Perplexity moved three protections out of its privacy policy

Stani Mihov
Founder & CEO
·

TL;DR
Vendor: Perplexity
Document: Privacy Policy
Date: July 2, 2026
Key change: The AI-training opt-out, the 30-day account-deletion timeline, and the promise to notify users of material changes were removed from the policy text, while the same update expanded what the document says Perplexity can collect, including through the Comet browser, voice, and health and genetic data
Perplexity replaced its privacy policy with a restructured notice. Most of the diff is reorganization, but three protections that used to be written into the document are no longer there. The underlying controls still exist in the product, which is exactly what makes the change easy to miss.
The change
On July 2, 2026, Perplexity replaced its privacy policy with a restructured Privacy Notice. Venpo detected the change and separated the substantive edits from the reorganization.
Most of the diff is reformatting: the document was relabeled from a policy to a notice, sections were reordered, and much of the content was moved into tables. Inside that reshuffle sit three concrete user protections that used to be written in the document and are no longer there.
Perplexity is used daily by a large number of people and teams for research, and its search queries can carry sensitive context. A change to what the privacy document commits to reaches everyone relying on it.
What changed
Three protections left the text of the notice.
The AI-training opt-out. The old policy told logged-in users they could stop their search information from being used to improve Perplexity's AI models. The new notice no longer describes this option.
The deletion timeline. The old policy said that after account deletion, Perplexity aimed to remove personal information from its servers within 30 days. The new notice replaces this with retention for as long as reasonably necessary, with no stated timeframe.
The change-notice promise. The old policy said Perplexity would use reasonable efforts to notify users of material changes, including by email or service notice. The new notice removes that commitment and says new versions are simply posted to the website.
The same update also widened what the document says can be collected:
New sections for the Comet browser disclose browsing history tied to a synced account and data stored locally on the device
The sensitive-data categories now expressly include voice biometrics, neural data, and health and genetic data
Health data can be shared with third-party AI models used to deliver requested features
Targeted advertising is stated more explicitly, and commercial and activity data can be shared with advertising partners
For balance, the rewrite also added real protections: clearer opt-out controls for ads and the Comet browser, recognition of Global Privacy Control signals, parental-consent framing up to age 16, and a commitment not to re-identify de-identified data. Venpo scored the update as mixed rather than one-directional.
The controls did not leave the product
This is the part that makes the change easy to miss. The AI-training opt-out still works: the toggle lives in Settings under Preferences, and Perplexity's own help documentation confirms that Free, Pro, and Max users can still turn off whether their data is used for model training. Account deletion still exists as a right.
Nothing was technically taken away. What changed is where the protection lives. A right written into the policy is a commitment the vendor is held to. The same right as a toggle in a settings menu is a control the vendor can change or remove, without editing a single line of the document. The rewrite moved two of these protections from the first category into the second, and dropped the 30-day figure entirely.
Why this matters
A privacy policy is the document where a vendor commits, in writing, to how it handles your data. When a specific protection is described there, it is part of that commitment. When it is only a product setting, it is not. This is the exact category of change covered in our analysis of the hidden risk of vendor legal changes.
The pattern is not unique to Perplexity. It echoes Anthropic narrowing its data retention commitments and sits alongside the wider trend of AI vendors expanding what they collect, visible in cases like Airtable adding a new AI model provider. The written commitments are moving faster than the review cycles built to track them.
Potential impact for SaaS companies
Companies whose teams use Perplexity may want to review whether:
internal AI-tool policies still reflect what the current notice commits to, given the removed deletion timeline
anyone relying on the previous 30-day deletion promise is aware it is no longer stated
the AI-training opt-out is actually enabled for accounts used with sensitive queries, since the notice no longer points to it
the expanded collection through the Comet browser, voice, and health data is acceptable under their data handling rules
Keeping this current across a full set of tools is where continuous vendor contract monitoring becomes a structural need rather than a periodic task.
How Venpo detected it
Venpo continuously monitors vendor legal documents and detects changes as they are published. When Perplexity rewrote its privacy policy, Venpo:
detected the rewrite and separated the substantive edits from the reorganization
identified the three protections removed from the text: the AI-training opt-out, the 30-day deletion timeline, and the change-notice promise
flagged the widened collection across the Comet browser, voice, and health and genetic data
recorded the added controls as a separate, positive nuance so the update read as mixed, not one-sided
The full redline of the change is public on our live feed: Perplexity Privacy Policy, July 2, 2026. Building continuous vendor risk monitoring into the compliance stack is what makes this kind of detection possible.
Business outcome
Teams that caught this change early were able to:
confirm the AI-training opt-out was enabled on accounts used for sensitive work
note internally that the 30-day deletion timeline is no longer committed to
reassess whether the expanded collection through Comet and health features fits their policies
brief the relevant people before the next tool review
Instead of discovering the shift during an incident or an audit, they adapted on their own schedule.
Key takeaway
A privacy right written into the policy is a commitment. The same right as a toggle in settings is a control the vendor can change or remove. Perplexity's rewrite moved three protections out of the document while leaving the underlying controls in the product, which is precisely why the change is easy to miss. The only way to catch it is to be watching the text when it changes. A closer look at why scheduled reviews keep missing this kind of change is in our comparison of manual vs automated vendor monitoring.
