Kukui IT · Information Security Bulletin

Claude Code Data Collection Advisory

What Anthropic's Claude Code collects, retains, and uses to train its models — a plain-language snapshot of where things stand, and how to lock it down for maximum privacy.

Status as of July 2026 · Claude Code

1What's Collected — and Where It's Sent

Claude Code sends two separate kinds of data to two separate places. Operational telemetry (metadata about your work) goes to a third-party analytics service, Datadog. Your actual content — prompts, code, conversations — goes to Anthropic's servers and, on personal plans, is used to train the model. Here is every key item and exactly where it lands.

Datadog third-party analytics Sentry error reporting Anthropic vendor servers / training Local stays on your machine
Data being collectedWhat it exposesSent to
Account email & org/user IDsTies the whole stream to you — not anonymousDatadog
Working directory pathsThe shape of your filesystem & project namesDatadog
Repository & branch namesYour git repo identity and branch namesDatadog
Tool names, timing, exit codesThe rhythm of your work: what ran, how long, pass/failDatadog
Model, token counts, message lengthHow long your prompts were — a number, not the wordsDatadog
Crash & error reportsStack traces; may incidentally include a path fragmentSentry
Your full prompts & conversationsEvery word you type and receive, verbatimAnthropic
Your code & coding sessionsThe actual source you paste, generate, or editAnthropic
Files & context you shareAnything you attach or reference in a sessionAnthropic
→ Used to train future models (personal plans, default ON)Your content becomes training data for the next modelAnthropic
Tool output / resultsNot sent to telemetry — measured only (exit code, token count)Local
⚠ Personal plans (Free, Pro, Max): the content rows are ON by default Since a policy change in late 2025, personal plans have the data-training setting turned ON by default — an opt-out, not opt-in. If you never touched it, assume the Anthropic rows above are live: your conversations and code are being retained and used to train the model, with retention stretched from ~30 days to up to 5 years. The Datadog rows are on by default on all plans until you disable telemetry.
✓ Two separate switches The Datadog rows are killed by telemetry environment variables. The Anthropic content/training rows are killed by a separate account privacy setting (or by using a protected plan). Turning one off does nothing to the other — both sections below.

2Training Exposure by Plan

Whether the Anthropic content rows above are used to train the model depends entirely on your plan. Personal plans default ON; commercial plans are protected.

How it breaks down by plan

PlanIs your content used for training?
FreeOn by default Your chats and coding sessions are used to train the model unless you opt out. Retention extends to up to 5 years.
ProOn by default Same as Free — content is used for training unless you switch the setting off. The burden is on you. Retention up to 5 years.
MaxOn by default Same as Free and Pro — a paid personal plan does not exempt you. Training is on unless you opt out; retention up to 5 years.
TeamProtected Not used for training by default under commercial terms — unless your organization opts in to a data-sharing program.
EnterpriseProtected Not used for training by default. Zero-Data-Retention terms available for qualified accounts. The recommended tier for sensitive work.
API / Business
(incl. Bedrock, Vertex)
Protected Not used for training by default under commercial terms — unless you explicitly opt in to a development-partner program.
The takeaway Privacy of your content is an account & setting question, not a telemetry question. Use a commercial / business tier for real work, and — because the toggle now defaults ON for personal plans — actively verify the data-training setting is off rather than assuming it. A personal plan used for work with the default left in place is the single highest-exposure configuration.

Watch the side channels, too

Beyond the two main streams, individual features can send content on demand — for example, a “send feedback” or “share this session” command that uploads your conversation, or an optional post-session survey that offers to upload a transcript. These are opt-in per use, but staff should know that clicking “yes” ships content regardless of your other settings.

3Configuring for Maximum Privacy

Maximum privacy means addressing both streams plus the side channels. Here is the checklist we apply for our clients.

A. Shut off operational telemetry

Most tools honor environment variables that disable the metadata stream at the process level. Set them where your tool runs so every session inherits them. Common industry-standard switches:

Environment variables (representative)
DISABLE_TELEMETRY=1 DISABLE_ERROR_REPORTING=1 DISABLE_BUG_COMMAND=1 DISABLE_NONESSENTIAL_TRAFFIC=1  # umbrella: covers the above + updater + experiments + surveys

Trade-off to know: an “umbrella” flag that blocks all non-essential traffic often also disables the auto-updater. On a controlled server that is arguably a feature — no silent version changes — but it means updates become a deliberate, manual step.

B. Lock down the content / training setting

🔑 Turn it off in Claude's settings (personal accounts)

Open your Privacy / Data controls and switch these two off:

  1. Toggle Help improve our AI models OFF — stops your chats and code from being used to train the model (and shortens retention).
  2. Toggle Location metadata OFF — stops coarse location data from being attached to your usage.
Open Claude Data & Privacy Controls →

C. Handle the side channels

Deployment order that actually sticks

  1. Set the telemetry environment variables at the service / system level so every subprocess inherits them — a shell export alone often will not reach background workers.
  2. Restart the service cleanly so the new environment takes effect.
  3. Confirm the account data-training toggle is off, on a commercial tier.
  4. Verify: check for outbound connections to the telemetry host after a real run — silence confirms success.

Bottom line

Your secrets, code, and prompts are safe from telemetry — but they are not automatically safe from model-training. Those are two different doors. Close both.

Kukui IT configures these controls for our managed clients as part of a standard secure-development posture. If you would like us to audit and lock down the AI tooling in your environment, reach out to your account team.

Sources

Facts in this report are drawn from Anthropic's own documentation and public reporting on the late-2025 consumer-terms change. Settings, defaults, and terms can change — always confirm against the current source.