cursor.com privacy policy — score 62/100 (medium risk)
Último análisis
El contenido del informe (resumen, hallazgos, citas) se generó en inglés y no está localizado.
Anysphere, Inc. · cursor.com
Detalles del informe
medium riesgoCursor (Anysphere) promises not to use your code inputs for AI training by default and doesn't sell your data, but it collects a sweeping range of personal and usage data, ships it to the US with vague transfer safeguards, and leaves key details like retention periods and legal bases unspecified.
The privacy policy for Cursor (Anysphere, Inc.) covers a broad spectrum of data collection from account details to all user inputs and suggestions. While the policy stands out positively for its default prohibition on using Inputs/Suggestions for model training and its commitment not to sell data or engage in targeted advertising, significant gaps remain. Retention periods are undefined, the legal bases for processing are referenced in an empty table, international transfer mechanisms are unspecified beyond generic assurances, and several critical documents (Privacy Overview, Cookie Policy, subprocessor list) are referenced but not provided. The broad collection of Inputs—which in a coding tool may contain proprietary or sensitive information—combined with sharing to model providers and cloud infrastructure partners raises data minimization concerns.
Evaluación por categoría
Desglose de la política en las principales áreas de cumplimiento. Bueno = sólido, regular = mixto, deficiente = preocupante.
The policy collects all user Inputs and Suggestions, device/log/usage data, and location information without clearly limiting collection to what is strictly necessary for service provision.
The policy is clearly written and structured, but it references multiple external documents (Privacy Overview, Cookie Policy, subprocessor list) that are not included, and the jurisdiction-specific legal basis table appears empty.
Data is shared with a broad range of service providers including model providers and cloud infrastructure, but no specific subprocessors are named in the policy itself and the referenced list is external.
EEA users' data is transferred to US servers with only a generic commitment to 'legally valid transfer mechanisms' and 'adequate level of data protection'—no specific mechanism (SCCs, DPF, BCRs) is identified.
Inputs and Suggestions are explicitly not used for model training by default, with only narrow exceptions (security review, explicit Feedback, or explicit opt-in), and users can manage their preferences.
The policy lists access, deletion, correction, portability, objection, restriction, and consent withdrawal rights, but provides only a generic email contact and does not mention a DPO or EU representative.
Hallazgos clave
Cláusulas destacadas, problemas o buenas prácticas detectadas (críticos primero)
Broad collection of user Inputs and Suggestions without clear minimization
Section 1(A) states that all Inputs (content submitted by the user) and Suggestions (AI-generated responses) are collected. For a coding tool, Inputs may contain proprietary source code, API keys, credentials, or other sensitive data. The policy does not describe any technical measures to filter or minimize what is retained from Inputs, only that they are collected in full.
Vague and undefined retention periods
Section 4 states only that data is retained 'as long as necessary to operate the Service effectively and to support legitimate business needs' and that 'the appropriate retention period varies.' No specific timeframes or criteria are provided for any data category, making it impossible for users to understand how long their data persists.
International transfer mechanism unspecified
Section 6 acknowledges that EEA users' data is transferred to US servers but only states that 'we only transfer data in accordance with legally valid transfer mechanisms' and 'we require an adequate level of data protection.' The specific legal mechanism (Standard Contractual Clauses, EU-US Data Privacy Framework certification, Binding Corporate Rules) is not identified, which is a GDPR transparency requirement.
Jurisdiction-specific legal basis table is empty or not provided
Section 7 references a table that 'supplements this Privacy Policy by providing additional details about the purpose of data collection, type of data collected, and legal basis,' but the table content is not included in the provided text. Without this, GDPR Article 13 requirements for specifying legal bases are unmet.
Security review exception could expand data use beyond user expectations
Section 2's first exception to the no-training rule allows use of Inputs/Suggestions 'flagged for security review' to 'improve our ability to detect and enforce our Terms of Service.' This is a potentially broad exception that could allow model training on user data without explicit consent if it is deemed a security concern.
No Data Protection Officer or EU representative identified
The policy provides only a generic contact email (hi@cursor.com) and does not identify a Data Protection Officer, EU representative under GDPR Article 27, or any dedicated privacy contact role, which may be required given processing of EEA residents' data.
