-Personal Information with third parties?

We share aggregated, Non-Personal Information with others about our product usage like number of users, user growth, and lines of indexed code.

Does Sourcegraph sell or rent my Personal Information?

No. We do not sell or rent your Personal Information for monetary or other consideration under the CCPA (California Consumer Privacy Act of 2018) or other data privacy laws.

Will Sourcegraph send me emails

From time to time, we may share information about product announcements, product use, and special offers. You may opt out of our promotional email communications at any time by clicking the “unsubscribe” link provided in such communications.

Sourcegraph users will continue to receive transactional messages related to your use of our Services such as account management, technical, and security notices, even if you unsubscribe from promotional emails.

Third-party tracking and online advertising

We participate in interest-based advertising and use third-party advertising companies to serve you targeted advertisements based on your online browsing history and your interests. We permit third-party online advertising networks, social media companies, and other third-party services, to collect information about your use of our Website over time so that they may play or display ads for our products on other websites, apps, or services you may use and on other devices you may use.

We and our third-party partners may use cookies and tracking technologies on our Website for the purpose of tracking the effectiveness of our own ads placed on Google, Twitter, etc. (never on private or self-hosted instances). We and our third-party partners use this information to make the advertisements you see online more relevant to your interests, as well as to provide advertising-related services such as reporting, attribution, analytics and market research.

To learn more about interest-based advertising and how you may be able to opt-out of some of this advertising, you may wish to visit the Network Advertising Initiative’s online resources, at http://www.networkadvertising.org/choices, and/or the DAA’s resources at www.aboutads.info/choices. You may also be able to set your browser to delete or notify you of cookies by actively managing the settings on your browser or mobile device. Please note that some advertising opt-outs may not be effective unless your browser is set to accept cookies. Furthermore, if you use a different device, change browsers or delete the opt-out cookies, you may need to perform the opt-out task again.

You may also be able to limit certain interest-based mobile advertising through the settings on your mobile device by selecting “limit ad tracking” (iOS) or “opt-out of interest based ads” (Android).

Google Analytics and Advertising. We may also utilize certain forms of display advertising and other advanced features through Google Analytics, such as Remarketing with Google Analytics, Google Display Network Impression Reporting, and Google Analytics Demographics and Interest Reporting. These features enable us to use first-party cookies (such as the Google Analytics cookie) and third-party cookies to inform, optimize, and display ads based on your past visits to the Sites. You may control your advertising preferences or opt-out of certain Google advertising products by visiting the Google Ads Preferences Manager, currently available at https://google.com/ads/preferences, or by vising NAI’s online resources at http://www.networkadvertising.org/choices.Google provides further information about its own privacy practices and offers a browser add-on to opt out of Google Analytics tracking at https://tools.google.com/dlpage/gaoptout.

Global privacy practices

Information we collect will be stored and processed in the United States in accordance with this Privacy Policy but we understand that users from other countries may have different expectations and rights with regard to their privacy. For all Website visitors and users and self-hosted Sourcegraph users, no matter their country of location, we will:

  • provide clear methods of unambiguous, informed consent when we do collect your personal information;
  • only collect the minimum amount of personal data necessary for the purpose it is collected for, unless you choose to provide us more;
  • offer you simple methods of requesting access, correction, or deletion your information that we have collected, which we will make reasonable efforts to accommodate; and
  • provide Service users notice, choice, accountability, security, and access, and we limit the purpose for processing. We also provide our users a method of recourse and enforcement.

If you are located in the European Union, you are entitled to the following rights with regard to your personal information and data:

  • Right of access to your personal data, to know what information about you we hold
  • Right to correct any incorrect or incomplete personal data about yourself that we hold
  • Right to restrict/suspend our processing of your personal data
  • Right to complain to a supervisory authority if you believe your privacy rights are being violated

Additional rights that may apply to you in certain instances:

  • Right of data portability (if our processing is based on consent and automated means)
  • Right to withdraw consent at any time (if processing is based on consent)
  • Right to object to processing (if processing is based on legitimate interests)
  • Right to object to processing of personal data for direct marketing purposes
  • Right of erasure of your personal data from our system (“right to be forgotten”) if certain grounds are met

To exercise your privacy rights, you can contact us directly at support@sourcegraph.com.

Data storage, security, deletion, and retention

Where is my information stored?

We store and process the information that we collect in the United States in accordance with this Privacy Policy, though our employees, contractors, and service providers may store and process data outside the United States.

When we transfer the personal data of EEA, Swiss, and UK residents outside of those regions, we do so via appropriate user privacy safeguards, such as using Standard Contractual Clauses or obtaining your consent.

How secure is my information?

We secure your information by implementing technical and organizational security controls that you can read about in Security is core to everything we do.

When we receive your information, we protect it on our servers using technical, physical, and logical security safeguards. For information stored in any Software installed in your computing system, you are responsible for its security by making use of the security features of your device. We recommend that you take the appropriate steps to secure all computing devices that you use in connection with our Services.

Sourcegraph cares about the security of your information, and uses commercially reasonable physical, administrative, and technological safeguards to preserve the integrity and security of all information collected through the Service. However, no security system is impenetrable and we cannot guarantee the security of our systems 100%. In the event that any information under our control is compromised as a result of a breach of security, Sourcegraph will take reasonable steps to investigate the situation and where appropriate, notify those individuals whose information may have been compromised and take other steps, in accordance with any applicable laws and regulations.

How do I update or delete my Personal Information from Sourcegraph?

You can update or remove your Personal Information from Sourcegraph at any time by logging into your account and updating your profile settings, including deleting your account.

How long does Sourcegraph retain my Personal Information?

You can remove your Personal Information from Sourcegraph at any time by deleting your account as described above. Sourcegraph will retain your information for as long as your account is active or as needed to perform our contractual obligations, provide you services, to comply with tax, legal, and audit obligations, resolve disputes, preserve legal rights, or enforce our agreements.

For questions about reviewing, modifying, or deleting your account information, contact us at support@sourcegraph.com.

Children's privacy

Sourcegraph does not knowingly collect or solicit any information from anyone under the age of 13 or knowingly allow such persons to register as Users. If you are based in the European Union, we will not knowingly collect your information if you are under the age of 16. Different countries may have different minimum age limits. If you are below the minimum age for providing consent for data collection in your country, you may not have a Sourcegraph account. In the event that we learn that we have collected personal information from a child under age 13 or the applicable minimum age limit, we will delete that information as quickly as possible. If you believe that we might have any information from a child under 13 or otherwise under the applicable minimum age limit, please contact us at support@sourcegraph.com.

Our Service may integrate with or contain links to other third-party sites and services. We are not responsible for the practices employed by third-party websites or services embedded in, linked to, or linked from the Service and your interactions with any third-party website or service are subject to that third-party's own rules and policies.

How to contact us

If you have any questions about this Privacy Policy or the Service, please contact us at support@sourcegraph.com.

Changes to our privacy policy

Sourcegraph will update this Privacy Policy to keep up with the changes in our business, Services, and applicable laws. When we do so, we will revise the "last modified" date at the top of this page. Every time we update this policy, you will be able to review the changes since the previous version.