Claude Code security and privacy — what data it stores and how to control it

Is Claude Code Safe? What It Stores, How Long, and How to Lock It Down

I use Claude Code on real client work, so “where does my code actually go?” isn't an academic question for me. Here is what I found when I went looking: what the tool keeps on my machine, what leaves it, how long any of it sticks around, and the handful of settings that tighten the whole thing up.

Two places your data lives

The first thing that helped me think clearly about this was splitting it in two. Claude Code data lives in two separate places, and they have completely different rules (everything here lines up with Anthropic's own Claude Code data usage documentation):

  • On your machine: transcripts, settings, and some history files Claude Code writes to disk so it can resume sessions and remember context.
  • On the model provider's servers: the prompts and replies that have to travel over the network for the model to answer you at all.

Most of the worry I see online mixes these up. “Is it stored forever?” has a different answer for each. Let's take them one at a time.

What Claude Code keeps on your machine

Look inside ~/.claude/ and you can see most of it for yourself. The part people care about is ~/.claude/projects/: that's where Claude Code stores your session transcripts, as plaintext .jsonl files, one folder per project. Open one in a text editor and you'll read back the whole conversation, including the file contents and commands that scrolled past during the session.

Two things matter here. First, plaintext: the files are stored as plain JSONL, so protecting them relies on your OS account security and whatever disk-encryption technology you use, like FileVault or BitLocker. There's no separate app-level encryption layer on top. Second, they don't live forever. By default Claude Code keeps local transcripts for 30 days and then cleans them up. You can shorten or lengthen that with the cleanupPeriodDays setting in your settings file.

Alongside the transcripts, ~/.claude/ holds your settings, shell snapshots, a file-history/backups area Claude Code uses to undo edits, and local telemetry buffers. None of that is hidden from you, but it is worth knowing it exists before you, say, sync your home directory to a shared drive.

What actually leaves your machine

To answer a prompt, the model has to see it. So your prompts and the model's outputs are sent over the network to your model provider, encrypted in transit with TLS. That part is unavoidable. It's how the tool works. Everything else that leaves is optional and worth knowing about by name:

  • Telemetry: operational metrics like latency and reliability. Anthropic's docs are explicit that this does not include your code or file paths. Opt out with DISABLE_TELEMETRY.
  • Error reporting: crash data sent to Sentry. Opt out with DISABLE_ERROR_REPORTING.
  • The /feedback command: this one is different. Running it sends a copy of your conversation history, including code, to Anthropic. It only happens when you run the command, and you choose how much history to include. Those transcripts are kept for 5 years. Opt out entirely with DISABLE_FEEDBACK_COMMAND.
  • Session quality surveys: the “How is Claude doing?” prompt records only your rating, not your conversation. There's a separate follow-up that asks to look at your transcript, and it uploads nothing unless you click yes. If you do opt into it, your conversation transcripts, any subagent transcripts, and the raw session log can be uploaded and are kept for up to 6 months.
  • WebFetch safety check: before fetching a URL, Claude Code sends just the hostname (not the path or page) to check it against a safety blocklist.

The pattern is reassuring once you see it: the heavy stuff (your code) only leaves when you deliberately send it, and the always-on traffic is metrics without code attached.

How long the server keeps it

This is the question I most wanted a straight answer to, and it comes down to your plan (the numbers below are from Anthropic's data retention policy):

  • Free, Pro, Max (consumer plans): 30 days if you haven't allowed your data to be used for model improvement, and 5 years if you have. That second number surprises people, so it's worth checking which side of it you're on.
  • Team, Enterprise, API (commercial plans): a standard 30-day retention period. Qualified Enterprise organizations can turn on Zero Data Retention, which is designed to avoid the standard server-side retention of transcripts on Anthropic's systems.

A couple of edges worth knowing. When you delete a conversation, it leaves your history immediately and is purged from back-end storage within 30 days. And if something gets flagged for a policy violation, that content can be kept longer: per Anthropic's retention policy linked above, inputs and outputs for up to two years, and trust and safety classification scores for up to seven years. Normal work isn't in that bucket, but it's honest to mention the exception exists.

Is your code used to train models?

Short version: on commercial plans (Team, Enterprise, API), no. Your code and prompts aren't used to train models unless your organization explicitly opts in, for example through the Development Partner Program.

On consumer plans (Free, Pro, Max), it's a setting you control. When the model-improvement setting is on, data from those accounts can be used to train new models, and that includes your Claude Code sessions. The control lives at claude.ai/settings/data-privacy-controls, and you can change it whenever you like. It only affects new or resumed sessions, not ones you never touch again.

How to delete your data

There's no single button, because the data lives in two places. To clear it properly you handle both:

  • Local transcripts: delete the files under ~/.claude/projects/, or lower cleanupPeriodDays so they age out faster. If you want a clean slate, removing that folder wipes the local history (you lose the ability to resume those sessions, which is the only thing it costs you).
  • Server-side conversations: delete them from your Claude history. They disappear from view immediately and are removed from back-end storage within 30 days. Claude Code on the web sessions can be deleted individually too.
  • Stop future retention: turning off the training setting moves a consumer account back to the shorter 30-day window going forward.

How to make it more secure

None of this requires a security team. Here's the checklist I actually use, roughly in order of impact:

  • Pick the right plan. If the work is sensitive, a commercial plan keeps your code out of training by default, and Zero Data Retention on Enterprise is the strongest option.
  • Turn off the training setting on consumer plans if you'd rather not contribute data; as a bonus, it drops your retention to 30 days.
  • Keep full-disk encryption on. Those local transcripts are plaintext, so the encryption that protects them is your laptop's. FileVault on macOS, BitLocker on Windows.
  • Shorten cleanupPeriodDays so old conversations don't pile up on disk longer than you need.
  • Trim the optional traffic. CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC switches off the non-essential calls in one move; or set DISABLE_TELEMETRY, DISABLE_ERROR_REPORTING, and DISABLE_FEEDBACK_COMMAND individually.
  • Don't paste real secrets into prompts. Use environment variables and .env files that stay out of the conversation. A key you never type can't be logged anywhere.
  • Mind your repo. Keep your secrets files listed in .gitignore, and don't commit the ~/.claude transcripts if they ever land inside a project. The same discipline I wrote about for using AI on WordPress projects applies here too. Review what the AI touches before it ships.

What not to paste into the chat

The single best habit is upstream of every setting: be deliberate about what you type in the first place. A value you never send can't be retained, logged, or read back from a transcript. The things I keep out of the chat:

  • Live credentials. API keys, access tokens, passwords, private SSH or signing keys, and database connection strings with real hosts. If you need Claude to work with one, reference it as an environment variable (process.env.STRIPE_KEY) instead of pasting the value.
  • Whole .env and secrets files. Share the variable names you need help with, not the file with every value filled in.
  • Real personal data. Customer names, emails, phone numbers, health or financial records, anything covered by an NDA or a privacy law. When you need realistic input to debug with, make up fake data that has the same shape.
  • Code you're not cleared to share. On client or employer work, check whether sending the codebase to a third-party tool is allowed before you do. A commercial plan with Zero Data Retention is often what makes that a yes.
  • Production infrastructure details you wouldn't post publicly: internal hostnames, server IPs, access URLs. They rarely help the answer and they sit in the transcript afterward.

A simple test before you hit enter: would you be fine with this text sitting in a plaintext file on your disk for a month, and on a server for as long as your plan's retention allows? If not, redact it or swap in a placeholder first. Good news here is that Claude Code already redacts known API key and token patterns before anything is uploaded through /feedback, but that's a safety net, not a substitute for keeping secrets out of the conversation.
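Because those local transcripts are plaintext and sit on disk for the cleanupPeriodDays window, it is worth checking them for anything credential-shaped that slipped past the "would I be fine with this on disk for a month" test. The script below is an added example, not Claude Code's own tooling: it scans a directory of .jsonl transcripts for a few common secret shapes (AWS access key IDs, sk-/ghp_ style tokens, private-key headers, connection strings with embedded passwords) and counts transcripts older than the retention window. The sample transcripts it builds are constructed, and the patterns are a starting set you would extend for your own providers.

```shell
#!/bin/sh
# Added example (not part of Claude Code): audit local transcripts for
# credential-shaped strings and for files older than the cleanup window.
# The real location is ~/.claude/projects/; pass any directory of .jsonl files.

# Extended-regex shapes that usually mean a live credential was pasted.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9_-]{20,}|ghp_[A-Za-z0-9]{30,}|BEGIN [A-Z ]*PRIVATE KEY|postgres(ql)?://[^[:space:]@/]+:[^[:space:]@/]+@'

# Print file:line for each hit on stderr (location only, never the value) and
# echo the number of transcripts containing at least one hit (0 means clean).
scan_transcripts() {
  dir="$1"
  hits=0
  for f in "$dir"/*.jsonl; do
    [ -f "$f" ] || continue
    if grep -Eq "$SECRET_PATTERNS" "$f"; then
      hits=$((hits + 1))
      grep -En "$SECRET_PATTERNS" "$f" | cut -d: -f1 | sed "s|^|$f:|" >&2
    fi
  done
  echo "$hits"
}

# Count transcripts older than the retention window (default 30 days, the
# same number cleanupPeriodDays controls) to confirm cleanup is really running.
stale_transcripts() {
  dir="$1"; days="${2:-30}"
  find "$dir" -name '*.jsonl' -mtime +"$days" | wc -l | tr -d ' '
}

# Build a constructed sample directory for a dry run. The key ID below is the
# well-known AWS documentation placeholder; the password and host are made up.
make_sample_dir() {
  d=$(mktemp -d)
  printf '%s\n' \
    '{"type":"user","message":{"content":"Use process.env.STRIPE_KEY for the charge call"}}' \
    '{"type":"assistant","message":{"content":"Reading src/billing.js"}}' \
    > "$d/clean-session.jsonl"
  printf '%s\n' \
    '{"type":"user","message":{"content":"connect with postgres://app:Pa55word@db.internal/prod"}}' \
    '{"type":"user","message":{"content":"my aws key is AKIAIOSFODNN7EXAMPLE"}}' \
    > "$d/leaky-session.jsonl"
  touch -t 202001010000 "$d/leaky-session.jsonl"   # backdate so it is 30+ days old
  echo "$d"
}

sample=$(make_sample_dir)
echo "transcripts with secret-shaped strings: $(scan_transcripts "$sample")"
echo "transcripts older than 30 days: $(stale_transcripts "$sample" 30)"
rm -rf "$sample"
```

Point scan_transcripts at each project folder under ~/.claude/projects/ (or loop over them) and treat any non-zero count as a prompt to delete that transcript and rotate the credential it contains.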

So, is it safe?

For my work, yes — with the settings above in place. The honest summary is that Claude Code is reasonable by default and configurable when default isn't enough. Your code only leaves when you send a prompt or deliberately run /feedback; the always-on traffic is metrics without code; retention is finite and, on commercial plans, can be zero. The one habit worth building is the same one that makes any tool safe: know where the data goes, and decide on purpose instead of by default.

Frequently Asked Questions

Where does Claude Code store my conversations?

On your own machine, in plaintext JSONL files under ~/.claude/projects/, one folder per project. Claude Code keeps them so you can resume a session, and by default they live there for 30 days. You change that window with the cleanupPeriodDays setting, or delete the files yourself at any time. Separately, when you send a prompt, that prompt and the model's reply travel over the network to the model provider and are retained on their side according to your account type.

How long does Anthropic keep Claude Code data?

It depends on your account. On Free, Pro, and Max plans the period is 30 days if you have not allowed your data to be used for model improvement, and 5 years if you have. On Team, Enterprise, and API the standard period is 30 days, and qualified Enterprise organizations can enable Zero Data Retention, which is designed to avoid the standard server-side retention of transcripts. Conversations you delete are removed from your history right away and purged from back-end storage within 30 days. Content flagged for a usage policy violation can be kept longer: inputs and outputs for up to two years, and trust and safety classification scores for up to seven years.

Is my code used to train Claude models?

On commercial plans (Team, Enterprise, API) no, your code and prompts are not used to train models unless your organization explicitly opts in, such as through the Development Partner Program. On consumer plans (Free, Pro, Max) it is a setting you control: when the model-improvement setting is on, data from those accounts can be used to train new models, and that includes Claude Code usage. You can change the setting any time at claude.ai/settings/data-privacy-controls.

How do I make Claude Code more private?

Turn off the training setting if you are on a consumer plan, or use a commercial plan (with Zero Data Retention for the strongest guarantee). Lower cleanupPeriodDays so local transcripts are deleted sooner, and keep full-disk encryption on since those transcripts are stored in plaintext. Opt out of the optional traffic you do not want with environment variables: DISABLE_TELEMETRY, DISABLE_ERROR_REPORTING, DISABLE_FEEDBACK_COMMAND, or CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC to cover the non-essential ones at once. And avoid pasting real secrets into prompts.