Privacy Policy
Last Updated: July 10, 2026 · Version 1.0
This Privacy Policy explains how 404bus (“cursor2api,” “we, ” “us”) collects, uses, and protects personal data in connection with the cursor2api desktop application, its local gateway, the website at cursor.404bus.com, and the licensing infrastructure that backs them. The policy is written to satisfy the transparency requirements of the EU/UK General Data Protection Regulation, the California Consumer Privacy Act, and comparable frameworks. It applies to individuals in every jurisdiction where the Service is available.
1. Data Controller
The data controller for personal information processed under this policy is:
404bus
Contact: hello@404bus.com
If you are located in the European Economic Area, the United Kingdom, or Switzerland and have concerns about our processing, you may also lodge a complaint with your local data-protection authority. We would appreciate the chance to address concerns directly before you do so.
2. Personal Information We Collect
2.1 Information you provide directly
- Email address — supplied at checkout to receive your CDK, refund confirmations, and security notices.
- CDK — the licence key we issue you. A CDK is not personal data on its own, but it functions as an identifier that we associate with your email address.
- Support correspondence — the content of any email, chat, or form message you send us.
2.2 Information collected automatically by the desktop app
When you activate or refresh a licence, the desktop application transmits the following to our activation endpoint:
- Hashed machine identifier —
sha256(IOPlatformUUID). The hash cannot be reversed to the original identifier; it is used to distinguish devices for the two-device concurrency limit. - Machine name — the human-readable name that appears in the in-app fleet view, chosen by you.
- Application version — for compatibility enforcement and security patch tracking.
- Anonymous crash counts — an integer counter for unhandled exceptions since the last successful launch, with no stack traces, no file paths, no prompts, and no identifiers.
We do not log your IP address to the database. Incoming request IPs are used only in ephemeral rate-limit and abuse- detection layers and are not persisted alongside your record. We do not embed Google Analytics, Meta Pixel, TikTok Pixel, or any other third-party tracker on the website or in the desktop application.
2.3 Information collected by Waffo Pancake at checkout
Payment information — including cardholder name, card number, expiry, CVV, billing address, and tax identifiers — is collected and processed by Waffo Pancake, our Merchant of Record, under its own privacy policy. Waffo Pancake is PCI-DSS certified. We do not receive or store card data. What we do receive from Waffo is a transaction identifier, the country of billing, the currency of the transaction, and the email address you provided at checkout.
2.4 What stays on your device
The prompts you send, the source code you route through the cursor-proxy sidecar, and the responses returned by upstream AI providers do not touch our servers. The gateway runs on your Mac and connects directly from your machine to the upstream backend you configure (by default the Cursor cloud). We have no visibility into that traffic.
3. How We Use Personal Information
We process personal information for the purposes and legal bases set out below.
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Issue a CDK, deliver receipts, honour refund requests | Email, CDK, transaction identifier | Performance of contract |
| Enforce the two-device concurrency limit | Hashed machine identifier, machine name | Performance of contract |
| Push compatibility and security updates | Application version | Legitimate interest in secure, working software |
| Diagnose and improve stability | Anonymous crash counts | Legitimate interest in service quality |
| Answer support requests | Support correspondence | Performance of contract; legitimate interest |
| Prevent fraud, abuse, and unauthorised use | Ephemeral request IP, CDK usage patterns | Legitimate interest in service integrity |
| Meet tax, accounting, and other legal obligations | Transaction metadata received from Waffo Pancake | Legal obligation |
We do not engage in solely-automated decision-making that produces legal or similarly significant effects concerning you.
4. Cookies and Similar Technologies
The website uses the minimum amount of client-side state necessary to render pages correctly and to remember one preference. We do not set marketing, retargeting, or third-party analytics cookies.
- Strictly necessary — session storage used by Next.js to serve the correct static assets. No persistent identifier.
- Functional — the dark-mode preference is stored in
localStorageunder the keyc2a-theme. It is not a cookie; it never leaves your browser and is not read by our servers. - Marketing — not used.
- Third-party analytics — not used.
The desktop application does not use cookies. Its only persistent state is a small on-disk configuration file under your macOS Application Support directory.
5. Sharing and Disclosure
We do not sell your personal information. We do not share it with advertising networks, data brokers, or any party seeking to build a profile about you. We disclose personal information only in the limited circumstances described below.
- Payment processor — Waffo Pancake. Waffo Pancake is our Merchant of Record and receives the information required to process your payment and remit taxes.
- Server hosting. Our activation endpoint and SQLite database run on virtual servers provided by our infrastructure vendor, which acts as a processor on our behalf and has no independent right to use the data.
- Email delivery. Transactional email (receipt confirmations, refund confirmations, security notices) is sent through a third-party email provider under a data- processing agreement. Address: hello@404bus.com.
- Legal and safety. We may disclose information when required by valid legal process, when necessary to enforce these Terms, or to protect the rights, property, or safety of cursor2api, our users, or the public.
- Business transfer. If cursor2api is acquired or merges with another entity, personal data may transfer as part of that transaction. We will notify you before your data becomes subject to a materially different privacy policy.
