Perplexity feels like search - so people paste like it's private

Perplexity looks and behaves like a smarter Google, so employees treat it like one: typing in client names, internal context, and confidential questions as if it were a private search box. It isn't. It's an AI service that retains data by default - and whose crawlers have been caught ignoring the rules.

Quick answer

Perplexity's main privacy risk is behavioural: because it looks like a search engine, people paste private, identifiable work context into it that they would never email externally. On consumer tiers, queries are used to train models by default and history is retained until deleted; only the Enterprise tier offers no-training, zero data retention, and a processor agreement. The interface invites trust the consumer terms do not earn.

1. Perplexity's search-like feel leads employees to paste confidential context as if it were private
2. Consumer tiers use queries to train models by default; you must turn off the AI data retention setting
3. Only Perplexity Enterprise offers no-training, zero data retention, and a data processing agreement
4. Cloudflare reported Perplexity used stealth crawlers to bypass no-crawl rules; Perplexity disputes the attribution
5. Incognito mode hides history from your account - it does not make queries invisible to the vendor

A new business developer wants to understand a prospect before a call. Instead of a normal search, she opens Perplexity and types the full context: the company name, the contact's name, what she heard about their contract dispute, and the deal size she is hoping to land. Perplexity gives her a crisp, well-sourced briefing.

It felt exactly like Googling. That is the problem. She had just pasted a named individual, commercial-in-confidence details, and her own internal strategy into an AI service that, on her free account, may use her queries to train its models and keeps her history until she deletes it.

Nobody told her she was doing anything different from a web search. The interface certainly did not. And that gap - between how Perplexity feels and what it actually is - is where its privacy risk lives.

Is Perplexity safe for business data?

For general research, it is a useful tool. As a place to put confidential context, the consumer version is not what it appears to be. Perplexity is an "answer engine" that browses the web and composes a response - but unlike a search engine, it ingests your full query as input to an AI system. On Free and Pro tiers, those queries can be used to train its models by default, and your history persists until you remove it.

There is a genuinely different tier: Perplexity Enterprise offers no training on customer data, zero data retention, SOC 2, and a data processing agreement. But most employees are not on it - they are on a personal account, where the search-box feel quietly invites them to paste things they would never send in an email.

The risk is not that Perplexity is uniquely careless. It is that it feels private, and the consumer terms are not.

How Perplexity handles your data

| | Free / Pro (consumer) | Enterprise |
|---|---|---|
| Used to train models | Yes, by default | No (contractual) |
| Data retention | Until you delete | Zero data retention available |
| Data processing agreement | No | Yes |
| Processing location | US infrastructure | US, with EU options to confirm |
| Admin controls | None | SSO, history controls, ZDR |

Free and Pro accounts are consumer products. Queries may be used to improve models unless you turn off the AI data retention setting, and that opt-out only affects future data. Uploaded files are kept for a period; history stays until deleted. There is no processor agreement standing behind any of it.

Perplexity Enterprise / API is the business product, with contractual no-training, zero data retention, SOC 2, SSO, and a DPA incorporating Standard Contractual Clauses. Default processing is US-centric; EU residency for Enterprise should be confirmed with Perplexity. The difference between the two tiers is not cosmetic - it is the difference between having and not having a lawful basis to process client data.

The biggest privacy risks in Perplexity

1. The search-box illusion

The headline risk. People paste named, confidential context into Perplexity precisely because it feels like a search engine. The same person who would carefully redact an email types a prospect's full situation into the answer box without a second thought.

2. Training on consumer queries by default

On Free and Pro, your queries can feed model training unless you have changed the setting. Most users never open that setting, so the default quietly governs.

3. "Incognito" that isn't private from the vendor

Incognito keeps a chat out of your library and expires it, but it does not make the query invisible to Perplexity or stop vendor-side processing. Employees who use it for sensitive questions, believing it is private, are mistaken.

4. Agentic browsing risk (Comet)

Perplexity's Comet browser introduced a new exposure: security researchers showed it could be hijacked by hidden instructions on a web page (indirect prompt injection), potentially acting in the user's logged-in accounts. An agent that browses on your behalf is a larger attack surface than a chatbot.

5. The crawler trust question

In 2025, Cloudflare reported Perplexity used stealth crawlers to bypass sites' no-crawl rules; Perplexity disputed the attribution. For a business, the relevant signal is reputational: a tool whose data-collection practices are publicly contested is one to scope carefully.

Each of these is amplified by the fact that nothing about Perplexity signals "this is an AI service, not a search bar."

What is actually at stake: consequences

Under GDPR, pasting an identifiable person's data - a prospect's name tied to commercial details, a client's situation, an employee's record - into a consumer AI account with no processor agreement is processing without a lawful basis on the employer's side. If the data is sensitive and ends up retained or used for training, that is a reportable exposure.

Fines reach EUR 20 million or 4% of global annual turnover, whichever is higher, and the liability sits with the organisation as controller. The quieter cost is competitive: pasting your own deal strategy and a prospect's confidential details into a tool that retains queries is a commercial risk as much as a compliance one.

Industry surveys consistently find a large share of employees enter confidential information into AI tools, often through personal accounts outside any company control. Perplexity's search-like framing makes it one of the easiest places for that to happen without anyone noticing.

Verified incidents

The BBC sent Perplexity a legal threat - reportedly its first against an AI company - alleging its model was trained on BBC content and reproduced it, sometimes inaccurately. Perplexity rejected the characterisation. Source: Deadline, June 2025.

August 2025 - Cloudflare reports stealth crawling

Cloudflare published research alleging Perplexity used undeclared crawlers with rotating identities to access content from sites that had blocked it, demonstrated using secret test domains, and de-listed Perplexity as a verified bot. Perplexity disputed the findings, attributing traffic to a third-party service. Source: Cloudflare, August 2025.

August 2025 - Comet prompt injection

Brave's security team disclosed that Perplexity's Comet browser could be manipulated by hidden instructions embedded in web pages, executing them as commands when a user asked it to summarise a page - a route to acting in the user's logged-in accounts. Source: Brave, August 2025.

March 2026 - Amazon wins injunction against Comet

A US court granted Amazon a preliminary injunction against Perplexity's Comet shopping agent, finding strong evidence it accessed Amazon accounts while disguising itself as a human browser. Source: CNBC, March 2026.

The thread is not one breach. It is a pattern of a tool moving fast across boundaries - publishers', browsers', and users' own sense of what is private.

Settings that help

1. Turn off AI data retention (consumer)

In Settings, switch off "AI data retention" so your queries are not used to train models going forward. Note it affects future data only and can reset during account changes - re-check it.

2. Use Enterprise for any business use

If Perplexity is genuinely useful for work, adopt Perplexity Enterprise, which provides no-training, zero data retention, SSO, and a data processing agreement. Personal accounts should not carry client data.

3. Don't rely on incognito for confidentiality

Use incognito to keep a chat out of your history, but never as a way to keep a query private from the vendor.

4. Be cautious with Comet and agentic features

Treat AI browsers that act in your logged-in sessions as high-risk; restrict them from sensitive accounts until prompt-injection defences are proven.

5. Set policy on personal-account use

The most effective control is organisational: make clear that confidential context does not go into personal Perplexity accounts, and provide an approved alternative.

Verified against Perplexity's documentation current to early 2026; the UI and setting labels change often, so confirm live.

What settings do not solve

A data retention toggle changes what Perplexity does with your queries. It does not change the instinct that makes someone treat an answer engine like a private notebook.

No setting un-pastes the prospect's name and deal size already typed into a free account. No incognito mode retrieves a confidential question once it has been processed. The core risk - a person pasting identifiable, sensitive context because the interface feels like search - is a human moment a configuration screen cannot reach.

That is the gap between what Perplexity is and what it feels like.

How BeeSensible helps before you send

BeeSensible checks personal data in browser text fields - including the Perplexity question box - as you type. Through the desktop app, detection runs entirely on the device and no text leaves the machine. For browser-only use, the extension sends the text to BeeSensible's EU detection service, where analysis runs in working memory and the text is discarded after detection. When sensitive content appears in a query, BeeSensible marks it inline so the user can see exactly what they are about to share - and delete it, replace it with a placeholder, or mask it before sending.

Message content is not stored. The user makes every decision.
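
The detect-then-decide flow described above, as an added example that is not BeeSensible's code: the regex detectors, the IBAN checksum filter, the sample draft and every function name are assumptions made here for illustration. It covers pattern-based identifiers only; names and free-text context need entity recognition.

```javascript
// Added example, not vendor code: patterns and sample text are constructed.
// IBAN check (ISO 13616): rotate 4 chars, map A-Z to 10-35, number mod 97 is 1.
function ibanIsValid(raw) {
  const s = raw.replace(/\s+/g, "").toUpperCase();
  if (!/^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/.test(s)) return false;
  const n = [...(s.slice(4) + s.slice(0, 4))].map((c) => parseInt(c, 36)).join("");
  return BigInt(n) % 97n === 1n;
}

const DETECTORS = [
  { type: "EMAIL", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { type: "IBAN", validate: ibanIsValid, re: /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b/g },
  { type: "PHONE", re: /\+\d{1,3}[ -]?\d(?:[ -]?\d){6,11}\b/g },
];

// Findings sorted by position; checksum failures are not reported.
function findSensitive(text) {
  const hits = [];
  for (const { type, re, validate } of DETECTORS)
    for (const m of text.matchAll(re))
      if (!validate || validate(m[0]))
        hits.push({ type, start: m.index, end: m.index + m[0].length, value: m[0] });
  return hits.sort((a, b) => a.start - b.start);
}

// Mask all but the last `keep` letters/digits; separators stay as typed.
function maskValue(value, keep = 4) {
  let seen = 0;
  const m = (c) => (/[A-Za-z0-9]/.test(c) && ++seen > keep ? "*" : c);
  return [...value].reverse().map(m).reverse().join("");
}

// decide(finding) -> "delete" | "placeholder" | "mask"; anything else keeps it.
function applyDecisions(text, decide) {
  let out = "", pos = 0;
  for (const f of findSensitive(text)) {
    if (f.start < pos) continue; // overlaps a finding already handled
    const a = decide(f);
    out += text.slice(pos, f.start) + (a === "delete" ? "" : a === "mask"
      ? maskValue(f.value) : a === "placeholder" ? `[${f.type}]` : f.value);
    pos = f.end;
  }
  return out + text.slice(pos);
}

// Constructed draft: example.com address, widely published sample IBAN.
const SAMPLE = "Remind j.devries@example.com (IBAN NL91 ABNA 0417 1643 00, " +
  "tel +31 6 1234 5678) about two overdue invoices.";
const CHOICES = { EMAIL: "placeholder", IBAN: "mask", PHONE: "delete" };
console.log(applyDecisions(SAMPLE, (f) => CHOICES[f.type]));
```

The checksum filter keeps order references that merely look like IBANs from being flagged, which matters when every finding interrupts the person typing.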

For Perplexity, this directly counters the search-box illusion: at the moment a prospect's name or a client's account number lands in the question box, it is marked - turning an automatic paste into a visible decision. It does not replace adopting Enterprise or setting policy; those are the structural moves. It puts a moment of awareness exactly where the interface removes it.

Perplexity is fast and genuinely useful. But it is an AI service wearing the clothes of a search engine, and people share accordingly. The fix is partly a better tier and a clear policy - and partly making sure that, in the second before someone treats it like Google, the sensitive part of their question is visible to them.

FAQ

Common questions

Is Perplexity safe to use for work?

Perplexity can be used safely for general research, but the consumer tiers are not a private search box: queries are used to train models by default and history is retained until you delete it. Pasting client names, internal documents, or confidential questions into it is the real risk. For business use with data protection, Perplexity Enterprise offers no-training, zero data retention, and a data processing agreement - the free and Pro tiers do not.

Does Perplexity train on my searches?

On consumer tiers (Free, Pro), Perplexity may use your queries to train and improve its models by default. You can turn this off with the AI data retention setting, but that applies to future data only. Enterprise users are excluded from training by contract. Treat the consumer version as a tool that learns from what you type unless you have changed the setting.

Is it true Perplexity ignores robots.txt?

In August 2025 Cloudflare reported that Perplexity used undeclared 'stealth' crawlers - rotating user agents and IP addresses - to access content from sites that had blocked crawling, demonstrated with secret test domains. Perplexity disputed this, attributing the traffic to a third-party browsing service. The dispute is partly about attribution; what is not seriously contested is that publishers raised the alarm and Cloudflare de-listed Perplexity as a verified bot.

Is Perplexity's incognito mode private?

Incognito mode keeps a conversation out of your visible history and expires it after about a day, but it does not make your query invisible to Perplexity. The service can still process and retain data for a period for safety purposes, and it does not remove vendor-side analytics. Treat incognito as 'not saved to my library', not as 'private from the company'.

Is Perplexity GDPR-compliant for EU businesses?

Perplexity offers a data processing agreement and Standard Contractual Clauses for its Enterprise and API tiers, with default processing on US infrastructure. Consumer Free and Pro accounts do not get that processor relationship - so an employee pasting client data into a personal Perplexity account leaves the employer, as controller, with no lawful processor agreement covering it. EU data residency options for Enterprise should be confirmed with Perplexity directly.

What should employees not paste into Perplexity?

Treat it like any public AI tool: no client or patient names, account numbers, contracts, internal strategy, credentials, or anything identifying a person. The danger with Perplexity specifically is that its search-like interface makes this feel harmless. If the question genuinely needs confidential context, use an approved enterprise tool with a data processing agreement, not a personal account.
