Cursor (Anysphere)
Status badges are conditional: validate the exact plan, DPA, subprocessors, retention, residency, and feature settings before using the tool with personal or confidential data.
Pricing / Contract Route: USD pricing varies by plan
Enterprise Features: Plan-dependent Privacy Mode, enterprise controls, temporary caching safeguards, local-only workflows where available
Last Updated: June 23, 2026
Cursor - GDPR & Data Privacy Overview for European Clients
Version: June 2026 - prepared by WAIMAKERS B.V.
1 Purpose
This overview explains how Cursor tiers (Hobby, Pro, Teams) handle data in relation to GDPR, with a focus on European customers. Cursor is an AI-powered code editor by Anysphere, Inc., operating from US infrastructure. Cursor 2.0 expanded multi-agent capabilities and the agent surface area. Cursor has crossed $1B annualised revenue (per its Series D announcement, November 2025), with millions of developers as customers.
2 Comparison of Cursor Tiers (EU focus)
| Tier | Privacy Mode | Model retention | Training on code? | EU residency | Compliance | Price |
|---|---|---|---|---|---|---|
| Hobby | ⚠️ Available; user-controlled | ✅ ZDR at model providers when enabled | ✅ No (when enabled) | ❌ No (US infra) | Basic | Free |
| Pro | ⚠️ Optional | ✅ ZDR at model providers when enabled; Cursor may store feature data | ✅ No (when enabled) | ❌ No (US infra) | SOC 2 Type II | $20/month (includes $20 monthly credit pool) |
| Pro+ | ⚠️ Optional | ✅ ZDR at model providers when enabled; Cursor may store feature data | ✅ No (when enabled) | ❌ No (US infra) | SOC 2 Type II | $60/month (includes ~$70 monthly usage pool, ~3x Pro) |
| Ultra | ⚠️ Optional | ✅ ZDR at model providers when enabled; Cursor may store feature data | ✅ No (when enabled) | ❌ No (US infra) | SOC 2 Type II | $200/month (includes ~$400 monthly usage pool, ~20x Pro) |
| Teams | ✅ Enforced | ✅ Zero retention (contractual) | ✅ No | ❌ No (US infra) | SOC 2 Type II | $40/user/month (includes per-seat usage pools; no seat minimum) |
| Enterprise | ✅ Enforced | ✅ Zero retention (contractual) | ✅ No | ❌ No (US infra) | SOC 2 Type II + CMEK | Custom pricing |
Notes for Europe
- Privacy Mode (Teams/Enterprise): Enabled by default for team members and can be enforced by admins. Cursor says it uses technical controls and contractual ZDR terms with model providers so code data is not stored by model providers or used for training.
- Privacy Mode (Free/Pro/Pro+/Ultra): Available to individual users and user-controlled. When enabled, Cursor says model-provider ZDR applies and code is not used for training, but Cursor may still store some code data to provide product features and may temporarily cache encrypted file contents during request handling.
- Encryption: TLS 1.2+ in transit; AES-256 at rest.
- Credit-based billing (Jun 2025): Cursor now uses credits for AI model access, charged at the model providers' public API rates. Frontier Claude models consume credits several times faster than cheaper models. Monitor credit usage to avoid overage costs.
- Cursor 2.0 features: Multi-agent orchestration expanded Cursor's agent surface area. Treat any local-only or "Ghost Mode" workflow as a separate control that must be verified in the installed build and policy settings before relying on it.
- Infrastructure: All Cursor processing occurs in US-based infrastructure operated by Anysphere, Inc. No EU data residency option available.
- Backend routing: All requests are routed through Cursor's US backend for final prompt construction, even when using your own API keys (OpenAI, Anthropic, etc.).
- Codebase indexing: When indexing your codebase, plaintext code is uploaded in chunks to compute embeddings but is deleted after the request lifecycle. Only embeddings and metadata (hashes, obfuscated filenames) are stored; no code content persists.
- Pricing: Listed in USD. No EUR-specific pricing available. Plans: Pro $20/mo, Pro+ $60/mo, Ultra $200/mo, Teams $40/user/mo, Enterprise custom. Included monthly usage pools are not equal to the plan price for the higher tiers: Pro includes ~$20, Pro+ ~$70 (~3x Pro), and Ultra ~$400 (~20x Pro). Annual billing saves 20%. Teams plan has no minimum-seat requirement (Standard seat $40/user/month, or $120/user/month for the Premium seat). CMEK (Customer Managed Encryption Keys) is available for Enterprise.
3 Is Cursor GDPR-Compliant?
Short answer: Cursor can support GDPR compliance, but this requires the Teams or Enterprise plan and acceptance of US-only infrastructure without EU data residency.
What applies to all plans (with Privacy Mode enabled):
- Zero training - Cursor states code is not used to train Cursor's models or third-party LLMs when Privacy Mode is enabled.
- Zero retention at model providers - With Privacy Mode enabled, Cursor says model providers do not store code data and do not use it for training.
- Codebase indexing - Only embeddings/metadata stored; no plaintext code.
What's plan-dependent:
- Teams/Enterprise plans: Privacy Mode enabled by default for team members, admin enforcement available, zero-retention contracts with model providers. Enterprise additionally supports CMEK.
