What can I do about this clause?

{'method': 'EMAIL', 'recipient': 'hi@cursor.com', 'difficulty': 'MODERATE', 'action_type': 'DELETE_DATA', 'instructions': 'Contact Cursor at hi@cursor.com to request deletion of stored codebase embeddings and metadata associated with your account.', 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'FTC', 'reason': 'The FTC has jurisdiction over data retention practices and the adequacy of disclosures regarding what data is stored and for how long.', 'complaint_url': 'https://reportfraud.ftc.gov/'}

What is the severity of this clause?

ConductAtlas classifies this Codebase Indexing and Embedding Storage clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Codebase Indexing and Embedding Storage — Cursor

Share 𝕏 Share in Share 🔒 PDF

Monitor governance changes for Cursor Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

If you use Cursor's codebase indexing feature, your code is uploaded in chunks to Cursor's servers; the plaintext code is deleted after each request, but embeddings and metadata including file names and hashes may be stored indefinitely.

ⓘ

This analysis describes what Cursor's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision establishes that codebase indexing results in persistent storage of embeddings and metadata (including file names and hashes) even though plaintext code is not retained, which may have implications for users with confidential codebases.

⚠

Interpretive note: The document does not specify a retention period for stored embeddings and codebase metadata, creating ambiguity about how long this data is held.

Consumer impact (what this means for users)

The document states that using codebase indexing results in the storage of embeddings and metadata including file hashes and file names in Cursor's database, even though plaintext code is not retained after the request; users with proprietary or confidential codebases should assess the sensitivity of this metadata.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

Contact Cursor at hi@cursor.com to request deletion of stored codebase embeddings and metadata associated with your account.

Cross-platform context

See how other platforms handle Codebase Indexing and Embedding Storage and similar clauses.

Compare across platforms →

Monitoring

Cursor has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.

Start Watcher free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
If you choose to index your codebase, Cursor will upload your codebase in small chunks to our server to compute embeddings, but all plaintext code for computing embeddings ceases to exist after the life of the request. The embeddings and metadata about your codebase (hashes, file names) may be stored in our database.

— Excerpt from Cursor's Cursor Data Use & Privacy Overview

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY LANDSCAPE: Persistent storage of embeddings and file metadata may constitute processing of personal or commercially sensitive data depending on the codebase content and applicable jurisdiction. GDPR data minimization and storage limitation principles apply to the retention of embeddings and metadata. CCPA disclosure requirements apply to this storage practice. The document does not specify a retention period for stored embeddings and metadata. (2) GOVERNANCE EXPOSURE: Medium. While plaintext code is not retained after the request lifecycle, the persistent storage of embeddings and file-level metadata (names, hashes) may enable reconstruction of structural information about a codebase, which is commercially sensitive for many organizations. The document does not address deletion of stored embeddings upon account closure or user request. (3) JURISDICTION FLAGS: EU/EEA users may raise GDPR storage limitation concerns given the absence of a defined retention period for embeddings and metadata. Organizations in regulated industries should assess whether file names or structural metadata constitute confidential information under applicable regulatory frameworks. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise contracts should address the retention and deletion of codebase embeddings and metadata, particularly upon contract termination. Procurement teams should confirm whether deletion of stored embeddings is available upon request and what timeline applies. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should assess whether embeddings and file metadata from organizational codebases are covered by existing DPAs, and confirm whether a deletion mechanism exists for this stored data. The absence of a stated retention period for embeddings and metadata should be clarified with Cursor.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Watcher free for 14 days

Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.

Applicable agencies

FTC

The FTC has jurisdiction over data retention practices and the adequacy of disclosures regarding what data is stored and for how long.
File a complaint →

Provision details

Document information

Document

Cursor Data Use & Privacy Overview

Entity

Cursor

Document last updated

May 11, 2026

Tracking information

First tracked

May 11, 2026

Last verified

May 12, 2026

Record ID

CA-P-011154

Document ID

CA-D-00764

Evidence Provenance

Source URL

https://cursor.com/data-use

Wayback Machine

View archived versions →

Content hash (SHA-256)

7bd016281b3f2dcf271223558f9511f2d93cc13a84b3a147251127ce1af62024

Analysis generated

May 11, 2026 13:09 UTC

Methodology

summarize_document-v8

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: Cursor
Document: Cursor Data Use & Privacy Overview
Record ID: CA-P-011154
Captured: 2026-05-11 13:09:42 UTC
SHA-256: 7bd016281b3f2dcf…
URL: https://conductatlas.com/platform/cursor/cursor-data-use-privacy-overview/codebase-indexing-and-embedding-storage/
Accessed: May 13, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

Professional Governance Intelligence

Need to monitor specific governance provisions?

Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Professional free trial

Or start with Watcher →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does Cursor's Codebase Indexing and Embedding Storage clause do?

How does this clause affect you?

Is ConductAtlas affiliated with Cursor?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cursor.