What are the institutional and regulatory implications of this document?

(1) REGULATORY EXPOSURE: This document engages GDPR Articles 6, 13, 17, 20, 28, and 44-46 (with the ICO as UK supervisory authority and relevant EEA DPAs); CCPA/CPRA California Civil Code §1798.100-1798.199 (enforced by the California Privacy Protection Agency and California AG); Virginia CDPA, Colorado CPA, Connecticut CTDPA, and Texas TDPSA for US state-level rights; COPPA (15 U.S.C. §6501) implicated by the under-18 exclusion; and FTC Act Section 5 for unfair or deceptive data practices. (2)…

How does Windsurf's Windsurf Privacy Policy affect users?

Windsurf collects and uses everything you type into its AI coding assistant — including prompts, generated code, and voice transcriptions — to train and improve its AI models, and this data may be accessed by your employer if you use an enterprise account. If you are an EU, UK, or certain US state resident, you have rights to access, correct, delete, or opt out of certain processing of your personal data. You can exercise your data rights by emailing privacy@windsurf.com or using the account de…

How often is Windsurf's Windsurf Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when Windsurf updates this document?

Yes. Watcher subscribers ($9.99/month) can add Windsurf to their watchlist and receive same-day email alerts whenever this document or any other Windsurf document changes.

Windsurf Privacy Policy — Windsurf

9 Total

3 High severity

6 Medium severity

0 Low severity

Summary

This is Windsurf's (Exafunction, Inc.) privacy policy explaining how the company collects and uses your personal data when you use their AI-powered coding assistant, including the IDE extension and website. Most importantly, if you use Windsurf through your employer's enterprise account, your employer's administrators can access your AI prompts and outputs — including the code and questions you type into the tool. If you are an enterprise user, you should assume your employer can see everything you type into Windsurf and act accordingly.

Technical Summary

This Privacy Policy, published by Exafunction, Inc. (operating as Windsurf), governs the collection, use, and disclosure of Personal Information for users of the windsurf.com website, downloadable IDE extension, APIs, and related developer services, with legal bases for EU/EEA/UK processing grounded in GDPR Article 6 (consent, contractual necessity, legal obligation, and legitimate interests). The document creates significant obligations including collecting and using Prompts and Outputs (user-submitted code and AI responses) for AI/ML model training, sharing user data with employers or enterprise administrators who may access Prompts and Output Information, and transferring data internationally to the US via Standard Contractual Clauses. Notably, enterprise account administrators are explicitly granted access to individual users' Prompts and Output Information — a provision with material workplace privacy implications that deviates from typical consumer-facing privacy policies — and voice audio is processed and discarded while text transcriptions are retained as Log and Usage Information. The document engages GDPR (Articles 6, 13, 28, 44-46), CCPA/CPRA (California Civil Code §1798.100 et seq.), and state comprehensive privacy laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA); compliance teams should note that the dual role as both data controller and processor — depending on whether enterprise customers are involved — creates layered obligations requiring distinct consent mechanisms and DPA agreements.

Evidence Provenance

Captured April 29, 2026 08:19 UTC

Document ID CA-D-000486

Version ID CA-V-001055

Source URL https://codeium.com/privacy-policy

Wayback Machine View archived versions →

SHA-256 edd3d5146a4a61d0ce53df79b085b72f125dcee37b880fc5d3967f6230aa4952

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Cryptographically signed

Institutional Analysis

🔒 Institutional analysis locked

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Professional.

Upgrade to Professional — $149/mo

Change Timeline

April 29, 2026 — Initial capture

Initial snapshot — monitoring begins

edd3d514…

View full version history (0 captures) →

High Severity — 3 provisions

AI Model Training Using Prompts and Outputs

Windsurf uses everything you type into the AI coding assistant — your questions, code snippets, and the AI's responses — to train and improve its AI models.

Added April 30, 2026
Employer/Enterprise Administrator Access to Prompts and Outputs

If you use Windsurf with your work email address, your employer's account administrators can access everything you have typed into the AI assistant, including all your code prompts and AI-generated responses.

Added April 30, 2026
Dual Controller/Processor Role Disclaimer

When Windsurf processes your data on behalf of your employer, Windsurf's own privacy policy does not protect you — your employer's privacy policy governs instead, and Windsurf takes no responsibility for how your employer handles your data.

Added April 30, 2026

Medium Severity — 6 provisions

International Data Transfers

If you are based in Europe or the UK, your personal data is transferred to and stored on servers in the United States, which has different (generally weaker) data protection laws than the EU.

Added April 30, 2026
Voice Data Processing

Windsurf can record your voice to generate text prompts, then deletes the audio but keeps the text transcript — and that transcript is used like any other usage data, including potentially for AI training.

Added April 30, 2026
Business Transfer Disclosure

If Windsurf is sold, merged, or acquired, all of your personal data — including your AI prompts, code, and account information — can be transferred to the acquiring company without your consent.

Added April 30, 2026
User Privacy Rights (US States and EU/UK)

Depending on where you live, you may have rights to access, correct, delete, or opt out of certain uses of your personal data — but only if you are in the EU, UK, California, or certain other US states.

Added April 30, 2026
Cookie and Cross-Site Tracking

Windsurf and its third-party analytics partners (including Google Analytics) use cookies and tracking pixels to monitor your activity on the website and across other websites over time.

Added April 30, 2026
Security Disclaimer and Risk Allocation

Windsurf says it uses security measures but explicitly tells you that data transmission is 'at your own risk' and they cannot guarantee your data will not be stolen or compromised.

Added April 30, 2026

Cross-platform context

See how other platforms handle AI Model Training Using Prompts and Outputs and similar clauses.

Compare across platforms →