Privacy + data handling — Anthropic vs OpenAI vs GitHub?

All three offer enterprise privacy postures, but the defaults differ:

• Anthropic / Claude Code: by default, prompts are not used to train models. Enterprise plans include zero-data-retention (ZDR) toggle, SOC 2 Type II, optional region pinning. Most explicit privacy stance of the three.
• OpenAI / Cursor: Cursor wraps multiple models (OpenAI, Anthropic, custom). Default-off training opt-in, but the wrapper layer adds data passing through Cursor’s servers. Pro-tier privacy is decent; enterprise tier has stronger guarantees.
• Microsoft / GitHub Copilot: default-off training (suggestions are not used to train, per GitHub policy). Code goes to Microsoft cloud for inference. Enterprise tier adds IP indemnification (Microsoft will defend you if generated code triggers a copyright claim) — the strongest legal protection of the three.

Practical advice for ecommerce shops:

• Solo / small team: any of the three is fine on default settings — none train on your code by default
• Regulated industry / NDA-heavy work: enterprise tier on whichever you pick, ZDR on, region pinning if available
• Worried about IP indemnity: Copilot Enterprise has the clearest legal cover; Anthropic and Cursor have weaker indemnity language