By August 17, 2026, if you have recorded a sprint plan in Jira or written an internal document in Confluence, Atlassian will by default use that data to train its AI products. According to Atlassian’s official FAQ, metadata collection is mandatory for Free, Standard, and Premium tier customers — there is no off switch. Only by upgrading to Enterprise (minimum 801 users, custom pricing) can you opt out.
The same week, GitHub Copilot’s Free, Pro, and Pro+ users were also defaulted into the AI training pipeline. Slack had already done something similar in 2024, modifying its language after being exposed by Ars Technica. Figma’s non-Enterprise users have been default-trained since August 2024. Salesforce data has been used to train Einstein AI models for years.
On the other side, Google Workspace contractually commits to not using customer data to train foundational models. Microsoft 365 Copilot’s enterprise data protection promises are similarly enshrined in the Data Protection Addendum. GitLab has turned “we don’t train” into a core differentiator, publishing successive blog posts that directly compare against Atlassian and GitHub.
On the surface, this looks like a privacy crisis. But taken together, these events tell a more specific story: enterprise SaaS is converting data protection from a compliance obligation into a pricing dimension. Your data not being used for AI training is becoming a feature you pay for — much like SSO, audit logs, and SLAs.
This shift did not happen all at once. It unfolded across three generations of policy experimentation.
The first generation was Zoom’s land grab (July 2023). Zoom updated its terms of service, granting itself broad rights to use “service-generated data” for AI training with no customer-level opt-out. The Mozilla Foundation publicly questioned it, and the community erupted. Zoom backtracked within a month, adding boldface statements that it would not use audio, video, or chat content for AI training.
The lesson from Zoom was clear: offering no exit mechanism at all is politically untenable. But the episode proved a critical point — even when users object, they do not migrate at scale. Zoom’s user numbers showed no meaningful decline after the incident. This sent an important signal to later entrants: public backlash is temporary; lock-in is durable.
The second generation was Slack’s quiet normalization (May 2024). Slack’s privacy principles page contained a line: “To develop AI/ML models, our systems analyze Customer Data (e.g. messages, content, and files) submitted to Slack.” When a Hacker News user posted it late one night, the community exploded. Ars Technica’s headline read “Slack users horrified to discover messages used for AI training.”
Slack’s response strategy differed from Zoom’s. Rather than deleting the policy, it refined the wording — changing “AI/ML models” to “non-generative AI/ML models for features such as emoji and channel recommendations.” The company published a blog emphasizing it does not use customer data to train LLMs. But the opt-out mechanism remained cumbersome: workspace owners had to email feedback@slack.com with a specific subject line and wait for manual processing. No self-service button.
This round improved on Zoom: it proved that “default collection + theoretical opt-out + a hidden exit path” is a workable template. Slack suffered nothing close to Zoom’s public relations crisis, and its user base took no hit. The outrage on HN and Reddit was loud, but actual migration cases were vanishingly rare — a dedicated thread on r/Slack asked “Are people leaving Slack?”, and most replies concluded “no, because migrating to Matrix/Element is too painful.”
The third generation is Atlassian and GitHub’s systematic tier-gating (2026). This round is both more sophisticated and more aggressive. It is not blanket default collection, but tier-differentiated data protection.
Atlassian splits data into two categories: metadata (story points, sprint dates, SLA values, page complexity scores, high-frequency search terms across customers) and in-app content (Confluence page bodies, Jira issue titles, descriptions, and comments). The former is mandatory and cannot be disabled for Free, Standard, and Premium tiers; the latter is on by default but can be turned off. Only Enterprise customers get full opt-out. Data can be retained for up to seven years. More critically, Atlassian’s Teamwork Graph connectors pull relationship and activity signals from over 50 third-party tools — including Slack, Figma, Google Drive, and Salesforce — into the metadata collection scope. The exposure surface extends well beyond Atlassian products themselves.
Atlassian did something no previous vendor had done: it reversed an explicit prior commitment. Before November 2025, Atlassian’s help page was literally titled “Rovo and Atlassian Intelligence customer data is not used for AI model training,” and its body stated that “Customer data…is never used to train, fine-tune, or improve AI models or services.” This commitment had been repeatedly confirmed by official representatives in the Atlassian community forum. The move from “never” to “by default, unless you pay more” is a hard reversal.
