What are the institutional and regulatory implications of this document?

REGULATORY LANDSCAPE: This policy engages GDPR and UK GDPR for EEA and UK residents, citing consent, contractual necessity, legal obligation, and legitimate interests as legal bases; it also engages the CCPA and CPRA for California residents via a separate referenced California Resident Privacy Notice, and references other U.S. state comprehensive privacy laws. The use of Prompts and Outputs for AI training purposes and the disclosure of personal data to enterprise account administrators may re…

How does Windsurf's Windsurf Privacy Policy affect users?

Users of Windsurf operate under terms that authorize the collection and retention of prompts and generated outputs for model training purposes beyond the immediate session. Users with enterprise or work accounts operate under additional terms permitting their employers or account administrators to access their prompts and outputs and to exercise administrative control over their accounts. Users may submit requests to review, update, or delete their personal data by contacting privacy@windsurf.c…

How often is Windsurf's Windsurf Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Windsurf updates this document?

Yes. Monitor subscribers ($19/month) can add Windsurf to their watchlist and receive same-day email alerts whenever this document or any other Windsurf document changes.

CA-D-000486

Windsurf Privacy Policy

Windsurf

Last change detected June 2, 2026 Privacy policy

SHA-256: 93eedc64d91db65bdfb… 3 versions captured 1 change documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at Windsurf ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

2 High severity

7 Medium severity

1 Low severity

Summary

This document establishes Windsurf's data collection and usage practices for users of its AI-powered coding tool, website, and IDE extension provided by Exafunction, Inc. The policy authorizes collection of user-submitted prompts and AI-generated outputs for purposes of training and improving Windsurf's AI models. For users accessing Windsurf through enterprise or work accounts, the policy permits account administrators and employers to access prompts, outputs, and account controls.

Technical / Legal Breakdown

This document is Windsurf's (Exafunction, Inc.) privacy policy, last updated October 21, 2025, governing the collection, use, and disclosure of Personal Information through the windsurf.com website, downloadable extensions, APIs, and associated software and services. The agreement states that Windsurf collects Registration Information, Communications Information, Log and Usage Information, Prompts and Outputs Information, voice command transcriptions, and information from third-party integrations; the terms authorize use of Log and Usage Information and Prompts and Outputs Information to train, develop, and improve AI and machine learning models, and permit disclosure to partners, affiliates, vendors, analytics providers, and enterprise account administrators who may access user Prompts and Outputs. The policy authorizes disclosure of any categories of Personal Information to current or future partners and affiliates for any purpose described in the policy, and enterprise account administrators are stated to have access to individual Prompts and Output Information, which is operationally distinct from policies that restrict employer access to derived or aggregated data only; the document also asserts that Standard Contractual Clauses govern EEA-to-US transfers, though the document does not specify which SCCs or the supervisory authority responsible. The policy engages GDPR and UK GDPR for EEA and UK residents, the California Consumer Privacy Act and California Privacy Rights Act for California residents (with a separate California Resident Privacy Notice referenced), and various other U.S. state comprehensive privacy laws; COPPA-adjacent age restriction provisions apply to users under 18. Compliance considerations include the use of AI training as a stated purpose for processing user Prompts and Outputs without a clear opt-out mechanism disclosed in the main policy text, enterprise data access provisions that may require evaluation under employment law and data processor agreement requirements in the EU and UK, and the absence of a specified retention schedule beyond a general necessity standard.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

1 important change detected

3 versions captured · Last updated: June 2026

June 2, 2026

low

What changed Windsurf removed the 'Windsurf' navigation link from the header menu in their privacy policy document on June 2, 2026. The updated privacy policy header now omits the redundant Windsurf link that previously appeared after 'Contact Devin'. This is a formatting change with no operational impact on the privacy terms themselves, their scope, or user protections.

Why this matters This change is a formatting update to the privacy policy document header and does not modify any privacy terms, data handling practices, or consumer protections. The substantive privacy policy language remains unchanged. No consumer action is required.

View full change record →

Recent Provision Changes Jun 2, 2026

10 provisions unchanged.

View full change record →

High — 2 provisions

AI Model Training Using Prompts and Outputs Compare →

Windsurf states it may use the text you type into the tool as prompts, along with the AI-generated responses, to train and improve its AI models.

Added April 30, 2026 Standard Seen across 284 platforms
Enterprise Administrator Access to User Prompts and Outputs Compare →

If you use Windsurf through a workplace or enterprise account, your employer's account administrators may be able to read the prompts you entered and the AI outputs you received, and may be able to control your account.

Added May 12, 2026 Standard Seen across 284 platforms

Medium — 7 provisions

Broad Partner and Affiliate Disclosure Compare →

Windsurf may share any category of personal information it collects with current or future business partners and affiliated companies for any of the purposes listed in the policy.

Added May 12, 2026 Standard Seen across 252 platforms
International Data Transfer via Standard Contractual Clauses Compare →

Windsurf states that personal data from EEA, Switzerland, and UK users may be transferred to the United States and other countries, relying on Standard Contractual Clauses as the transfer mechanism.

Added May 12, 2026 Standard Seen across 284 platforms
Prompts and Outputs as Personal Information Compare →

Windsurf collects and retains the text you type into its AI tool and the responses the AI generates; the policy acknowledges this content may qualify as personal information depending on how it is linked to your account.

Added May 12, 2026 Standard Seen across 284 platforms
Cookies and Third-Party Tracking Technologies Compare →

Windsurf and its third-party partners use cookies, web beacons, and pixel tags to collect information about your browser, IP address, page interactions, and online activity across different services over time.

Added May 12, 2026 Standard Seen across 284 platforms
Business Transfer Disclosure Compare →

In the event of a merger, acquisition, or sale, Windsurf may transfer all categories of personal information it holds to the acquiring or merging company, including during the negotiation phase before any transaction is completed.

Added April 30, 2026 Standard Seen across 252 platforms
Voice Command Data Collection and Retention Compare →

When you use voice input in Windsurf, the audio recording is processed and then deleted, but the text transcription generated from your voice is retained and treated the same as other usage log data.

Added May 12, 2026 Standard Seen across 284 platforms
User Privacy Rights and Data Deletion Compare →

Windsurf states that users in the US, EEA, Switzerland, and UK have certain data rights under applicable law, including the ability to review, update, or request deletion of their personal data by contacting the company.

Added May 12, 2026 Standard Seen across 284 platforms

Low — 1 provision

Age Restriction for Minors Compare →

Windsurf states its services are not intended for users under 18, and requires users to represent they are at least 18 or have parental consent; parents who believe their child's data was collected can contact privacy@windsurf.com.

Added May 12, 2026 Standard Seen across 284 platforms

Monitoring

Windsurf has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle AI Model Training Using Prompts and Outputs and similar clauses.

Compare across platforms →