What can I do about this clause?

{'method': 'EMAIL', 'recipient': 'privacy@windsurf.com', 'difficulty': 'EASY', 'action_type': 'DELETE_DATA', 'instructions': 'EU/UK users can request deletion of their personal data including any data transferred to US servers by emailing privacy@windsurf.com. Reference your right to erasure under GDPR Article 17 and request confirmation of which safeguards apply to your data transfers.', 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has jurisdiction over US-based data practices and can act on inadequate international transfer safeguards under FTC Act Section 5.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this International Data Transfers clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar International Data Transfers clauses across approximately 29 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

International Data Transfers — Windsurf

Share 𝕏 Share in Share 🔒 PDF

What it is

If you are based in Europe or the UK, your personal data is transferred to and stored on servers in the United States, which has different (generally weaker) data protection laws than the EU.

Consumer impact (what this means for users)

EU and UK users' personal data, including sensitive coding prompts, is transferred to the United States and processed under US law, relying on Standard Contractual Clauses as the legal transfer mechanism.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

EU/UK users can request deletion of their personal data including any data transferred to US servers by emailing privacy@windsurf.com. Reference your right to erasure under GDPR Article 17 and request confirmation of which safeguards apply to your data transfers.

Cross-platform context

See how other platforms handle International Data Transfers and similar clauses.

Compare across platforms →

Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

EU and UK users' personal data — including AI prompts and outputs — is transferred to the US, where it may be subject to US government surveillance laws that do not offer equivalent EU-level protections.

View original clause language

Our servers are located in the United States. If you are accessing our Services from outside the United States, please be aware that your Personal Information may be transferred to, stored, and processed by us in our facilities and by those third parties to whom we may disclose your Personal Information (see "WILL YOUR INFORMATION BE DISCLOSED TO ANYONE?" above) in the United States, and other countries. If you are a resident in the EEA, Switzerland or the UK, then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. We may transfer Personal Information from the EEA, Switzerland or the UK to the U.S. and other third countries based on approved Standard Contractual Clauses, or otherwise in accordance with applicable data protection laws.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: This provision engages GDPR Chapter V (Articles 44-46) governing international data transfers, specifically Article 46(2)(c) Standard Contractual Clauses (SCCs — updated June 2021 Commission Decision 2021/914). UK equivalent mechanisms under the UK GDPR and ICO International Data Transfer Agreement (IDTA) are also implicated. The adequacy decision framework and post-Schrems II requirements (CJEU Case C-311/18) apply, including the requirement for Transfer Impact Assessments (TIAs). (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

FTC

The FTC has jurisdiction over US-based data practices and can act on inadequate international transfer safeguards under FTC Act Section 5.
File a complaint →

Provision details

Document information

Document

Windsurf Privacy Policy

Entity

Windsurf

Document last updated

April 29, 2026

Tracking information

First tracked

April 30, 2026

Last verified

April 30, 2026

Record ID

CA-P-004019

Document ID

CA-D-00486

Evidence Provenance

Source URL

https://codeium.com/privacy-policy

Wayback Machine

View archived versions →

SHA-256

ca691298a1c366388f0a1f48ecc65849f0a7d07d6de5b840c646e62cf6239715

Verified

✓ Snapshot stored ✓ Change verified

How to Cite

ConductAtlas Policy Archive
Entity: Windsurf | Document: Windsurf Privacy Policy | Record: CA-P-004019
Captured: 2026-04-30 05:21:09 UTC | SHA-256: ca691298a1c36638…
URL: https://conductatlas.com/platform/windsurf/windsurf-privacy-policy/international-data-transfers/
Accessed: May 2, 2026

Classification

Severity

Medium

International Data Transfers