- Free/Pro/Pro+/Ultra plans: Privacy Mode is available but user-controlled. With Privacy Mode off, Cursor may use and store codebase data, prompts, editor actions, and code snippets to improve and train its AI features.
Infrastructure limitations (all plans):
- No EU data residency - All processing/storage in US.
- Backend routing - All requests (even with own API keys) routed through Cursor US backend.
What that means in practice:
- Non-sensitive development: Pro plan with Privacy Mode may be acceptable with proper safeguards (DPA, SCCs, DPIA). Note that Cursor still routes requests through its US backend and may store feature data even when model-provider ZDR applies.
- Regulated industries (healthcare, finance, public sector): Teams plan required, but US infrastructure may still pose compliance challenges.
- Strictest GDPR requirements (data localisation mandates): Cursor may not meet requirements due to US-only infrastructure.
Buyer's note: Teams/Enterprise = GDPR-capable with caveats (US infra, no EU residency, Cursor backend routing); individual plans = higher residual risk because Privacy Mode is user-controlled.
4 Details by Offering
Cursor Hobby (Free)
- Privacy Mode: Available but user-controlled.
- Data collection: With Privacy Mode off, telemetry, usage data, code snippets, prompts, and editor actions may be used to improve and train Cursor AI features.
- When to use: Personal projects, learning, non-commercial use.
- When not to use: Any commercial development or proprietary codebases.
Cursor Pro
- Privacy Mode: Optional (user must manually enable). When enabled, Cursor says code is not stored by model providers and is not used for training.
- Important limitation: Even with Privacy Mode enabled, Cursor routes requests through its US backend and may store some code data for product features; admin enforcement requires Teams/Enterprise.
- Pricing: $20/month (includes $20 monthly credit pool; annual billing saves 20%).
- When to use: Individual developers on non-regulated projects.
- When not to use: Regulated industries, client NDAs, contractual zero-retention requirements.
Cursor Pro+
- Privacy Mode: Optional (user must manually enable). When enabled, Cursor says code is not stored by model providers and is not used for training.
- Important limitation: Same residual risk as Pro - Privacy Mode is user-controlled and requests still route through Cursor's US backend.
- Pricing: $60/month (includes ~$70 monthly usage pool, ~3x Pro; annual billing saves 20%).
- When to use: Power users needing higher credit limits on non-regulated projects.
- When not to use: Regulated industries, client NDAs, contractual zero-retention requirements.
Cursor Ultra
- Privacy Mode: Optional (user must manually enable). When enabled, Cursor says code is not stored by model providers and is not used for training.
- Important limitation: Same residual risk as Pro/Pro+ - Privacy Mode is user-controlled and requests still route through Cursor's US backend.
- Pricing: $200/month (includes ~$400 monthly usage pool, ~20x Pro; annual billing saves 20%).
- When to use: Heavy individual users on non-regulated projects.
- When not to use: Regulated industries, client NDAs, contractual zero-retention requirements.
Cursor Teams (formerly Business)
- Privacy Mode: Enabled by default for team members and enforceable by admins. Cursor says code is not stored by model providers or used for training when Privacy Mode is active.
- Model retention: Cursor describes Privacy Mode as using zero-retention arrangements with model providers.
- Codebase indexing: Plaintext code deleted after embedding computation; only embeddings/metadata stored.
- Admin controls: Centralised billing, user management, usage analytics.
- Compliance: SOC 2 Type II certified. DPA available on request.
- Pricing: $40/user/month Standard seat (or $120/user/month Premium seat with 5x usage); no seat minimum; annual billing saves 20%. Each seat includes usage pools for first-party (Composer/Auto) and third-party API models. Credit-based billing for AI models; frontier Claude models consume credits several times faster than cheaper models.
- Cursor 2.0 features: Multi-agent workflows available; verify any local-only or Ghost Mode workflow separately before treating it as a compliance control.
Cursor Enterprise
- Privacy Mode: Enabled by default for team members and enforceable by admins. Cursor says code is not stored by model providers or used for training when Privacy Mode is active.
- Model retention: Cursor describes Privacy Mode as using zero-retention arrangements with model providers.
- Encryption: TLS 1.2+ in transit, AES-256 at rest. CMEK (Customer Managed Encryption Keys) available for maximum data sovereignty.
- Admin controls: Advanced SSO, audit logs, centralised billing and user management.
- Compliance: SOC 2 Type II certified. DPA available. CMEK for key management control.
- Pricing: Custom (contact enterprise@cursor.com).
- When to use: Large organisations with strict security, compliance, or key management requirements.
5 Data Processing Flow
User prompt/code in editor
↓
Cursor backend (US-based)
├─ Final prompt construction
├─ (Optional) Codebase indexing → embeddings stored, plaintext deleted
├─ LLM call (OpenAI, Anthropic, etc.)
