Cursor · Cursor Terms of Service

Prohibition on Regulated Data Submission

High severity

What it is

You are prohibited from submitting health records, payment card data, or financial account data to Cursor. If you do, you are in breach of the Terms and bear all resulting liability.

Consumer impact (what this means for users)

This clause shifts all responsibility for regulated data onto the user — if you or your organization submits HIPAA, PCI, or GLBA-regulated data to Cursor (even accidentally), Anysphere bears no liability and you are in material breach of these Terms, potentially triggering regulatory enforcement against you.


Why it matters (compliance & risk perspective)

Developers working in healthcare, fintech, or financial services who inadvertently paste regulated data into Cursor's AI prompts face significant regulatory liability with no contractual protection from Anysphere.

Original clause language
you may not: ... (x) send or otherwise provide to Anysphere data or information that is subject to specific protections under applicable laws beyond any requirements that apply to "personal information" or "personal data" generally, such as for illustrative purposes, information that is regulated by the Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standard, the Gramm-Leach-Bliley Act, and other U.S. federal, state or foreign laws applying specific security standards

Institutional analysis (Compliance & legal intelligence)

1. REGULATORY FRAMEWORK: This provision directly implicates HIPAA (45 CFR Parts 160 and 164 — Privacy and Security Rules), PCI DSS (Payment Card Industry Data Security Standard v4.0), and GLBA (15 U.S.C. §6801 — Safeguards Rule, 16 CFR Part 314). The prohibition operates as a contractual disclaimer shifting regulatory liability to the user. HHS OCR enforces HIPAA with fines up to $1.9M per violation category per year. The FTC enforces the GLBA Safeguards Rule. PCI DSS is enforced by card brands and acquiring banks. 2.


Applicable agencies

  • HHS OCR
    HHS OCR enforces HIPAA, and submission of protected health information to Cursor without a BAA constitutes a potential HIPAA violation by covered entities and business associates.
  • FTC
    The FTC enforces the GLBA Safeguards Rule (16 CFR Part 314) against financial institutions that fail to protect customer financial data, including through third-party AI tools.

Provision details

Document information
Document: Cursor Terms of Service
Entity: Cursor
Document last updated: April 29, 2026
Tracking information
First tracked: April 30, 2026
Last verified: April 30, 2026
Record ID: CA-P-004343
Document ID: CA-D-00453
Evidence Provenance
Source URL
Wayback Machine
SHA-256: 43f1d1b81f2bbb689af2a3a9e66bd45d4b0226b8fabfcd5adee69e1049877d90
Verified: ✓ Snapshot stored, ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: Cursor | Document: Cursor Terms of Service | Record: CA-P-004343
Captured: 2026-04-30 08:53:33 UTC | SHA-256: 43f1d1b81f2bbb68…
URL: https://conductatlas.com/platform/cursor/cursor-terms-of-service/prohibition-on-regulated-data-submission/
Accessed: May 2, 2026
Classification
Severity: High
Categories
