CursUP 隐私政策

更新日期：2026 年 5 月 20 日 · 生效日期：2026 年 5 月 20 日

欢迎您使用 CursUP（以下简称"本服务"、"平台"或"我们"）。我们深知个人信息对您的重要性，您的信赖对我们非常重要。我们将严格遵循"合法、正当、必要、诚信"原则，按照法律法规要求采取相应的安全保护措施，致力于保护您的个人信息。基于此，CursUP 团队制定本《CursUP 隐私政策》（以下简称"本政策"），帮助您了解我们在您使用本服务的过程中如何收集、使用、共享、存储和保护您的个人信息，以及您可以如何管理您的个人信息。

在您使用本服务前，请您务必先仔细阅读和理解本政策，特别应重点阅读我们以 粗体 标识的条款，确保您充分理解和同意之后再开始使用。除本政策外，在特定场景下，我们还会通过即时告知（含弹窗、页面提示等）、功能更新说明等方式，向您说明对应的信息收集目的、范围及使用方式，这些即时告知及功能更新说明等构成本政策的一部分，并与本政策具有同等效力。

一、适用范围

本政策适用于 CursUP 团队通过 CursUP 网站、控制台（/console）、命令行、MCP Server、应用模板（如 static-web / node-api / python-api）以及随技术发展出现的新形态，向您提供的"AI 驱动应用创建、发布、部署与运行治理"相关服务。

CursUP 不同形态、不同版本提供的功能或服务会有差异，如某些形态、某些版本无相关功能的，则不涉及对应个人信息的收集。

本政策不适用于其他第三方（如我们嵌入的第三方 SDK / 接口、由第三方独立运营的服务）向您提供的服务。第三方在其服务中对个人信息的处理活动及保护措施，应适用该第三方的隐私政策或类似文件。常见的第三方包括：

• 第三方登录服务：Google、Twitter / X、微信开放平台等；
• 第三方大语言模型与 AI 服务：OpenAI、Anthropic、阿里通义等；
• 第三方代码托管、对象存储、CDN、构建与日志服务；
• 您在自有应用中接入或通过 MCP 调用的其他外部服务。

二、信息收集及使用

在您使用本服务时，我们需要或可能需要收集和使用您的个人信息，包括如下两种：

1. 为实现向您提供本服务的基本功能，及履行法律法规规定的义务，您须授权我们收集、使用必要的信息。如您拒绝提供相应信息，您将无法正常使用本服务；
2. 为实现向您提供本服务的附加功能，您可选择单独同意或不同意我们收集、使用相关信息。如您拒绝提供，您将无法正常使用相关附加功能或无法达到我们拟达到的功能效果，但不会影响您使用我们的基本功能。

我们主要通过如下两种方式获取您的信息：（1）您在使用 CursUP 期间主动向我们提供的信息；（2）您使用 CursUP 期间我们会自动收集的相关信息，如操作记录、调用日志或其他系统日志类数据。

（一）注册及登录

当您在 CursUP 创建账号时，您可以选择以下方式之一进行注册或登录：

• 邮箱 + 密码：您需要提供真实有效的邮箱、用户昵称及不少于 8 位的密码。邮箱将用于您的账号身份识别、密码找回、安全提醒以及业务通知（如新功能上线、服务变更、安全告警等）。
• 第三方账号登录：您可使用 Google、Twitter / X、微信等第三方平台账号授权登录。在您授权后，我们将从第三方获取必要的账号信息，包括用户唯一标识（OpenID / Sub）、昵称、头像，以及您在授权范围内主动同意提供的邮箱等信息。第三方账号本身的使用受其各自的服务协议与隐私政策约束。

如果您拒绝提供上述信息，您将无法注册或登录 CursUP 账号。

在完成账号注册和登录后，您可以在控制台中设置昵称、上传头像、绑定 / 解绑第三方账号、修改密码等，进行账号个性化设置与安全管理。

（二）提供 CursUP 相关服务

1、您上传 / 输入的代码、配置、文档、提示词等内容

CursUP 的核心服务依赖您的内容上传 / 输入。在您使用控制台、CLI 或通过 MCP 协议调用平台工具（如创建应用、上传部署、查询状态等）的过程中，我们需要接收并记录您所提供的以下内容，以便为您完成对应的服务：

• 您创建或编辑的应用元数据，包括应用名称、描述、运行时类型（static-web / node-api / python-api 等）、环境标识（dev / test / prod）、版本号、标签等；
• 您上传的应用代码、构建产物与配置文件，例如 platform.app.yaml、依赖清单、构建脚本以及对应的源代码包；
• 您绑定的代码仓库地址及通过 OAuth 授予的访问凭证（如有）；
• 您与平台 AI / Agent 交互时输入的自然语言指令、提示词、上下文文档等信息；
• 您配置的环境变量、密钥、回调地址等运行时参数。

我们会根据您的输入完成应用的校验、构建、部署，并基于生成式人工智能技术为您返回结果。如您拒绝提供上述信息，您将无法使用应用创建、部署、Agent 协作等服务。

为便于您随时查看及管理，我们会记录上述操作及结果，并在控制台中向您展示，包括应用列表、部署历史、构建日志、运行状态等。

2、MCP API Token 与 MCP 调用

为支持 AI Agent（如 Cursor）通过 MCP 协议直接调用本平台能力，您可在控制台「MCP 配置」中生成专属的 API Token。围绕 MCP 调用，我们将处理以下信息：

• Token 元数据：Token 的标识、创建时间、最近一次使用时间、状态（启用 / 已吊销）等。Token 的明文仅在生成时一次性向您展示，我们仅以哈希或加密形式存储，无法再次以明文向您或任何第三方展示；
• 调用日志：每次 MCP 工具调用的工具名称、参数摘要、调用结果摘要、来源 IP、User-Agent、调用耗时与错误信息等，用于安全审计、计量、问题排障和滥用检测；
• 关联的应用与资源：调用所涉及的应用、环境、版本及相关资源标识。

您应将 Token 视同密码妥善保管。如您怀疑 Token 已泄露，您可以随时在控制台中"重新生成"以轮换 Token；旧 Token 将立即失效。

3、应用部署、构建与运行

当您通过 MCP 工具或控制台触发部署后，平台会执行从代码校验、依赖安装、构建打包、部署到分配访问 URL 的完整链路，并形成审计记录。在该过程中，我们会处理：

• 构建过程中的编译输出、构建日志、依赖快照；
• 运行时的实例状态、健康检查、错误堆栈、性能指标（如 CPU / 内存 / 请求量）；
• 由平台分配的应用访问地址（形如 https://<app>-<env>.cursup.dev），以及该地址上的访问日志（请求路径、状态码、来源 IP、User-Agent 等），用于平台运维、计量和安全防护；
• 您配置的访问控制策略（如认证代理、白名单、Basic Auth 等）。

