Perplexity AI
Business Plan Price: $20/mo (Pro), $200/mo (Max), $40-325/seat (Ent.) - billed in USD
Enterprise Features: SOC 2 Type II, GDPR/HIPAA (Enterprise BAA), SSO, EU sovereign AI (NVIDIA partnership), DPA with SCCs
Last Updated: March 23, 2026
Perplexity AI - GDPR & Data Privacy Overview for European Clients
Version: March 2026 - prepared by WAIMAKERS B.V.
1 Purpose
This overview explains how Perplexity AI tiers (Free, Pro, Max, Enterprise Pro, Enterprise Max, Education Pro) handle data in relation to GDPR, with a focus on European customers. Perplexity AI is an AI-powered answer engine that combines real-time web search with generative AI to provide cited, verifiable answers. The company (Perplexity AI, Inc.) is US-based and holds SOC 2 Type II certification with stated GDPR compliance. As of March 2026, Perplexity has relocated its EU legal entity headquarters to Vienna, Austria, and partners with the Prighter Group as its official GDPR representative for the EEA.
2 Comparison of Perplexity AI Tiers (EU focus)
| Tier | Training on data? | Custom retention | EU data residency | Admin controls | Compliance | Price |
|---|---|---|---|---|---|---|
| Free (Standard) | ⚠️ Default ON (opt-out in settings) | ❌ No | ❌ US only | ❌ No | Basic privacy policy | $0 |
| Pro (Individual) | ⚠️ Default ON (opt-out in settings) | ❌ No | ❌ US only | ❌ No | Basic privacy policy | $20/month ($200/year) |
| Max (Individual) | ⚠️ Default ON (opt-out in settings) | ❌ No | ❌ US only | ❌ No | Basic privacy policy | $200/month |
| Enterprise Pro | ✅ No training | ✅ Custom policies available | ⚠️ Some EU workloads (NVIDIA partnership) | ✅ SSO, MFA, admin dashboard | SOC 2 Type II, GDPR, HIPAA (with BAA), DPA with SCCs | $40/seat/month |
| Enterprise Max | ✅ No training | ✅ Custom policies available | ⚠️ Some EU workloads (NVIDIA partnership) | ✅ SSO, MFA, admin dashboard, priority support | SOC 2 Type II, GDPR, HIPAA (with BAA), DPA with SCCs | $325/seat/month |
| Education Pro | ⚠️ Default ON (opt-out in settings) | ❌ No | ❌ US only | ❌ No | Basic privacy policy | $30/seat/month |
Notes for Europe
- Training opt-out: Free, Pro, Max, and Education Pro (individual) users must manually opt out of AI training in account settings - this is not the default. Enterprise tiers do not train on customer data by default.
- EU data residency: Limited availability. Primary infrastructure remains US-based (San Francisco, AWS). Perplexity's sovereign AI partnership with NVIDIA integrates European sovereign AI models (NVIDIA Nemotron, deployed as NIM microservices) supporting 24 EU languages. First models are expected later in 2026. Full EU data residency is not yet generally available.
- Sonar API - Zero Data Retention: The Sonar API offers Zero Data Retention, improving compliance posture for API customers.
- Infrastructure: Primary data processing on US-based AWS infrastructure with IAM access controls and MFA. Some EU-hosted inference via NVIDIA sovereign AI partnership.
- Data retention: Account deletion triggers 30-day removal. Enterprise customers can configure custom thread retention policies and 7-day file retention.
- EU AI Act (GPAI): Perplexity AI's underlying models are subject to General Purpose AI (GPAI) obligations under the EU AI Act, which have been active since August 2025.
- GDPR compliance: Self-declared. Perplexity's GDPR compliance is not independently audited; it relies on stated policies and SOC 2 Type II certification.
- EU representative: Perplexity has relocated its EU HQ to Vienna, Austria, and partners with Prighter Group as its official GDPR representative for the EEA.
- DPA with SCCs: A Data Processing Addendum including Standard Contractual Clauses is available for Enterprise customers.
- Education Pro: Dedicated plan for educational institutions at $30/seat/month.
- Pricing: All prices shown in USD; VAT may apply for EU customers. Citation tokens are no longer billed on the Sonar API.
