cursor.com privacy policy — score 62/100 (medium risk)

Zuletzt analysiert

Der Berichtsinhalt (Zusammenfassung, Befunde, Zitate) wurde auf Englisch erstellt und ist nicht lokalisiert.

Neue Analyse für eine andere Richtlinie starten

Anysphere, Inc. · cursor.com

Berichtsdetails

medium Risiko

Cursor (Anysphere) promises not to use your code inputs for AI training by default and doesn't sell your data, but it collects a sweeping range of personal and usage data, ships it to the US with vague transfer safeguards, and leaves key details like retention periods and legal bases unspecified.

The privacy policy for Cursor (Anysphere, Inc.) covers a broad spectrum of data collection from account details to all user inputs and suggestions. While the policy stands out positively for its default prohibition on using Inputs/Suggestions for model training and its commitment not to sell data or engage in targeted advertising, significant gaps remain. Retention periods are undefined, the legal bases for processing are referenced in an empty table, international transfer mechanisms are unspecified beyond generic assurances, and several critical documents (Privacy Overview, Cookie Policy, subprocessor list) are referenced but not provided. The broad collection of Inputs—which in a coding tool may contain proprietary or sensitive information—combined with sharing to model providers and cloud infrastructure partners raises data minimization concerns.

Zuletzt analysiert
QuelleURL
Länge18,566 Zeichen

Kategoriebewertung

Aufschlüsselung der Richtlinie nach zentralen Compliance-Bereichen. Gut = stark, mittel = gemischt, schlecht = bedenklich.

Data Minimizationpoor

The policy collects all user Inputs and Suggestions, device/log/usage data, and location information without clearly limiting collection to what is strictly necessary for service provision.

Transparencyfair

The policy is clearly written and structured, but it references multiple external documents (Privacy Overview, Cookie Policy, subprocessor list) that are not included, and the jurisdiction-specific legal basis table appears empty.

Third-party Sharingfair

Data is shared with a broad range of service providers including model providers and cloud infrastructure, but no specific subprocessors are named in the policy itself and the referenced list is external.

International Transferspoor

EEA users' data is transferred to US servers with only a generic commitment to 'legally valid transfer mechanisms' and 'adequate level of data protection'—no specific mechanism (SCCs, DPF, BCRs) is identified.

AI/Model Traininggood

Inputs and Suggestions are explicitly not used for model training by default, with only narrow exceptions (security review, explicit Feedback, or explicit opt-in), and users can manage their preferences.

User Rightsfair

The policy lists access, deletion, correction, portability, objection, restriction, and consent withdrawal rights, but provides only a generic email contact and does not mention a DPO or EU representative.

Wichtigste Befunde

Bemerkenswerte Klauseln, Probleme oder positive Praktiken (kritische zuerst)

Warnung

Broad collection of user Inputs and Suggestions without clear minimization

Section 1(A) states that all Inputs (content submitted by the user) and Suggestions (AI-generated responses) are collected. For a coding tool, Inputs may contain proprietary source code, API keys, credentials, or other sensitive data. The policy does not describe any technical measures to filter or minimize what is retained from Inputs, only that they are collected in full.

Warnung

Vague and undefined retention periods

Section 4 states only that data is retained 'as long as necessary to operate the Service effectively and to support legitimate business needs' and that 'the appropriate retention period varies.' No specific timeframes or criteria are provided for any data category, making it impossible for users to understand how long their data persists.

Warnung

International transfer mechanism unspecified

Section 6 acknowledges that EEA users' data is transferred to US servers but only states that 'we only transfer data in accordance with legally valid transfer mechanisms' and 'we require an adequate level of data protection.' The specific legal mechanism (Standard Contractual Clauses, EU-US Data Privacy Framework certification, Binding Corporate Rules) is not identified, which is a GDPR transparency requirement.

Warnung

Jurisdiction-specific legal basis table is empty or not provided

Section 7 references a table that 'supplements this Privacy Policy by providing additional details about the purpose of data collection, type of data collected, and legal basis,' but the table content is not included in the provided text. Without this, GDPR Article 13 requirements for specifying legal bases are unmet.

Warnung

Security review exception could expand data use beyond user expectations

Section 2's first exception to the no-training rule allows use of Inputs/Suggestions 'flagged for security review' to 'improve our ability to detect and enforce our Terms of Service.' This is a potentially broad exception that could allow model training on user data without explicit consent if it is deemed a security concern.

Warnung

No Data Protection Officer or EU representative identified

The policy provides only a generic contact email (hi@cursor.com) and does not identify a Data Protection Officer, EU representative under GDPR Article 27, or any dedicated privacy contact role, which may be required given processing of EEA residents' data.

Info

Default opt-out from AI training is a strong positive

Section 2 explicitly states: 'We do not use Inputs or Suggestions to train our models, or permit third parties to use them for training, unless: (1) they are flagged for security review... (2) you explicitly report them to us... or (3) you've explicitly agreed to their use for such training purposes.' This is a privacy-protective default that exceeds industry norms for AI tools.

Fazit für Nutzer

Your code and prompts are not used to train Cursor's AI by default, which is a rare and welcome protection, but everything you type still flows through their systems and can be accessed for security review, and your data is sent to the US without clear legal safeguards.

Compliance-Posture

Partially compliant with GDPR principles; strong on purpose limitation for AI training but weak on data minimization, storage limitation, and international transfer specificity.