6. Data Security
We take administrative, technical, and organisational measures appropriate to the sensitivity of the data we hold. In particular:
- all traffic to our activation endpoint is served over TLS with modern cipher suites and HSTS, and non-TLS requests are redirected;
- licence tokens are issued as short-lived, server-signed
Ed25519signatures — we never store user-facing passwords and there is no long-lived bearer token to steal; - our SQLite database file lives on an encrypted volume; backups are encrypted at rest with a separately managed key;
- access to the production database is restricted to named operators on a least-privilege basis, gated by SSH keys and two-factor authentication;
- we log administrative access and review the log periodically;
- software dependencies are updated on a schedule, with critical security patches applied out of band;
- in the event of a personal-data breach with a likely risk to individuals we will notify affected users and, where required, the competent supervisory authority within seventy-two (72) hours of becoming aware.
No system is perfectly secure. If you discover a vulnerability, please report it responsibly to hello@404bus.com before public disclosure. We commit to acknowledging good-faith vulnerability reports within five (5) business days and to coordinating a disclosure timeline with the reporter.
7. Data Retention
- Activation records (email, CDK, hashed machine identifier, machine name, application version) — retained for as long as the CDK is active, plus up to ninety (90) days after account deletion or CDK revocation, then purged from the primary database and from backups on the normal rotation.
- Transaction records received from Waffo Pancake — retained for up to seven (7) years to satisfy tax, VAT/GST, and accounting obligations.
- Support correspondence — retained for up to two (2) years so we can follow up on repeat issues, then deleted or anonymised.
- Crash counts — retained in aggregated form only; not linked to your identity.
8. Your Data Rights
Depending on where you live, you may have the following rights under the GDPR, UK GDPR, or comparable laws:
- Right of access — obtain a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate data.
- Right to erasure — request deletion, subject to legal retention obligations.
- Right to restriction — ask us to pause processing while a dispute is resolved.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on our legitimate interests.
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint — with your local data-protection authority.
If you are a California resident, the CCPA and CPRA additionally give you the right to know what categories of personal information we collect, the right to delete, the right to correct, and the right to opt out of any sale or sharing of personal information for cross-context behavioural advertising. As noted above, we do not sell or share personal information for such purposes, so this opt-out is effectively pre-exercised for all users.
To exercise any right, send a request from the email address on your account to hello@404bus.com. To protect against fraudulent requests we may ask you to confirm your purchase reference, the approximate purchase date, or the machine name shown in your in-app fleet view; we will never ask for your full CDK, payment details, or password over email. We aim to acknowledge every request within five (5) business days and to resolve it within thirty (30) days. If a request is complex we may extend that period once by a further sixty (60) days, in which case we will explain the reason. We will not discriminate against you for exercising a right and we do not charge a fee for the first request in any twelve-month period.
If you would like an authorised agent to act on your behalf under the CCPA, we require a signed permission from you and independent verification of your identity. Agents acting on behalf of a business or a minor should contact us in advance so that we can agree an appropriate procedure.
9. Marketing and Opt-Out
We do not run a marketing programme. We do not send newsletters, promotional emails, upsell campaigns, or third-party marketing on behalf of others. The only email you will receive from us is:
- a receipt and CDK when you purchase;
- a refund confirmation when applicable;
- security or compatibility notices that materially affect the software you have licensed (for example, a mandatory update to fix a vulnerability);
- a direct reply to a support message you have sent us.
Because these messages are transactional and service-related, they are sent under our legitimate interest and, where applicable, our legal obligation to communicate about a product you have purchased. You may still ask us to stop sending them by writing to us; note that opting out of security notices may affect the safety of your installation.
9a. Website Visitor Data
The public marketing pages at cursor.404bus.com are statically generated and served through Cloudflare’s edge network. Cloudflare processes request metadata (IP address, user agent, requested URL, timestamp) transiently in order to route traffic, apply rate limits, and mitigate denial-of-service attacks. This processing is governed by our contract with Cloudflare and by Cloudflare’s own privacy policy. We do not retain a website-visitor log on our servers; there is no analytics database keyed on visitor identity.
10. International Data Transfers
Your activation data may be transferred across borders to reach our activation endpoint and support desk. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that does not have an adequacy decision, we rely on the European Commission’s Standard Contractual Clauses (module 2, processor onward transfer where applicable), supplemented by the technical safeguards described in Section 6.
The following vendors process personal data on our behalf across borders:
- Waffo Pancake — payment processing (Merchant of Record).
- Cloudflare, Inc. — edge protection, TLS termination, and DNS for the website and activation endpoint.
11. Children’s Privacy
The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us at hello@404bus.com and we will delete it.
12. Third-Party Links
The website and documentation link to third-party resources, including GitHub repositories, editor and IDE vendors, and upstream AI providers such as Cursor. Those third parties operate under their own privacy policies, which we do not control. We recommend you review their policies before providing them with personal information.
13. Changes to This Policy
We may revise this Privacy Policy from time to time. Material changes — for example, adding a new category of recipient, using data for a new purpose, or extending retention — will be announced on the website at least fifteen (15) days before they take effect, and, where reasonably possible, notified to licence holders by email. The date at the top of this policy indicates the latest revision.
14. Contact
Privacy questions, data-rights requests, and complaints can be addressed to:
404bus
hello@404bus.com
Payments. Payments are processed by Waffo Pancake (Merchant of Record). Waffo handles PCI-DSS compliance, VAT/GST/sales-tax collection, and remittance in supported jurisdictions.
This document is provided as-is. Consult a qualified attorney for advice specific to your jurisdiction.