⚠ Key Privacy Concerns

Under the Notice, Perplexity processes what you type as User Content, including prompts, queries, and uploads, and lists using data to improve or create services and products, including its AI models. If you use the Comet browser with a synced account, the Notice states that depending on your settings Perplexity records your browsing history and tracks your use and engagement, which makes Comet a much larger collection surface than the chat box alone. Sharing extends to advertising partners for targeted advertising (framed as not a sale for money), and deletion requests are granted only if required by law, with legal, dispute, enforcement, and other business purposes listed as reasons to keep data. Automated assessment, as of July 8, 2026.

What Should I Do? Action Plan

Pick the column that matches you. Settings labels reflect Perplexity's published Notice and product pages as of July 8, 2026; the company relabels screens, so confirm the wording in your own account.

👤 Everyday user

Free or Pro, search and questions
  • Handle the cookie pop-up deliberately: the Notice says you can opt out of website targeted advertising "through the cookie consent pop-up that appears when you visit a Perplexity webpage", and the choice is stored locally, so redo it if you clear your cache or switch browsers.
  • Turn on Global Privacy Control in your browser. Perplexity states it recognizes GPC signals as a valid opt-out where required by law; it does not honor the older Do Not Track signal.
  • Check your account settings for AI data controls. The Notice's Your Choices section does not describe a dedicated AI-training opt-out, so verify what toggles your account actually offers before assuming one exists.
  • Use Incognito for sensitive sessions in the app or on the site; the Notice describes it as not saving your search activity across sessions, not as invisibility.
  • Keep names, account numbers, and health details out of prompts. The Notice itself lists "sensitive information you choose to provide as input or prompt content" among the sensitive data it collects.

💼 Business / professional user

Client data, internal docs, regulated info
  • Do not run client or regulated data through the consumer product. The companion terms review flags that the consumer license is personal and non-commercial only.
  • Use the Enterprise or API channel for work data: the Notice states it does not apply there because Perplexity acts as a service provider or processor for that data, which is the posture you want, in writing, with a DPA.
  • Treat Comet like an employee monitoring question: a synced browser that records browsing history does not belong on machines that touch client matters without a policy decision.
  • If your team handles EU or UK personal data, note the DPF certification and ask for the Standard Contractual Clauses the Notice offers on request.
  • Write an internal AI-use policy: which tools, which tier, and a ban on client PII in consumer AI products.

⚠ Already affected

Data exposed, request denied, account gone
  • Send a written access or deletion request to support@perplexity.ai. Expect identity verification; the Notice says most requests require proving your identity.
  • Denied? The Notice gives you an appeal: contact them again "with the subject line “Appeal.”" Keep copies of everything.
  • Know the limits before you demand: deletion is promised only if required by law, and backups may be kept as permitted by law. Frame requests under a specific statute (CCPA/CPRA, GDPR) when one applies to you.
  • EU or UK resident? The Notice names a DPO arrangement and DPF dispute resolution, and you can complain to your local supervisory authority if unsatisfied.
  • If a denial or exposure caused real harm, a written demand letter citing the applicable privacy statute is often the next lever; document dates and responses first.
The single most reliable control is what you do not type. The Notice's choices are real but bounded: rights are expressly framed as not absolute, deletion has carve-outs, and the ad-tracking opt-out is stored locally and per-browser. Data you never submit cannot be processed, shared, retained, or produced. Automated assessment, as of July 8, 2026.

Want the formal-demand route? See my AI training-data-use demand letter templates and CCPA/CPRA privacy-rights demand letters.

Data They Collect

What the Notice says Perplexity gathers, scored by category. Automated assessment, as of July 8, 2026.

📊 Data Collection Scope (25%) 42/100

What the Notice lists: account details and actions while logged in; prompts, queries, uploads, and generated output (User Content); device data and IP-based general location; voice data if you use speech features; demographics such as age, race, or religion if you choose to upload them; health data through Perplexity Health; Comet browsing history when synced (settings-dependent); and email content if you link the Email Assistant.

👥 Third-Party Sharing (20%) 38/100

Who the Notice says can get your data: the Company Group (affiliates), service providers, business partners (including where you got access through a third-party promotion), professional service providers such as auditors and lawyers, advertising partners (identifiers, commercial information, internet activity, and geolocation appear in the targeted-advertising column of the policy's own table), law enforcement for legal compliance, and an acquirer, including a company that merely "enters negotiations" to acquire the business.

🕐 Retention & Deletion (20%) 42/100

How long: no fixed periods. The Notice keeps data "as long as necessary" for its purposes unless a longer period is required or permitted by law, weighs factors like sensitivity and risk to set retention, allows backup retention, and grants deletion requests only if required by law, with carve-outs for legal obligations, disputes, enforcement, and other business purposes.

☑ User Control & Consent (15%) 45/100

Your control: access and portability, a list of third-party recipients on request, correction, deletion (bounded as above), objection and restriction, consent revocation, cookie pop-up and GPC opt-outs for targeted ads, app-level ad settings, Comet privacy settings, and Incognito. The Notice states the rights are not absolute, and its Your Choices section does not describe a dedicated AI-training opt-out control.

🔒 Security & Breach (10%) 40/100

Security: the Notice commits to reasonable efforts and expressly states it cannot guarantee security, with breach notification made electronically, in writing, or by phone as the law permits. Responsibility for password strength and account access sits with the user. The methodology scores design candor, not incident history.

🔍 Transparency & Access (10%) 38/100

Clarity: the Notice is genuinely detailed on collection contexts and recipient categories, and the DPF certification adds an external accountability layer. What holds the score down: AI training gets one line ("including our AI models") with no detail on what trains, no named vendors or model providers, and no published retention schedule.