3 Is Perplexity AI GDPR-Compliant?
Short answer: Perplexity states GDPR compliance (self-declared, not independently audited) and holds SOC 2 Type II certification, but Enterprise Pro or Enterprise Max is strongly recommended for EU business use because the consumer tiers do not opt users out of training by default and offer limited EU data residency.
What applies to all plans:
- SOC 2 Type II audited - Independently validated security practices as of April 2025.
- GDPR-stated compliance - Privacy policy references GDPR rights (access, deletion, portability, objection).
- No data selling - Perplexity does not sell, trade, or share personal information with third parties except as outlined in its privacy policy (service providers).
- 30-day deletion - Account deletion triggers removal of personal information from servers within 30 days.
What's plan-dependent:
- Free/Pro/Max/Education Pro: Training on user data is enabled by default; users must manually opt out in account settings. No admin controls or DPA.
- Enterprise Pro: No training on customer data. Data Processing Addendum with SCCs available. SSO/MFA, admin controls, custom retention policies, HIPAA BAA available.
- Enterprise Max: All Enterprise Pro features plus unlimited usage and priority support.
Infrastructure limitations (all plans):
- Primarily US data processing - Core infrastructure is US-based (AWS San Francisco region). Some EU-hosted inference workloads available via NVIDIA sovereign AI partnership (NVIDIA Nemotron NIM microservices, first models expected later in 2026), but full EU data residency is not generally available.
- Third-party AI models - Perplexity uses OpenAI, Anthropic, and other third-party LLMs; data may be processed by these providers (with stated zero-retention agreements for Enterprise).
- GDPR self-declared - Perplexity's GDPR compliance is based on self-declaration, not independent audit. Customers should assess this when evaluating compliance posture.
What that means in practice:
- For personal/research use: Free or Pro may be acceptable if the training opt-out is manually configured and the user is comfortable with US data transfers.
- For business use with non-sensitive data: Enterprise Pro provides necessary controls (no training, DPA, admin dashboard, SOC 2).
- For healthcare or highly regulated use: Enterprise tier with executed BAA required; conduct DPIA for cross-border transfer risks.
Buyer's note: Enterprise Pro is the minimum viable tier for European business deployment. Free and Pro tiers lack essential GDPR controls (default training opt-out, DPA, admin controls).
4 Details by Offering
Free (Standard)
- Unlimited concise searches with limited access to advanced AI models.
- Data collection: Search queries, user interactions, account information (if created).
- Training: Data used for AI training by default; opt-out available in account settings (user must manually configure).
- Retention: 30 days post-account deletion; no custom policies.
- Pricing: $0
- When to use: Personal research, non-sensitive queries, users comfortable with US transfers and willing to manually opt out of training.
- When not to use: Any business or organisational use; processing of personal data of EU residents; GDPR-regulated workflows.
Pro (Individual)
- Unlimited Pro queries (multi-step reasoning), 20 research reports/day, access to GPT-4, Claude, and other advanced models.
- Important limitation: Still lacks enterprise controls; training opt-out must be manually configured; no DPA or admin dashboard.
- Pricing: $20/month or $200/year
- When to use: Power users conducting extensive personal research who have manually opted out of training.
- When not to use: Organisational deployments; any GDPR-regulated business processing.
Max (Individual)
- All Pro features plus expanded usage limits, priority access, and early access to experimental features.
- Important limitation: Same as Pro - individual tier; no enterprise controls, no DPA, training opt-out must be manually configured.
- Pricing: $200/month
- When to use: Heavy individual users requiring maximum throughput on personal research; not for business use.
- When not to use: Organisational deployments; any GDPR-regulated business processing.
Enterprise Pro
- No training on customer data - Default policy for Enterprise tier.
- Admin controls: SSO (via AWS IAM), MFA, user management dashboard, custom retention policies.
- Compliance: SOC 2 Type II, stated GDPR compliance, HIPAA-eligible with executed BAA, DPA with SCCs available.
- File retention: 7-day default for uploaded files (configurable).
- Connectors: Integrate internal knowledge sources (requires permission configuration).