对于在您部署的应用上由最终用户产生的数据（例如最终用户在您应用中提交的内容），其个人信息处理者为您本人，请见本政策"五、您发布的应用与最终用户"。

4、交互内容评价与反馈

在您使用 CursUP 过程中，您可以对 AI 输出、文档示例或控制台体验进行评价（点赞 / 点踩）或提交问题反馈。在经过去标识化且无法重新识别特定个人的前提下，我们会收集这些评价与反馈，用于改善服务质量与用户体验。

5、分享与协作

当您使用应用分享、邀请协作者、生成访问令牌等功能时，我们可能需要在浏览器中读取或写入剪贴板，以实现链接生成与跳转。如您拒绝授权对应权限，相关分享功能将无法使用。

（三）交互历史查询和管理

为向您提供连续性、一致化的服务体验，保障服务质量，我们会记录您与 CursUP 的操作历史与对话交互记录，包括您输入的文本、上传的文件信息及基于这些信息形成的对话主题、应用版本与发布历史。您可以在控制台与对应的交互界面中查找、复制、导出或删除您尚未删除的历史记录。

（四）为您提供安全保障

为提高服务安全性，保护您或其他用户或公众的人身安全、财产安全、账号安全，更好地预防钓鱼网站、欺诈、网络漏洞、计算机病毒、网络攻击、网络侵入、恶意程序、模型滥用等安全风险，更准确地识别违反法律法规或相关协议、规则的情况，我们会收集以下信息：

• 设备与环境信息：设备类型 / 品牌、硬件型号、操作系统名称及版本、浏览器名称及版本、用户设备时间、服务端时间、语言、IP 地址、网络信息、Cookie 信息以及合理范围内的设备标识符；
• 服务日志信息：登录日志、操作日志、API 调用日志、Token 使用记录、应用运行日志、应用崩溃 / 错误信息、性能数据、来源页面与跳转路径，以保障服务的正常运行和事后审计。

我们可能使用或整合上述信息，综合判断账号风险、进行身份验证、检测及防范安全事件，并依法采取必要的记录、审计、分析、处置措施。如您拒绝我们收集前述安全保障所必需的信息，我们将无法向您提供服务。

（五）运营分析

我们可能会使用服务日志信息（包括您的浏览器信息和类型、您提出请求的日期和时间，以及您如何与 CursUP 网站和控制台互动）、您的使用信息（位置、客户端日期与访问时间、服务端日期与访问时间、设备类型、网络信息）、您的设备信息（操作系统和浏览器类型）、Cookie 等在线分析数据来帮助我们分析用户如何使用本服务，并增强您的服务体验。上述分析在尽可能去标识化与聚合的前提下进行。

（六）向您提供专业客服支持或帮助

您可以通过控制台内的「问题咨询 / 帮助」入口、官方邮箱（[email protected]）等渠道向我们寻求支持。在您发起咨询时，为了保障您的个人信息安全，我们可能会要求您提供必要的身份核验信息；同时，您还需要向我们提供问题描述、相关日志或截图。我们会通过记录、分析这些信息以便更及时响应您的请求，以及用于改进服务。如您拒绝提供前述信息，我们可能无法向您提供相应支持或帮助，但不会影响您使用 CursUP 的基本功能。

（七）基于系统权限为您提供的功能

在您使用 CursUP 过程中，为便利您的使用体验，我们可能会请求浏览器或操作系统层面的若干权限。即便经过授权获得了这些系统权限，CursUP 也不会在相关功能或服务未运行时收集您的信息。您可以选择不同意开启相关权限，不会影响您使用 CursUP 的基本功能，但可能无法享受附加功能带来的额外用户体验。

您可以通过浏览器或系统设置逐项查看、管理上述权限的开启或关闭。请您注意，您选择关闭权限后，我们将不再基于对应权限继续收集和使用相关个人信息，但不影响此前基于授权所进行的信息收集及使用。

（八）收集和使用个人信息的其他规则

您理解并同意，除我们在上述场景中向您明示的需要收集的个人信息外，我们将会通过页面提示、交互设计等方式另行向您明示信息收集的内容、范围和目的并征得您同意。

根据相关法律法规，在以下情况下我们可能会收集、使用您的个人信息而无需征求您的授权同意：

1. 为订立、履行您作为一方当事人的合同所必需；
2. 与我们履行法定职责或者法定义务所必需；
3. 与国家安全、国防安全直接相关的；
4. 与公共安全、公共卫生、重大公共利益直接相关的；
5. 与刑事侦查、起诉、审判和判决执行等直接相关的；
6. 出于维护您或其他个人的生命、财产等重大合法权益但又很难得到本人授权同意的；
7. 依照法律法规的规定在合理的范围内收集您自行公开的个人信息；
8. 依照法律法规的规定在合理的范围内从合法公开披露的信息中收集您的个人信息；
9. 用于维护所提供产品或服务的安全稳定运行所必需的，如发现、处置产品或服务的故障。

三、我们如何使用 Cookie 和同类技术

为确保网站正常运转、为您获得更轻松的访问体验，我们会在您的设备上存储名为 Cookie 的小数据文件。Cookie 通常包含标识符、站点名称以及一些号码和字符。我们只能读取我们提供的 Cookie。借助 Cookie，控制台能够维持您的登录状态、记忆您的偏好设置（如主题、语言、列表展开状态等），并帮助我们识别异常登录、防范盗用与欺诈。

我们使用的 Cookie 主要包括：

• 必要 Cookie：用于会话保持、CSRF 防护、负载均衡与登录态。这类 Cookie 是平台基本功能所必需的，不可关闭；
• 偏好 Cookie：记录您的语言、主题、列表筛选条件等个性化设置；
• 分析 Cookie：用于聚合统计访问情况、性能数据，帮助我们改进控制台。

您可以通过浏览器设置管理或清除 Cookie，但如果您拒绝必要 Cookie，您将无法正常登录或使用控制台。除 Cookie 外，我们还可能使用网站信标、像素标签、本地存储（LocalStorage / IndexedDB）等同类技术，用途与上述一致。我们承诺不会将 Cookie 及同类技术用于本政策所述目的之外的任何其他用途。

管理您的 Cookie 偏好：您可以随时 点击这里 重新打开 Cookie 偏好设置面板,调整您对偏好/分析/营销类 Cookie 的同意状态。修改后立即生效,12 个月内本地保存。

四、我们如何共享、转让、公开披露您的个人信息

（一）数据使用过程中涉及的合作方

1、基本原则

• 合法正当与最小必要原则：数据处理应当具有合法性基础，具有正当的目的，并以实现处理目的最小范围为限。
• 用户知情权与决定权最大化原则：数据处理过程中充分尊重用户对其个人信息处理享有的知情权与决定权。
• 安全保障能力最强化原则：我们将采取必要措施保障所处理个人信息的安全，审慎评估合作方使用数据的目的与安全保障能力，并通过协议要求其遵循相应的安全要求。

