Windsurf updated its Security & Data Handling policy on May 16, 2026 to disclose two practices involving data exposure. The policy now states that Windsurf uses Raindrop, a third-party service, to view usage analytics and aggregate statistics, and that users not using Zero-data retention mode may have their logs exposed for debugging purposes. Previously, this disclosure was not present in the policy.
The updated policy now explicitly states that Windsurf uses Raindrop to view usage analytics and aggregate statistics, and that debug logs may be exposed for users not on zero-data retention mode. Previously these practices were not disclosed in the policy. The policy establishes that Zero-data retention mode provides more restricted log access, while standard users operate under different log exposure terms. You can switch to Zero-data retention mode to limit debug log exposure.
The updated policy establishes explicit disclosure of third-party analytics tool usage and debug log exposure practices, which affects transparency regarding how user data is processed and accessed. Users operating without Zero-data retention mode should understand that their logs may be exposed for debugging purposes under the revised terms.
→ Review whether Zero-data retention mode is available and whether enabling it meets your data retention preferences.
→ Users not on zero-data retention mode will operate under the terms stated in the updated policy, which permits debug log exposure as described.
→ The disclosed practices will apply as written to all users who do not take steps to change their retention settings.
Explicitly states that Raindrop is used for dashboards to view usage analytics and aggregate statistics.
States that logs may be exposed for debugging purposes from users not using Zero-data retention mode.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
Windsurf added explicit disclosure of third-party analytics tool usage (Raindrop) and debug log exposure practices. This represents a clarification of data handling practices rather than a substantive operational change. The disclosure may engage GDPR Articles 13-14 (transparency obligations) and CCPA disclosure requirements, depending on jurisdiction. Review whether existing privacy notices and vendor documentation accurately reflect these practices and whether user consent or notification protocols need update.
GDPR (Articles 13-14, transparency and lawful basis), CCPA (disclosure of data practices), state privacy laws (Virginia VCDPA, Colorado CPA, Utah UCPA), PIPEDA (where applicable)
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Watcher: regulatory citations + obligations. Professional: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-002146.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — WatcherHow Meta, TikTok, and Supabase restructured governance language across documents, jurisdictions, and consent frameworks through incremental…
How 10 AI platforms describe the use of user data for model training, improvement, and development, based on archived governance provisions.
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 320+ platforms every Sunday.