When Privacy Mode is on, Cursor contractually requires its AI model providers not to store your code or use it to train their models. This mode is on automatically for team members and can be turned on manually by any individual user.
This analysis describes what Cursor's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The document states that without Privacy Mode, code data may be stored or used for training by model providers; enabling it triggers contractual ZDR obligations on those third-party providers.
Interpretive note: The document does not specify which model providers are subject to ZDR terms, the precise scope of 'code data,' or what data handling applies when Privacy Mode is inactive.
This provision directly affects how code data submitted through Cursor is handled by third-party AI model providers: the document states that Privacy Mode prevents storage and training use of code data by those providers through contractual ZDR terms. Users on individual plans should verify Privacy Mode is enabled in Settings if they do not want their code processed beyond immediate inference.
Cross-platform context
See how other platforms handle Privacy Mode and Zero Data Retention and similar clauses.
Compare across platforms →Monitoring
Cursor has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Privacy Mode can be enabled in settings or by a team or enterprise admin. When enabled, we implement technical controls and contractual requirements - such as Zero Data Retention (ZDR) terms with our model providers - so that code data is not stored by our model providers or used for training. Privacy Mode is available to anyone (free or Pro) and is enabled by default for members of a team.— Excerpt from Cursor's Cursor Security Practices
(1) REGULATORY LANDSCAPE: This provision engages GDPR Article 28 processor and sub-processor obligations, as ZDR contractual terms with model providers constitute a data processing control that data controllers relying on Cursor may need to reflect in their own DPAs. CCPA service provider restrictions on secondary use of personal information are also relevant where code data contains personal information. The FTC Act's prohibition on unfair or deceptive practices applies to the accuracy of the ZDR commitment as disclosed. (2) GOVERNANCE EXPOSURE: Medium. The provision asserts a contractual commitment to ZDR with model providers when Privacy Mode is active, but the document does not name those providers, specify the scope of 'code data' covered, or address what happens to data processed before Privacy Mode is enabled. The gap between the stated commitment and the absence of supporting documentation creates governance risk for enterprise customers who rely on this representation in their own compliance frameworks. (3) JURISDICTION FLAGS: EU and EEA customers processing personal data in code will face heightened scrutiny under GDPR if ZDR terms are not reflected in documented sub-processor agreements. California customers should evaluate whether code data constitutes personal information under CCPA for purposes of service provider restrictions. Enterprise customers in regulated industries (financial services, healthcare) should assess whether ZDR alone satisfies their sector-specific data handling requirements. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should request written confirmation of ZDR terms from Cursor and ask for the identity of model providers subject to those terms. The provision asserts a contractual obligation on model providers but does not grant customers direct audit or enforcement rights against those providers. This is a standard limitation in SaaS sub-processor arrangements but may require explicit DPA language to satisfy GDPR Article 28 obligations. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should map which Cursor usage scenarios fall within Privacy Mode scope and which do not. Teams should confirm that Privacy Mode is enforced at the organizational level via admin controls rather than relying on individual user settings. The document should be reviewed against the actual DPA or terms of service for any additional representations about data use outside of Privacy Mode.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The document states that without Privacy Mode, code data may be stored or used for training by model providers; enabling it triggers contractual ZDR obligations on those third-party providers.
This provision directly affects how code data submitted through Cursor is handled by third-party AI model providers: the document states that Privacy Mode prevents storage and training use of code data by those providers through contractual ZDR terms. Users on individual plans should verify Privacy Mode is enabled in Settings if they do not want their code processed beyond immediate …
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Cursor.