GitHub Copilot’s contemporaneous policy change follows the same structure: Free, Pro, and Pro+ user interaction data is used for training by default, while Business and Enterprise customers are protected by contract. Martin Woodward confirmed this boundary in a HN comment.
The industry has clearly split on AI data strategy.
Default collection (or default training): Atlassian, GitHub Copilot (non-Enterprise), Slack (non-generative ML), Figma (non-Enterprise), Salesforce, LinkedIn.
Explicitly no training (contract-level commitment): Google Workspace, Microsoft 365 Copilot, GitLab, Notion, Dropbox, ServiceNow, OpenAI Enterprise.
This split is not a moral stance. The companies choosing “no training” each have different reasons.
Google and Microsoft are simultaneously AI infrastructure providers. Their foundational models (Gemini, deep integration with OpenAI) already have ample training data sources: public internet indexes, consumer product data, synthetic data, licensing agreements. Enterprise customer data contributes negligible marginal value to model quality, but the trust risk is enormous — if enterprise data were exposed as training input, the collective departure of Fortune 500 CIOs would be singularly expensive. They embed commitments in contracts (CDPA Training Restriction clauses, DPA) not out of ethics, but out of commercial calculus.
GitLab’s position is different. It does not develop foundational models; all its AI features run through third-party models from Anthropic, OpenAI, and Mistral. It occupies the middleware layer. Collecting customer data to train its own models was never part of its business — but this conveniently allows it to package “cannot” as “will not” and use it as a differentiator against GitHub and Atlassian.
On the other side, Atlassian and GitHub are pushed toward more aggressive positions by structural necessity. Their AI products (Rovo, Copilot) need to keep pace with Google and Microsoft, but they lack independent training data pipelines. Proprietary workflow data is their only source of differentiation. Default collection from smaller customers, with contract-level protection for large ones, represents their compromise between “we need training data” and “we cannot lose enterprise trust.”
At this point, the story still sits at the level of privacy policy. But from a business logic perspective, something more fundamental is happening.
The SaaS industry has historically treated data protection as infrastructure-level commitment: your data is encrypted in the cloud, SOC 2 and ISO 27001 compliant, baseline terms everyone gets. But Atlassian has now reclassified data protection from “not used for AI training” — from infrastructure promise to premium feature. Like SSO, audit logs, and SLAs, it requires a certain tier or higher.
The significance of this shift is not that it violates privacy, but that it creates a new pricing dimension with no market pricing mechanism whatsoever. Atlassian unilaterally decides what “your metadata is worth,” embedded in the tier price differential, while buyers have no way to independently assess their data’s value, nor any leverage to negotiate. If you are a Premium customer whose metadata Atlassian collects by force, you may be unhappy but you have no bargaining power — there is no line item on the price sheet called “data contribution discount.”
This is not Atlassian’s problem alone. From Zoom to Slack to GitHub to Figma, the entire industry is converging on the same default model: smaller customers pay with data as an implicit price; larger customers pay with money for data sovereignty. The structure mirrors exactly the open-source license fragmentation of the 2010s — MongoDB, Elastic, and Redis shifted to BSL/SSPL to restrict cloud vendors from free repackaging, while the Linux Foundation and Apache projects held to traditional open-source. The market did not produce a winner-take-all outcome then, and it will not now. The likely result is a stratified coexistence: data protection becomes a premium feature for enterprise products, while smaller customers’ data contributions serve as an implicit payment mechanism for the platform.
Just as open-source fragmentation produced license compatibility nightmares, enterprises now face cross-vendor data policy fragmentation — your Jira metadata feeds Atlassian’s training pool, your GitHub interaction data enters Microsoft’s models, but your Google Docs secrets and GitLab code remain protected. Who inside an organization is responsible for managing this fragmented exposure surface? There is currently no answer.
Even from a purely commercial perspective — setting aside privacy and ethics — the practical impact of this trend deserves serious attention.
The most immediate effect is compliance cost stratification. Atlassian previously offered all customers the same data commitment — “never used to train.” Now data protection has been pulled up to the Enterprise tier, meaning a large number of small and mid-sized organizations face a binary choice: accept that their data will be trained on, or bear the massive cost of upgrading (Enterprise requires 801+ users, custom pricing). This is not a gentle price gradient — it is a cliff.
