cursor.com privacy policy — score 62/100 (medium risk)

Senast analyserad

Rapportinnehållet (sammanfattning, fynd, citat) genererades på engelska och är inte lokaliserat.

Kör en ny analys på en annan policy

Anysphere, Inc. · cursor.com

Rapportdetaljer

medium risk

Cursor (Anysphere) promises not to use your code inputs for AI training by default and doesn't sell your data, but it collects a sweeping range of personal and usage data, ships it to the US with vague transfer safeguards, and leaves key details like retention periods and legal bases unspecified.

The privacy policy for Cursor (Anysphere, Inc.) covers a broad spectrum of data collection from account details to all user inputs and suggestions. While the policy stands out positively for its default prohibition on using Inputs/Suggestions for model training and its commitment not to sell data or engage in targeted advertising, significant gaps remain. Retention periods are undefined, the legal bases for processing are referenced in an empty table, international transfer mechanisms are unspecified beyond generic assurances, and several critical documents (Privacy Overview, Cookie Policy, subprocessor list) are referenced but not provided. The broad collection of Inputs—which in a coding tool may contain proprietary or sensitive information—combined with sharing to model providers and cloud infrastructure partners raises data minimization concerns.

Senast analyserad
KällaURL
Längd18,566 tecken

Bedömning per kategori

Uppdelning av policyn över viktiga efterlevnadsområden. Bra = stark, rimlig = blandad, dålig = oroande.

Data Minimizationpoor

The policy collects all user Inputs and Suggestions, device/log/usage data, and location information without clearly limiting collection to what is strictly necessary for service provision.

Transparencyfair

The policy is clearly written and structured, but it references multiple external documents (Privacy Overview, Cookie Policy, subprocessor list) that are not included, and the jurisdiction-specific legal basis table appears empty.

Third-party Sharingfair

Data is shared with a broad range of service providers including model providers and cloud infrastructure, but no specific subprocessors are named in the policy itself and the referenced list is external.

International Transferspoor

EEA users' data is transferred to US servers with only a generic commitment to 'legally valid transfer mechanisms' and 'adequate level of data protection'—no specific mechanism (SCCs, DPF, BCRs) is identified.

AI/Model Traininggood

Inputs and Suggestions are explicitly not used for model training by default, with only narrow exceptions (security review, explicit Feedback, or explicit opt-in), and users can manage their preferences.

User Rightsfair

The policy lists access, deletion, correction, portability, objection, restriction, and consent withdrawal rights, but provides only a generic email contact and does not mention a DPO or EU representative.

Viktiga fynd

Anmärkningsvärda klausuler, problem eller positiva rutiner (kritiska först)

Varning

Broad collection of user Inputs and Suggestions without clear minimization

Section 1(A) states that all Inputs (content submitted by the user) and Suggestions (AI-generated responses) are collected. For a coding tool, Inputs may contain proprietary source code, API keys, credentials, or other sensitive data. The policy does not describe any technical measures to filter or minimize what is retained from Inputs, only that they are collected in full.

Varning

Vague and undefined retention periods

Section 4 states only that data is retained 'as long as necessary to operate the Service effectively and to support legitimate business needs' and that 'the appropriate retention period varies.' No specific timeframes or criteria are provided for any data category, making it impossible for users to understand how long their data persists.

Varning

International transfer mechanism unspecified

Section 6 acknowledges that EEA users' data is transferred to US servers but only states that 'we only transfer data in accordance with legally valid transfer mechanisms' and 'we require an adequate level of data protection.' The specific legal mechanism (Standard Contractual Clauses, EU-US Data Privacy Framework certification, Binding Corporate Rules) is not identified, which is a GDPR transparency requirement.

Varning

Jurisdiction-specific legal basis table is empty or not provided

Section 7 references a table that 'supplements this Privacy Policy by providing additional details about the purpose of data collection, type of data collected, and legal basis,' but the table content is not included in the provided text. Without this, GDPR Article 13 requirements for specifying legal bases are unmet.

Varning

Security review exception could expand data use beyond user expectations

Section 2's first exception to the no-training rule allows use of Inputs/Suggestions 'flagged for security review' to 'improve our ability to detect and enforce our Terms of Service.' This is a potentially broad exception that could allow model training on user data without explicit consent if it is deemed a security concern.

Varning

No Data Protection Officer or EU representative identified

The policy provides only a generic contact email (hi@cursor.com) and does not identify a Data Protection Officer, EU representative under GDPR Article 27, or any dedicated privacy contact role, which may be required given processing of EEA residents' data.

Info

Default opt-out from AI training is a strong positive

Section 2 explicitly states: 'We do not use Inputs or Suggestions to train our models, or permit third parties to use them for training, unless: (1) they are flagged for security review... (2) you explicitly report them to us... or (3) you've explicitly agreed to their use for such training purposes.' This is a privacy-protective default that exceeds industry norms for AI tools.

Sammanfattning för användaren

Your code and prompts are not used to train Cursor's AI by default, which is a rare and welcome protection, but everything you type still flows through their systems and can be accessed for security review, and your data is sent to the US without clear legal safeguards.

Efterlevnadsställning

Partially compliant with GDPR principles; strong on purpose limitation for AI training but weak on data minimization, storage limitation, and international transfer specificity.

