In addition to @NobbZ’s advice, you can also set up your own private Go module proxy server.
Also, the proxy documentation describes what is being logged:
If I don’t set GOPRIVATE
and request a private module from these services, what leaks?
The proxy and checksum database protocols only send module paths and versions to the remote server. If you request a private module, the mirror will try to download it just as any Go user would and fail in the same way. Information about failed requests isn’t published anywhere. The only trace of the request will be in internal logs, which are governed by the privacy policy.
And the privacy policy says,
We use that data for monitoring and debugging. In general, we’ve built these services to retain as little information about usage as possible while still ensuring that we are able to detect and fix problems.
We do not store logged personally identifiable information such as IP addresses for more than 30 days. We also do not correlate or combine information from our request logs with any personal information that you have provided Google for other services.