/

Case Studies

Perplexity moved three protections out of its privacy policy

Stani Mihov

Founder & CEO

·

TL;DR

Vendor: Perplexity
Document: Privacy Policy
Date: July 2, 2026
Key change: The AI-training opt-out, the 30-day account-deletion timeline, and the promise to notify users of material changes were removed from the policy text, while the same update expanded what the document says Perplexity can collect, including through the Comet browser, voice, and health and genetic data

Perplexity replaced its privacy policy with a restructured notice. Most of the diff is reorganization, but three protections that used to be written into the document are no longer there. The underlying controls still exist in the product, which is exactly what makes the change easy to miss.

The change

On July 2, 2026, Perplexity replaced its privacy policy with a restructured Privacy Notice. Venpo detected the change and separated the substantive edits from the reorganization.

Most of the diff is reformatting: the document was relabeled from a policy to a notice, sections were reordered, and much of the content was moved into tables. Inside that reshuffle sit three concrete user protections that used to be written in the document and are no longer there.

Perplexity is used daily by a large number of people and teams for research, and its search queries can carry sensitive context. A change to what the privacy document commits to reaches everyone relying on it.

What changed

Three protections left the text of the notice.

  • The AI-training opt-out. The old policy told logged-in users they could stop their search information from being used to improve Perplexity's AI models. The new notice no longer describes this option.

  • The deletion timeline. The old policy said that after account deletion, Perplexity aimed to remove personal information from its servers within 30 days. The new notice replaces this with retention for as long as reasonably necessary, with no stated timeframe.

  • The change-notice promise. The old policy said Perplexity would use reasonable efforts to notify users of material changes, including by email or service notice. The new notice removes that commitment and says new versions are simply posted to the website.

The same update also widened what the document says can be collected:

  • New sections for the Comet browser disclose browsing history tied to a synced account and data stored locally on the device

  • The sensitive-data categories now expressly include voice biometrics, neural data, and health and genetic data

  • Health data can be shared with third-party AI models used to deliver requested features

  • Targeted advertising is stated more explicitly, and commercial and activity data can be shared with advertising partners

For balance, the rewrite also added real protections: clearer opt-out controls for ads and the Comet browser, recognition of Global Privacy Control signals, parental-consent framing up to age 16, and a commitment not to re-identify de-identified data. Venpo scored the update as mixed rather than one-directional.

The controls did not leave the product

This is the part that makes the change easy to miss. The AI-training opt-out still works: the toggle lives in Settings under Preferences, and Perplexity's own help documentation confirms that Free, Pro, and Max users can still turn off whether their data is used for model training. Account deletion still exists as a right.

Nothing was technically taken away. What changed is where the protection lives. A right written into the policy is a commitment the vendor is held to. The same right as a toggle in a settings menu is a control the vendor can change or remove, without editing a single line of the document. The rewrite moved two of these protections from the first category into the second, and dropped the 30-day figure entirely.

Why this matters

A privacy policy is the document where a vendor commits, in writing, to how it handles your data. When a specific protection is described there, it is part of that commitment. When it is only a product setting, it is not. This is the exact category of change covered in our analysis of the hidden risk of vendor legal changes.

The pattern is not unique to Perplexity. It echoes Anthropic narrowing its data retention commitments and sits alongside the wider trend of AI vendors expanding what they collect, visible in cases like Airtable adding a new AI model provider. The written commitments are moving faster than the review cycles built to track them.

Potential impact for SaaS companies

Companies whose teams use Perplexity may want to review whether:

  • internal AI-tool policies still reflect what the current notice commits to, given the removed deletion timeline

  • anyone relying on the previous 30-day deletion promise is aware it is no longer stated

  • the AI-training opt-out is actually enabled for accounts used with sensitive queries, since the notice no longer points to it

  • the expanded collection through the Comet browser, voice, and health data is acceptable under their data handling rules

Keeping this current across a full set of tools is where continuous vendor contract monitoring becomes a structural need rather than a periodic task.

How Venpo detected it

Venpo continuously monitors vendor legal documents and detects changes as they are published. When Perplexity rewrote its privacy policy, Venpo:

  • detected the rewrite and separated the substantive edits from the reorganization

  • identified the three protections removed from the text: the AI-training opt-out, the 30-day deletion timeline, and the change-notice promise

  • flagged the widened collection across the Comet browser, voice, and health and genetic data

  • recorded the added controls as a separate, positive nuance so the update read as mixed, not one-sided

The full redline of the change is public on our live feed: Perplexity Privacy Policy, July 2, 2026. Building continuous vendor risk monitoring into the compliance stack is what makes this kind of detection possible.

Business outcome

Teams that caught this change early were able to:

  • confirm the AI-training opt-out was enabled on accounts used for sensitive work

  • note internally that the 30-day deletion timeline is no longer committed to

  • reassess whether the expanded collection through Comet and health features fits their policies

  • brief the relevant people before the next tool review

Instead of discovering the shift during an incident or an audit, they adapted on their own schedule.

Key takeaway

A privacy right written into the policy is a commitment. The same right as a toggle in settings is a control the vendor can change or remove. Perplexity's rewrite moved three protections out of the document while leaving the underlying controls in the product, which is precisely why the change is easy to miss. The only way to catch it is to be watching the text when it changes. A closer look at why scheduled reviews keep missing this kind of change is in our comparison of manual vs automated vendor monitoring.

The change

On July 2, 2026, Perplexity replaced its privacy policy with a restructured Privacy Notice. Venpo detected the change and separated the substantive edits from the reorganization.

