A new business developer wants to understand a prospect before a call. Instead of a normal search, she opens Perplexity and types the full context: the company name, the contact's name, what she heard about their contract dispute, and the deal size she is hoping to land. Perplexity gives her a crisp, well-sourced briefing.
It felt exactly like Googling. That is the problem. She had just pasted a named individual, commercial-in-confidence details, and her own internal strategy into an AI service that, on her free account, may use her queries to train its models and keeps her history until she deletes it.
Nobody told her she was doing anything different from a web search. The interface certainly did not. And that gap - between how Perplexity feels and what it actually is - is where its privacy risk lives.
Is Perplexity safe for business data?
For general research, it is a useful tool. As a place to put confidential context, the consumer version is not what it appears to be. Perplexity is an "answer engine" that browses the web and composes a response - but unlike a search engine, it ingests your full query as input to an AI system. On Free and Pro tiers, those queries can be used to train its models by default, and your history persists until you remove it.
There is a genuinely different tier: Perplexity Enterprise offers no training on customer data, zero data retention, SOC 2, and a data processing agreement. But most employees are not on it - they are on a personal account, where the search-box feel quietly invites them to paste things they would never send in an email.
The risk is not that Perplexity is uniquely careless. It is that it feels private, and the consumer terms are not.
How Perplexity handles your data
| | Free / Pro (consumer) | Enterprise |
|---|---|---|
| Used to train models | Yes, by default | No (contractual) |
| Data retention | Until you delete | Zero data retention available |
| Data processing agreement | No | Yes |
| Processing location | US infrastructure | US, with EU options to confirm |
| Admin controls | None | SSO, history controls, ZDR |
Free and Pro accounts are consumer products. Queries may be used to improve models unless you turn off the AI data retention setting, and that opt-out only affects future data. Uploaded files are kept for a period; history stays until deleted. There is no processor agreement standing behind any of it.
Perplexity Enterprise / API is the business product, with contractual no-training, zero data retention, SOC 2, SSO, and a DPA incorporating Standard Contractual Clauses. Default processing is US-centric; EU residency for Enterprise should be confirmed with Perplexity. The difference between the two tiers is not cosmetic - it is the difference between having and not having a lawful basis to process client data.
The biggest privacy risks in Perplexity
1. The search-box illusion
The headline risk. People paste named, confidential context into Perplexity precisely because it feels like a search engine. The same person who would carefully redact an email types a prospect's full situation into the answer box without a second thought.
2. Training on consumer queries by default
On Free and Pro, your queries can feed model training unless you have changed the setting. Most users never open that setting, so the default quietly governs.
3. "Incognito" that isn't private from the vendor
Incognito keeps a chat out of your library and expires it, but it does not make the query invisible to Perplexity or stop vendor-side processing. Employees who use it for sensitive questions, believing it is private, are mistaken.
4. Agentic browsing risk (Comet)
Perplexity's Comet browser introduced a new exposure: security researchers showed it could be hijacked by hidden instructions on a web page (indirect prompt injection), potentially acting in the user's logged-in accounts. An agent that browses on your behalf is a larger attack surface than a chatbot.
5. The crawler trust question
In 2025, Cloudflare reported Perplexity used stealth crawlers to bypass sites' no-crawl rules; Perplexity disputed the attribution. For a business, the relevant signal is reputational: a tool whose data-collection practices are publicly contested is one to scope carefully.
Each of these is amplified by the fact that nothing about Perplexity signals "this is an AI service, not a search bar."
What is actually at stake: consequences
Under GDPR, pasting an identifiable person's data - a prospect's name tied to commercial details, a client's situation, an employee's record - into a consumer AI account with no processor agreement is processing without a lawful basis on the employer's side. If the data is sensitive and ends up retained or used for training, that is a reportable exposure.
Fines reach EUR 20 million or 4% of global annual turnover, whichever is higher, and the liability sits with the organisation as controller. The quieter cost is competitive: pasting your own deal strategy and a prospect's confidential details into a tool that retains queries is a commercial risk as much as a compliance one.
Industry surveys consistently find a large share of employees enter confidential information into AI tools, often through personal accounts outside any company control. Perplexity's search-like framing makes it one of the easiest places for that to happen without anyone noticing.
Verified incidents
June 2025 - BBC legal threat over scraping
The BBC sent Perplexity a legal threat - reportedly its first against an AI company - alleging its model was trained on BBC content and reproduced it, sometimes inaccurately. Perplexity rejected the characterisation. Source: Deadline, June 2025.
August 2025 - Cloudflare reports stealth crawling
Cloudflare published research alleging Perplexity used undeclared crawlers with rotating identities to access content from sites that had blocked it, demonstrated using secret test domains, and de-listed Perplexity as a verified bot. Perplexity disputed the findings, attributing traffic to a third-party service. Source: Cloudflare, August 2025.
August 2025 - Comet prompt injection
Brave's security team disclosed that Perplexity's Comet browser could be manipulated by hidden instructions embedded in web pages, executing them as commands when a user asked it to summarise a page - a route to acting in the user's logged-in accounts. Source: Brave, August 2025.
March 2026 - Amazon wins injunction against Comet
A US court granted Amazon a preliminary injunction against Perplexity's Comet shopping agent, finding strong evidence it accessed Amazon accounts while disguising itself as a human browser. Source: CNBC, March 2026.
The thread is not one breach. It is a pattern of a tool moving fast across boundaries - publishers', browsers', and users' own sense of what is private.
Settings that help
1. Turn off AI data retention (consumer)
In Settings, switch off "AI data retention" so your queries are not used to train models going forward. Note it affects future data only and can reset during account changes - re-check it.
2. Use Enterprise for any business use
If Perplexity is genuinely useful for work, adopt Perplexity Enterprise, which provides no-training, zero data retention, SSO, and a data processing agreement. Personal accounts should not carry client data.
3. Don't rely on incognito for confidentiality
Use incognito to keep a chat out of your history, but never as a way to keep a query private from the vendor.
4. Be cautious with Comet and agentic features
Treat AI browsers that act in your logged-in sessions as high-risk; restrict them from sensitive accounts until prompt-injection defences are proven.
5. Set policy on personal-account use
The most effective control is organisational: make clear that confidential context does not go into personal Perplexity accounts, and provide an approved alternative.
Verified against Perplexity's documentation current to early 2026; the UI and setting labels change often, so confirm live.
What settings do not solve
A data retention toggle changes what Perplexity does with your queries. It does not change the instinct that makes someone treat an answer engine like a private notebook.
No setting un-pastes the prospect's name and deal size already typed into a free account. No incognito mode retrieves a confidential question once it has been processed. The core risk - a person pasting identifiable, sensitive context because the interface feels like search - is a human moment a configuration screen cannot reach.
That is the gap between what Perplexity is and what it feels like.
How BeeSensible helps before you send
BeeSensible checks personal data in browser text fields - including the Perplexity question box - as you type. Through the desktop app, detection runs entirely on the device and no text leaves the machine. For browser-only use, the extension sends the text to BeeSensible's EU detection service, where analysis runs in working memory and the text is discarded after detection. When sensitive content appears in a query, BeeSensible marks it inline so the user can see exactly what they are about to share - and delete it, replace it with a placeholder, or mask it before sending.
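A pre-send check of the kind described above can be sketched as a pattern-plus-watchlist pass that flags sensitive spans in a query and swaps them for placeholders. This is an added example, not BeeSensible's code or detection method; the patterns, the watchlist and the sample query are constructed assumptions.

```javascript
// Added example: patterns are illustrative and not exhaustive.
const PATTERNS = [
  { type: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { type: "PHONE", re: /\+?\d[\d\s().-]{7,}\d/g },
  { type: "AMOUNT",
    re: /(?:\b(?:EUR|USD|GBP)|[€$£])\s?\d(?:[\d.,]*\d)?(?:\s?(?:million|billion|bn|k|m))?\b/gi },
];

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Returns non-overlapping hits {type, start, end, value}, ordered by position.
function findSensitive(text, watchlist = []) {
  const hits = [];
  const add = (type, re) => {
    for (const m of text.matchAll(re)) {
      hits.push({ type, start: m.index, end: m.index + m[0].length, value: m[0] });
    }
  };
  for (const { type, re } of PATTERNS) add(type, re);
  // Watchlist: names the organisation already treats as confidential.
  for (const term of watchlist) add("NAME", new RegExp(`\\b${escapeRegExp(term)}\\b`, "gi"));
  // Earliest first, longest first on ties; drop hits that overlap an earlier one.
  hits.sort((a, b) => a.start - b.start || b.end - a.end);
  const kept = [];
  let lastEnd = 0;
  for (const h of hits) {
    if (h.start >= lastEnd) { kept.push(h); lastEnd = h.end; }
  }
  return kept;
}

// Replace each hit with a placeholder; the same value always gets the same label,
// so the masked query still reads coherently.
function maskQuery(text, hits) {
  const labels = new Map();
  const counts = {};
  let out = "", pos = 0;
  for (const h of hits) {
    const key = `${h.type}:${h.value.toLowerCase()}`;
    if (!labels.has(key)) {
      counts[h.type] = (counts[h.type] || 0) + 1;
      labels.set(key, `[${h.type}_${counts[h.type]}]`);
    }
    out += text.slice(pos, h.start) + labels.get(key);
    pos = h.end;
  }
  return out + text.slice(pos);
}

// Constructed sample query and watchlist (not real names or data).
const SAMPLE = "Brief me on Acme Logistics before my call with Jane Doe (jane.doe@acme.example). " +
  "They are in a contract dispute; we hope to close EUR 250k. Is Acme Logistics solvent?";
const WATCHLIST = ["Acme Logistics", "Jane Doe"];
console.log(maskQuery(SAMPLE, findSensitive(SAMPLE, WATCHLIST)));
```

A regex pass like this only catches structured identifiers and names it has been told about; free-text names outside the watchlist pass through unflagged.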