│ ├─ Teams/Enterprise: zero retention at provider (contractual)
│ └─ Free/Pro/Pro+/Ultra (Privacy Mode): model-provider ZDR, but user-controlled
└─ Response returned to editor
*All requests routed through Cursor backend, even with own API keys*
6 Recommendations (GDPR-first)
- For business processing of proprietary code, prefer Cursor Teams for enforced Privacy Mode and contractual zero-retention. For organisations requiring key management control, Cursor Enterprise adds CMEK.
- For regulated data (healthcare, finance, public sector), complete a DPIA and Transfer Impact Assessment (TIA) to assess US processing risks under GDPR Chapter V. Request DPA with SCCs from enterprise@cursor.com.
- For maximum local privacy, verify any local-only or "Ghost Mode" workflow in the installed Cursor build before relying on it for highly sensitive code.
- For strictest data localisation requirements, Cursor may not be suitable due to US-only infrastructure.
- Do not use Pro, Pro+, Ultra, or Hobby plans for client projects under NDA or regulated workloads unless Privacy Mode is enabled and the residual risks of user-controlled settings, US backend routing, and feature-data storage are accepted.
- Monitor credit consumption - frontier Claude models consume credits several times faster; set spending limits in the Teams admin console.
7 EU Rollout Checklist (Practical)
- Choose Teams plan (formerly Business) - For enforced Privacy Mode and zero-retention. For key management requirements, consider Enterprise (adds CMEK).
- Conduct DPIA & TIA - Document US processing risks (GDPR Chapter V); determine if SCCs + supplementary measures are sufficient. For special category data or strict localisation mandates, Cursor may not be suitable.
- Execute contractuals - Request and sign DPA with SCCs (enterprise@cursor.com); add explicit zero-retention and no-training clauses.
- Configure controls - Verify Privacy Mode enforced; educate developers on safe practices (no API keys, credentials, or personal data in prompts).
- Sensitive data handling - Do not include GDPR Art. 9 special categories in prompts. Use `.cursorrules` to exclude sensitive files from indexing.
8 Procurement Quick Answers (EU)
Is my code used to train Cursor's models?
With Privacy Mode enabled (enforced on Teams/Enterprise; optional on Pro/Pro+/Ultra), Cursor says no: model providers do not store code data and code is not used for training.
Can we keep EU data at rest in the EU?
No. Cursor operates from US infrastructure only; no EU data residency option.
What's the difference between Pro/Pro+/Ultra and Teams Privacy Mode?
- Free/Pro/Pro+/Ultra: Optional; when enabled, model-provider ZDR applies and code is not used for training, but the setting is user-controlled and requests still route through Cursor's backend.
- Teams (formerly Business): Enabled by default for team members and can be enforced by admins; Cursor describes Privacy Mode as using zero-retention arrangements with model providers.
- Enterprise: Same as Teams, plus CMEK for customer-managed encryption keys.
How long do model providers keep code?
- Teams/Enterprise: Cursor states model-provider zero retention applies when Privacy Mode is active.
- Free/Pro/Pro+/Ultra (Privacy Mode): Model-provider ZDR, but user-controlled and still routed through Cursor's backend.
- Hobby: Standard policies (typically 30 days).
What about codebase indexing?
Plaintext code deleted after embedding computation. Only embeddings and metadata (hashes, obfuscated filenames) stored.
What compliance standards?
SOC 2 Type II certified. SOC 2 report available at trust.cursor.com (requires request).
Are all requests routed through Cursor's backend?
Yes. Even with your own API keys, all requests go through Cursor's US backend for prompt construction.
9 Notes & Caveats
- US infrastructure: All processing in US; may be problematic for strict localisation requirements.
- Backend dependency: All requests routed through Cursor backend, even with own API keys.
- Free/Pro/Pro+/Ultra Privacy Mode: Optional; when enabled, model-provider ZDR applies and code is not used for training, but admin enforcement requires Teams/Enterprise and requests still route through Cursor's US backend.
- Plan rename: "Business" plan was renamed "Teams" - same $40/user/month price.
- CMEK: Customer Managed Encryption Keys available on Enterprise plan for organisations requiring key management sovereignty.
- Encryption: TLS 1.2+ in transit; AES-256 at rest (all plans).
- Revenue milestone: Cursor crossed $1B annualised revenue (per its Series D announcement, November 2025).
- Credit-based billing: Introduced June 2025; credits are charged at the model providers' public API rates. Frontier Claude models consume credits several times faster than cheaper models. Monitor usage via admin console.
- Local-only / Ghost Mode claims: Verify this in the installed Cursor build and current official docs before relying on it as a compliance control.
- Limited public documentation: Request DPA and privacy details from enterprise@cursor.com.
- GDPR Chapter V transfers: EU customers must conduct Transfer Impact Assessment (TIA) and implement supplementary measures beyond SCCs.
10 Disclaimer
This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Cursor in production environments - especially when proprietary or sensitive code is processed. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.
Prepared and issued by WAIMAKERS B.V. - June 2026.
References
- Cursor Privacy Overview - https://cursor.com/privacy-overview
- Cursor Privacy Policy - https://cursor.com/privacy
- Cursor Data Use & Privacy Overview - https://cursor.com/data-use
- Cursor Security & Compliance - https://www.cursor.com/en/security
- SOC 2 Report - https://trust.cursor.com (requires request)