What can I do about this clause?

{'method': 'EMAIL', 'recipient': 'privacy@windsurf.com', 'difficulty': 'MODERATE', 'action_type': 'CLOSE_ACCOUNT', 'instructions': "If you wish to separate your account from your employer's enterprise account or close your account entirely, contact privacy@windsurf.com. Use a personal email address and request account separation or deletion, specifying your concern about employer access.", 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has jurisdiction over unfair or deceptive practices if employees are not adequately informed that their employer can access their AI prompts through Windsurf enterprise accounts.', 'complaint_url': 'https://reportfraud.ftc.gov/'}, {'agency': 'State_AG', 'reason': 'State attorneys general in California, Illinois, and New York have jurisdiction over workplace privacy and employee monitoring disclosure requirements under state law.', 'complaint_url': 'https://www.naag.org/find-my-ag/'}

What is the severity of this clause?

ConductAtlas classifies this Employer/Enterprise Administrator Access to Prompts and Outputs clause as high severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Employer/Enterprise Administrator Access to Prompts and Outputs — Windsurf

Share 𝕏 Share in Share 🔒 PDF

What it is

If you use Windsurf with your work email address, your employer's account administrators can access everything you have typed into the AI assistant, including all your code prompts and AI-generated responses.

Consumer impact (what this means for users)

Using Windsurf with a work email means your employer's administrators can access all your AI prompts and generated outputs, including any sensitive, personal, or confidential information you may have typed into the tool.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Close Your Account

If you wish to separate your account from your employer's enterprise account or close your account entirely, contact privacy@windsurf.com. Use a personal email address and request account separation or deletion, specifying your concern about employer access.

Cross-platform context

See how other platforms handle Employer/Enterprise Administrator Access to Prompts and Outputs and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

Enterprise users have no expectation of private conversations with the AI tool — their employer can read all their prompts and outputs, which could include sensitive personal communications, whistleblower concerns, or confidential ideas.

View original clause language

Your employer or related organization - If you create an account using an email address belonging or relating to your employer or another organization, we may share the fact that you have an account and certain Registration Information (such as your email address) with your employer or organization to, for example, enable you to be added to their business or enterprise account. In addition, administrators of any enterprise or business account may be able to access certain information associated with your account, including your Prompts and Output Information, and be able to control your account and such information.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: This provision implicates GDPR Article 88 (processing in employment context), national employment privacy laws in EU member states (e.g., German Betriebsverfassungsgesetz works council consultation requirements, French Labour Code L.2323-47), and Article 13 transparency obligations to employee-users. In the US, the Electronic Communications Privacy Act (ECPA, 18 U.S.C. §2510) and state wiretapping laws may apply depending on monitoring disclosures. California Labor Code §980 and Illinois workplace monitoring laws are also relevant. The FTC Act Section 5 applies if employees are not adequately informed. (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

The FTC has jurisdiction over unfair or deceptive practices if employees are not adequately informed that their employer can access their AI prompts through Windsurf enterprise accounts.
File a complaint →
State AG

State attorneys general in California, Illinois, and New York have jurisdiction over workplace privacy and employee monitoring disclosure requirements under state law.
File a complaint →

Provision details

Document information

Document

Windsurf Privacy Policy

Entity

Windsurf

Document last updated

April 29, 2026

Tracking information

First tracked

April 30, 2026

Last verified

April 30, 2026

Record ID

CA-P-004017

Document ID

CA-D-00486

Evidence Provenance

Source URL

https://codeium.com/privacy-policy

Wayback Machine

View archived versions →

SHA-256

ca691298a1c366388f0a1f48ecc65849f0a7d07d6de5b840c646e62cf6239715

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Windsurf | Document: Windsurf Privacy Policy | Record: CA-P-004017
Captured: 2026-04-30 05:21:09 UTC | SHA-256: ca691298a1c36638…
URL: https://conductatlas.com/platform/windsurf/windsurf-privacy-policy/employerenterprise-administrator-access-to-prompts-and-outputs/
Accessed: May 2, 2026

Classification

Severity

High

Employer/Enterprise Administrator Access to Prompts and Outputs