Perplexity.ai Terms and Conditions/Privacy Policy Review


I am beginning a blog series where I examine the terms and conditions/privacy policies of various GenAI tools.

I use a prompt that examines any attached ToS or Privacy Policies.

The prompt was originally developed by the folks at AI for Non-Techies. I have adapted the prompt for my own use.

Today: Perplexity.


  1. Terms of Service — Last updated January 23, 2026
  2. Privacy Policy — Effective date February 5, 2026

Both documents are identifiable as belonging to Perplexity AI, an AI-powered search engine product. Both documents appear complete. The Terms of Service explicitly excludes the Perplexity API and Perplexity Pro for Enterprise, which are governed by separate agreements. This analysis covers the standard consumer/Pro tier only. If your business uses the API or Enterprise tier, those documents require separate analysis.

Governing law: California (stated in ToS Section 11.7). Jurisdictional frameworks noted for UK/EU, Australia, and Canada where relevant.


SEVEN-AREA ANALYSIS


6.1 Data Security and Storage 🟡 AMBER

Plain English: Perplexity acknowledges it takes "reasonable efforts" to protect your information but explicitly states that no security is impenetrable and that data in transit may not be secure. No specific encryption standards are named. Breach notification procedures are absent from both documents.

Clause References

  • Privacy Policy, DATA SECURITY AND RETENTION: "Despite our reasonable efforts to protect your information, no security measures are impenetrable, and we cannot guarantee 'perfect security.' Any information you send to us electronically, while using the Services or otherwise interacting with us, may not be secure while in transit."
  • Privacy Policy, DATA TRANSFERS: Servers confirmed in the US. Support, engineering and other teams may access data from the United States.

Sub-question Answers

Where is business data stored and processed? US servers confirmed. Cross-border access by support and engineering teams is acknowledged but not restricted by location.

What security measures and encryption standards are in place? Not specified. "Reasonable efforts" is the only standard stated. No reference to ISO 27001, SOC 2, encryption-at-rest, or TLS in transit.

What are the data breach notification procedures? No clause identified in either document. Absence of breach notification provisions is itself a risk indicator for an AI/ML tool agreement.

Business Impact: If a breach occurs, there is no contractual commitment to notify you within any defined timeframe. For businesses operating under GDPR (UK/EU), Australian NDB scheme, or equivalent, your own downstream notification obligations could be triggered without Perplexity providing timely notice.

Recommended Action: Seek confirmation from Perplexity of their security certifications and breach notification SLAs before processing any sensitive business data. For UK/EU businesses, confirm whether a Data Processing Agreement (DPA) is available for standard Pro users (note: the Privacy Policy states DPAs apply only to API/Enterprise tier).


6.2 Data Access and Sharing 🔴 RED

Plain English: Perplexity shares your data with a wide category of third parties, including advertising partners. The list is broad and the purposes include marketing and behavioural targeting. Your business data — including your queries and generated outputs — sits within "Service Interaction Information," which flows into this sharing framework.

Clause References

  • Privacy Policy, DISCLOSURE OF YOUR INFORMATION: "Advertising Partners: Third parties who display advertising information on our Services or otherwise assist with the delivery of ads."
  • Privacy Policy, DISCLOSURE OF YOUR INFORMATION: "Service Providers: Vendors or other service providers who help us provide the Services, including for system administration, cloud storage, generative AI and content creation..."
  • Privacy Policy, COLLECTION AND USE: "Service Interaction Information may constitute or contain personal information, depending on the substance and how it is associated with your account."
  • Privacy Policy, COLLECTION AND USE: "Information we receive from consumer marketing databases or other data enrichment companies, which we use in our legitimate interests to better customize advertising and marketing to you ('Advertising Information')."

Sub-question Answers

Who can access uploaded business data? Perplexity affiliates, service providers (including generative AI vendors), business partners, advertising partners, other users (if you share outputs), professional advisors, and parties in M&A transactions.

What third-party sharing arrangements exist? Broad. Advertising partners are an explicit category. No list of named third parties is provided in the standard privacy policy.

What employee access controls does the provider maintain? Not specified. Support and engineering teams based in the US are acknowledged as having access. No access control policies are described.

Business Impact: Your search queries, prompts, and inputs are "Service Interaction Information." This data could flow to advertising partners and data enrichment companies under the current framework. For a business user, this means proprietary queries — about clients, strategy, or operations — may inform third-party advertising and marketing profiling.

Recommended Action: Do not submit commercially sensitive, confidential, or client-identifying information via the standard Pro tier. Consider whether the API or Enterprise tier (with a separate DPA and processor-only designation) better suits your needs.


