Privacy Policy — How Cursor Handles Your Data

This privacy policy explains how Cursor, operated by Anysphere Inc., collects, processes, stores, and protects your personal data and source code. Cursor is committed to transparency about data handling practices, particularly regarding code submitted to AI models for features like Tab completions, Composer, agent mode, and @codebase chat. Privacy Mode ensures your code is never stored on Cursor's servers or used for AI model training.

Cursor complies with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and maintains SOC 2 Type II certification for enterprise-grade data security. This policy covers account data, code data, usage analytics, cookies, third-party AI model providers, data retention, user rights, and international data transfers. Last updated: April 7, 2026.

Cursor Privacy Policy Overview — April 2026

  • Privacy Mode: code is not stored on Cursor servers and not used for AI model training
  • GDPR compliant: access, rectification, erasure, portability rights for EU users
  • CCPA compliant: right to know, delete, opt-out of sale for California residents
  • SOC 2 Type II certified: audited data security controls for enterprise requirements
  • AI model providers (Anthropic, OpenAI, Google) process code ephemerally via API agreements
  • Cookies: essential only by default, analytics and marketing require explicit consent
  • Data retention: account data retained while account is active, deleted upon request

1. Data We Collect

Cursor collects different categories of data depending on how you use the editor and which features are active. This section details each category, the purpose of collection, and the legal basis under GDPR.

Account Data

When you create a Cursor account, we collect your email address, display name, and authentication credentials (or OAuth tokens for Google/GitHub login). For paid plans, we collect billing information through our payment processor (Stripe) — Cursor does not store full credit card numbers. Account data is used for authentication, subscription management, and communication about your account. Legal basis: contractual necessity (GDPR Art. 6(1)(b)). Account data is retained while your account is active and deleted within 30 days of account deletion. Login details are secured with OAuth 2.0 and optional two-factor authentication.

Code Data

When you use AI features (Tab completions, Composer, agent mode, @codebase chat), code snippets from your editor are sent to AI model providers for processing. With Privacy Mode enabled, this data is processed ephemerally — sent to the model, used to generate a response, and discarded. Cursor's API agreements with Anthropic, OpenAI, and Google prohibit these providers from using your code for model training. Without Privacy Mode, Cursor may temporarily cache code context to improve response quality, but never uses it for training. Legal basis: legitimate interest (GDPR Art. 6(1)(f)).

Usage Analytics

Cursor collects anonymized usage telemetry: feature usage frequency (Tab completions, Composer, agent mode), error reports, performance metrics (response latency, crash data), and session duration. This data does not include code content — only aggregate metrics about how features are used. Telemetry helps prioritize feature development and identify performance regressions. You can opt out of telemetry in Settings > Privacy. Legal basis: legitimate interest (GDPR Art. 6(1)(f)). Enterprise customers can disable telemetry organization-wide. According to NIST SP 800-53 guidelines, anonymized telemetry collection aligns with privacy-by-design principles when opt-out is available.

Cookie Data

The Cursor website (cursor.com) uses essential cookies for authentication and session management. Analytics cookies (Google Analytics) and marketing cookies are only set after explicit consent via the cookie banner. The Cursor desktop application does not use browser cookies — authentication tokens are stored securely in the operating system's credential manager (macOS Keychain, Windows Credential Manager, Linux Secret Service). You can manage cookie preferences at any time through the cookie settings link in the website footer.

2. Privacy Mode — Code Data Protection

Privacy Mode is Cursor's flagship privacy feature. When enabled, your source code receives the strongest data protection guarantees available in any AI code editor.

How Privacy Mode Works

Enable Privacy Mode in Settings > Privacy > Enable Privacy Mode. When active, code snippets sent to AI model providers for Tab completions, Composer, agent mode, and @codebase chat are processed ephemerally. The AI model receives the code, generates a response, and the input is discarded — no server-side storage, no logging, no caching. Cursor's API agreements with Anthropic, OpenAI, and Google contractually enforce this ephemeral processing. Privacy Mode applies to all AI features uniformly and can be toggled per-project using Cursor Rules.