Default opt-out from AI training is a strong positive
Section 2 explicitly states: 'We do not use Inputs or Suggestions to train our models, or permit third parties to use them for training, unless: (1) they are flagged for security review... (2) you explicitly report them to us... or (3) you've explicitly agreed to their use for such training purposes.' This is a privacy-protective default that exceeds industry norms for AI tools.
Resumen para el usuario
Your code and prompts are not used to train Cursor's AI by default, which is a rare and welcome protection, but everything you type still flows through their systems and can be accessed for security review, and your data is sent to the US without clear legal safeguards.
Postura de cumplimiento
Partially compliant with GDPR principles; strong on purpose limitation for AI training but weak on data minimization, storage limitation, and international transfer specificity.
Transferencias en la UE
Data is explicitly transferred to the US. The policy states transfers use 'legally valid transfer mechanisms' and require 'an adequate level of data protection' but does not specify whether Standard Contractual Clauses, the EU-US Data Privacy Framework, or other mechanisms are relied upon. This is a significant gap for GDPR compliance.
Señales detectadas
Datos y prácticas específicas identificadas en el texto
Fragmentos de evidencia
Citas directas de la política que respaldan estos hallazgos
We do not use Inputs or Suggestions to train our models, or permit third parties to use them for training, unless: (1) they are flagged for security review (in which case we may analyze them to improve our ability to detect and enforce our Terms of Service), (2) you explicitly report them to us (for example, as Feedback), or (3) you've explicitly agreed to their use for such training purposes.
Anysphere retains your personal data only for as long as necessary to operate the Service effectively and to support legitimate business needs such as legal compliance, safety, dispute resolution, and enforcement of our agreements.
For users in the European Economic Area, ('EEA'), when you access our Service, your personal data may be transferred to our United States servers to other countries outside the EEA and the UK. Where information is transferred outside the EEA or the UK, we require an adequate level of data protection.
We do not 'sell' or 'share' personal data for cross-contextual behavioral advertising, and we do not process personal data for 'targeted advertising' purposes (as those terms are defined under applicable US state privacy laws).
The Service allows you to submit content ('Inputs'), which generate responses ('Suggestions') based on your Inputs. If you include personal data or reference external content in your Inputs, we will collect that information and it may be reproduced in the Suggestions we provide.
Ausente o poco claro
- Specific legal bases for each processing purpose (GDPR Article 13(1)(c))
- Specific retention periods or criteria per data category
- Identification of Data Protection Officer
- Identification of EU representative under GDPR Article 27
- Specific international transfer mechanism (SCCs, DPF, BCRs)
- Content of the jurisdiction-specific disclosures table referenced in Section 7
- Privacy Overview document referenced in the Introduction for model training details
- Cookie Policy details
- Subprocessor list content
- Details on how security review flagging works and its scope
- Whether DPIAs have been conducted
Preguntas que hacer
- What specific legal transfer mechanism do you rely on for EEA-to-US data transfers (Standard Contractual Clauses, EU-US Data Privacy Framework, or other), and can you provide the relevant documentation?
- What are the specific retention periods for each category of personal data, particularly for Inputs and Suggestions?
- Under what specific criteria is an Input 'flagged for security review,' and can you provide statistics on how often this exception is invoked?
- Who is your designated Data Protection Officer or EU representative, and how can data subjects contact them directly?
- Can you provide the complete subprocessor list including model providers, and specify which subprocessors have access to user Inputs?
- Have you conducted a Data Protection Impact Assessment for the processing of user Inputs, given the potential for sensitive or proprietary code content?
- What are the specific legal bases (consent, legitimate interest, contract performance) for each processing purpose listed in Section 2?
- How does the 'manage your preferences' mechanism for AI training opt-in/opt-out work technically, and is it enabled by default for all users?
Compartir este análisis
Cualquiera con este enlace puede ver el resultado anterior.
Creado por DentroChat
Chat de IA 100 % europeo para todos
Chatea con la IA, trabaja con archivos, genera imágenes y busca en la web. Los datos permanecen en Europa.