6.3 Data Retention and Deletion 🟡 AMBER

Plain English: Retention is indefinite and discretionary. Deletion upon account closure is targeted within 30 days for personal information, but the ToS explicitly states that Perplexity is "not obligated to delete" Your Content on account termination.

Clause References

  • Privacy Policy, DATA SECURITY AND RETENTION: "We retain your information for as long as is reasonably necessary for the purposes specified in this Privacy Policy. When determining the length of time to retain your information, we consider various criteria..."
  • ToS, Section 11.3: "In the event of Account deletion for any reason, the Company may, but is not obligated to, delete any of Your Content."
  • Privacy Policy, YOUR RIGHTS AND CHOICES: "If you delete your account, we aim to delete your personal information from our servers within 30 days."

Sub-question Answers

How long is data kept? No fixed retention period. Determined by Perplexity based on operational criteria including dispute resolution, safety, and product improvement.

What are the deletion policies and procedures? Account deletion can be requested via settings or email. Perplexity "aims" to delete personal information within 30 days but the ToS creates a direct conflict by stating there is no obligation to delete Your Content. See Section 10.4 — this contradiction is flagged as a compound risk below.

What data portability options exist? The Privacy Policy states a Right of Portability under YOUR RIGHTS AND CHOICES. Availability is jurisdiction-dependent ("depending on where you live"). No mechanism or format is specified.

Recommended Action: Before adopting for business use, obtain written confirmation from Perplexity of actual content deletion timelines and procedures. Do not assume account deletion triggers complete data removal.


6.4 Business Liability and Responsibility 🔴 RED

Plain English: Perplexity's liability is capped at $100 or six months of subscription fees — whichever is higher. All consequential losses, including lost profits, data loss, and business interruption, are excluded. You carry a broad indemnification obligation that runs in Perplexity's favour.

Clause References

  • ToS, Section 8.2: "THE COMPANY ENTITIES' TOTAL LIABILITY TO YOU FOR ANY DAMAGES FINALLY AWARDED SHALL NOT EXCEED THE GREATER OF ONE HUNDRED DOLLARS ($100.00), OR THE AMOUNT YOU PAID THE COMPANY ENTITIES, IF ANY, IN THE PAST SIX (6) MONTHS..."
  • ToS, Section 8.1: Services provided "AS IS" and "AS AVAILABLE"; company disclaims all warranties including accuracy, security, or reliability of outputs.
  • ToS, Section 8.3: "you agree that you shall defend, indemnify and hold the Company Entities harmless...arising out of or in connection with: (a) your violation or breach of any term...,(d) Your Content; or (e) your negligence or wilful misconduct."
  • ToS, Section 8.1: "You acknowledge that the Services may generate Output containing incorrect, biased, or incomplete information."

Sub-question Answers

What liability limitations and exclusions apply? Near-total exclusion of consequential, indirect, and punitive damages. Hard cap of $100 or six months' fees. This is weighted heavily in Perplexity's favour and is standard in consumer AI products but exceptionally low for business reliance.

What indemnification clauses are present? You indemnify Perplexity for your content, your use of outputs, and your breach of terms. Perplexity provides no reciprocal indemnity.

What professional liability coverage is referenced? None.

Business Impact: If Perplexity produces a faulty output that causes your business to suffer a material loss — for example, in client work, financial decisions, or compliance — your maximum recovery is $100 (or up to six months' fees). Meanwhile, you are personally exposed to indemnify Perplexity if your use of their outputs triggers a third-party claim against them.

Recommended Action: Do not rely on Perplexity outputs for decisions that carry material financial, legal, or reputational risk without independent verification. Review your own professional indemnity insurance to confirm it covers AI-assisted work.


6.5 Compliance and Regulatory 🟡 AMBER

Plain English: Perplexity has made meaningful GDPR and UK compliance provisions, including a named DPO, EU and UK representative addresses, Standard Contractual Clauses (SCCs) for cross-border transfers, and EU-US Data Privacy Framework certification. However, these provisions explicitly apply to standard consumer users, not API or Enterprise customers where a DPA applies separately.

Clause References

  • Privacy Policy: "TrustKeith Ltd, a company registered at 20-22 Wenlock Road, London, is our DPO."
  • Privacy Policy, DATA TRANSFERS: "for UK and EEA users, the European Commission's model contracts for the transfer of personal information to third countries (i.e., the standard contractual clauses)..."
  • Privacy Policy: "We comply with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. DPF..."
  • Privacy Policy: Governing law stated as California (ToS, Section 11.7); EU and UK representative addresses provided in Privacy Policy contact section.

