Cursor states it does not use the code or text you type (Inputs) or the AI responses you receive (Suggestions) to train its models by default. This protection has three exceptions: if content is flagged for security review, if you report it as feedback, or if you explicitly opt in.
This analysis describes what Cursor's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The security review exception means that Inputs flagged for Terms of Service enforcement purposes may be analyzed by Anysphere, which is a conditional pathway that applies even without the user's explicit consent to training use.
The policy states your submitted code and AI-generated responses are excluded from model training by default, but content flagged for security review or reported as Feedback may be used for analysis. Users can manage their training preferences through in-Service settings.
How other platforms handle this
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
Cursor has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We do not use Inputs or Suggestions to train our models, or permit third parties to use them for training, unless: (1) they are flagged for security review (in which case we may analyze them to improve our ability to detect and enforce our Terms of Service), (2) you explicitly report them to us (for example, as Feedback), or (3) you've explicitly agreed to their use for such training purposes. You can find instructions in the Service on how to manage your preferences regarding the use of Inputs and Suggestions for training.— Excerpt from Cursor's Cursor Privacy Policy
(1) REGULATORY LANDSCAPE: This provision engages GDPR principles of purpose limitation and data minimization (Articles 5 and 6) for EEA users, as well as CCPA provisions governing use of personal data. The opt-in structure for training use aligns with consent-based processing requirements under GDPR Article 6(1)(a). The FTC has authority over deceptive practices related to data use representations for US users. (2) GOVERNANCE EXPOSURE: Medium. The provision creates a clearly defined opt-in default for training use, which reduces exposure for standard use cases. However, the security review exception introduces a processing pathway under which Inputs may be analyzed without user consent to training. Organizations handling proprietary or sensitive source code should evaluate whether this exception is compatible with their confidentiality obligations and data classification policies. (3) JURISDICTION FLAGS: EEA and UK users may evaluate whether the security review exception constitutes a separately identified legal basis under GDPR, given that it is not framed as consent. California users should note the policy's alignment with CCPA restrictions on use of personal data beyond disclosed purposes. Organizations in regulated industries (financial services, healthcare, legal) face heightened exposure if sensitive code or data is submitted as Inputs and subsequently falls within the security review exception. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should confirm whether customer agreements with Anysphere provide contractual limitations on the security review exception or additional protections for submitted code. The provision does not assert that flagged Inputs are retained or used for training, but the language authorizes analysis for enforcement purposes, which should be addressed in DPA negotiations. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should map internal data classification categories against the types of Inputs users submit to Cursor, and assess whether any categories of sensitive code could trigger the security review pathway. Consent mechanism reviews should confirm that the opt-in for training use is implemented as a genuine affirmative action rather than a pre-checked setting. Employee notification obligations may apply in jurisdictions requiring disclosure of workplace monitoring if administrators can access Input history.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The security review exception means that Inputs flagged for Terms of Service enforcement purposes may be analyzed by Anysphere, which is a conditional pathway that applies even without the user's explicit consent to training use.
The policy states your submitted code and AI-generated responses are excluded from model training by default, but content flagged for security review or reported as Feedback may be used for analysis. Users can manage their training preferences through in-Service settings.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cursor.