Privacy Mode for Enterprise

Enterprise customers receive additional privacy guarantees: dedicated API endpoints, custom data processing agreements (DPAs), the ability to restrict AI model providers to specific vendors, and audit logs for all AI interactions. SOC 2 Type II certification covers Cursor's data handling infrastructure — the annual audit verifies access controls, encryption, monitoring, and incident response procedures. Teams ($40/user/month) and Enterprise plans can enforce Privacy Mode organization-wide through admin settings, ensuring all team members operate under the same data protection standard. The security page details compliance certifications.

3. Third-Party AI Model Providers

Cursor integrates with multiple AI model providers. Each provider has its own data processing terms, governed by Cursor's API agreements.

Anthropic (Claude)

Claude Sonnet and Opus models are accessed via Anthropic's API. Under Cursor's commercial API agreement, Anthropic does not use API inputs (your code) for model training. Code is processed to generate responses and not retained beyond the request lifecycle. Anthropic's data handling is governed by their commercial API terms which provide zero-retention guarantees for API customers.

OpenAI (GPT)

GPT-4o and GPT-5.4 models are accessed via OpenAI's API. Under Cursor's API agreement, OpenAI does not use API inputs for model training. The commercial API terms include a zero-data-retention policy for enterprise API customers. Code submitted for completions and agent mode is processed ephemerally. OpenAI's data handling practices are detailed in their API data usage policy.

Google (Gemini)

Gemini models are accessed via Google Cloud's API. Under Cursor's agreement, Google does not use API inputs for model training. Google Cloud's AI Platform terms provide data processing guarantees aligned with Google's enterprise data commitments. Code processed through Gemini receives the same ephemeral treatment as code sent to Anthropic and OpenAI — processed, response generated, input discarded.

4. Your Rights Under GDPR and CCPA

Cursor respects your data rights under applicable privacy regulations. Exercise any of these rights by contacting privacy@cursor.com or through the in-app privacy settings.

GDPR Rights (EU/EEA Users)

  • Right to Access (Art. 15): Request a copy of all personal data Cursor holds about you.
  • Right to Rectification (Art. 16): Correct inaccurate personal data.
  • Right to Erasure (Art. 17): Request deletion of your personal data — account, usage data, and any cached code context.
  • Right to Portability (Art. 20): Receive your data in a machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interest.
  • Right to Restrict (Art. 18): Limit how your data is processed.

Cursor responds to all GDPR requests within 30 days. File requests at privacy@cursor.com or through the contact page.

CCPA Rights (California Residents)

  • Right to Know: Request disclosure of personal information collected, used, and shared.
  • Right to Delete: Request deletion of personal information.
  • Right to Opt-Out: Opt out of the sale of personal information — Cursor does not sell personal information, but this right is available as required by CCPA.
  • Right to Non-Discrimination: Cursor does not discriminate against users who exercise their CCPA rights.
  • Authorized Agents: You may designate an authorized agent to submit requests on your behalf.

Cursor verifies all CCPA requests within 10 business days and completes them within 45 days.

5. SOC 2 Compliance and Security Measures

Cursor maintains SOC 2 Type II certification, demonstrating ongoing compliance with industry-standard security controls for data protection.

SOC 2 Type II Certification

Cursor's SOC 2 Type II audit covers five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. The annual audit, conducted by an independent CPA firm, verifies that Cursor's data handling infrastructure meets or exceeds industry standards. Enterprise customers can request the SOC 2 report under NDA. The certification covers all systems involved in processing user data — authentication servers, API gateways, model routing infrastructure, and billing systems. The security page provides a detailed overview of Cursor's security posture.

Technical Security Measures

All data in transit is encrypted with TLS 1.3. Data at rest is encrypted with AES-256. Authentication tokens use OAuth 2.0 with short-lived access tokens and refresh token rotation. Infrastructure runs on SOC 2 compliant cloud providers with geographic redundancy. Access to production systems requires multi-factor authentication and follows the principle of least privilege. Security incidents trigger automated alerting with defined response procedures. Vulnerability management includes regular penetration testing and a responsible disclosure program. Contact security@cursor.com for security inquiries.

