Is Perplexity AI GDPR Compliant? DPA and Data Privacy Guide for Germany
Perplexity AI offers a Data Processing Agreement (DPA) for enterprise customers and uses Standard Contractual Clauses (SCCs) for EU-US data transfers, but stores data in the United States by default. GDPR-compliant use of Perplexity is only possible under the Enterprise plan with a signed DPA — free and standard Pro accounts do not include a DPA and are not suitable for processing personal data under GDPR.
Is Perplexity AI GDPR Compliant?
Perplexity AI can be used in a GDPR-compliant manner, but only under specific conditions. As a US-based AI service, Perplexity stores and processes data on US servers. For EU businesses, this creates data transfer obligations under GDPR Article 46.
The critical requirements for GDPR-compliant Perplexity use are:
- Enterprise plan required: Only the Perplexity Enterprise plan includes a Data Processing Agreement (DPA), which functions as an Auftragsverarbeitungsvertrag (AVV) under Article 28 DSGVO
- SCCs required: International data transfers from the EU to Perplexity’s US infrastructure must be covered by Standard Contractual Clauses (Module 2)
- No DPA for free or Pro users: Standard terms allow Perplexity to use query data for model improvement, making those plans unsuitable for business queries involving personal data
German companies can deploy Perplexity in a GDPR-compliant manner, but only with the Enterprise plan, a signed DPA, confirmed SCCs, and a documented legal basis under Article 6(1) DSGVO.
What Is Perplexity AI?
Perplexity AI is an AI-powered search and research tool that provides answers to queries by combining large language models with real-time web retrieval. Businesses use it for research, competitive intelligence, legal background work, and general productivity.
Perplexity offers consumer plans (free, Pro) and an enterprise plan (Perplexity Enterprise Pro) with enhanced data privacy controls. Unlike a standard search engine, Perplexity processes natural-language queries, generates synthesized responses, and may retain query content depending on account type and settings — which creates GDPR considerations that a traditional keyword search engine does not.
What Data Does Perplexity Process?
Perplexity collects and processes:
- Search queries: The full text of every query entered — the primary personal data risk for business users
- Uploaded files: Documents, PDFs, or images submitted as part of queries
- Account data: Email addresses, usage history, and settings for registered users
- Usage metadata: Device information, IP addresses, and session data
Enterprise vs. Consumer Data Handling
The GDPR-relevant distinction is between Perplexity’s consumer and enterprise tiers:
| Data Type | Free / Pro | Enterprise |
|---|---|---|
| Queries used for model training | Potentially yes | No (contractually prohibited) |
| Queries retained long-term | Yes | Configurable |
| DPA / AVV available | No | Yes |
| EU-US SCC mechanism | Not provided | Included (Module 2) |
| Sub-processor disclosure | Limited | Full list |
| GDPR-compliant for personal data | No | Yes (with proper setup) |
| SSO / access management | No | Yes |
Perplexity’s Data Processing Agreement (DPA)
Does Perplexity Offer a DPA for EU Companies?
Yes — Perplexity provides a Data Processing Agreement for Enterprise customers only. The DPA designates Perplexity as a data processor under Article 28 GDPR, with your organization as the data controller.
Key provisions of the Perplexity Enterprise DPA:
- No training on Enterprise data: Query data and outputs are not used to train or improve Perplexity’s AI models — a contractually guaranteed difference from consumer plans
- Processor designation: Perplexity acts strictly as your processor for Enterprise-plan queries and outputs
- Data retention limits: Enterprise agreements specify retention periods and deletion procedures
- Sub-processor disclosure: Perplexity discloses all infrastructure and processing sub-processors to Enterprise customers
For free and Pro users: Without a DPA, Perplexity’s standard terms permit use of data to improve services. Processing personal data through these plans — even incidentally — constitutes a GDPR violation for German businesses.
Standard Contractual Clauses for EU Transfers
The Perplexity Enterprise DPA includes Standard Contractual Clauses (SCCs) under Article 46 GDPR, specifically Module 2 (Controller to Processor). This is the legal mechanism permitting EU personal data to be processed on Perplexity’s US infrastructure following the Schrems II ruling, which invalidated the EU-US Privacy Shield.
For formal GDPR compliance, German businesses should also conduct a Transfer Impact Assessment (TIA) to evaluate whether US intelligence surveillance laws — particularly FISA 702 and Executive Order 12333 — present specific risks to the data transferred, and whether the SCCs provide sufficient protection in practice.
Data Storage and Transfers
Perplexity is headquartered in San Francisco, California. There is currently no EU data center option — all queries are processed on US-based infrastructure. For German businesses, this means:
- Every query submitted to Perplexity constitutes a transfer of personal data to a third country (US) under GDPR Chapter V
- The Enterprise DPA’s SCCs must be executed before any personal data is processed
- The Article 30 DSGVO processing register and employee privacy notices must document this international transfer
- Data minimization applies: queries should be anonymized wherever possible to reduce the scope of personal data transferred
Standard accounts have limited retention controls. Enterprise agreements include contractual data retention and deletion timelines — a meaningful compliance advantage.
GDPR Roles: Controller or Processor?
Under GDPR, the role distinction determines compliance obligations:
Your organization is the data controller. You determine the purposes and means of using Perplexity — business research, legal analysis, competitive intelligence — and are responsible for the lawful basis under Article 6(1) DSGVO, privacy notices, and responding to data subject rights requests.
