Windsurf changed its default data use policy for model training. Previously, the company stated it would not use customer data for model training unless users explicitly opted in. The updated policy states the company may use customer data for model training by default. Paid plan users can now opt out on the Data Controls settings page, and Enterprise customers require express written consent before any training use. Teams plan administrators control the opt-out setting for their organization.
The updated terms establish a default policy permitting Windsurf to use customer data for model training purposes to improve services. Previously, the company required explicit opt-in before any training use. Under the revised policy, data training occurs automatically for free and paid users unless they affirmatively opt out through the Data Controls settings page. Once disabled, the terms state your data will not be used for training and Zero Data Retention will be enabled with model providers. Enterprise customers operate under a different standard, requiring express prior written consent before any training use occurs.
This change reverses Windsurf's baseline data handling presumption for model training. Previously, users started with non-use and had to actively opt in; now they start with automatic use and must actively opt out. For organizations serving regulated customers or having committed to stricter data practices, the shift from opt-in to opt-out may trigger privacy policy updates and potential compliance review under GDPR, CCPA, and sector-specific frameworks. The explicit consent requirement for Enterprise customers indicates that consent-based processing is operationally available, which may create expectations that other tiers warrant similar controls.
→ Review your Windsurf account privacy settings within 30 days and navigate to Data Controls to decide whether to opt out of model training.
→ For Teams plan members, contact your administrator to confirm whether model training opt-out has been disabled for your organization.
→ If you require stricter data handling guarantees, evaluate whether your use case qualifies for Enterprise tier, which requires express written consent for model training.
→ Your data will be used by Windsurf for model training and AI improvement by default unless you affirmatively opt out in the Data Controls settings.
→ If you do not opt out, Zero Data Retention will not be enabled with Windsurf's model providers, and your data may persist in training datasets.
→ For Teams plan users, if your administrator does not exercise the opt-out option, all organizational data will be subject to model training use.
ConductAtlas has recorded 2 material changes to this document (since June 2026). An additional minor or cosmetic changes were excluded.
Across all monitored documents, Windsurf has made 3 significant changes.
Changed from explicit opt-in requirement to automatic authorization for all users except Enterprise; shifts presumption from data protection to data use.
Establishes right to disable model training via Data Controls settings and triggers Zero Data Retention with model providers.
Requires express prior written consent for Enterprise customers before any model training, creating a distinct tier of protection.
This change record describes what was added, removed, or modified in the document. Analysis reflects what the updated agreement states or permits. It does not constitute a legal determination about enforceability. Applicability may vary by jurisdiction. Methodology
Windsurf can now use your data to train and improve its AI models unless you turn this off in settings.
You no longer need to actively agree to let Windsurf use your data for training; it happens automatically.
+ 1 more obligation changes. Full breakdown available with Monitor.
Track changes →Windsurf reversed its model training default from opt-in to opt-out for general users while maintaining a stricter consent requirement for Enterprise customers. This change may implicate GDPR Article 6 (lawful basis for processing) and Article 13 (information to be provided to data subjects), as processing personal data for AI model training constitutes a material change in processing purpose. Under GDPR, organizations relying on this service to serve EU residents may need to reassess lawful basis documentation and update their own privacy notices to reflect the new default. The change also affects how data processing agreements or standard contractual clauses describe the scope of permitted uses. Non-Enterprise customers in the EU may face additional compliance obligations, as consent via opt-out may not satisfy GDPR's affirmative consent requirements depending on implementation and regulatory interpretation.
GDPR (Articles 6, 13, 21), CCPA (California Consumer Privacy Act), UK Data Protection Act 2018, sector-specific frameworks depending on customer industry
Full compliance analysis
Obligation analysis, escalation trigger, board language, and recommended action.
Monitor: regulatory citations + obligations. Compliance: full compliance memo.
ConductAtlas provides verified policy intelligence sourced directly from platform documents. All analysis is intended to support, not replace, legal and compliance review. Record CA-C-003485.
See the full side-by-side comparison of every sentence added, removed, and modified.
🔒 Full diff — MonitorWindsurf's Terms of Service were substantially rewritten on July 1, 2026. The updated terms rebrand the service from Windsurf to …
Windsurf updated its Terms of Service landing page on June 30, 2026, replacing 'Try Devin' with 'Log in' in the …
Windsurf replaced technical documentation about their Devin AI product with a comprehensive security and data handling disclosure. The previous document …
Get alerted when this policy changes again — including what changed and why it matters.
Prefer a weekly summary instead?
Get the biggest policy changes across 352+ platforms every Sunday.