Sub-question Answers

What GDPR and data protection compliance is stated? DPO named, SCCs referenced, Data Privacy Framework certified. Rights enumerated (access, deletion, portability, correction, restriction, objection). This is materially better than many comparable AI tools at the standard tier.

Are industry-specific regulations addressed? No. No mention of HIPAA, financial services regulation, or sector-specific compliance.

What cross-border data transfer rules apply? SCCs and DPF apply for EU/UK users. For Australia and Canada, no equivalent mechanism is named. The policy states generic "applicable safeguards" without specifics for those jurisdictions.

Jurisdictional Notes

UK/EU: SCCs and DPF in place. Adequate provision at standard tier, noting that businesses processing third-party personal data through Perplexity may themselves need a DPA, which is not available at this tier.

Australia: No specific reference to the Privacy Act 1988, Australian Privacy Principles, or the Notifiable Data Breaches scheme. Absence of NDB-specific provisions is a risk indicator for Australian businesses.

Canada: No reference to PIPEDA or Quebec Law 25.

United States: CCPA addressed in detail. No single federal baseline addressed, consistent with the current legal landscape.

Recommended Action: Australian and Canadian businesses should seek written confirmation of how Perplexity handles their jurisdiction-specific obligations. UK/EU businesses should confirm that use at the standard tier (versus Enterprise) does not require a formal DPA for their use case.


6.6 Commercial Terms 🟡 AMBER

Plain English: Auto-renewal is confirmed. Price changes can occur at any time at Perplexity's sole discretion. Refunds are not available. Free trials auto-convert to paid subscriptions.

Clause References

  • ToS, Section 2.3: "your subscription will automatically renew at the subscription period frequency referenced on your subscription page (or if not designated, then monthly) and at the then-current rates..."
  • ToS, Section 2.2: "We reserve the right to change our subscription plans or adjust pricing for the paid Services in any manner and at any time as we may determine in our sole and absolute discretion."
  • ToS, Section 2.4: "payments for any subscriptions to the Services are nonrefundable and there are no credits for partially used periods."
  • ToS, Section 2.5: "Upon expiration of your free trial, you will be charged the then-current subscription price for the applicable Service."

Sub-question Answers

What auto-renewal clauses are present? Monthly auto-renewal by default. Cancellation must occur before the renewal date via account settings or email.

How are price changes communicated? "Reasonable notice" is stated but not defined. No minimum notice period is specified. The right to change pricing is unilateral and absolute.

What are the termination and refund policies? No refunds. Cancellation preserves access until end of the current paid period. Perplexity can terminate your account with or without notice, for any or no reason (Section 11.3).

Business Impact: Perplexity can raise prices with undefined "reasonable notice." No refund mechanism exists if you cancel mid-period. Account termination by Perplexity can occur without notice or cause, with no compensation.

Recommended Action: Set a calendar reminder before each renewal date. Do not rely on Perplexity as a mission-critical tool without an alternative, given the unilateral termination right.


6.7 Service Changes 🔴 RED

Plain English: Perplexity can modify the Terms at any time. Material changes trigger "reasonable efforts" notification, but the updated Terms take effect on posting. Your continued use constitutes acceptance. The company can terminate your account at any time, for any reason, without notice.

Clause References

  • ToS, Section 11.2: "We may modify these Terms from time to time...If we make changes that are material, we will use reasonable efforts to attempt to notify you, such as by e-mail and/or by placing a prominent notice on the first page of the Website. However, it is your sole responsibility to review these Terms from time to time to view any such changes. The updated Terms will be effective as of the time of posting..."
  • ToS, Section 11.3: "the Company may suspend, disable, or delete your Account and/or the Services (or any part of the foregoing) with or without notice, for any or no reason."

Sub-question Answers

How can the provider modify terms? Unilaterally. No user consent is required. Continued use equals acceptance.

What notice periods apply to changes? None defined. "Reasonable efforts" is the standard, with no minimum notice period.

What service discontinuation policies are stated? Perplexity can discontinue the service at any time without notice. No continuity, data export window, or wind-down period is guaranteed.

Business Impact: Any workflow built around Perplexity can be disrupted without notice. Terms governing your data use can change without your active consent. This is a standard risk in consumer AI products but is material if business processes depend on the tool.

Recommended Action: Maintain independent copies of any outputs you rely on. Do not build automated or client-facing workflows that depend on continued Perplexity service availability without contingency planning.


AI/ML RISK LAYER


7.1 Training Data Use 🔴 RED

Plain English: Your queries, inputs, and outputs are used to improve Perplexity's AI models by default. This is opt-out, not opt-in.