2、委托处理

我们可能委托授权我们的关联公司或合作方（统称"授权合作方"）处理您的个人信息，以便其代表我们为您提供某些服务或履行职能。授权合作方只能接触到其履行职责所需信息，且我们将通过协议要求其不得将该等信息用于其他任何超出委托范围的目的。当前，我们委托的授权合作方主要包括：

• 云计算与基础设施服务商：用于服务器托管、对象存储、CDN 加速、数据库与日志服务，是支持您应用部署与平台运行的基础设施；
• 构建与运行时服务商：用于代码构建、镜像管理、容器调度等；
• 第三方大语言模型 / AI 服务商：当您使用涉及 AI 推理的功能时，您的输入及上下文将依据技术需要传输给对应的模型服务商（如 OpenAI、Anthropic、阿里通义等）。该等数据处理受相应第三方的隐私政策约束；
• 客户支持类授权合作方：协助我们响应您的工单、邮件咨询；
• 分析、安全与反欺诈服务商：用于异常检测、滥用拦截、反爬虫与平台健康度分析。

3、共享

原则上，我们不会与其他组织和个人共享您的用户信息，但以下情况除外：

1. 在获取您明确同意的情况下共享：获得您的明确同意后，我们会与其他方共享您的用户信息。
2. 为履行法定义务所必需的共享：我们可能会根据法律法规规定、诉讼、仲裁解决需要，或按行政、司法机关依法提出的要求，对外共享您的用户信息。
3. 为订立、履行您作为一方当事人的合同所必需的共享：平台中的某些具体模块或功能由合作方提供，我们仅会基于合法、正当、必要原则，在为提供服务所必需的范围内向其提供您的个人信息。
4. 为保障服务安全与分析统计的数据使用：为保障账号与平台安全，我们和我们的合作方可能需要使用必要的设备、账号及日志信息；为分析服务使用情况以提升用户体验，我们可能会使用难以与个人身份关联的统计性数据。

（二）转让

我们不会将您的个人信息转让给任何公司、组织和个人，但以下情况除外：

1. 在获取您明确同意的情况下转让；
2. 当 CursUP 服务提供者发生合并、收购或破产清算情形时，如涉及到个人信息转让，我们会要求新的持有您个人信息的公司、组织继续受本政策的约束，否则我们将要求该公司、组织和个人重新向您征求授权同意。

（三）公开披露

我们仅会在以下情况下，公开披露您的个人信息：

1. 获得您明确同意或基于您的主动选择，例如您主动选择将应用、模板或文档对外公开发布；
2. 如果我们确定您出现违反法律法规或严重违反相关协议规则的情况，或为保护服务提供者及其关联公司用户或公众的人身财产安全免遭侵害，我们可能依据法律法规或 CursUP 服务相关协议规则，在征得您同意或法律允许的情况下披露关于您的个人信息，包括相关违规行为以及 CursUP 已对您采取的措施。

（四）停止运营

如果我们停止运营 CursUP 服务，将及时停止继续收集您的个人信息。我们会通过站内消息、邮件或公告等形式向您发送停止运营的告知，并对我们所持有的与已关停服务相关的个人信息进行删除或匿名化处理。

（五）共享、转让、公开披露个人信息时事先征得授权同意的例外

以下情形中，共享、转让、公开披露您的个人信息无需事先征得您的授权同意：

1. 与我们履行法律法规规定的义务或者响应政府部门指示所必需的；
2. 与国家安全、国防安全有关的；
3. 与公共安全、公共卫生、重大公共利益有关的；
4. 与犯罪侦查、起诉、审判和判决执行等有关的；
5. 出于维护您或其他个人的生命、财产等重大合法权益但又很难得到本人同意的；
6. 您自行向社会公众公开的个人信息；
7. 从合法公开披露的信息中收集个人信息的；
8. 为订立、履行您作为一方当事人的合同所必需的。

五、您发布的应用与最终用户

当您通过 CursUP 创建并发布应用、工作流或 MCP 集成，并将访问地址（形如 https://<app>-<env>.cursup.dev）开放给平台内或外部的最终用户使用时，请您注意：

1. 您是相关最终用户个人信息的处理者（数据控制者）：最终用户在您所发布应用中产生的个人信息（包括其在应用内输入的内容、上传的文件、产生的业务数据等），由您依法决定收集与处理的目的、方式与范围。
2. 您应依法向最终用户披露您自己的隐私政策，并就需要单独同意的事项另行获取最终用户授权。
3. 我们仅作为受您委托的处理者：我们仅依据《CursUP 服务条款》及与您之间约定的范围，承担基础设施、运行环境、安全防护、日志审计等技术性数据处理工作，不会将通过您应用收集到的最终用户数据用于本政策范围以外的目的。
4. 如最终用户就其在您应用中产生的个人信息主张权利（如查阅、更正、删除等），原则上由您作为处理者直接响应。我们将在您的合理请求下提供必要的协助。

六、您的权利

按照中华人民共和国相关法律、法规、标准，以及其他国家、地区的通行做法，我们保障您对自己的个人信息行使以下权利。我们会在符合法律法规要求的情形下响应您的请求。

（一）查阅、更正和补充

您有权通过登录账号中心或在控制台对应界面中，查阅、更正和补充您的账号信息、应用信息、Token 元数据等。

（二）复制

您可以登录控制台或在交互界面中复制您所需的信息，例如导出应用配置、下载操作日志摘要等。

（三）删除

您可以登录控制台删除对应应用、Token、配置或交互记录，也可以通过申请注销账户删除您的全部个人信息。

在以下情形中，您可以向我们提出删除个人信息的请求：

1. 如果我们处理个人信息的行为违反法律法规；
2. 如果我们收集、使用您的个人信息，却未征得您的明确同意；
3. 如果我们处理个人信息的行为严重违反了与您的约定；
4. 如果我们的处理目的已实现、无法实现或者为实现处理目的不再必要；
5. 如果我们停止提供服务，或者保存期限已届满。

若我们决定响应您的删除请求，我们还将同时尽可能通知从我们处获得您的个人信息的主体，并要求其及时删除（除非法律法规另有规定，或这些主体已独立获得您的授权）。当您或我们协助您删除相关信息后，因为适用的法律和安全技术限制，我们可能无法立即从备份系统中删除相应的信息，我们将安全地存储您的个人信息并限制对其的任何进一步处理，直到备份可以清除或实现匿名化。

（四）改变授权范围

您可以通过解绑第三方账号、关闭权限、撤回特定授权或联系我们，改变或者撤回您授权我们处理您的个人信息的范围。当您撤回同意后，我们将不再处理相应的个人信息。但您撤回同意的决定，不会影响我们此前基于您的授权而开展的个人信息处理行为。

