Windsurf states it may use the text you type into the tool as prompts, along with the AI-generated responses, to train and improve its AI models.
This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision states that content users enter into Windsurf, which may include proprietary code, sensitive queries, or personal information, can be retained and used to train the company's AI systems beyond the immediate session.
The policy authorizes collection and use of Prompts and Outputs Information for AI training purposes; users who enter sensitive, confidential, or proprietary content into Windsurf should be aware that this content may be retained and used for model development under the terms of this policy.
How other platforms handle this
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
Windsurf has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"To train, develop, and improve the artificial intelligence, machine learning, and models that we use to support our Services. We may use your Log and Usage Information and Prompts and Outputs Information for this purpose.— Excerpt from Windsurf's Windsurf Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Articles 5, 6, and 13 for EEA and UK users, requiring a valid legal basis and transparent disclosure of processing purposes. The policy cites legitimate interests as a legal basis for product development and analytics; the use of personal data in AI training under legitimate interests may require a documented Legitimate Interests Assessment and may face scrutiny from data protection authorities including the UK ICO and EU supervisory authorities. For U.S. users, the FTC Act and applicable state comprehensive privacy laws (CCPA, CPRA, and similar statutes) may govern whether this use is consistent with disclosed purposes and whether adequate notice has been provided. GOVERNANCE EXPOSURE: High. The use of user-submitted Prompts and Outputs for AI training creates material compliance exposure because the policy does not disclose a specific opt-out mechanism for this use in the main policy body. Enterprise customers whose employees use Windsurf may be unaware that business-sensitive or proprietary code entered as prompts is subject to this use. Regulatory guidance from the UK ICO and EU data protection authorities on AI training data has increasingly focused on purpose limitation, data minimization, and consent requirements. JURISDICTION FLAGS: EEA and UK users face heightened exposure given GDPR purpose limitation and data minimization requirements. California residents may have rights under CPRA to limit the use of sensitive personal information, depending on whether prompt content qualifies. Enterprise customers in regulated industries such as healthcare, finance, or legal services may face additional restrictions on data submitted to AI tools under sector-specific regulations. CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should assess whether a Data Processing Agreement is available that addresses the AI training use of Prompts and Outputs, and whether that use can be contractually restricted or disabled. The policy acknowledges that Windsurf may act as a data processor on behalf of enterprise customers, but the main policy does not contain a carve-out excluding enterprise-processed data from AI training uses, which may create a conflict between the processor role and the stated AI training purpose. COMPLIANCE CONSIDERATIONS: Legal teams should evaluate whether the legitimate interests basis for AI training is adequately documented and whether a Legitimate Interests Assessment has been conducted. Data mapping updates should reflect Prompts and Outputs as a category subject to AI training use. Organizations with confidentiality obligations should assess whether use of Windsurf is consistent with those obligations given this provision.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision states that content users enter into Windsurf, which may include proprietary code, sensitive queries, or personal information, can be retained and used to train the company's AI systems beyond the immediate session.
The policy authorizes collection and use of Prompts and Outputs Information for AI training purposes; users who enter sensitive, confidential, or proprietary content into Windsurf should be aware that this content may be retained and used for model development under the terms of this policy.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.