Cursor: Privacy, Training & Output Ownership

Sensitive Data

Confidentiality is contingent on enabling 'Privacy Mode' (free for all users) and is not HIPAA-certified for PHI by default.

Training

Data is not used for training if 'Privacy Mode' is enabled; however, standard telemetry and code data are collected in default mode.

In its default configuration, Cursor may collect telemetry, usage data, prompts, editor actions, and code snippets to improve its underlying models. By activating 'Privacy Mode' in Settings > General, users trigger Zero Data Retention (ZDR) agreements with upstream providers like OpenAI and Anthropic — all requests route through separate server replicas where logging is disabled, and no data is stored or utilized for future model training. 'Local/Ghost Mode' goes further by processing everything on-device with no external server communication, using local open-source models like Llama, Mistral, or DeepSeek.

Output Ownership

Users retain full ownership of both their codebase inputs and the AI-generated suggestions.

The Terms of Service explicitly state that users own all intellectual property generated by the tool. Anysphere, Inc. retains rights only to the software itself and any user-submitted feedback, ensuring that the generated code belongs to the developer or their employer.

Data Retention

Retention policies depend on the tier and mode. In standard mode (Privacy Mode off), prompts may be stored for up to 30 days for safety monitoring by third-party subprocessors. In Privacy Mode, Cursor guarantees transient processing where original code is discarded immediately after the request is fulfilled. For Business accounts, Privacy Mode is enforced by default via organizational policy and verified every 5 minutes.

Security Measures

Cursor is SOC 2 Type II certified (verifiable at trust.cursor.com) and utilizes encryption for data in transit. For codebase indexing, it uses a one-way mathematical embedding process with client-side file path obfuscation, ensuring the vector database never stores raw source code. Annual third-party penetration testing is conducted. However, critical vulnerabilities were discovered in 2025: CurXecute (CVE-2025-54135) demonstrated that malicious Slack messages summarized by Cursor could rewrite MCP configurations and execute arbitrary commands, and MCPoison (CVE-2025-54136) enabled persistent team-wide compromise through shared repository configurations.

Your Rights & Control

Users maintain the right to export or delete their data. Account deletion ensures the full removal of indexed codebases and metadata from primary systems and backups within a 30-day compliance window.

Special Considerations

For legal and medical professionals, standard use of Cursor (with Privacy Mode off) may constitute disclosure to a third party, potentially waiving attorney-client or physician-patient privilege. Professional use should be restricted to Business tier deployments where Privacy Mode is enforced by default. Auto-Run Mode should always be disabled in professional settings to prevent Cursor from executing unauthorized commands without developer review. Cursor now uses a compute-credit pricing model (Pro ~$20/mo, Ultra ~$200/mo) rather than fixed request caps.