- Pricing: $40/seat/month
- When to use: European business deployments, cross-functional research teams, integration with internal knowledge bases, healthcare organisations (with BAA).
- When not to use: When EU data residency is a hard requirement (not currently available).
Enterprise Max
- All Enterprise Pro features plus unlimited research reports, unlimited Perplexity Labs access, priority support, early access to new features (e.g., Comet browser).
- Compliance: Same as Enterprise Pro (SOC 2 Type II, GDPR self-declared, HIPAA with BAA, DPA with SCCs).
- Pricing: $325/seat/month
- When to use: Power users or research-intensive teams requiring unlimited usage; organisations that need priority support and early feature access.
- When not to use: Budget-constrained deployments where Enterprise Pro limits are sufficient; when EU data residency is a hard requirement.
Education Pro
- All Pro features available for verified educational institutions and eligible students.
- Important limitation: Individual-tier data handling applies - training opt-out must be manually configured; no enterprise controls, no DPA.
- Pricing: $30/seat/month
- When to use: Educational institutions or verified students requiring Pro-tier capabilities at a reduced rate.
- When not to use: Any GDPR-regulated processing of student personal data in a business or institutional compliance context.
5 Data Processing Flow
[User submits query]
↓
[Perplexity platform (US-based AWS)]
├─ Search index query
├─ LLM processing (OpenAI/Anthropic/others)
│ ├─ Enterprise: Zero-retention agreements with LLM providers
│ └─ Free/Pro: Training opt-out must be manually configured
└─ Response generation with citations
↓
[Result displayed to user]
├─ Enterprise: Thread retention per custom policy (7-30+ days configurable)
└─ Free/Pro: Stored until account deletion (30-day purge)
*Account deletion: 30-day complete removal from servers*
*File uploads (Enterprise): 7-day default retention (configurable)*
6 Recommendations (GDPR-first)
- For European business deployment, use Enterprise Pro (minimum) and execute DPA; conduct DPIA for US data transfer assessment.
- For healthcare or regulated industries, use Enterprise tier with executed BAA; complete DPIA and document transfer mechanisms (Standard Contractual Clauses).
- For personal use, Free or Pro is acceptable only if the user manually opts out of training in account settings and is comfortable with US data transfers.
- Do not use Free or Pro tiers for processing personal data of EU residents in a business context - lack of DPA, default training opt-in, and no admin controls create significant GDPR compliance gaps.
- Monitor Perplexity's NVIDIA sovereign AI partnership progress - NVIDIA Nemotron models (NIM microservices) for 24 EU languages are expected later in 2026, but full EU data residency for all customers is not yet confirmed.
- EU AI Act (GPAI): Perplexity's underlying models are subject to GPAI obligations active since August 2025. Organisations in regulated sectors should assess impact.
- GDPR compliance is self-declared, not independently audited. Factor this into risk assessments, especially for sensitive data processing.
7 EU Rollout Checklist (Practical)
- Select Enterprise Pro or Enterprise Max - Free/Pro tiers lack essential GDPR controls for business use.
- Execute Data Processing Addendum (DPA) - Obtain and sign DPA with Standard Contractual Clauses (SCCs) for US transfers via perplexity.ai/hub/legal/dpa or by contacting Perplexity sales.
- Conduct Data Protection Impact Assessment (DPIA) - Document US data transfer risks, necessity, and mitigations (encryption, SOC 2, SCCs).
- Configure admin controls - Enable SSO/MFA, set custom retention policies, configure connector permissions, restrict file sharing.
- Train users on sensitive data handling - Establish internal policy on what data can/cannot be submitted to Perplexity (avoid special category data unless DPIA approves).
- Document in privacy notice - Update GDPR privacy notice to disclose Perplexity usage, US data transfers, and data subject rights.
- For healthcare: Execute Business Associate Agreement (BAA) before processing any protected health information.
8 Procurement Quick Answers (EU)
Is EU data residency available?
Partially. Primary infrastructure remains US-based (AWS San Francisco). Through the NVIDIA sovereign AI partnership, Perplexity is integrating European sovereign AI models (NVIDIA Nemotron, deployed as NIM microservices) supporting 24 EU languages. First models are expected later in 2026. Full EU data residency is not yet generally available; confirm with Perplexity sales for specific use cases.