（五）注销账号

您可以在控制台或通过[email protected]提交账号注销申请。注销账号后，您发布的应用将停止运行，访问 URL 将被回收，已生成的 Token 将立即吊销。在您主动注销账号之后，我们将停止为您提供服务，并删除您的个人信息，或对其进行匿名化处理，但法律法规或行业监管规则另有规定的除外。

（六）响应您的权利请求

您或可能的您的监护人、近亲属及其他有权主体向我们提出上述请求，以及主张中华人民共和国法律与其他适用法律规定的您的相关个人信息权利，可以通过[email protected]发起请求。我们将在 15 天内做出答复。

为保障您的账户安全和您的个人信息安全，您向我们提出上述请求时，我们可能会先验证您的身份（如增加账户核验、要求您提供书面请求或其他合理方式），然后再处理您的请求。

对于您合理的请求，我们原则上不收取费用，但对多次重复、超出合理限度的请求，我们将酌情收取一定费用。对于与您的身份不直接关联的信息、无合理理由重复申请的信息，或者需要过多技术手段（如需要开发新系统或从根本上改变现行惯例）、给他人合法权益带来风险或者不切实际的请求，我们可能会予以拒绝。

（七）响应您的权利请求的例外

以下情形中，我们有权不响应您的上述权利请求：

1. 与我们履行法律法规规定的义务相关的；
2. 与国家安全、国防安全直接相关的；
3. 与公共安全、公共卫生、重大公共利益直接相关的；
4. 与刑事侦查、起诉、审判和执行判决等直接相关的；
5. 我们有充分证据表明您或其他个人信息主体存在主观恶意或滥用权利的；
6. 出于维护您或其他个人信息主体的生命、财产等重大合法权益但又很难得到本人授权同意的；
7. 响应您或其他个人信息主体的请求将导致您或其他个人信息主体、组织的合法权益受到严重损害的；
8. 涉及商业秘密的。

七、信息的存储和保护

（一）存储期限

我们只会在达成本政策所述目的所需的期限内保留您的个人信息，除非法律有强制的留存要求。具体而言：

• 账号基本信息：在您账号有效期内持续保存，账号注销后将删除或匿名化处理；
• 应用代码与配置：在您未删除应用前持续保存；删除应用后将进入回收期（最长不超过 30 天）以便您撤回操作，回收期满后将不可恢复地删除；
• 调用日志、构建日志、运行日志：通常保留 90 天，因安全审计或法律法规要求，部分日志可能延长至最长 3 年；
• 计费与交易相关数据：依据《电子商务法》《会计档案管理办法》等法律法规要求保留相应期限。

在超出保留期间后，我们会根据适用法律的要求删除或匿名化处理您的用户信息。

（二）存储位置

我们在中华人民共和国境内产生或收集的个人信息，存储在中国境内的服务器。除非取得您的单独同意，或为了履行与您订立的合同，或为了遵循法律法规规定的义务或其他法律法规规定的情形，我们不会向境外提供您的任何个人信息。

（三）存储安全

1、数据保护技术措施

我们已采取符合业界标准、合理可行的安全防护措施保护您的信息，防止个人信息遭到未经授权访问、公开披露、使用、修改、损坏或丢失。包括但不限于：传输与存储加密（HTTPS / 静态加密）、API Token 与密钥的不可逆哈希存储、严格的访问控制与最小权限、操作审计日志、定期的安全演练与渗透测试。

尽管我们已经按照相关法律法规要求采取了合理有效的安全措施，但由于技术限制和可能存在的恶意手段，我们不能保证百分之百的信息安全。请您了解并理解，我们所提供的系统和通信网络可能会受到我们无法控制的因素影响而出现问题。因此，我们强烈建议您采取积极措施来保护个人信息的安全，例如使用强密码、不向他人透露账号密码、不在公开仓库中提交 Token 等。

2、数据保护管理组织措施

我们建立了以数据为核心、围绕数据生命周期的数据安全管理体系，从组织建设、制度设计、人员管理及技术维度提升个人信息的安全性。我们通过培训课程和考试，不断加强员工对于保护个人信息重要性的认识。

3、个人信息安全事件的响应

如果我们的物理、技术或管理防护设施遭到破坏，导致信息被非授权访问、公开披露、篡改或毁坏，导致您的合法权益受损的，我们会及时启动应急预案，采取合理必要的措施，以尽可能降低对您个人的影响。如发生个人信息安全事件，我们还将按照法律法规的要求向您告知安全事件的基本情况和可能的影响、我们已采取或将要采取的处置措施、您可自主防范和降低风险的建议、对您的补救措施。我们将以站内消息、邮件、电话、推送通知及其他合理渠道告知您；难以逐一告知的，我们会采取合理、有效的方式发布公告。同时，我们还将按照监管部门要求，上报个人信息安全事件的处置情况。

4、账户安全风险的防范

请您妥善保护自己的个人信息，不要通过本服务披露不必要的个人信息。如您担心自己的个人信息尤其是账户、密码或 API Token 发生泄露，请您立即通过控制台轮换 Token、修改密码，并联络我们以采取相应措施。

八、未成年人特别约定

我们主要面向成年开发者和企业用户提供 CursUP 服务。但我们非常重视对未成年人个人信息的保护，如您为未成年人，我们要求您请您的父母或其他监护人仔细阅读本政策的所有内容，并在征得您的父母或其他监护人同意的前提下使用我们的产品或服务以及向我们提供信息。若您是未成年人的父母或其他监护人，请您关注未成年人是否是在取得您的授权同意之后使用本服务。如您对个人信息相关情况有疑问，请与我们联系。

受制于现有技术和商业模式，我们很难在账号注册环节主动识别未成年人的个人信息。如果您是未成年的监护人，且您发现我们存在未经其授权获取未成年人个人信息的情况，您可通过本政策中公示的联系方式联系我们，我们在收到通知后会及时予以核查，并在核查属实后及时删除或匿名化处理相关信息。如我们主动审查发现存在前述情形的，我们也会主动对相关个人信息予以删除或进行匿名化处理。

九、本政策的更新

为给您带来更好的服务体验，我们持续努力改进我们的技术。我们可能会更新本隐私政策，并通过站内通知、邮件或其他适当的方式提醒您更新的内容，以便您及时了解本隐私政策的最新版本。但未经您明确同意，我们不会限制您按照本政策所享有的权利。

对于重大变更（包括但不限于：服务模式发生重大改变、个人信息处理目的发生变化、个人信息共享 / 转让 / 公开披露的主要对象发生变化、您参与个人信息处理方面的权利及其行使方式发生重大变化、个人信息安全相关的责任部门或联络方式发生变化、个人信息安全影响评估报告显示存在高风险时），我们还会提供更为显著的通知（包括我们会通过站内弹窗、邮件等方式进行通知），并根据法律法规的相关要求征得您的同意。