Clause References

  • Privacy Policy, COLLECTION AND USE: "we may use most of the above information to provide you with and improve the Services (including our AI models)"
  • Privacy Policy, YOUR RIGHTS AND CHOICES: "You may opt out of information collection for AI (which would prohibit us from using your search information to improve our AI models) in your settings page if you are logged into the Services."

Assessment: Training use is on by default. The opt-out exists in settings but requires the user to find and activate it. Any business data entered before opt-out is activated will have been available for model training.

Benchmarking: This is less restrictive than ChatGPT Enterprise (where training on customer data is off by default) and broadly comparable to standard ChatGPT or Google Gemini for Workspace free tier, where training use requires proactive opt-out.


7.2 Opt-Out Availability 🟡 AMBER

Plain English: An opt-out from model training exists and is accessible via the settings page when logged in. It is not buried in a support request or time-limited. However, it requires the user to actively locate and apply it — it is not presented at onboarding.

Clause Reference

  • Privacy Policy, YOUR RIGHTS AND CHOICES: "You may opt out of information collection for AI (which would prohibit us from using your search information to improve our AI models) in your settings page if you are logged into the Services."

Assessment: The opt-out is functional and self-service. The limitation is that it is not the default and is not foregrounded during account creation. Any data submitted prior to opt-out activation is not retrievable or excluded retroactively.

Recommended Action: Activate the opt-out in your account settings before submitting any business data. Do this before first use, not after.


7.3 Output Ownership 🟡 AMBER

Plain English: You retain ownership of your content (inputs). Perplexity does not claim ownership of outputs. However, the company retains ownership of the underlying models and technology that generated the output, and the licence you grant Perplexity over your content is broad, irrevocable, and sublicensable.

Clause References

  • ToS, Section 6.4: "As between the Company and you, the Company does not claim any ownership in Your Content; provided that, the Company or its affiliates and their respective licensors own and will continue to own the Services and any and all other software or technology that was used to generate any Output."
  • ToS, Section 6.4 (licence grant): "you grant us a license to access, use, host, cache, store, reproduce, transmit, display, publish, distribute, and modify Your Content...royalty free, transferable, sub-licensable, worldwide and irrevocable (for so long as Your Content is stored with us)"
  • ToS, Section 1.1: "Your use of the Perplexity Engine, including any Outputs, may also be subject to license and use restrictions set forth in a third-party LLM license, if applicable."

Assessment: No direct claim over outputs. However, the irrevocable, sublicensable licence over Your Content is broad. The reference to third-party LLM licence restrictions creates undefined downstream constraints on output use that cannot be assessed without knowing which LLMs are in use.


7.4 Third-Party AI Subprocessors 🔴 RED

Plain English: Perplexity openly states it uses third-party large language models (LLMs) as part of the service. It does not name them. No binding obligations on those subprocessors are described in either document.

Clause References

  • ToS, Section 7.1: "Third-Party Materials include the open source software or other third-party software, such as third-party large language models, that are included in the artificial intelligence and machine learning models you access or use through the Services."
  • ToS, Section 7.1: "We do not warrant or endorse and do not assume and will not have any liability or responsibility to you or any other person for any third-party services, Third-Party Materials or third-party websites..."
  • Privacy Policy, DISCLOSURE OF YOUR INFORMATION: Service providers include those providing "generative AI and content creation" services.

Assessment: Your business data is processed by unnamed third-party LLMs. The ToS explicitly disclaims all liability for those third parties. No data protection obligations binding on those subprocessors are stated. This is a significant gap.

Benchmarking: This is weaker than Microsoft Copilot (which names Azure OpenAI as the subprocessor and maintains EU data residency options) and weaker than Google Gemini for Workspace (which names Google's own infrastructure). ChatGPT Enterprise names OpenAI as the processor with explicit DPA provisions.

Recommended Action: Contact Perplexity to request a list of current AI subprocessors and their data handling obligations before submitting business data. This is especially material for UK/EU GDPR compliance, which requires documented subprocessor chains.


7.5 Data Ingestion Scope 🔴 RED

Plain English: Perplexity collects a wide range of data beyond what you explicitly input. This includes device identifiers, IP address, approximate location, clickstream data, ad impressions, behavioural interaction data, and information from consumer marketing databases. If you sync email or calendar accounts, Perplexity ingests the content of your emails and calendar entries.