Does Perplexity train AI models on our data?
Free/Pro: Yes, by default (manual opt-out required in settings). Enterprise Pro/Max: No, customer data is not used for training.
Is a DPA available?
Yes, for Enterprise tiers. A Data Processing Addendum with Standard Contractual Clauses is available at perplexity.ai/hub/legal/dpa or by contacting Perplexity sales.
What certifications does Perplexity hold?
SOC 2 Type II (as of April 2025), stated GDPR compliance, HIPAA-eligible (Enterprise tier with BAA), PCI DSS.
What third-party AI providers does Perplexity use?
OpenAI (GPT-4, GPT-4o), Anthropic (Claude), and others. Enterprise tier includes zero-retention agreements with these providers.
Can we use Perplexity for healthcare data?
Only on Enterprise Pro/Max tier with an executed Business Associate Agreement (BAA). Contact Perplexity to arrange BAA before processing any PHI.
What happens to our data if we cancel?
Account deletion triggers removal of personal information from servers within 30 days. Enterprise customers can export data before cancellation.
Does Perplexity share data with third parties?
No selling or trading of personal data. Data may be shared with service providers (hosting, analytics) and third-party LLM providers (with zero-retention for Enterprise).
9 Notes & Caveats
- US data transfer risk: All processing occurs in the US and relies on SCCs and SOC 2 certification. Organisations must conduct a DPIA to assess the adequacy of safeguards post-Schrems II.
- Training opt-out not default on Free/Pro: Critical gap for GDPR compliance - users must manually navigate to account settings to disable training. Not suitable for business use.
- Third-party LLM dependencies: Perplexity relies on OpenAI, Anthropic, and other providers; data flows through these systems (with stated zero-retention for Enterprise).
- Partial EU data residency: NVIDIA sovereign AI partnership will integrate European sovereign AI models (NVIDIA Nemotron NIM microservices) for 24 EU languages, with first models expected later in 2026. Full EU data residency for all processing is not yet confirmed. Verify with Perplexity sales for your specific use case.
- Sonar API - Zero Data Retention: API customers benefit from zero data retention (previously 30 days). Citation tokens are no longer billed on the API.
- GDPR self-declared, not audited: Perplexity's GDPR compliance is self-declared and has not been independently audited. Organisations should factor this limitation into their compliance assessments.
- EU AI Act (GPAI) obligations active August 2025: General Purpose AI model obligations under the EU AI Act apply to Perplexity's underlying models. This creates obligations for the provider and may affect enterprise customers.
- File retention policies: Enterprise 7-day default for uploaded files is aggressive; may require adjustment for document-heavy workflows.
- HIPAA requires BAA: Even on Enterprise tier, healthcare organisations must execute separate BAA before processing PHI.
- Education plan: 12-month free Pro plan available for eligible students.
10 Disclaimer
This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Perplexity AI in production environments - especially when processing personal data, special category data, or protected health information. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.
Prepared and issued by WAIMAKERS B.V. - March 2026.
References
- https://www.perplexity.ai/privacy - Perplexity AI Privacy Policy
- https://www.perplexity.ai/hub/blog/how-perplexity-enterprise-pro-keeps-your-data-secure - How Perplexity Enterprise Pro Keeps Your Data Secure (SOC 2 Type II, GDPR compliance)
- https://www.perplexity.ai/hub/faq/data-retention-and-privacy-for-enterprise-organizations-and-users - Data Retention and Privacy for Enterprise Organisations
- https://docs.perplexity.ai/ - Perplexity API Documentation
- https://www.perplexity.ai/hub/pricing - Perplexity Pricing (Pro $20/month, Enterprise Pro $40/seat/month)
- https://perplexity.ai/help-center/en/articles/11564568-gdpr-compliance-at-perplexity - GDPR Compliance at Perplexity (Help Centre)
- https://perplexity.ai/hub/legal/dpa - Perplexity Data Processing Addendum (DPA with SCCs)
- https://perplexity.ai/hub/blog/bringing-european-ai-models-to-global-audiences - Bringing European AI Models to Global Audiences (NVIDIA Nemotron partnership)