十、联系我们

如您对本政策内容有任何疑问、意见或建议，或希望行使您在本政策"六、您的权利"中所述的权利，您可通过以下方式与我们联系：

• 个人信息保护与权利请求：[email protected]
• 一般咨询与产品支持：[email protected]
• 侵权投诉：[email protected]（请提供权利人主体证明、侵权位置、侵权类型与初步证据）

我们将在 15 天内回复您的请求（请您注明与 CursUP 服务有关，并说明具体事实情况）。需注意的是，我们可能不会回复与本政策或您的个人信息权利无关的问题。

如果您对我们的回复不满意，特别是您认为我们的个人信息处理行为损害了您的合法权益，您还可以通过向被告住所地有管辖权的法院提起诉讼来寻求解决方案。

十一、附录：相关定义

• CursUP：指 CursUP 平台及其相关产品和服务，包括官方网站、控制台、CLI、MCP Server、应用模板等。
• 服务提供者 / 我们：指 CursUP 团队及其后续指定的运营主体。
• 关联公司：指 CursUP 服务提供者的关联公司。
• 最终用户：指通过您在 CursUP 上发布的应用、工作流、MCP 集成访问相关服务的自然人或组织。
• 个人信息：以电子或者其他方式记录的与已识别或者可识别的自然人有关的各种信息，不包括匿名化处理后的信息。
• 敏感个人信息：一旦泄露或者非法使用，容易导致自然人的人格尊严受到侵害或者人身、财产安全受到危害的个人信息，包括生物识别、宗教信仰、特定身份、医疗健康、金融账户、行踪轨迹等信息，以及不满十四周岁未成年人的个人信息。
• 儿童：指不满十四周岁的未成年人。
• 去标识化：指个人信息经过处理，使其在不借助额外信息的情况下无法识别特定自然人的过程。
• 匿名化：指个人信息经过处理无法识别特定自然人且不能复原的过程。
• API Token：指您在控制台「MCP 配置」中生成的、用于身份验证的访问凭证；通过该 Token 调用平台 API 所产生的任何操作，均视为您本人或经您授权的行为。
• Cookie：互联网中普遍使用的客户端存储与标识技术。当您使用本服务时，我们可能会向您的设备发送一个或多个 Cookie 或匿名标识符，以收集、标识和存储您访问、使用本产品时的信息。

// 本政策为简体中文版本。如本服务后续提供其他语种版本，在中文与其他语种文本不一致时，以中文版本为准。

CursUP Privacy Policy

Last updated: May 20, 2026 · Effective: May 20, 2026

Welcome to CursUP (the "Service", "Platform", or "we"). We deeply understand the importance of personal information to you and value your trust. We strictly follow the principles of "lawfulness, legitimacy, necessity, and good faith", take corresponding security measures as required by laws and regulations, and are committed to protecting your personal information. Based on this, the CursUP team has prepared this Privacy Policy ("this Policy") to help you understand how we collect, use, share, store and protect your personal information when you use the Service, and how you can manage that information.

Before using the Service, please read and understand this Policy carefully, paying special attention to the items we have bolded. Make sure you fully understand and agree before you start using the Service. In addition to this Policy, we may, in specific scenarios, explain the purpose, scope and method of information collection through real-time notices (popups, page hints) or feature update notes; those notices and notes form part of this Policy with equal effect.

1. Scope

This Policy covers the AI-driven app creation, release, deploy and runtime governance services that the CursUP team provides through the CursUP website, console (/console), CLI, MCP Server, app templates (such as static-web / node-api / python-api), and any new form that may emerge as the technology evolves.

Different forms and versions of CursUP may offer different features; if a feature is not available in a given form/version, the corresponding personal information collection does not apply.

This Policy does not apply to services provided by other third parties (such as third-party SDKs / APIs we embed, or services independently operated by third parties). Personal information processing by such third parties is governed by their own privacy policies. Common third parties include:

• Third-party login providers: Google, Twitter / X, WeChat Open Platform, etc.
• Third-party LLM and AI services: OpenAI, Anthropic, Alibaba Tongyi, etc.
• Third-party code hosting, object storage, CDN, build and log services.
• Other external services you integrate into your own apps or call via MCP.

2. Information we collect and how we use it

When you use the Service, we may need to collect and use your personal information in two categories:

1. To provide the basic features of the Service to you and to fulfill our legal obligations, you must authorize us to collect and use the necessary information. If you refuse, you will not be able to use the Service properly.
2. To provide additional features, you may choose to consent or not to specific information collection. If you refuse, you will not be able to use the corresponding additional features or achieve the intended effect, but it will not affect your use of the basic features.

We obtain your information mainly via two paths: (1) information you actively provide while using CursUP; (2) information automatically collected during your use, such as operation records, call logs, and other system logs.

(1) Registration and login

When you create an account on CursUP, you can register or log in via either of the following:

• Email + password: provide a real, valid email, a display name, and a password of at least 8 characters. Email is used for account identification, password reset, security notifications and business notices (new feature launches, service changes, security alerts, etc.).
• Third-party login: log in via Google, Twitter / X, WeChat or other third-party providers. After authorization, we receive necessary account info from the third party — unique user identifier (OpenID / Sub), display name, avatar, and the email if you actively consented to share it. Use of the third-party account itself is governed by the respective provider's terms and privacy policy.

If you refuse to provide the above, you will not be able to register or log in to a CursUP account.

After signing up, you can set your display name, upload an avatar, link / unlink third-party accounts, and change your password in the console for personalization and security management.

(2) Providing CursUP-related services

1. Code, configuration, docs and prompts you upload or input

The core service relies on what you upload or input. As you use the console, the CLI, or invoke platform tools via MCP (e.g. create app, upload deploy, query status), we need to receive and record the following so that we can deliver the corresponding service:

• App metadata you create or edit: app name, description, runtime type (static-web / node-api / python-api, etc.), environment label (dev / test / prod), version, tags, and so on.
• App code, build artifacts and configuration files you upload, e.g. platform.app.yaml, dependency manifests, build scripts and the source bundle.
• Code repository URL you bind and the OAuth credentials granted (if any).
• Natural-language instructions, prompts, and context documents you input when interacting with the platform AI / agent.
• Environment variables, secrets, and callback URLs you configure as runtime parameters.

Based on your input, we validate, build and deploy the app, and return results powered by generative AI. If you refuse to provide the above, you will not be able to use app creation, deployment, or agent collaboration features.

For your convenience in viewing and management, we record the operations and results and surface them in the console — app list, deploy history, build logs, runtime status, and so on.