EU-överföringar

Data is explicitly transferred to the US. The policy states transfers use 'legally valid transfer mechanisms' and require 'an adequate level of data protection' but does not specify whether Standard Contractual Clauses, the EU-US Data Privacy Framework, or other mechanisms are relied upon. This is a significant gap for GDPR compliance.

Upptäckta signaler

Specifika datapunkter och rutiner identifierade i texten

Insamlad data
NameEmail addressPayment informationUser Inputs (code, prompts, content)AI Suggestions (generated responses)Communication contentFeedback and rated exchangesDevice type and browser informationOperating system informationMobile network or ISPIP addressBrowser type and settingsError logsBrowsing historySearch queriesLinks clickedPages viewedUsage timestampsCookie and tracking pixel dataApproximate geographic location
Behandlingsändamål
Service provision and maintenanceAccount creation and administrationPayment processingService improvement and researchDebugging and issue repairCommunications about the ServiceFraud detection and preventionSecurity incident investigationLegal complianceTerms of Service enforcementDispute resolutionSafety monitoringAggregated analytics
Delning med tredje part
Third-party vendors and service providers (hosting, cloud infrastructure, model providers, analytics, customer support, safety monitoring, communications, payment processing, compliance, IT)Affiliates under common controlGovernment authorities and law enforcementBusiness transfer counterparties and advisersThird-party services and integrationsBusiness account administratorsOther users (via sharing features)
Internationella överföringar
Data transferred to US serversTransfers outside EEA and UKGeneric commitment to 'legally valid transfer mechanisms'Generic commitment to 'adequate level of data protection'No specific mechanism identified (SCCs, DPF, BCRs)
AI / Modellträning
Inputs and Suggestions NOT used for model training by defaultException: data flagged for security review may be analyzedException: explicitly reported Feedback may be usedException: explicit user opt-in/agreementUsers can manage preferences regarding training use of Inputs/SuggestionsThird parties not permitted to use Inputs/Suggestions for training unless exceptions apply

Bevisutdrag

Direkta citat från policyn som stödjer dessa fynd

We do not use Inputs or Suggestions to train our models, or permit third parties to use them for training, unless: (1) they are flagged for security review (in which case we may analyze them to improve our ability to detect and enforce our Terms of Service), (2) you explicitly report them to us (for example, as Feedback), or (3) you've explicitly agreed to their use for such training purposes.

Anysphere retains your personal data only for as long as necessary to operate the Service effectively and to support legitimate business needs such as legal compliance, safety, dispute resolution, and enforcement of our agreements.

For users in the European Economic Area, ('EEA'), when you access our Service, your personal data may be transferred to our United States servers to other countries outside the EEA and the UK. Where information is transferred outside the EEA or the UK, we require an adequate level of data protection.

We do not 'sell' or 'share' personal data for cross-contextual behavioral advertising, and we do not process personal data for 'targeted advertising' purposes (as those terms are defined under applicable US state privacy laws).

The Service allows you to submit content ('Inputs'), which generate responses ('Suggestions') based on your Inputs. If you include personal data or reference external content in your Inputs, we will collect that information and it may be reproduced in the Suggestions we provide.

Saknas eller otydligt

  • Specific legal bases for each processing purpose (GDPR Article 13(1)(c))
  • Specific retention periods or criteria per data category
  • Identification of Data Protection Officer
  • Identification of EU representative under GDPR Article 27
  • Specific international transfer mechanism (SCCs, DPF, BCRs)
  • Content of the jurisdiction-specific disclosures table referenced in Section 7
  • Privacy Overview document referenced in the Introduction for model training details
  • Cookie Policy details
  • Subprocessor list content
  • Details on how security review flagging works and its scope
  • Whether DPIAs have been conducted

Frågor att ställa

  • What specific legal transfer mechanism do you rely on for EEA-to-US data transfers (Standard Contractual Clauses, EU-US Data Privacy Framework, or other), and can you provide the relevant documentation?
  • What are the specific retention periods for each category of personal data, particularly for Inputs and Suggestions?
  • Under what specific criteria is an Input 'flagged for security review,' and can you provide statistics on how often this exception is invoked?
  • Who is your designated Data Protection Officer or EU representative, and how can data subjects contact them directly?
  • Can you provide the complete subprocessor list including model providers, and specify which subprocessors have access to user Inputs?
  • Have you conducted a Data Protection Impact Assessment for the processing of user Inputs, given the potential for sensitive or proprietary code content?
  • What are the specific legal bases (consent, legitimate interest, contract performance) for each processing purpose listed in Section 2?
  • How does the 'manage your preferences' mechanism for AI training opt-in/opt-out work technically, and is it enabled by default for all users?
Den här analysen genereras av AI och är inte juridisk rådgivning. Rådfråga alltid en kvalificerad jurist för efterlevnadsbeslut.

Dela den här analysen

Alla med den här länken kan se resultatet ovan.

Byggd av DentroChat

100 % europeisk AI-chatt för alla

Chatta med AI, arbeta med filer, generera bilder och sök på webben. Data stannar i Europa.

Infrastruktur hostad i EUText, filer, bilder och webbsökningSnabb-, Tänk- och Kreativ-lägenIntegritet först som standardIngen data lämnar Europa
Prova gratis →