6. Data Retention and Deletion

Cursor retains data only as long as necessary for the purposes described in this policy. Here is how long each data category is retained.

| Data Category | Retention Period | Deletion Trigger | Notes |
|---|---|---|---|
| Account data (email, name) | While account active | Account deletion request | Deleted within 30 days of request |
| Billing data | 7 years (tax compliance) | Legal obligation expiry | Stored by Stripe, Cursor retains references |
| Code data (Privacy Mode ON) | Not retained | Immediate (ephemeral) | Processed and discarded by AI providers |
| Code data (Privacy Mode OFF) | Up to 30 days (cache) | Cache expiry or deletion request | Never used for model training |
| Usage telemetry | 24 months (anonymized) | Automatic expiry | Anonymized — no code content included |
| Cookie data (website) | Session to 12 months | Cookie expiry or browser clear | Analytics cookies require explicit consent |
| Support tickets | 36 months | Automatic expiry | Retained for quality assurance and legal |
| Audit logs (Enterprise) | Custom (up to 7 years) | Per enterprise agreement | Configurable retention per DPA terms |

7. International Data Transfers

Cursor is operated by Anysphere Inc., headquartered in the United States. For users outside the US, personal data may be transferred internationally.

EU/EEA Data Transfers

For EU/EEA users, data transfers to the United States are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission. Cursor executes SCCs with all data processors and sub-processors. Enterprise customers can request a Data Processing Agreement (DPA) that includes SCCs, supplementary measures, and transfer impact assessments. Cursor monitors regulatory developments and updates transfer mechanisms as required. The GDPR resource center provides additional guidance on international data transfers under the regulation.

Sub-Processors

Cursor uses the following sub-processors for data handling: Anthropic (AI model processing, USA), OpenAI (AI model processing, USA), Google Cloud (AI model processing and infrastructure, USA/global), Stripe (payment processing, USA), and cloud infrastructure providers for hosting. Each sub-processor is bound by data processing agreements that enforce security, confidentiality, and data protection standards equivalent to those described in this policy. A current list of sub-processors is available upon request at privacy@cursor.com.

8. Changes to This Policy

Cursor may update this privacy policy to reflect changes in data practices, legal requirements, or product features. Material changes are communicated via email to registered users and through an in-app notification. The "Last Updated" date at the top of this policy indicates when the most recent changes were made. Continued use of Cursor after policy changes constitutes acceptance of the updated terms. Previous versions of this policy are available upon request.

Contact for Privacy Inquiries

For questions about this privacy policy, data subject requests, or privacy concerns, contact Cursor's privacy team at privacy@cursor.com. For general inquiries, use the contact page. For security vulnerabilities, contact security@cursor.com. Cursor aims to respond to all privacy inquiries within 5 business days and completes data subject requests within the timeframes required by applicable law (30 days GDPR, 45 days CCPA).

Data Protection Officer

Cursor has designated a Data Protection Officer (DPO) responsible for overseeing compliance with GDPR and other data protection regulations. The DPO can be reached at dpo@cursor.com. EU/EEA users have the right to lodge a complaint with their local supervisory authority if they believe their data protection rights have been violated. Cursor cooperates fully with supervisory authority inquiries and investigations.

Frequently Asked Questions About Cursor Privacy

Answers to the most common privacy and data handling questions from Cursor users.

Does Cursor store my source code on its servers?

With Privacy Mode enabled, no. Code is sent to AI providers for processing and discarded after generating a response. Without Privacy Mode, Cursor may temporarily cache code context (up to 30 days) but never uses it for AI model training. Enable Privacy Mode in Settings > Privacy.

Is Cursor GDPR compliant?

Yes. Cursor complies with GDPR. Users can exercise access, rectification, erasure, and portability rights. Data processing agreements and Standard Contractual Clauses govern international transfers. Contact privacy@cursor.com for data subject requests.

Does Cursor use my code to train AI models?

No. Cursor does not use your code for model training. AI providers (Anthropic, OpenAI, Google) process code under commercial API agreements that prohibit training on API inputs. With Privacy Mode, processing is ephemeral. Read the security page for additional details.

Your Privacy Matters to Cursor

Cursor is built with privacy-by-design principles. Enable Privacy Mode for ephemeral code processing. Your source code is never used for AI model training. SOC 2 Type II certification ensures enterprise-grade security. Download Cursor and configure Privacy Mode in Settings. For questions, contact privacy@cursor.com or visit the contact page.
