Tell HN: Cursor exposes side projects to your employer

I went to see my Cursor (the AI IDE) analytics and clicked a banner advertising their new company-level analytics dashboard. It now has a section “AI Edits by repository” that includes all the repositories used with Cursor, including your personal side projects. [0] I suspect they scrape the name of the repository from the list of GIT remotes, without explicit consent or notice.

If you're using Cursor with a company (teams, enterprise) subscription, information of all your code commits is sent to their API. This telemetry cannot be disabled and is available in a highly granular format in their API. [1]

The dashboard includes also includes information on when you were writing code. [2] The data is available in a highly granular format in their API. [3]

[0]: https://cursor.com/docs/account/teams/analytics#repository-insights [1]: https://cursor.com/docs/account/teams/ai-code-tracking-api#get-ai-commit-metrics-json-paginated [2] https://cursor.com/docs/account/teams/analytics#daily-usage [3] https://cursor.com/docs/account/teams/ai-code-tracking-api#get-ai-code-change-metrics-json-paginated

29 points | by throwawaybbbbbb 2 days ago

14 comments

  • giantg2 1 day ago
    "If you're using Cursor with a company (teams, enterprise) subscription, information of all your code commits is sent to their API."

    Yeah... get your own personal subscription. Creating side projects on company resources could lead to ownership disputes - you could lose it to your company.

    [-]
    • tyleo 1 day ago
      Agreed with this point. I try to separate everything possible from my company with multiple accounts. It’s annoying, sure, but you’ve got to protect yourself.
      [-]
      • giantg2 1 day ago
        I won't even connect my cell phone to the company wifi. Anyone concerned about the surveillance state or big tech and privacy would likely do the same as they can be very invasive.
  • codegeek 1 day ago
    "If you're using Cursor with a company (teams, enterprise) subscription, information of all your code commits is sent to their API."

    Good. As much as we are all privacy freaks, if you are using company resources to do your own side projects, it is fair that the company should have visibility to it. Otherwise, get a separate personal subscription.

    Note that you should not only have a separate subscription to things like cursor for non company work, you should also have a separate laptop/machine for doing anythng non company. One of the reasons why so many companies are cracking down on remote work is due to these types of violations in addition to other things.

  • suobset 14 hours ago
    This is why please have a personal account and personal devices for anything that does not relate to your company or work. This is super critical.

    Heck I'd often carry 2 devices if I was traveling, there's no way in hell I would use company laptops. Anything I did on my work Mac, I assumed everyone relevant at work can access into. Kandji already hands over a ton of data wrt this, and I am sure every other MDM solution does too.

    You gave your consent when you got the work device and probably signed a document/stated that this was to only be used for work purposes.

  • Iolaum 2 days ago
    Am I wrong in understanding you were using the company account with the enterprise subscription while you were working on those side projects? Or were you using a different account?
    [-]
    • binsquare 1 day ago
      Sounds like he was using a company account? In that case, the default is always to expect that the company will see everything including personal projects.
      [-]
      • nis0s 1 day ago
        Uh, no? I don’t think that’s a thing in any JetBrains IDE, unless I am mistaken.
        [-]
        • bloppe 1 day ago
          Does your employer provide you with a laptop? In that case you should assume they have access to the hard drive at least.
          [-]
          • nis0s 1 day ago
            Oh, that’s a different scenario. I would never do personal work on someone else’s laptop. But I think what’s being described in this case is that if you use this IDE, even on a personal machine where your license is from another source, then your personal data is somehow exposed to others.
            [-]
            • binsquare 14 hours ago
              Would we agree with this statement?: if you use a tool licensed by your company your work still belongs to the company.
              [-]
              • nis0s 7 hours ago
                Maybe you’re right, in this case it’s like if a plumbing company loans out plumbers tools. You’re not necessarily allowed to use loaned tools for personal work, but in that case it’s usually due to degradation. I am not sure that applies to digital tools. It’s an interesting question.
  • speedgoose 2 days ago
    If you can’t trust your company with your side projects, you should perhaps not do side projects on your company provided computer and AI subscriptions.
  • greekcoder 12 hours ago
    If you're good to your job and your manager find out you're building a side project, they may think you prepare to leave so you might take a salary raise for not leaving. Let's take the risk and continue using company's AI accounts, they are Free!
  • iExploder 1 day ago
    Legal and HR department would like to have a word.
  • ifh-hn 1 day ago
    I find it hard to see how this isn't user error? Don't use company hardware and software... Problem solved.
  • satvikpendem 1 day ago
    Well yeah, you're using company hardware and software for personal use, of course they'd be able to see.
  • kylehotchkiss 1 day ago
    Software developers should generally have their own computers that aren't wired into company subscriptions. M-Series MacBook Air is really all most people could ever need.
  • muzani 1 day ago
    Well, they are paying for the tokens, so it's only fair. If you were on the company phone, they should see who you're calling.
  • al_borland 1 day ago
    Why are you using your company account for personal projects?
    [-]
  • bitbasher 1 day ago
    Cursor didn't expose it, you did when you decided to use Cursor. You're using an editor that is owned by a company with analytics built in. You're handing over your data.

    Stop using company hardware, software and subscriptions to do _anything_ personal.

    [-]
    • atrettel 1 day ago
      Yes, this is the right answer. Compartmentalization is a basic principle in security. I never do anything personal on company hardware and vice versa. I keep both separate. It just makes things so much easier to manage in the long term.
    • GenericDev 1 day ago
      [dead]
  • zemakasi 2 days ago
    [flagged]