Legal
Data Use
Detailed breakdown of what data Cursorist processes and why.
This page provides a transparent overview of every category of data the Cursorist platform processes, where it is stored, and how long it is retained.
Data Categories
Identity Data
| Field | Source | Purpose | Retention |
|---|---|---|---|
| GitHub user ID | GitHub OAuth | Unique account identifier | Until account deletion |
| GitHub username | GitHub OAuth | Display name in UI, plugin attribution | Until account deletion |
| Email address | GitHub OAuth | Account notifications | Until account deletion |
| Avatar URL | GitHub OAuth | Profile display | Until account deletion |
Organization and Team Data
| Field | Source | Purpose | Retention |
|---|---|---|---|
| Organization name, slug | User input | Workspace grouping | Until org deletion |
| Team name, slug | User input | Plugin ownership grouping | Until team deletion |
| Membership roles | System-assigned | Access control (RLS) | Until membership removal |
Plugin Data
| Field | Source | Purpose | Retention |
|---|---|---|---|
| Plugin name, slug, description | Author input | Discovery and display | Until plugin deletion |
| Plugin type, stack tags | Author input | Search and filtering | Until plugin deletion |
| Version number, changelog | Author input / CLI | Version tracking | Indefinite (immutable) |
| Asset content (rules, skills, MCP, hooks) | Author upload | Distribution to users | Until version is yanked |
| Install count | System-tracked | Popularity metrics | Indefinite |
Authentication Data
| Field | Source | Purpose | Retention |
|---|---|---|---|
| Session tokens | Supabase Auth | Authenticated requests | Until logout or expiry |
| API key hashes | System-generated | CLI and MCP authentication | Until key revocation |
| Invitation tokens | System-generated | Team invitations | 7 days or until used |
Behavioral Data
| Field | Source | Purpose | Retention |
|---|---|---|---|
| Plugin installs | User action | Install tracking, upgrade notifications | Until account deletion |
| Plugin favorites | User action | Bookmarking | Until removed by user |
| Search queries | User action | Not stored server-side | N/A |
Data Flow
Loading diagram...
Third-Party Services
| Service | Data Shared | Purpose |
|---|---|---|
| Supabase | All stored data | Database, auth, realtime |
| GitHub | OAuth tokens, published plugin JSON | Authentication, OSS publishing |
| Vercel | HTTP logs | Hosting and deployment |
We do not share data with analytics, advertising, or data-broker services.
Data Deletion
To request deletion of all your personal data:
- Delete your account from Settings in the app.
- Your profile, memberships, install history, and favorites will be removed within 30 days.
- Plugins you authored remain available (attributed to "deleted user") unless you also delete them before removing your account.