Second, the pace of these policy changes is accelerating. Zoom retreated in one month, Slack refined its language in one week, GitHub gave a 30-day opt-out window, and Atlassian provided a 90-day review period. Each round is more “orderly” than the last, but all share the same essence: unilateral terms modification, with the burden of noticing and responding falling entirely on the customer. Enterprise SaaS contract cycle time is typically 12-36 months — by the time you realize you need to react, you may already be locked into terms you do not want.
There is also a subtler risk. Atlassian’s metadata definition includes story points, sprint end dates, SLA metrics, page complexity, and semantic similarity scores. De-identified, these look harmless in single dimensions. But with enough dimensions, pattern and structure reconstruction becomes feasible. When Atlassian holds aggregated data across 300,000 organizations, whether de-identification promises hold up against multi-dimensional pattern reconstruction is an engineering question, not a legal one.
When evaluating any SaaS company’s AI data risk, the most effective predictive variable is not its privacy policy language, but its position in the AI technology stack: the further a company is from owning foundational models, the more aggressive its data collection policy tends to be. This pattern is useful not because it is absolutely precise, but because it redirects attention from PR statements to business structure — and the latter is harder to fake.
Three important things have not happened.
First, no mass enterprise migration has occurred. The Hacker News thread on Atlassian’s policy drew 604 upvotes and 136 comments; the GitHub Copilot discussion drew 745 upvotes and 316 comments — strong sentiment by any measure. But verifiable migration cases are vanishingly rare. Simon Willison put his finger on it in an HN comment: “I don’t think there’s nearly as much value in this stuff as AI training data as people often assume.” If the training value of this data is itself overestimated, then the panic around it may also be excessive.
But the absence of migration does not mean the absence of impact. Migration costs are too high — Jira, Confluence, and Slack are deeply embedded in enterprise workflows, and migration is a 6-12 month project-level undertaking. Most organizations will not initiate migration solely because of a data policy change, but they will add AI data policy to their contract renewal negotiation checklist. This lag effect means 2027-2028 is the real pressure-testing window.
Second, no unified regulatory response has emerged. GDPR was drafted before LLMs existed. When Atlassian uses customer data to train AI, it shifts from data processor to independent data controller — this is the most substantive GDPR risk identified by Seibert Group’s legal analysis. But the EDPB has issued no specific guidance on the matter, and no member state DPA has taken formal enforcement action against SaaS vendors for AI training behavior. The EU AI Act requires transparency for high-risk AI systems, but whether a SaaS vendor training recommendation models on aggregated customer metadata qualifies as high-risk is legally far from settled.
Third, no cross-vendor data policy compatibility standard has emerged. An organization simultaneously using Jira, Slack, Figma, and GitHub today faces four different AI data policies, four different opt-out mechanisms, and four different data retention periods. Who within the organization is responsible for managing this fragmented exposure surface? No one — it is not the CISO’s traditional remit, not the CPO’s, and not procurement’s. Neither the market nor the regulators have caught up to this fragmentation.
GitLab CEO Bill Staples’ repeatedly stated position on LinkedIn represents one end of this divide: unconditional contract-level commitment — no training at any tier, full stop, with AI vendors also contractually prohibited from using customer data. Google and Microsoft have done the same thing at the architectural level — physically isolating enterprise data processing pipelines from consumer data processing pipelines. These approaches cost considerably more than an opt-out toggle, but they represent a choice: building trust on non-overridable constraints rather than changeable settings.
The other end presents a more uncomfortable reality. If small and mid-sized organizations can neither afford the Enterprise-tier premium nor execute a full vendor migration, their only option is to accept that their data will be trained on. This group happens to lack bargaining power in both the legal and court-of-public-opinion arenas.
This tension will not resolve itself in the near term. The speed of regulatory intervention, the willingness of enterprises to migrate, and whether smaller customers actually care will determine the industry landscape of 2027-2028. But one thing is already settled: asking “what is your AI data policy?” before purchasing any enterprise SaaS is no longer pedantic — it is as fundamental as asking “do you support SSO.”