If you use an individual Windsurf plan, your code and activity data may be retained by default unless you manually turn on zero-data retention in your profile settings. Business and team plans have this protection on by default.
This analysis describes what Windsurf's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.
The document establishes different default data retention treatment for individual versus team and enterprise users, meaning individual users who take no action may have code snippets and usage logs stored and accessible to internal systems.
Individual plan users who have not enabled zero-data retention mode may have logs containing code snippets and user trajectories stored and potentially accessible via internal analytics and communications tools. Enabling the setting in your profile page is the mechanism the document identifies for individual users to activate zero-data retention protections.
How other platforms handle this
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements. The criteria used to determine our retention periods include: the length of ...
Managing And Deleting Your Information. You have the right to access, correct, or delete your information in certain circumstances. We store information until it is no longer necessary to provide our Services or until your account is deleted, whichever comes first. You can delete your WhatsApp accou...
We may retain de-identified or aggregated information that can no longer be used to identify you for any period of time, including indefinitely.
Monitoring
Windsurf has changed this document before.
"For any teams or enterprise plans, all inputs and outputs to these requests follow zero-data retention policies by default. For any individual plan, users can opt-in to zero-data retention mode from their profile page. A large fraction of individual users have zero-data retention mode enabled." — Excerpt from Windsurf's Windsurf Security & Data Handling
(1) REGULATORY LANDSCAPE: This provision implicates GDPR data minimization and purpose limitation principles for EU-based individual users, as well as CCPA rights regarding the collection and retention of personal information for California residents. The relevant enforcement authorities are EU supervisory authorities under GDPR and the California Attorney General or California Privacy Protection Agency under CCPA. Where opt-in consent is the operative mechanism, its adequacy under GDPR Article 7 may require evaluation by legal teams.
(2) GOVERNANCE EXPOSURE: Medium. The asymmetric default between individual and enterprise plans creates a potential gap for organizations whose developers use individual accounts rather than team or enterprise plans. The document does not specify a retention period for logs stored under individual plans without zero-data retention mode enabled, which may create uncertainty for data mapping and deletion obligations.
(3) JURISDICTION FLAGS: EU/EEA individual users face heightened exposure given GDPR data minimization requirements. California residents may have CCPA rights to know about and delete retained data. Organizations operating in regulated industries such as healthcare or finance whose developers use individual plans should assess whether retained code logs could implicate sector-specific data protection requirements.
(4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams evaluating Windsurf for organizational use should confirm that their developers are provisioned under team or enterprise plans to benefit from zero-data retention defaults. Individual plan usage by employees may fall outside the data processing agreements negotiated at the enterprise level, creating a potential contractual gap.
(5) COMPLIANCE CONSIDERATIONS: Legal teams should audit whether the opt-in mechanism for individual users constitutes adequate consent and transparency under applicable law. Data mapping exercises should distinguish between individual and enterprise plan users and reflect the different retention defaults. Where developers use individual plans, organizations may need to implement policy controls requiring zero-data retention opt-in as a condition of use.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Windsurf.