Most of the diff is reformatting: the document was relabeled from a policy to a notice, sections were reordered, and much of the content was moved into tables. Inside that reshuffle sit three concrete user protections that used to be written in the document and are no longer there.

Perplexity is used daily by a large number of people and teams for research, and its search queries can carry sensitive context. A change to what the privacy document commits to reaches everyone relying on it.

What changed

Three protections left the text of the notice.

  • The AI-training opt-out. The old policy told logged-in users they could stop their search information from being used to improve Perplexity's AI models. The new notice no longer describes this option.

  • The deletion timeline. The old policy said that after account deletion, Perplexity aimed to remove personal information from its servers within 30 days. The new notice replaces this with retention for as long as reasonably necessary, with no stated timeframe.

  • The change-notice promise. The old policy said Perplexity would use reasonable efforts to notify users of material changes, including by email or service notice. The new notice removes that commitment and says new versions are simply posted to the website.

The same update also widened what the document says can be collected:

  • New sections for the Comet browser disclose browsing history tied to a synced account and data stored locally on the device

  • The sensitive-data categories now expressly include voice biometrics, neural data, and health and genetic data

  • Health data can be shared with third-party AI models used to deliver requested features

  • Targeted advertising is stated more explicitly, and commercial and activity data can be shared with advertising partners

For balance, the rewrite also added real protections: clearer opt-out controls for ads and the Comet browser, recognition of Global Privacy Control signals, parental-consent framing up to age 16, and a commitment not to re-identify de-identified data. Venpo scored the update as mixed rather than one-directional.

The controls did not leave the product

This is the part that makes the change easy to miss. The AI-training opt-out still works: the toggle lives in Settings under Preferences, and Perplexity's own help documentation confirms that Free, Pro, and Max users can still turn off whether their data is used for model training. Account deletion still exists as a right.

Nothing was technically taken away. What changed is where the protection lives. A right written into the policy is a commitment the vendor is held to. The same right as a toggle in a settings menu is a control the vendor can change or remove, without editing a single line of the document. The rewrite moved two of these protections from the first category into the second, and dropped the 30-day figure entirely.

Why this matters

A privacy policy is the document where a vendor commits, in writing, to how it handles your data. When a specific protection is described there, it is part of that commitment. When it is only a product setting, it is not. This is the exact category of change covered in our analysis of the hidden risk of vendor legal changes.

The pattern is not unique to Perplexity. It echoes Anthropic narrowing its data retention commitments and sits alongside the wider trend of AI vendors expanding what they collect, visible in cases like Airtable adding a new AI model provider. The written commitments are moving faster than the review cycles built to track them.

Potential impact for SaaS companies

Companies whose teams use Perplexity may want to review whether:

  • internal AI-tool policies still reflect what the current notice commits to, given the removed deletion timeline

  • anyone relying on the previous 30-day deletion promise is aware it is no longer stated

  • the AI-training opt-out is actually enabled for accounts used with sensitive queries, since the notice no longer points to it

  • the expanded collection through the Comet browser, voice, and health data is acceptable under their data handling rules

Keeping this current across a full set of tools is where continuous vendor contract monitoring becomes a structural need rather than a periodic task.

How Venpo detected it

Venpo continuously monitors vendor legal documents and detects changes as they are published. When Perplexity rewrote its privacy policy, Venpo:

  • detected the rewrite and separated the substantive edits from the reorganization

  • identified the three protections removed from the text: the AI-training opt-out, the 30-day deletion timeline, and the change-notice promise

  • flagged the widened collection across the Comet browser, voice, and health and genetic data

  • recorded the added controls as a separate, positive nuance so the update read as mixed, not one-sided

The full redline of the change is public on our live feed: Perplexity Privacy Policy, July 2, 2026. Building continuous vendor risk monitoring into the compliance stack is what makes this kind of detection possible.

Business outcome

Teams that caught this change early were able to:

  • confirm the AI-training opt-out was enabled on accounts used for sensitive work

  • note internally that the 30-day deletion timeline is no longer committed to

  • reassess whether the expanded collection through Comet and health features fits their policies

  • brief the relevant people before the next tool review

Instead of discovering the shift during an incident or an audit, they adapted on their own schedule.

Key takeaway

A privacy right written into the policy is a commitment. The same right as a toggle in settings is a control the vendor can change or remove. Perplexity's rewrite moved three protections out of the document while leaving the underlying controls in the product, which is precisely why the change is easy to miss. The only way to catch it is to be watching the text when it changes. A closer look at why scheduled reviews keep missing this kind of change is in our comparison of manual vs automated vendor monitoring.

Real-time change notifications

Stay ahead of every legal change

Get updates, product news and expert tips on navigating legal changes

Stripe updated Terms of Service

Dispute resolution clause now requires mandatory arbitration in all regions

High Impact2 hours ago
AWS modified Privacy Policy

Data retention period extended from 2 years to 5 years for all services

Medium Impact5 hours ago
Shopify revised Acceptable Use Policy

New restrictions on AI-generated content in product descriptions

Review1 day ago
Slack changed Data Processing Agreement

Third-party data sharing expanded to include analytics partners

High Impact1 day ago

Real-time change notifications

Stay ahead of every legal change

Get updates, product news and expert tips on navigating legal changes

Stripe updated Terms of Service

Dispute resolution clause now requires mandatory arbitration in all regions

High Impact2 hours ago
AWS modified Privacy Policy

Data retention period extended from 2 years to 5 years for all services

Medium Impact5 hours ago
Shopify revised Acceptable Use Policy

New restrictions on AI-generated content in product descriptions

Review1 day ago
Slack changed Data Processing Agreement

Third-party data sharing expanded to include analytics partners

High Impact1 day ago