Is Trae IDE Safe? ByteDance AI Coding Tool Security Analysis

TL;DR

Trae IDE is not safe for privacy-sensitive work. ByteDance's free AI coding tool was caught collecting telemetry data (file paths, hardware specs, behavioral metrics) even after users disabled the telemetry toggle. The AI code generation works, but the data collection practices make it a poor choice for anyone building production apps with sensitive code. Use Cursor or Windsurf if privacy matters to you.

What is Trae IDE?

Trae is a free AI-powered code editor from ByteDance, the company behind TikTok. It launched in early 2025 as a VS Code fork with built-in access to Claude 3.7 Sonnet and GPT-4o, both at zero cost. That pricing makes it one of the most attractive options for vibe coders building apps on a budget.

The catch? Security researchers have uncovered serious concerns about what Trae does with your data behind the scenes.

Our Verdict

What's Good

  • Free access to Claude 3.7 Sonnet and GPT-4o
  • Familiar VS Code interface
  • AI chat, autocomplete, and multi-file editing
  • No subscription required
  • Active development with frequent updates

What to Watch

  • Collects telemetry even after opt-out
  • Tracks file paths, keyboard/mouse activity
  • ByteDance operates the servers (Chinese data laws apply)
  • 5.7GB memory usage (3x more than Cursor)
  • No Privacy Mode or code exclusion features
  • No SOC 2 or comparable security certification

Privacy and Data Collection

This is where Trae falls apart for security-conscious developers.

What Data Does Trae Collect?

Security researchers at Unit 221B analyzed Trae's network traffic and found it collects far more than what's needed for AI features:

  • File system paths including your username and project names
  • Hardware specifications (CPU, memory, OS, architecture)
  • Behavioral metrics like keyboard and mouse activity patterns
  • Window focus states tracking when you're actively coding
  • Editor visibility data showing which files you have open
  • Precise timing data recording when you start and stop working

This goes well beyond what Cursor or Windsurf collect. Those tools send code context for AI processing, which is expected. Trae sends behavioral surveillance data that has nothing to do with code completion.

Trae's telemetry exposes your full file paths, which can reveal project names, client names, and directory structures. If you're building something under NDA or pre-launch, this metadata alone could be a problem.

The Telemetry Opt-Out Problem

Trae has a telemetry toggle in its settings. Turning it off should stop data collection. It doesn't.

Researchers found that the toggle only controls VS Code's built-in telemetry system. ByteDance's own data collection layer runs independently and keeps transmitting regardless of your settings. ByteDance eventually acknowledged this, updating the toggle's description to say it only controls "first-party extension telemetry." In practice, that means the setting is close to useless.

Even with telemetry "disabled," Trae continues sending data to ByteDance's servers. There is no current way to fully opt out of their proprietary data collection.

Performance and Resource Usage

Privacy isn't the only concern. Trae is significantly heavier than its competitors.

| Metric | Trae IDE | Cursor | VS Code |
|---|---|---|---|
| Processes spawned | 33 | 11 | 9 |
| Memory usage | 5.7 GB | 1.9 GB | 0.9 GB |
| Relative overhead | 6.3x VS Code | 2.1x VS Code | Baseline |

Loading the same codebase, Trae uses three times more memory than Cursor and over six times more than plain VS Code. Some of that overhead comes from AI features. Some of it comes from the extensive telemetry system running in the background.

For vibe coders working on laptops or machines with 8-16GB of RAM, Trae can eat a significant chunk of your available memory before you even start coding.

Security of Generated Code

Setting privacy aside, how safe is the code Trae generates?

The AI models powering Trae (Claude 3.7 Sonnet and GPT-4o) are the same ones available through Cursor and other tools. The generated code carries the same risks:

| Risk | Likelihood | What to Do |
|---|---|---|
| Hardcoded API keys | Medium | Move secrets to environment variables. See our guide to hiding API keys |
| Missing authentication | Medium-High | Always specify auth requirements in your prompts |
| SQL injection | Low-Medium | Use parameterized queries |
| XSS vulnerabilities | Medium | Sanitize and escape all user output |
| Overly permissive CORS | Medium | Restrict origins to your actual domains |

The code quality isn't the differentiator here. The same AI model produces similar code whether you access it through Trae, Cursor, or the API directly. The real question is what happens to your code and metadata while you're writing it.

Trae vs Cursor vs Windsurf

| Aspect | Trae IDE | Cursor | Windsurf |
|---|---|---|---|
| Price | Free | $20/month | Free tier + $15/month |
| AI models | Claude 3.7, GPT-4o | Claude 3.7, GPT-4o, custom | Claude 3.7, GPT-4o |
| Parent company | ByteDance (China) | Anysphere (US) | Codeium (US) |
| SOC 2 certified | No | Yes | Yes |
| Privacy Mode | No | Yes | No |
| Code exclusion (.cursorignore) | No | Yes | Partial |
| Telemetry opt-out | Broken | Working | Working |
| Training on user code | Unknown | Opt-out available | Claims no |
| Memory usage | 5.7 GB | 1.9 GB | ~2.1 GB |

The price difference is real. Cursor costs $20/month. Trae costs nothing. But when you factor in what ByteDance collects from your development environment, "free" starts to look expensive.

If cost is your primary concern, Windsurf's free tier offers AI coding features with better privacy practices than Trae. It's not as generous as Trae's offering, but it doesn't come with the same data collection baggage.

Using Trae IDE Safely (If You Choose To)

If you decide to use Trae despite the privacy concerns, take these precautions:

1. Never Use It for Sensitive Projects

Keep Trae for learning, side projects, and throwaway prototyping. Don't use it for client work, apps with user data, or anything you wouldn't want ByteDance to know about.

2. Use a Separate Machine or VM

Run Trae in an isolated environment where it can't see your other projects, SSH keys, or configuration files. The telemetry collects file paths, so keep your real work elsewhere.

3. Strip Sensitive Data from Your Workspace

Before opening a project in Trae, remove or rename any files that contain client names, API keys, or proprietary information. Even file names and directory structures are transmitted.

4. Review Generated Code Thoroughly

This applies to every AI coding tool, not just Trae. Don't ship AI-generated authentication, database queries, or API handlers without reviewing them. Run a security scan before deploying.

5. Monitor Network Traffic

Use a tool like Little Snitch (macOS) or Wireshark to see exactly what Trae sends and where. If you're uncomfortable with what you find, switch to a different tool.
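
For precaution 3 above, a pre-flight audit can list what a workspace's file and directory names would reveal before you open it in the editor. This is an added example, not code from this article's research or from Trae; the pattern list, the function names and the `acme` sample tree are assumptions constructed for illustration.

```python
import fnmatch
import os
import tempfile

# Assumed name patterns for secret-bearing files; extend for your own stack.
SECRET_PATTERNS = [".env", ".env.*", "*.pem", "*.key", "*.p12", "id_rsa", "id_ed25519"]

def audit_workspace(root, sensitive_terms, username=None):
    """Return sorted (relative_path, reason) pairs for names that path telemetry would expose."""
    terms = [t.lower() for t in sensitive_terms]
    root = os.path.abspath(root)
    findings = set()
    # The absolute workspace path is transmitted too, so check every component of it.
    for part in root.lower().split(os.sep):
        if username and part == username.lower():
            findings.add((".", "workspace path contains username"))
        for t in terms:
            if t in part:
                findings.add((".", f"workspace path contains '{t}'"))
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS internals
        for name in dirnames + filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            low = name.lower()
            for t in terms:
                if t in low:
                    findings.add((rel, f"name contains '{t}'"))
            if name in filenames and any(fnmatch.fnmatchcase(low, p) for p in SECRET_PATTERNS):
                findings.add((rel, "likely secret-bearing file"))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (not a real project)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "acme-rebrand")
        os.makedirs(os.path.join(root, "src", "acme_api"))
        for rel in (".env", "deploy.pem", "src/main.py", "src/acme_api/client.py"):
            open(os.path.join(root, *rel.split("/")), "w").close()
        return audit_workspace(root, ["acme"])

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

A finding on `.` means the workspace folder or one of its parent directories carries the term or username, so moving or renaming the project root matters as much as renaming the files inside it.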

Does Trae IDE send my code to ByteDance servers?

Yes. Like all AI-powered IDEs, Trae sends code context to remote servers for AI processing. The difference is that Trae's servers are operated by ByteDance, and researchers have found the tool collects additional telemetry data beyond what's needed for AI features.

Is Trae IDE really free?

Trae offers Claude 3.7 Sonnet and GPT-4o at no cost, which is unusual in the AI coding tool market. Free products typically monetize through data collection, advertising, or upselling. ByteDance has not fully disclosed how Trae's free tier is sustained.

Can I disable telemetry in Trae IDE?

Trae has a telemetry toggle in settings, but researchers found it only controls VS Code's built-in telemetry. ByteDance's own data collection continues regardless of this setting. There is currently no way to fully opt out of Trae's proprietary telemetry.

Is Trae IDE safe for production code?

The AI-generated code itself has the same risks as any AI coding tool. The bigger concern is the privacy side: Trae collects file paths, project metadata, and behavioral data that could reveal what you're building. For production projects with sensitive code or trade secrets, consider tools with stronger privacy controls like Cursor's Privacy Mode.
