How to request data deletion / cleanup if I suspect a privacy issue with Share Data?

How To
1

Hi Cursor team :waving_hand:

I have a question about Share Data / Privacy Mode and what to do if I ever suspect a privacy or data-leak issue.

Imagine this situation:

  • I was working on a repository while Share Data was enabled (or Privacy Mode was off).

  • Later, I realize that this repo may contain sensitive information (for example: connection strings, API keys in appsettings, or confidential business logic).

  • Iā€™m worried that some of this content might have been sent to Cursorā€™s servers, stored, or used as telemetry / logs / embeddings, etc.

In this kind of case, Iā€™d like to clearly understand what I should do and what the official process is.

Could you please clarify the following:

  1. Official contact & channel

    • If I suspect a privacy / data-leak issue related to Share Data,
      which channel should I use to contact Cursor officially?

      • A specific email address (e.g. security / privacy / support)?

      • In-app support only?

    • Is there a recommended subject line or template for ā€œdata deletion / privacy incidentā€ requests?

  2. What information should I provide?

    • To help your team locate and clean up the relevant data,
      what details do you need from me? For example:

      • Account email / organization ID / workspace ID

      • Rough time window when Share Data was enabled (e.g. YYYY-MM-DD ~ YYYY-MM-DD)

      • Which repository or project path was involved

      • Whether codebase indexing was enabled

      • Any specific files Iā€™m most worried about (e.g. appsettings.json, .env, secrets, etc.)

  3. Exact deletion / cleanup steps

    • From the userā€™s side, what are the recommended steps?

      • Turn on Privacy Mode?

      • Turn off codebase indexing for that repo?

      • Delete the repository from Cursorā€™s side (if applicable)?

      • Delete my account?

    • From Cursorā€™s side, what exactly can be deleted on request?

      • Raw code / prompts stored by Cursor

      • Embeddings and metadata

      • Logs / telemetry that might contain snippets

      • Backups

  4. Time window / deadline

    • Is there a recommended time window for making a deletion request to maximize the chance that:

      • all relevant data (including backups) can be removed, and

      • logs / telemetry are still traceable to my account?

    • For example:
      ā€œPlease contact us within X days from the incident so we can fully remove data from backupsā€
      or any similar official guidance.

  5. Effect of deleting the account

    • If I delete my Cursor account after noticing the issue:

      • Does this automatically trigger deletion of all data associated with my account
        (including indexed codebases, embeddings, logs, etc.)?

      • Or do I still need to explicitly open a ticket to request additional cleanup?

  6. Business vs non-Business plans

    • Are there any differences between:

      • Business plan (with zero-retention models, etc.), and

      • Regular individual plans

    • ā€¦in terms of what can be deleted and how long data may be retained?

Iā€™m asking because I want to have a clear, official procedure to follow in case I ever discover a potential privacy issue (for myself or my company), and I think a public answer here would also help other users who worry about Share Data and data retention.

Thank you in advance for any clarification, and if there is already an official document describing this process (step-by-step) and retention timelines, Iā€™d really appreciate a link to it.

2

I have the same question. I hope this gets resolved soon.

1 Like