EU-Übermittlungen

Data is explicitly transferred to the US. The policy states transfers use 'legally valid transfer mechanisms' and require 'an adequate level of data protection' but does not specify whether Standard Contractual Clauses, the EU-US Data Privacy Framework, or other mechanisms are relied upon. This is a significant gap for GDPR compliance.

Erkannte Signale

Konkrete Datenpunkte und Praktiken im Text identifiziert

Erhobene Daten
NameEmail addressPayment informationUser Inputs (code, prompts, content)AI Suggestions (generated responses)Communication contentFeedback and rated exchangesDevice type and browser informationOperating system informationMobile network or ISPIP addressBrowser type and settingsError logsBrowsing historySearch queriesLinks clickedPages viewedUsage timestampsCookie and tracking pixel dataApproximate geographic location
Verarbeitungszwecke
Service provision and maintenanceAccount creation and administrationPayment processingService improvement and researchDebugging and issue repairCommunications about the ServiceFraud detection and preventionSecurity incident investigationLegal complianceTerms of Service enforcementDispute resolutionSafety monitoringAggregated analytics
Weitergabe an Dritte
Third-party vendors and service providers (hosting, cloud infrastructure, model providers, analytics, customer support, safety monitoring, communications, payment processing, compliance, IT)Affiliates under common controlGovernment authorities and law enforcementBusiness transfer counterparties and advisersThird-party services and integrationsBusiness account administratorsOther users (via sharing features)
Internationale Übermittlungen
Data transferred to US serversTransfers outside EEA and UKGeneric commitment to 'legally valid transfer mechanisms'Generic commitment to 'adequate level of data protection'No specific mechanism identified (SCCs, DPF, BCRs)
KI / Modelltraining
Inputs and Suggestions NOT used for model training by defaultException: data flagged for security review may be analyzedException: explicitly reported Feedback may be usedException: explicit user opt-in/agreementUsers can manage preferences regarding training use of Inputs/SuggestionsThird parties not permitted to use Inputs/Suggestions for training unless exceptions apply

Textbelege

Direkte Zitate aus der Richtlinie, die diese Befunde stützen

We do not use Inputs or Suggestions to train our models, or permit third parties to use them for training, unless: (1) they are flagged for security review (in which case we may analyze them to improve our ability to detect and enforce our Terms of Service), (2) you explicitly report them to us (for example, as Feedback), or (3) you've explicitly agreed to their use for such training purposes.

Anysphere retains your personal data only for as long as necessary to operate the Service effectively and to support legitimate business needs such as legal compliance, safety, dispute resolution, and enforcement of our agreements.

For users in the European Economic Area, ('EEA'), when you access our Service, your personal data may be transferred to our United States servers to other countries outside the EEA and the UK. Where information is transferred outside the EEA or the UK, we require an adequate level of data protection.

We do not 'sell' or 'share' personal data for cross-contextual behavioral advertising, and we do not process personal data for 'targeted advertising' purposes (as those terms are defined under applicable US state privacy laws).

The Service allows you to submit content ('Inputs'), which generate responses ('Suggestions') based on your Inputs. If you include personal data or reference external content in your Inputs, we will collect that information and it may be reproduced in the Suggestions we provide.

Fehlend oder unklar

  • Specific legal bases for each processing purpose (GDPR Article 13(1)(c))
  • Specific retention periods or criteria per data category
  • Identification of Data Protection Officer
  • Identification of EU representative under GDPR Article 27
  • Specific international transfer mechanism (SCCs, DPF, BCRs)
  • Content of the jurisdiction-specific disclosures table referenced in Section 7
  • Privacy Overview document referenced in the Introduction for model training details
  • Cookie Policy details
  • Subprocessor list content
  • Details on how security review flagging works and its scope
  • Whether DPIAs have been conducted

Fragen zum Nachfragen

  • What specific legal transfer mechanism do you rely on for EEA-to-US data transfers (Standard Contractual Clauses, EU-US Data Privacy Framework, or other), and can you provide the relevant documentation?
  • What are the specific retention periods for each category of personal data, particularly for Inputs and Suggestions?
  • Under what specific criteria is an Input 'flagged for security review,' and can you provide statistics on how often this exception is invoked?
  • Who is your designated Data Protection Officer or EU representative, and how can data subjects contact them directly?
  • Can you provide the complete subprocessor list including model providers, and specify which subprocessors have access to user Inputs?
  • Have you conducted a Data Protection Impact Assessment for the processing of user Inputs, given the potential for sensitive or proprietary code content?
  • What are the specific legal bases (consent, legitimate interest, contract performance) for each processing purpose listed in Section 2?
  • How does the 'manage your preferences' mechanism for AI training opt-in/opt-out work technically, and is it enabled by default for all users?
Diese Analyse wird von KI erstellt und ist keine Rechtsberatung. Konsultiere für Compliance-Entscheidungen immer eine qualifizierte Rechtsfachkraft.

Diese Analyse teilen

Jeder mit diesem Link kann das Ergebnis oben einsehen.

Entwickelt von DentroChat

100 % europäischer KI-Chat für alle

Chatte mit KI, arbeite mit Dateien, generiere Bilder und suche im Web. Daten bleiben in Europa.

In der EU gehostete InfrastrukturText, Dateien, Bilder & WebsucheSchnell-, Denk- und Kreativ-ModusDatenschutz zuerstKeine Daten verlassen Europa
Kostenlos testen →