Perplexity is the data processor. Under the Enterprise DPA, Perplexity processes data strictly according to your instructions and the DPA terms, and cannot use that data for its own purposes (such as model training).
This controller-processor relationship only exists under the Enterprise plan with a signed DPA. Without a DPA, Perplexity operates under its own terms — the role structure is unclear, and the arrangement is non-compliant for business use involving personal data.
Key Privacy Controls for Business Users
Perplexity Enterprise provides several controls relevant to GDPR compliance:
- No training on your data: The Enterprise plan contractually excludes query data from model training — this protection cannot be waived or changed
- Data retention configuration: Contractual retention periods replace the default indefinite retention of consumer plans
- Team admin controls: Enterprise admin dashboards allow user access management, usage monitoring, and policy enforcement
- SSO integration: Supports enterprise identity providers for centralized access control
- Sub-processor transparency: Enterprise customers receive a full list of Perplexity’s processing sub-processors
For non-Enterprise users, Perplexity offers a “no history” toggle. This provides weaker guarantees — no contractual backing, no DPA, no SCC mechanism — and is not a substitute for an Enterprise DPA under GDPR.
Perplexity AVV: Steps for German Businesses
If your Perplexity use involves personal data, here is the compliance path:
- Upgrade to Perplexity Enterprise: Contact Perplexity’s sales team. Free and Pro plans do not include a DPA.
- Sign the Data Processing Agreement: Execute the DPA as the AVV required under Article 28 DSGVO.
- Confirm SCCs for EU-US transfers: Verify Module 2 SCCs (Controller to Processor) are included.
- Conduct a Transfer Impact Assessment: Evaluate Schrems II risk for your data types.
- Update your processing register: Add Perplexity to your Verzeichnis von Verarbeitungstätigkeiten (Article 30 DSGVO).
- Update privacy notices: Disclose Perplexity use and the US data transfer in employee-facing Datenschutzhinweise.
- Issue usage guidelines: Train employees on which query types may and may not include personal data.
- Consult the Betriebsrat: If Perplexity significantly affects employee workflows, works council involvement is required under §87(1) No. 6 BetrVG before company-wide rollout.
Compliance Checklist for German Businesses Using Perplexity
- Use case assessment: Determined whether queries involve personal data (names, client data, HR data)
- Enterprise plan: Upgraded to Perplexity Enterprise if personal data is processed
- DPA / AVV signed: Perplexity Data Processing Agreement executed before processing personal data
- SCCs confirmed: Standard Contractual Clauses (Module 2) for EU-US transfers included in DPA
- Processing register updated: Perplexity added to Art. 30 DSGVO register for relevant activities
- Legal basis documented: Art. 6(1) GDPR basis identified for each use case (typically legitimate interest for business research)
- Privacy notices updated: Employee-facing notices disclose Perplexity use and US data transfer
- Sub-processor list reviewed: Perplexity sub-processors checked; notices updated accordingly
- Usage guidelines issued: Staff trained on which query types may include personal data
- Data minimization applied: Queries anonymized wherever possible
- Transfer Impact Assessment: Schrems II analysis completed for EU-US transfers if sensitive data is involved
- AI Act classification: Confirmed no Perplexity use case falls under Annex III high-risk categories
- Works council consulted: Betriebsrat notified before company-wide rollout under §87 BetrVG
Frequently Asked Questions
Does Perplexity have a DPA for EU companies?
Yes. Perplexity provides a Data Processing Agreement for Enterprise plan customers. The DPA functions as the Auftragsverarbeitungsvertrag (AVV) required under Article 28 GDPR, designates Perplexity as a processor, contractually prohibits Enterprise query data from being used for model training, and includes Standard Contractual Clauses (Module 2) for EU-US data transfers. Free and standard Pro accounts do not include a DPA.
Is Perplexity GDPR compliant for business use?
Perplexity can be GDPR compliant for business use if you are on the Enterprise plan with a signed DPA, Standard Contractual Clauses in place for EU-US data transfers, and your Article 30 DSGVO processing register and employee privacy notices updated. Without an Enterprise plan and DPA, processing personal data through Perplexity — even incidentally — is not GDPR compliant.
Where does Perplexity store data?
Perplexity stores and processes data on US-based infrastructure. There is currently no EU data center option. Queries submitted by EU users are transferred to US servers. Under the Enterprise DPA, Standard Contractual Clauses (Module 2) cover this EU-US transfer. German businesses must document this transfer in their Article 30 processing register and conduct a Transfer Impact Assessment for sensitive data categories.
Can I use Perplexity in Germany under GDPR?
Yes — but only with an Enterprise plan and signed DPA. Using Perplexity for business queries that include personal data on a free or Pro account violates GDPR. If your queries do not involve personal data — purely topic-based research with no individual names or identifying information — the absence of a DPA may be acceptable. However, most business use cases carry some risk of incidental personal data inclusion, and the Enterprise plan with a signed DPA is the only reliably compliant path for systematic business deployment in Germany.
Does Perplexity train on my queries?
For free and standard Pro accounts, Perplexity may use query data to improve its models under its standard terms. For Enterprise accounts, the DPA contractually prohibits using query data or outputs for model training or improvement. This is one of the most significant GDPR-relevant differences between Perplexity’s consumer and enterprise plans — and a core reason why the Enterprise plan is required for business use involving personal data.