Clause References

  • Privacy Policy, COLLECTION AND USE, Information Collected Automatically: "Device information, such as device type, operating system, unique device identifier, and internet protocol (IP) address. Location information, such as approximate location. Other information regarding your interaction with the Services, such as browser type, log data, date and time stamps, clickstream data, interactions with marketing emails, and ad impressions."
  • Privacy Policy: "Information we receive from consumer marketing databases or other data enrichment companies, which we use in our legitimate interests to better customize advertising and marketing to you."
  • Privacy Policy: "you may have the ability to sync your third party email account or calendar (such as Gmail and Google Calendar) with the Services. If you choose to sync these accounts, we will have access to your contacts and information from the email messages and calendar appointments in your email account, including the content of your emails."

Assessment: The passive data collection footprint is extensive. The optional email/calendar sync is a material risk: if a business user syncs Gmail or Google Calendar, Perplexity gains access to the full content of emails and calendar entries. While Perplexity states it will not use that data to train AI models, it can still use it to "provide the Services."

Recommended Action: Do not sync business email or calendar accounts with Perplexity. Review tracking technology settings and apply opt-outs available via the cookie settings link in the Privacy Policy.


OVERALL BUSINESS RECOMMENDATION

Perplexity AI at the standard consumer/Pro tier carries material risk for business use. The documents are reasonably transparent — more so than many comparable AI products — but the risk profile is driven by structural features of the product tier, not drafting opacity.

Cross-document synthesis

Reading both documents together produces the following compound picture:

  1. Your inputs and outputs are "Service Interaction Information" (Privacy Policy) and "Your Content" (ToS). Both documents establish that this data is processed by unnamed third-party LLMs, shared with advertising partners, and used to improve Perplexity's AI models by default.
  2. The ToS grants Perplexity an irrevocable, worldwide, sublicensable licence over Your Content. The Privacy Policy simultaneously authorises disclosure of that content to service providers, business partners, and advertising partners. These two clauses together mean your inputs can flow broadly across Perplexity's commercial ecosystem.
  3. 🔴 RED CONTRADICTION: The Privacy Policy states that Perplexity "aims to delete your personal information from our servers within 30 days" of account deletion. The ToS states that "the Company may, but is not obligated to, delete any of Your Content" on account deletion. These provisions directly conflict. The ToS obligation standard governs contractually; the Privacy Policy "aim" is aspirational. You cannot rely on deletion of business content when you close your account.

Verdict

Perplexity is suitable for general research, summarisation, and non-sensitive business queries where no confidential, client-identifying, or commercially sensitive information is involved, and only after the AI training opt-out has been activated.

It is not suitable — at the standard Pro tier — for:

  • Processing client data or personal data on behalf of clients
  • Queries involving commercially sensitive strategy, pricing, or IP
  • Regulated industries (healthcare, financial services, legal) without further assessment
  • Any workflow requiring guaranteed data deletion or defined breach notification

The API or Enterprise tier, with a separate DPA and processor-only designation, is the appropriate product for business-grade use.


IMMEDIATE ACTION ITEMS

  1. Activate the AI training opt-out immediately. Navigate to account settings while logged in and disable AI model training before submitting any business data. (Privacy Policy, YOUR RIGHTS AND CHOICES)
  2. Do not sync business email or calendar accounts. The Gmail/Google Calendar integration gives Perplexity access to full email content. Do not connect these accounts for business use. (Privacy Policy, Email Service Information clause)
  3. Seek written confirmation of subprocessor identities. Contact Perplexity at support@perplexity.ai to request a current list of third-party LLM subprocessors and their data obligations before processing any business data. (ToS, Section 7.1)
  4. Obtain clarity on the deletion contradiction. The ToS and Privacy Policy conflict directly on whether Your Content is deleted on account closure. Request written clarification from Perplexity before relying on deletion as a data management control. (ToS, Section 11.3 vs Privacy Policy, YOUR RIGHTS AND CHOICES)
  5. If your business is UK/EU or Australian-based, assess DPA requirements. The standard Pro tier does not include a DPA. Determine whether your use case requires one. If it does, the API or Enterprise tier is the appropriate product. Contact Perplexity's EU representative (Leipziger Platz 16, Berlin) or UK representative (10 Devonshire Square, London EC2M 4YP).
  6. Establish an alternative workflow. The unilateral termination and service modification rights (ToS, Section 11.3 and 11.2) mean Perplexity can be withdrawn without notice. Do not build client-facing or mission-critical processes on this platform without a documented contingency.
  7. Review your professional indemnity insurance. Confirm that your insurer covers AI-assisted work, given the near-total disclaimer of Perplexity's liability and your broad indemnification obligation. (ToS, Sections 8.1, 8.2, 8.3)

This analysis is provided for informational purposes only and does not constitute legal advice. If you have specific legal concerns about these terms, consult a qualified lawyer or legal advisor in your jurisdiction.
