The Price of Privacy: A 2025 Audit of AI Code Editors

This analysis is based on our interpretation of the Terms of Service available as of November 2025. Users should verify current terms independently.

Every time you hit Tab to autocomplete a function, you are sending a piece of your intellectual property to a third-party server. For individual developers, this is often a fair trade for 10x productivity. For enterprises, startups, and privacy-conscious engineers, it is a compliance nightmare waiting to happen.

We analyzed the Terms of Service (ToS), Privacy Policies, and architectures of the top AI coding tools: Google Antigravity, Claude (Anthropic), Windsurf, Cursor, and Zed.

Here is the unfiltered reality of where your code goes.

1. Google: The "Core" vs. "Additional" Shell

Google’s privacy terms are a labyrinth of distinctions between "Core Services" and "Additional Services." Understanding this distinction is critical for Workspace users.

The "Antigravity" & "Additional Services" Trap

If you are using Google’s cutting-edge AI coding tools (often branded under Antigravity, Labs, or AI Ultra), you are likely not protected by the standard Workspace privacy umbrella.

• The "Interactions" Clause: Terms for these specific services state that Google collects "Interactions" (your prompts, code snippets, and usage patterns) to "evaluate, develop, and improve Google... machine learning technologies."
• Human Review: Crucially, these terms often allow human reviewers to access this data.
• The Administrator's Dilemma: Even if you pay for Google Workspace Enterprise, if your Admin enables these "Additional Services" (which are often required to get the best AI features), you may be inadvertently consenting to data collection that violates your own internal compliance policies.

The "Core Services" Safe Harbor

In contrast, Gemini for Google Workspace (the standard enterprise add-on integrated into Docs/Gmail/Drive) is classified as a "Core Service."

• Privacy Promise: "Your content is not used for any other customers."
• Training: Google explicitly states that Core Service data is not used to train their foundational models.
• The Verdict: You are safe only if you stay strictly within the "Core Services" boundary. Stepping outside into "Antigravity" or "Labs" features strips away these protections.

2. Claude (Anthropic): The "Feedback" Loophole

Anthropic has one of the best reputations for safety, but their October 8, 2025 policy updates have introduced specific traps for the unwary.

Consumer vs. Commercial

• Free/Pro Users: The Terms of Service (Oct 2025) default to training on your data. You must manually navigate to your account settings to opt-out. If you don't, your chat history feeds their next model.
• Commercial/API Users: If you use the Anthropic API (e.g., via a BYO-Key editor) or the Team plan, Anthropic acts as a "Data Processor." They do not train on your data by default.

The "Thumbs Up" Trap

This is the hidden clause that catches almost everyone. Even on a commercial plan with strict privacy settings, explicit feedback overrides your privacy settings.

• The Mechanism: If you click "Thumbs Up" or "Thumbs Down" on a code snippet, you are explicitly telling Anthropic: "Please review this specific interaction."
• The Consequence: That specific conversation slice—including the proprietary code involved—is sent to their alignment team for review and potential training. Never rate responses containing sensitive IP.

The "Right to Switch" (New)

A unique pro-consumer addition to Anthropic's Terms (Section 12) is the Switching Request. It allows users to request the porting of all exportable data to an on-premise infrastructure upon termination. This offers a rare exit ramp for data lock-in.

3. Windsurf: The "Pay-to-Play" Privacy

Windsurf (by Codeium) offers a "Flow" state experience, but they monetize privacy more aggressively than anyone else.

The "Ultimatum" (Free Tier)

Windsurf splits training into two buckets: Discriminative (Autocomplete ranking) and Generative (Chat).

• Autocomplete: You can opt-out of training, and the feature should still work (data sent but not retained).
• Chat (Cascade): The Terms (Section 10.2) contain a "poison pill": "If you opt out, you will not have access to Chat Services." You effectively cannot use the product's main feature without paying with your data.

Pro Plan Exemption

True privacy is locked behind the Pro Plan. Paying users can enable "Zero Data Retention" (ZDR), contractually ensuring no training and no logging.

• Watch the Model: Even on Pro, ensure you do not select models labeled (no ZDR), as these bypass your privacy settings.

The Voice Trap

The Privacy Policy explicitly classifies text transcriptions of your voice commands as "Log and Usage Information." Section 2 confirms this specific category of data is used to "train, develop, and improve" their models. Speaking your code is less private than typing it.

4. Cursor: The "Trust Me" Proxy

Cursor is a fork of VS Code that routes your requests through their own backend to perform "Prompt Building" and RAG (retrieval) before sending them to OpenAI/Anthropic.

• The Architecture: Even with "Bring Your Own Key," your code hits Cursor's servers first. You cannot architecturally bypass them while using their AI features.
• The Metadata Trap: Even if you delete your code from their servers, if you use the "Indexing" feature (Codebase Awareness), Cursor stores embeddings and metadata (file names, hashes) in their database. For high-security threat models, file names alone can reveal proprietary architecture.
• Privacy Mode: They offer a "Privacy Mode" (even for free users) that enforces zero retention. This is better than Windsurf’s free tier, but it relies entirely on trust in Cursor's internal security rather than architectural guarantees.
• Security: Cursor is SOC 2 Type II Certified, which provides a verified level of security maturity.

5. Zed: The Architectural Privacy Champion

If you want to ensure the editor creator cannot see your code, Zed is the only choice that wins on architecture.

• Direct Connection: When you enter your OpenAI or Anthropic API key, Zed stores it in your OS’s secure keychain. When you chat, the request goes directly from your machine to the LLM provider. Zed's servers are effectively bypassed for the inference.
• Zero Retention Default: Unlike the others, Zed’s default stance is "we don't want your data." They don't train on your code, and they don't store it.
• The "Crash Report" Leak: Be aware that Zed's terms note that Crash Reports are collected automatically and may inadvertently contain file paths. Sensitive project names could theoretically leak here unless you disable telemetry.

The Verdict

The Evaluation Matrix

Recommendation

• For the Privacy Absolutist: Zed. It is the only tool that allows you to completely bypass the editor creator's servers. Combine Zed with an Anthropic API Key (which has strict commercial zero-retention rules) for the gold standard in AI privacy.
• For the Enterprise CISO: Cursor. Their SOC 2 Type II certification, combined with a "Privacy Mode" that works without breaking features, makes them the most compliant-friendly option for teams that need paper trails.
• For the Workspace Shop: Google, but only if you strictly limit users to "Core Services" and disable "Additional Services/Labs."

Final Warning: Regardless of the tool, never click the "Thumbs Up" button on a generated code snippet if that snippet contains your proprietary logic. It is the one universal backdoor to privacy policies.

References:

https://www.anthropic.com/legal/archive/cbf30172-78ac-43b7-8161-bd230de7cec9
https://www.anthropic.com/legal/privacy
https://windsurf.com/terms-of-service-individual
https://windsurf.com/privacy-policy
https://cursor.com/data-use
https://cursor.com/privacy
https://cursor.com/terms-of-service
https://zed.dev/privacy-policy
https://zed.dev/terms