2. MCP API Token and MCP calls

To let AI agents (such as Cursor) directly invoke platform capabilities over MCP, you can generate a personal API token under "MCP configuration" in the console. Around MCP calls we process:

• Token metadata: token ID, creation time, last-used time, status (active / revoked). The plaintext token is shown only once at generation time; we store it only as a hash or encrypted value and cannot reveal the plaintext to you or any third party again.
• Call logs: tool name, parameter summary, result summary, source IP, User-Agent, latency, and error info for each MCP tool call — used for security audit, metering, troubleshooting and abuse detection.
• Linked apps and resources: the apps, environments, versions and related resource identifiers involved in the call.

Treat the token like a password. If you suspect the token has leaked, you can rotate it at any time with "Regenerate" in the console; the old token is invalidated immediately.

3. App deploy, build and runtime

When you trigger a deploy via MCP tools or the console, the platform runs the full chain — code validation, dependency install, build, deploy, and access URL provisioning — and produces audit records. In this process we handle:

• Compile output, build logs, and dependency snapshots from the build process.
• Instance status, health checks, error stacks, and performance metrics at runtime (CPU / memory / request volume).
• The access URL assigned by the platform (in the form https://<app>-<env>.cursup.dev) and access logs on that URL (request path, status code, source IP, User-Agent, etc.) for platform operations, metering and security defense.
• Access control policies you configure (auth proxy, allowlist, Basic Auth, etc.).

For data produced by end users on apps you deploy (e.g. content end users submit through your app), the personal information controller is you. See Section 5 below.

4. Interaction feedback

While using CursUP, you can rate AI output, doc samples, or console UX (thumbs up / down) and submit issue reports. Provided the data is de-identified and cannot be re-identified to a specific individual, we collect such feedback to improve service quality and user experience.

5. Sharing and collaboration

When you use app sharing, invite collaborators, or generate access tokens, we may need to read from or write to the browser clipboard for link generation and redirects. If you decline the corresponding permission, the related sharing features will be unavailable.

(3) Interaction history viewing and management

To deliver a continuous and consistent experience and ensure service quality, we record your operation history and dialogue interactions with CursUP, including text you input, info about files you uploaded, and the dialogue topics, app versions and release history derived from them. You can find, copy, export or delete history items you have not yet deleted in the console and the corresponding interaction surface.

(4) Security

To improve service security, protect the personal and property safety of you, other users or the public, and the security of accounts, and to better prevent phishing, fraud, network vulnerabilities, computer viruses, network attacks, intrusions, malicious programs, model abuse, and to more accurately detect violations of laws or our terms, we collect:

• Device and environment info: device type / brand, hardware model, OS name and version, browser name and version, client time, server time, language, IP address, network info, cookies, and reasonable device identifiers.
• Service logs: login logs, operation logs, API call logs, token usage, app runtime logs, app crash / error info, performance data, source pages and redirect paths — used to ensure normal operation and post-event auditing.

We may use or combine the above information to assess account risk, perform identity verification, detect and prevent security incidents, and take necessary recording, auditing, analysis and disposition measures in accordance with the law. If you refuse to provide the information necessary for the above security purposes, we cannot provide the Service to you.

(5) Operations analysis

We may use service log info (your browser info and type, the date/time of your requests, and how you interact with the CursUP website and console), usage info (location, client date and access time, server date and access time, device type, network info), device info (operating system and browser type), cookies and other online analytics data to help us analyze how users use the Service and improve your experience. This analysis is done with as much de-identification and aggregation as possible.

(6) Customer support

You can request support via the in-console "Help / Contact" entry, the official email ([email protected]), and similar channels. To protect your personal information, we may ask you to provide identity verification information when you start an inquiry; you may also need to provide a problem description and relevant logs or screenshots. We record and analyze this information to respond promptly and to improve the Service. If you refuse to provide the above, we may not be able to provide support, but it will not affect your use of CursUP's basic features.

(7) Features that rely on system permissions

While using CursUP, we may request browser- or OS-level permissions for your convenience. Even after you grant such permissions, CursUP will not collect the corresponding info while the related feature or service is not in use. You may choose not to grant the permission; this will not affect basic features but you may miss the additional UX benefits.

You can review and manage these permissions in your browser or system settings. After you turn off a permission, we will stop collecting and using the corresponding personal information based on it, but this does not affect collection and use already performed under prior authorization.

(8) Other rules of collection and use

You understand and agree that, in addition to information whose collection we explicitly disclose in the scenarios above, we will, when applicable, separately make the content, scope and purpose of collection clear via page hints and interactive design and obtain your consent.

According to applicable law, we may collect and use your personal information without your consent in the following situations:

1. where necessary to enter into or perform a contract to which you are a party;
2. where necessary for us to perform statutory duties or obligations;
3. where directly related to national security or national defense;
4. where directly related to public security, public health, or major public interest;
5. where directly related to criminal investigation, prosecution, trial, or judgment enforcement;
6. to protect your or another individual's life, property, or other major lawful interests where consent is hard to obtain;
7. to collect, within reasonable limits, personal information that you have made public yourself, in accordance with the law;
8. to collect, within reasonable limits, personal information from lawfully and publicly disclosed sources, in accordance with the law;
9. where necessary to maintain the safe and stable operation of the products or services, e.g. detecting and handling product or service failures.

3. Cookies and similar technologies

To keep the website running and give you a smoother experience, we store small data files called cookies on your device. Cookies typically contain identifiers, the site name, and some numbers and characters. We can only read cookies we serve. With cookies, the console maintains your login state, remembers your preferences (theme, language, list expansion, etc.), and helps detect abnormal logins to defend against account theft and fraud.

The cookies we use mainly include:

• Strictly necessary cookies: for session, CSRF protection, load balancing, and login. Required for basic features and cannot be turned off.
• Preference cookies: record your language, theme, list filters and other personalization.
• Analytics cookies: aggregate access and performance data to help us improve the console.

You can manage or clear cookies via your browser settings, but if you reject strictly necessary cookies you will not be able to log in or use the console properly. Apart from cookies, we may use web beacons, pixel tags, local storage (LocalStorage / IndexedDB) and similar technologies for the purposes above. We pledge not to use cookies or similar technologies for any purpose other than those described in this Policy.

Manage your cookie preferences: you can click here anytime to reopen the cookie preferences panel and adjust your consent for preference / analytics / marketing cookies. Changes take effect immediately and are stored locally for 12 months.

4. Sharing, transfer and public disclosure

(1) Partners involved in data use

1. Basic principles

• Lawful, legitimate, and minimum-necessary: data processing must have a lawful basis and a legitimate purpose, and must be limited to the minimum scope needed to achieve that purpose.
• Maximum user knowledge and choice: we fully respect users' right to know and to decide how their personal information is processed.
• Strongest possible security guarantees: we take necessary measures to protect the personal information we process, carefully evaluate partners' purpose of use and security capabilities, and require them by contract to follow comparable security requirements.

