If your employer or another organization set up your Cursor account, this privacy policy may not apply to you. Instead, how your data is handled is governed by the contract between Anysphere and that organization.
This analysis describes what Cursor's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Employees or users whose accounts are provisioned by an organization may not have the same rights or protections described in this policy; their data rights depend entirely on the terms of the agreement between their employer and Anysphere.
The policy states it does not govern data processing for employer-provisioned accounts; those users' data rights depend on the employer's customer agreement with Anysphere, which the employee may not have direct access to.
How other platforms handle this
Our Service allows customers to submit, manage or otherwise use content relating to others, such as end users of applications built and managed through the Service or their employees and contractors ("Customer Data"). We use such Customer Data primarily as a processor, meaning we process such Custom...
When Okta provides its products and services to its customers (e.g., organizations that use Okta to manage their workforce or Auth0 to manage their customer identity), Okta processes personal data on behalf of those customers as a data processor. In those cases, the customer is the data controller a...
We may de-identify, anonymize, or aggregate information we collect so the information cannot reasonably identify you or your device, or we may collect information that is already in de-identified form. For example, we may disclose performance benchmark data and other aggregated, anonymized, or de-id...
Monitoring
Cursor has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Please note that this Privacy Policy does not apply where Anysphere acts as a data processor and processes personal data on behalf of commercial customers using our commercial services, for example, if your employer has provisioned a Cursor account for you to use at work. Our use of that data is governed by our customer agreements covering access to and use of those offerings.— Excerpt from Cursor's Cursor Privacy Policy
(1) REGULATORY LANDSCAPE: This provision engages GDPR Article 28 (processor obligations) for EEA users, as commercial customer agreements must include Data Processing Agreement terms meeting GDPR requirements. CCPA similarly distinguishes between business-to-consumer and business-to-business data processing contexts. The carve-out means the enterprise customer (employer) bears primary GDPR controller responsibility for employee data processed through Cursor. (2) GOVERNANCE EXPOSURE: High for enterprise procurement. Organizations deploying Cursor for employees must ensure their customer agreement with Anysphere includes an adequate DPA, defines permitted processing purposes, addresses the security review exception, and establishes audit rights and breach notification procedures. Absence of a compliant DPA creates GDPR Article 28 exposure for the employer-controller. (3) JURISDICTION FLAGS: EEA and UK organizations face the highest exposure, as GDPR Article 28 mandates specific contractual terms for processor relationships. California employers should verify CCPA service provider agreement requirements are met. Organizations in regulated industries (financial services, healthcare, legal) must assess whether use of Cursor by employees constitutes processing of regulated data categories under applicable sector law. (4) CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should request Anysphere's standard DPA, review subprocessor authorization and notification procedures (trust.cursor.com/subprocessors), and assess whether the security review exception is subject to contractual limitation. Liability allocation and indemnification terms in the customer agreement are not addressed in this policy. (5) COMPLIANCE CONSIDERATIONS: Organizations should conduct a data mapping exercise to identify what categories of personal data employees submit as Inputs, assess adequacy of the Anysphere DPA against GDPR Article 28 requirements, and consider whether employee privacy notices need updating to disclose Cursor's data processing activities.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Employees or users whose accounts are provisioned by an organization may not have the same rights or protections described in this policy; their data rights depend entirely on the terms of the agreement between their employer and Anysphere.
The policy states it does not govern data processing for employer-provisioned accounts; those users' data rights depend on the employer's customer agreement with Anysphere, which the employee may not have direct access to.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cursor.