cursor-privacy-settings

# Cursor Privacy Settings

Configure Cursor's privacy controls to protect your code and data. Covers Privacy Mode, data handling policies, file exclusion, telemetry, and enterprise security settings.

## Privacy Mode

### What Privacy Mode Does

| With Privacy Mode ON | With Privacy Mode OFF |
|---------------------|----------------------|
| Zero data retention at model providers | Providers may retain data per their policies |
| Code not used for training (Cursor or providers) | Code may be used to improve AI models |
| Embeddings computed without storing source | Same embedding behavior |
| Telemetry: anonymous usage only | Telemetry may include code snippets |

### Enabling Privacy Mode

**Individual:**
`Cursor Settings` > `General` > `Privacy Mode` > ON

**Team enforcement (Business/Enterprise):**
Admin Dashboard > Privacy > "Enforce Privacy Mode for all members"

When team-enforced:
- Individual users cannot disable Privacy Mode
- Client pings server every 5 minutes to verify enforcement
- New members automatically have Privacy Mode enabled

### Verifying Privacy Mode

1. `Cursor Settings` > `General` -- check Privacy Mode toggle
2. [cursor.com/settings](https://cursor.com/settings) -- shows account-level status
3. For teams: Admin Dashboard shows enforcement status per member

## Data Flow: Where Your Code Goes

```
Your Code in Editor
       │
       ├─► Tab Completion ──► Cursor's proprietary model server
       │                      (zero retention with Privacy Mode)
       │
       ├─► Chat/Composer ──► Model provider (OpenAI/Anthropic/Google)
       │                     (zero retention agreements in place)
       │
       ├─► Codebase Index ─► Cursor embedding API ─► Turbopuffer (vector DB)
       │                     (embeddings only, no plaintext code)
       │
       └─► BYOK ───────────► Your API provider directly
                             (your provider's data policy applies)
```

### What IS Stored

| Data | Stored Where | Retention |
|------|-------------|-----------|
| Embeddings (vectors) | Turbopuffer (cloud) | Until project re-indexed |
| Obfuscated file metadata | Cursor servers | Active session only |
| Anonymous telemetry | Cursor analytics | Aggregated, no PII |
| Account info | Cursor auth servers | While account active |

### What Is NOT Stored (Privacy Mode ON)

- Plaintext source code
- Chat prompts and responses
- File contents sent for completion
- Code snippets from Tab suggestions

## Sensitive File Exclusion

### .cursorignore (Best-Effort AI Exclusion)

```gitignore
# .cursorignore -- prevent files from AI features + indexing

# Credentials and secrets
.env
.env.*
.env.local
.env.production
**/secrets/
**/credentials/
**/*.pem
**/*.key
**/*.p12

# Regulated data
**/pii/
**/hipaa/
**/financial-data/

# Internal configuration
.cursor-config-private
infrastructure/terraform.tfvars
```

**Important:** `.cursorignore` is best-effort. Due to LLM unpredictability, it is not a hard security boundary. Do not rely solely on `.cursorignore` to protect truly sensitive data.

### Defense in Depth

```
Layer 1: .gitignore        → Secrets never in repo
Layer 2: .env files        → Config via environment variables
Layer 3: .cursorignore     → Best-effort AI exclusion
Layer 4: Privacy Mode      → Zero data retention at providers
Layer 5: BYOK + Azure      → Route through your own infrastructure
```

## Telemetry Configuration

### What Cursor Collects

With Privacy Mode ON, telemetry is limited to:
- Feature usage counts (how often Chat/Composer/Tab used)
- Error reports (crashes, not code content)
- Performance metrics (response times)
- Extension compatibility data

### Disabling Telemetry

```json
// settings.json
{
  "telemetry.telemetryLevel": "off"
}
```

Or: `Cursor Settings` > search "telemetry" > set to "off"

**Note:** Disabling telemetry may reduce Cursor's ability to diagnose issues affecting your account.

## Network Security

### Required Domains

Allowlist these domains in corporate firewalls/proxies:

```
api.cursor.com           → AI API requests
api2.cursor.com          → AI API requests (fallback)
auth.cursor.com          → Authentication
*.turbopuffer.com        → Codebase indexing (embeddings)
download.cursor.com      → Updates
```

### Proxy Configuration

```json
// settings.json
{
  "http.proxy": "http://proxy.corp.com:8080",
  "http.proxyStrictSSL": true,
  "http.proxyAuthorization": "Basic base64-encoded-credentials"
}
```

### TLS/SSL

All Cursor API communication uses TLS 1.2+. Certificate pinning is not supported, so corporate SSL inspection proxies work (add proxy CA to system trust store).

## Compliance Mapping

### SOC 2

| Control | Cursor Coverage |
|---------|----------------|
| CC6.1 Logical access | SSO, RBAC, MFA via IdP |
| CC6.6 System boundaries | Privacy Mode, .cursorignore |
| CC6.7 Data transmission | TLS 1.2+ for all API calls |
| CC7.2 Monitoring | Admin dashboard usage analytics |

### GDPR

| Requirement | Cursor Coverage |
|-------------|----------------|
| Data minimization | Privacy Mode: zero retention |
| Right to erasure | Account deletion removes all server-side data |
| Data processing agreement | Available on request (Enterprise) |
| Sub-processor list | Published at cursor.com/privacy |

### HIPAA

Cursor does not have a BAA (Business Associate Agreement) as of early 2026. For HIPAA-regulated code:
- Enable Privacy Mode
- Use `.cursorignore` for PHI-containing files
- Consider BYOK through Azure with BAA
- Consult your compliance team before use

## Enterprise Considerations

- **SOC 2 Type II report**: Available on request for Enterprise customers
- **Penetration test results**: Annual pen tests, results shared under NDA
- **Data residency**: Cursor processes requests via US and EU infrastructure. No region pinning available yet
- **Encryption**: AES-256 at rest, TLS 1.2+ in transit
- **Incident response**: Cursor maintains a security incident response plan (details in SOC 2 report)

## Resources

- [Cursor Privacy and Data Use](https://cursor.com/data-use)
- [Cursor Security](https://cursor.com/security)
- [Privacy and Data Governance Docs](https://docs.cursor.com/enterprise/privacy-and-data-governance)
- [Account Privacy Settings](https://docs.cursor.com/account/privacy)