2. Entrusted processing

We may entrust authorized affiliates or partners (collectively "authorized partners") to process your personal information on our behalf to provide certain services or functions for you. Authorized partners can only access information necessary to perform their duties; we require them by contract not to use such information for any purpose beyond the entrustment. Currently, our authorized partners primarily include:

• Cloud and infrastructure providers: server hosting, object storage, CDN acceleration, database and log services — the infrastructure that supports your app deployment and platform operation.
• Build and runtime providers: code build, image management, container scheduling, and similar.
• Third-party LLM / AI providers: when you use features that involve AI inference, your input and context will be transmitted to the corresponding model provider (e.g. OpenAI, Anthropic, Alibaba Tongyi) as required by the technology. Such data processing is governed by the third party's own privacy policy.
• Customer-support partners: assist us in responding to your tickets and email inquiries.
• Analytics, security, and anti-fraud providers: anomaly detection, abuse interception, anti-bot, and platform health analysis.

3. Sharing

In principle, we will not share your user information with other organizations or individuals, except in the following situations:

1. With your explicit consent: we will share your user information with others after obtaining your explicit consent.
2. Sharing necessary to fulfill statutory obligations: we may share your user information externally pursuant to laws, litigation, arbitration, or lawful requests from administrative or judicial authorities.
3. Sharing necessary to enter into or perform a contract to which you are a party: certain modules or features of the platform are provided by partners. We will, on lawful, legitimate, and necessary basis, provide them only the personal information needed to deliver the service.
4. Use for security and analytics: to safeguard accounts and the platform, we and our partners may need to use necessary device, account and log info; for service usage analysis and UX improvement, we may use statistical data that is hard to associate with an individual identity.

(2) Transfer

We will not transfer your personal information to any company, organization or individual, except:

1. with your explicit consent;
2. where the CursUP service provider undergoes a merger, acquisition, or bankruptcy liquidation that involves the transfer of personal information, in which case we will require the new holder to remain bound by this Policy; otherwise we will require that company, organization or individual to seek your authorization again.

(3) Public disclosure

We will only publicly disclose your personal information in the following situations:

1. with your explicit consent or based on your active choice — for example, you choose to publicly publish your app, template or documentation;
2. where we determine that you have violated laws or seriously violated CursUP terms or rules, or to protect the personal and property safety of the service provider, its affiliates' users, or the public from harm, we may, subject to your consent or where permitted by law, disclose your personal information per applicable laws or CursUP service rules, including the violations and the measures CursUP has taken against you.

(4) Service shutdown

If we cease operating the CursUP service, we will promptly stop further collection of your personal information. We will notify you of the shutdown via in-product messages, email or announcements, and delete or anonymize the personal information we hold related to the service being shut down.

(5) Exceptions to consent for sharing, transfer, or public disclosure

In the following situations, sharing, transferring, or publicly disclosing your personal information does not require your prior consent:

1. where necessary for our performance of statutory duties or to respond to instructions of government authorities;
2. where related to national security or national defense;
3. where related to public security, public health, or major public interest;
4. where related to criminal investigation, prosecution, trial, or judgment enforcement;
5. to protect your or another individual's life, property, or other major lawful interests where consent is hard to obtain;
6. personal information you have made public yourself;
7. collected from lawfully and publicly disclosed sources;
8. where necessary to enter into or perform a contract to which you are a party.

5. Apps you publish and end users

When you create and publish an app, workflow, or MCP integration through CursUP and open its access URL (e.g. https://<app>-<env>.cursup.dev) to platform-internal or external end users, please note:

1. You are the personal information controller / data controller for the relevant end users: personal information generated by end users in your published app (content they enter, files they upload, business data, etc.) is processed at your discretion as to purpose, method, and scope, in accordance with the law.
2. You shall publish your own privacy policy to end users in accordance with the law, and separately obtain end-user authorization for items that require separate consent.
3. We act only as your entrusted processor: we perform technical data-processing work — infrastructure, runtime, security defense, audit logging — within the scope of the CursUP Terms and the contract with you. We will not use end-user data collected through your app for purposes outside this Policy.
4. If end users assert rights regarding personal information generated in your app (e.g. access, correction, deletion), in principle you, as the controller, respond directly. We will provide reasonable assistance upon your reasonable request.

6. Your rights

In accordance with the laws and standards of the People's Republic of China and common practice in other jurisdictions, we safeguard your rights over your personal information as follows. We will respond to your requests to the extent required by law.

(1) Access, correction, and supplementation

You may, by signing in to the account center or in the corresponding console screen, view, correct, and supplement your account information, app information, token metadata, and similar.

(2) Copy

You can sign in to the console or use the interaction surface to copy information you need — for example, export app config or download an operation log summary.

(3) Deletion

You can sign in to the console to delete the corresponding apps, tokens, configuration, or interaction history, or apply for account deactivation to delete all of your personal information.

You may request deletion of your personal information in the following situations:

1. our processing violates laws or regulations;
2. we collected or used your personal information without your explicit consent;
3. our processing materially breached our agreement with you;
4. the processing purpose has been achieved, can no longer be achieved, or is no longer necessary to achieve;
5. we cease providing the Service, or the retention period has expired.

If we decide to honor your deletion request, we will also, as far as possible, notify entities that obtained your personal information from us and ask them to delete it promptly (unless laws require otherwise or those entities obtained your authorization independently). After we or you delete the relevant info, applicable law and security technology may prevent immediate deletion from backup systems; we will store the personal information securely and limit any further processing until backups can be cleared or anonymized.

(4) Changing the scope of authorization

You may change or withdraw the scope of your authorization for us to process your personal information by unlinking third-party accounts, turning off permissions, withdrawing specific authorizations, or contacting us. After you withdraw consent, we will stop processing the corresponding personal information. However, your withdrawal of consent does not affect personal information processing already performed under prior authorization.

(5) Account deactivation

You can submit an account deactivation request in the console or via [email protected]. After deactivation, apps you published will stop running, access URLs will be reclaimed, and tokens already issued will be revoked immediately. After you actively deactivate your account, we will stop providing the Service to you and delete or anonymize your personal information, except where laws or industry rules require otherwise.

(6) Responding to your rights requests

You, your guardian (where applicable), close relatives, or other authorized parties may submit the requests above and assert your personal information rights under the laws of the People's Republic of China and other applicable laws via [email protected]. We will respond within 15 days.

To safeguard the security of your account and personal information, we may verify your identity (e.g. with extra account checks, written request, or other reasonable means) before processing your request.

For reasonable requests, we generally do not charge a fee, but for repeated requests beyond reasonable limits we may charge a reasonable fee. We may decline requests that are unrelated to your identity, are repeated without reasonable cause, require excessive technical effort (such as developing new systems or fundamentally changing existing practices), pose a risk to others' lawful rights, or are impractical.

