Cursor states it does not use the code or text you type (Inputs) or the AI responses you receive (Suggestions) to train its models by default. This protection has three exceptions: if content is flagged for security review, if you report it as feedback, or if you explicitly opt in.
This analysis describes what Cursor's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The security review exception means that Inputs flagged for Terms of Service enforcement purposes may be analyzed by Anysphere, which is a conditional pathway that applies even without the user's explicit consent to training use.
The policy states your submitted code and AI-generated responses are excluded from model training by default, but content flagged for security review or reported as Feedback may be used for analysis. Users can manage their training preferences through in-Service settings.
How other platforms handle this
Writer does not use Customer Data to train its AI models without explicit customer permission. Customer Data means the data, content, and information that customers and their end users submit to or through the Services.
We may use the content you provide to us, including prompts and generated images, to train and improve our AI models and services.
We are simplifying our Terms of Use, including clarifications around the use of AI tools, and their data use. We have moved the terms that describe AI Features, which were previously written for a Creator audience and located under the AI-Based Tools Supplemental Terms and Disclaimer, into the User ...
Monitoring
Cursor has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We do not use Inputs or Suggestions to train our models, or permit third parties to use them for training, unless: (1) they are flagged for security review (in which case we may analyze them to improve our ability to detect and enforce our Terms of Service), (2) you explicitly report them to us (for example, as Feedback), or (3) you've explicitly agreed to their use for such training purposes. You can find instructions in the Service on how to manage your preferences regarding the use of Inputs and Suggestions for training.— Excerpt from Cursor's Cursor Privacy Policy
(1) REGULATORY LANDSCAPE: This provision engages GDPR principles of purpose limitation and data minimization (Articles 5 and 6) for EEA users, as well as CCPA provisions governing use of personal data. The opt-in structure for training use aligns with consent-based processing requirements under GDPR Article 6(1)(a). The FTC has authority over deceptive practices related to data use representations for US users. (2) GOVERNANCE EXPOSURE: Medium. The provision creates a clearly defined opt-in default for training use, which reduces exposure for standard use cases. However, the security review exception introduces a processing pathway under which Inputs may be analyzed without user consent to training. Organizations handling proprietary or sensitive source code should evaluate whether this exception is compatible with their confidentiality obligations and data classification policies. (3) JURISDICTION FLAGS: EEA and UK users may evaluate whether the security review exception constitutes a separately identified legal basis under GDPR, given that it is not framed as consent. California users should note the policy's alignment with CCPA restrictions on use of personal data beyond disclosed purposes. Organizations in regulated industries (financial services, healthcare, legal) face heightened exposure if sensitive code or data is submitted as Inputs and subsequently falls within the security review exception. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should confirm whether customer agreements with Anysphere provide contractual limitations on the security review exception or additional protections for submitted code. The provision does not assert that flagged Inputs are retained or used for training, but the language authorizes analysis for enforcement purposes, which should be addressed in DPA negotiations. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should map internal data classification categories against the types of Inputs users submit to Cursor, and assess whether any categories of sensitive code could trigger the security review pathway. Consent mechanism reviews should confirm that the opt-in for training use is implemented as a genuine affirmative action rather than a pre-checked setting. Employee notification obligations may apply in jurisdictions requiring disclosure of workplace monitoring if administrators can access Input history.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
How 10 AI platforms describe the use of user data for model training, improvement, and development, based on archived governance provisions.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The security review exception means that Inputs flagged for Terms of Service enforcement purposes may be analyzed by Anysphere, which is a conditional pathway that applies even without the user's explicit consent to training use.
The policy states your submitted code and AI-generated responses are excluded from model training by default, but content flagged for security review or reported as Feedback may be used for analysis. Users can manage their training preferences through in-Service settings.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cursor.