Detailed Analysis
Anthropic's data usage policies for Claude Code establish a two-tier framework that distinguishes sharply between consumer and commercial users, reflecting the company's broader effort to balance AI model development with enterprise privacy obligations. Consumer users on Free, Pro, and Max plans are given an opt-in/opt-out choice regarding whether their data — including prompts and code interactions — may be used to train future Claude models, with a five-year retention period applying to those who consent and a 30-day retention period for those who decline. Commercial users on Team, Enterprise, and API plans, by contrast, operate under a default policy in which Anthropic does not train generative models on their code or prompts unless they explicitly participate in the Development Partner Program, a voluntary opt-in mechanism available exclusively through Anthropic's first-party API and not through cloud provider integrations such as Amazon Bedrock or Google Vertex.
The data retention and feedback architecture reveals a sophisticated layering of privacy controls designed to serve different user needs and regulatory environments. Enterprises can access zero data retention through Claude for Enterprise, enabled on a per-organization basis by Anthropic's account teams. In parallel, Claude Code caches session transcripts locally in plaintext at `~/.claude/projects/` for 30 days by default — a design choice that enables session resumption but requires users to actively manage local storage hygiene. The feedback system introduces further nuance: the `/feedback` command shares session transcripts with Anthropic for five years, while the in-session "How is Claude doing this session?" survey collects only a numeric rating with no conversation data, and does not influence model training. This granularity allows Anthropic to collect product satisfaction signals without compromising data preferences, a distinction that will matter increasingly as regulators scrutinize AI data pipelines.
The cloud execution model for Claude Code on the web introduces additional data considerations absent from purely local deployments. When sessions run in Anthropic-managed virtual machines, a user's repository is cloned into an isolated VM, and all outbound network traffic routes through a security proxy for audit logging and abuse prevention. GitHub credentials are handled through a secure proxy and never enter the sandbox environment itself. This architecture attempts to replicate the data policy promises made for local Claude Code usage — including account-type-specific retention rules — while enabling browser-accessible, infrastructure-free sessions. The explicit note that Claude only accesses repositories in which a session has been actively initiated, and not merely connected repositories, represents a meaningful boundary that addresses a common concern about AI coding tools with broad repository permissions.
Zooming out, Anthropic's policy framework for Claude Code reflects a wider industry reckoning with how AI companies handle code, which is uniquely sensitive because it often contains proprietary business logic, credentials, and trade secrets. The company's choice to default commercial users to a no-training posture — while building opt-in pathways like the Development Partner Program — mirrors approaches taken by OpenAI and Google with their enterprise tiers, and signals that enterprise trust is increasingly a competitive axis in the AI coding tools market. The telemetry architecture, which logs operational metrics such as latency and usage patterns through Statsig but explicitly excludes code and file paths, and which can be disabled via environment variables, further illustrates how Anthropic is navigating the tension between product improvement and customer data sovereignty. As Claude Code expands across deployment surfaces — terminal, IDE plugins, web, CI/CD pipelines — the clarity and granularity of these policies will likely become a decisive factor for organizations evaluating AI-assisted development at scale.
Read original article →