(7) Exceptions to responding to your rights requests

We may decline your rights requests above in the following situations:

1. related to our performance of statutory duties;
2. directly related to national security or national defense;
3. directly related to public security, public health, or major public interest;
4. directly related to criminal investigation, prosecution, trial, or judgment enforcement;
5. where we have sufficient evidence that you or another data subject acts maliciously or abuses your rights;
6. to protect your or another individual's life, property, or other major lawful interests where consent is hard to obtain;
7. where responding would seriously damage your, another data subject's, or an organization's lawful rights and interests;
8. where it involves trade secrets.

7. Storage and security

(1) Retention period

We will only retain your personal information for the period necessary to fulfill the purposes described in this Policy, unless laws require longer retention. Specifically:

• Basic account information: kept while your account is valid; deleted or anonymized after account deactivation.
• App code and configuration: kept until you delete the app; after deletion the app enters a recycle period (no longer than 30 days) so you can undo, after which it is irreversibly deleted.
• Call logs, build logs, runtime logs: typically retained for 90 days; for security audit or legal requirements, some logs may be retained for up to 3 years.
• Billing and transaction data: retained for the period required by laws such as the E-Commerce Law and the Accounting Archives Management Measures.

After the retention period, we will delete or anonymize your user information as required by applicable law.

(2) Storage location

Personal information generated or collected within the People's Republic of China is stored on servers within China. Unless we obtain your separate consent, or it is necessary to perform a contract with you, or comply with legal obligations or other situations stipulated by law, we will not provide any of your personal information overseas.

(3) Storage security

1. Technical data-protection measures

We have adopted industry-standard, reasonably feasible security measures to protect your information from unauthorized access, public disclosure, use, modification, damage, or loss. These include but are not limited to: encryption in transit and at rest (HTTPS / encryption at rest), irreversible hashed storage of API tokens and secrets, strict access control with the principle of least privilege, audit logs of operations, and regular security drills and penetration testing.

Although we have taken reasonable and effective security measures as required by laws and regulations, due to technical limitations and the existence of malicious means, we cannot guarantee 100% information security. Please understand that the systems and communication networks we provide may experience issues caused by factors beyond our control. We therefore strongly encourage you to take active measures to protect your personal information — use strong passwords, do not disclose your account password to others, do not commit tokens to public repositories, and so on.

2. Organizational data-protection measures

We have established a data security management system centered on data and the data lifecycle, raising the security of personal information from organizational, institutional, personnel, and technical dimensions. We continually strengthen employees' awareness of the importance of protecting personal information through training and exams.

3. Incident response

If our physical, technical, or managerial protections are compromised and information is accessed, disclosed, altered, or destroyed without authorization, harming your lawful rights, we will activate our incident response plan promptly and take reasonable, necessary measures to minimize the impact on you. In the event of a personal information security incident, we will inform you of the basic situation and possible impact, the disposition measures we have taken or will take, suggestions for self-defense and risk mitigation, and remedies available to you, in accordance with laws. We will inform you via in-product messages, email, phone, push notifications and other reasonable channels; where individual notification is hard to achieve, we will issue an announcement via reasonable and effective means. We will also report the disposition of the incident to regulators as required.

4. Account security risk prevention

Please safeguard your personal information; do not disclose unnecessary personal information through the Service. If you are concerned that your personal information — especially your account, password, or API token — has leaked, please immediately rotate the token via the console, change your password, and contact us for further measures.

8. Minors

We primarily provide CursUP services to adult developers and enterprise users. Nevertheless, we attach great importance to the protection of minors' personal information. If you are a minor, we ask that your parents or other guardians read this Policy carefully and that you use the products or services and provide information to us only with their consent. If you are a parent or other guardian, please pay attention to whether the minor is using the Service with your authorization. Contact us if you have questions about personal information.

Limited by current technology and business practices, it is hard for us to actively identify minors' personal information at registration. If you are the guardian of a minor and discover that we have obtained the minor's personal information without authorization, please contact us via the channels in this Policy. We will verify upon receipt of notice and, if confirmed, delete or anonymize the relevant information promptly. If we discover such situations during our own review, we will also proactively delete or anonymize the relevant personal information.

9. Updates to this Policy

To deliver a better service experience, we continually improve our technology. We may update this Privacy Policy and notify you of the updated content via in-product notices, email, or other appropriate means so you can stay informed of the latest version. However, without your explicit consent we will not restrict the rights you enjoy under this Policy.

For material changes (including but not limited to: a material change in service mode, a change in the purpose of personal information processing, a change in the principal recipients of sharing / transfer / public disclosure, a material change in your rights of participation in personal information processing and how to exercise them, a change in the personal information security responsible department or contact, or where the personal information security impact assessment indicates high risk), we will provide more conspicuous notification (including via in-product popup, email, etc.) and obtain your consent in accordance with applicable laws.

10. Contact us

If you have questions, comments, or suggestions about the content of this Policy, or wish to exercise the rights described in Section 6, contact us via:

• Personal information protection and rights requests: [email protected]
• General inquiries and product support: [email protected]
• IP / abuse complaints: [email protected] (please provide proof of rights ownership, the location and type of the alleged infringement, and preliminary evidence)

We will respond to your request within 15 days (please note that the request relates to the CursUP service and describe the specifics). Note: we may not reply to questions that are unrelated to this Policy or your personal information rights.

If you are dissatisfied with our reply, especially if you believe our personal information processing has harmed your lawful rights, you may also seek resolution by bringing an action before a competent court at the location of the defendant.

11. Appendix: definitions

• CursUP: the CursUP platform and its related products and services, including the official website, console, CLI, MCP Server, app templates, and similar.
• Service provider / we: the CursUP team and its subsequently designated operating entities.
• Affiliates: affiliates of the CursUP service provider.
• End user: a natural person or organization who accesses related services through an app, workflow, or MCP integration you publish on CursUP.
• Personal information: any information related to an identified or identifiable natural person, recorded electronically or otherwise, excluding anonymized information.
• Sensitive personal information: personal information that, once leaked or used unlawfully, may readily harm a natural person's dignity or jeopardize personal or property safety, including biometrics, religious beliefs, specific identity, medical and health, financial accounts, location and trajectory, and personal information of minors under 14.
• Children: minors under the age of 14.
• De-identification: the process of processing personal information so that it cannot identify a specific natural person without additional information.
• Anonymization: the process of processing personal information so that it cannot identify a specific natural person and cannot be restored.
• API Token: an access credential generated under "MCP configuration" in the console for authentication; any operation performed using this token is treated as your own action or one authorized by you.
• Cookie: a client-side storage and identification technology widely used on the internet. While you use the Service, we may send one or more cookies or anonymous identifiers to your device to collect, identify, and store information about your use of our products.

// This is the English translation. In case of any discrepancy with the Simplified Chinese text, the Chinese version shall prevail.