The change
On July 2, 2026, Perplexity replaced its privacy policy with a restructured Privacy Notice. Venpo detected the change and separated the substantive edits from the reorganization.
Most of the diff is reformatting: the document was relabeled from a policy to a notice, sections were reordered, and much of the content was moved into tables. Inside that reshuffle sit three concrete user protections that used to be written in the document and are no longer there.
Perplexity is used daily by a large number of people and teams for research, and its search queries can carry sensitive context. A change to what the privacy document commits to reaches everyone relying on it.
What changed
Three protections left the text of the notice.
The AI-training opt-out. The old policy told logged-in users they could stop their search information from being used to improve Perplexity's AI models. The new notice no longer describes this option.
The deletion timeline. The old policy said that after account deletion, Perplexity aimed to remove personal information from its servers within 30 days. The new notice replaces this with retention for as long as reasonably necessary, with no stated timeframe.
The change-notice promise. The old policy said Perplexity would use reasonable efforts to notify users of material changes, including by email or service notice. The new notice removes that commitment and says new versions are simply posted to the website.
The same update also widened what the document says can be collected:
New sections for the Comet browser disclose browsing history tied to a synced account and data stored locally on the device
The sensitive-data categories now expressly include voice biometrics, neural data, and health and genetic data
Health data can be shared with third-party AI models used to deliver requested features
Targeted advertising is stated more explicitly, and commercial and activity data can be shared with advertising partners
For balance, the rewrite also added real protections: clearer opt-out controls for ads and the Comet browser, recognition of Global Privacy Control signals, parental-consent framing up to age 16, and a commitment not to re-identify de-identified data. Venpo scored the update as mixed rather than one-directional.
The controls did not leave the product
This is the part that makes the change easy to miss. The AI-training opt-out still works: the toggle lives in Settings under Preferences, and Perplexity's own help documentation confirms that Free, Pro, and Max users can still turn off whether their data is used for model training. Account deletion still exists as a right.
Nothing was technically taken away. What changed is where the protection lives. A right written into the policy is a commitment the vendor is held to. The same right as a toggle in a settings menu is a control the vendor can change or remove, without editing a single line of the document. The rewrite moved two of these protections from the first category into the second, and dropped the 30-day figure entirely.
Why this matters
A privacy policy is the document where a vendor commits, in writing, to how it handles your data. When a specific protection is described there, it is part of that commitment. When it is only a product setting, it is not. This is the exact category of change covered in our analysis of the hidden risk of vendor legal changes.
The pattern is not unique to Perplexity. It echoes Anthropic narrowing its data retention commitments and sits alongside the wider trend of AI vendors expanding what they collect, visible in cases like Airtable adding a new AI model provider. The written commitments are moving faster than the review cycles built to track them.
Potential impact for SaaS companies
Companies whose teams use Perplexity may want to review whether:
internal AI-tool policies still reflect what the current notice commits to, given the removed deletion timeline
anyone relying on the previous 30-day deletion promise is aware it is no longer stated
the AI-training opt-out is actually enabled for accounts used with sensitive queries, since the notice no longer points to it
the expanded collection through the Comet browser, voice, and health data is acceptable under their data handling rules
Keeping this current across a full set of tools is where continuous vendor contract monitoring becomes a structural need rather than a periodic task.
How Venpo detected it
Venpo continuously monitors vendor legal documents and detects changes as they are published. When Perplexity rewrote its privacy policy, Venpo:
detected the rewrite and separated the substantive edits from the reorganization
identified the three protections removed from the text: the AI-training opt-out, the 30-day deletion timeline, and the change-notice promise
flagged the widened collection across the Comet browser, voice, and health and genetic data
recorded the added controls as a separate, positive nuance so the update read as mixed, not one-sided
The full redline of the change is public on our live feed: Perplexity Privacy Policy, July 2, 2026. Building continuous vendor risk monitoring into the compliance stack is what makes this kind of detection possible.
Business outcome
Teams that caught this change early were able to:
confirm the AI-training opt-out was enabled on accounts used for sensitive work
note internally that the 30-day deletion timeline is no longer committed to
reassess whether the expanded collection through Comet and health features fits their policies
brief the relevant people before the next tool review
Instead of discovering the shift during an incident or an audit, they adapted on their own schedule.
Key takeaway
A privacy right written into the policy is a commitment. The same right as a toggle in settings is a control the vendor can change or remove. Perplexity's rewrite moved three protections out of the document while leaving the underlying controls in the product, which is precisely why the change is easy to miss. The only way to catch it is to be watching the text when it changes. A closer look at why scheduled reviews keep missing this kind of change is in our comparison of manual vs automated vendor monitoring.
Real-time change notifications
Stay ahead of every legal change
Get updates, product news and expert tips on navigating legal changes
Dispute resolution clause now requires mandatory arbitration in all regions
Data retention period extended from 2 years to 5 years for all services
New restrictions on AI-generated content in product descriptions
Third-party data sharing expanded to include analytics partners
Real-time change notifications
Stay ahead of every legal change
Get updates, product news and expert tips on navigating legal changes
Dispute resolution clause now requires mandatory arbitration in all regions
Data retention period extended from 2 years to 5 years for all services
New restrictions on AI-generated content in product descriptions
Third-party data sharing expanded to include analytics partners
