Privacy & Data

Privacy & Data Settings

Configure aggregation thresholds, data collection sources, individual opt-outs, and audit log access.

3 min read

Cursus is built on an aggregation-first design. Individual-level behavioral data is architecturally prevented from surfacing in any view, API response, or AI output. This page explains the settings that control privacy behavior.

What "aggregation-first" means

Every metric in Cursus — readiness scores, change load, network centrality, organizational climate — is computed at the group level, not the individual level. Before any score is calculated and displayed, the platform checks that the underlying group meets the minimum size threshold.

Groups below the threshold show "Insufficient data" rather than a score. This applies in the UI, in API responses, and in Lumen AI outputs. There is no admin override that bypasses this check.

Aggregation threshold

The default threshold is 5 people. This means no metric is computed or displayed for any group with fewer than 5 members.

Administrators can increase this threshold in Settings → Privacy & Data → Aggregation Settings. The threshold cannot be set below 5. Increasing it strengthens privacy protection at the cost of coverage for smaller teams.

If your organization has compliance requirements (GDPR, CCPA, SOC 2) that require a higher threshold, configure it here before connecting any data sources.

Configuring data collection sources

Each ambient data source must be explicitly enabled. Go to Settings → Privacy & Data → Data Sources:

  • HRIS — Organizational structure (always required)
  • Email metadata — Frequency and direction of communication, never content
  • Teams/Slack metadata — Channel activity patterns, never message content
  • Calendar metadata — Meeting frequency and patterns, never meeting content or attendees
  • ERP telemetry — Login frequency and feature usage, never transaction data

Each source has an independent on/off toggle. Enabling a source does not collect content — metadata only, unless the organization has separately configured a content opt-in (a distinct, higher-friction process).

Individual opt-out

Every employee can opt out of ambient data collection independently. Opt-out is self-service via their profile settings or the "What Cursus knows about me" view at /settings/privacy/my-data.

Opt-out is immediate and complete:

  • The employee is excluded from all future ambient signal collection
  • Historical ambient signals attributed to that employee are removed from computations
  • Survey participation remains voluntary and separate from ambient opt-out

Opted-out employees do not appear as a distinct signal in group scores — their absence is not detectable from aggregate views.

"What Cursus knows about me"

All employees (not just Cursus users) can access this view. It shows:

  • What structural data is held (job title, department, reporting line from HRIS)
  • Which ambient signal sources have collected data
  • A summary of survey participation (yes/no — not response content)

From this view, employees can submit a data export request (GDPR Art. 15) or initiate data deletion (GDPR Art. 17). Both are self-service and rate-limited.

Audit log

Administrators can access the full audit log in Settings → Privacy & Data → Audit Log. The log is append-only and records:

  • All data source enable/disable events
  • All threshold changes
  • All data export and deletion requests
  • All user role changes

The audit log cannot be edited or deleted by any user, including admins.

All docsHave a question? Contact us →