This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
EU and UK users' data is subject to U.S. data access laws and surveillance frameworks once transferred, and the adequacy of Standard Contractual Clauses as a transfer mechanism requires that Windsurf has assessed and documented those transfer risks.
Interpretive note: The policy does not specify whether Transfer Impact Assessments have been conducted, whether the EU-U.S. Data Privacy Framework is relied upon, or which specific third countries beyond the U.S. may receive transferred data, leaving the full scope of transfer mechanisms uncertain.
The policy states that prompts submitted to Windsurf and the AI-generated outputs may be collected and used to train and improve the company's AI and machine learning models, meaning code, queries, or other text entered into the tool may be retained and used beyond the immediate session. If you use Windsurf through an employer or enterprise account, the policy states that account administrators may be able to access your prompts and output information and control your account. You can request review, update, or deletion of your personal data by contacting privacy@windsurf.com.
How other platforms handle this
When we transfer personal data outside the European Economic Area, United Kingdom, or Switzerland, we use appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data is protected.
Personal data collected by Unity may be transferred to and processed in countries outside of the European Economic Area, including the United States, where data protection laws may differ from those in your country. Where we transfer personal data from the EEA or the UK, we rely on appropriate safeg...
We may transfer, process, and store all personal information we collect anywhere in the world. Different countries have different data protection laws. If we transfer personal information from the European Economic Area, Switzerland, Brazil and/or the United Kingdom to a country that does not provid...
Monitoring
Windsurf has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Our servers are located in the United States. If you are accessing our Services from outside the United States, please be aware that your Personal Information may be transferred to, stored, and processed by us in our facilities and by those third parties to whom we may disclose your Personal Information (see "WILL YOUR INFORMATION BE DISCLOSED TO ANYONE?" above) in the United States, and other countries. If you are a resident in the EEA, Switzerland or the UK, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. We may transfer Personal Information from the EEA, Switzerland or the UK to the U.S. and other third countries based on approved Standard Contractual Clauses, or otherwise in accordance with applicable data protection laws.— Excerpt from Windsurf's Windsurf Privacy Policy
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
EU and UK users' data is subject to U.S. data access laws and surveillance frameworks once transferred, and the adequacy of Standard Contractual Clauses as a transfer mechanism requires that Windsurf has assessed and documented those transfer risks.
ConductAtlas has identified this type of provision across 12 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.