The policy states that EEA and UK users' data is processed on lawful bases including consent, legitimate interests, and contractual necessity, and that cross-border transfers outside the EEA and UK are conducted using appropriate safeguards such as standard contractual clauses.
This analysis describes what Perplexity AI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the legal framework governing EEA and UK user data, including the reliance on standard contractual clauses for international transfers. The adequacy of these safeguards and the validity of the legitimate interest basis for AI training and advertising processing are subject to evaluation by EU supervisory authorities and the UK ICO.
Interpretive note: The policy does not specify whether Transfer Impact Assessments have been conducted for US transfers, and the legitimate interest basis for AI training processing is asserted without detailed documentation of the balancing test applied.
Under this provision, EEA and UK users' personal data may be transferred to the United States and other countries outside the EEA and UK using standard contractual clauses as the stated transfer mechanism. EEA and UK users have rights to access, rectification, erasure, restriction, portability, and objection under applicable data protection law.
How other platforms handle this
Your personal information may be transferred to, stored, and processed in the United States or other countries outside of your country of residence, which may have data protection laws that are different from those in your country.
For individuals in the United States, please also refer to our Notice For Individuals Residing In Certain US States below and the Consumer Health Data Policy.
Depending on your location, you may have certain rights regarding your personal data, including the right to access, correct, delete, or port your data. EU and UK users may also have the right to object to or restrict certain processing. California residents may have the right to know, delete, corre...
Monitoring
Perplexity AI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you are located in the European Economic Area or the United Kingdom, we process your personal information in accordance with applicable data protection laws. We rely on lawful bases including consent, legitimate interests, and contractual necessity. We may transfer your personal information to countries outside the EEA and UK, and we use appropriate safeguards such as standard contractual clauses.— Excerpt from Perplexity AI's Perplexity Privacy Policy
1) REGULATORY LANDSCAPE: This provision engages GDPR Chapter V (international data transfers), Article 6 (lawful bases), Article 21 (right to object to legitimate interest processing), and UK GDPR. Standard contractual clauses must be the current Commission-approved versions (2021 SCCs for EU; IDTA or addendum for UK). The relevant enforcement authorities are EU national supervisory authorities (coordinated by the EDPB for cross-border cases) and the UK ICO. 2) GOVERNANCE EXPOSURE: High. The reliance on legitimate interests as a legal basis for AI training and advertising data use requires a documented legitimate interest assessment (LIA) that balances Perplexity's interests against users' data protection rights. If this assessment has not been conducted or documented, enforcement exposure exists. 3) JURISDICTION FLAGS: All EEA member states and the UK create exposure. Given Perplexity's US-based operations, transfers to the US require current SCC documentation. Transfers to other third countries require separate analysis. Post-Schrems II compliance requires not only SCCs but also transfer impact assessments where surveillance risk exists. 4) CONTRACT AND VENDOR IMPLICATIONS: Sub-processors receiving EEA or UK user data must be identified in a processing register and bound by Article 28 GDPR-compliant data processing agreements. The policy does not disclose a sub-processor list, which may be a gap for enterprise procurement teams. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should verify that current SCC documentation is in place for US and other third-country transfers, that LIAs are documented for legitimate interest processing, that a Record of Processing Activities (RoPA) is maintained, and that data subject rights requests from EEA and UK users can be fulfilled within GDPR timeframes.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the legal framework governing EEA and UK user data, including the reliance on standard contractual clauses for international transfers. The adequacy of these safeguards and the validity of the legitimate interest basis for AI training and advertising processing are subject to evaluation by EU supervisory authorities and the UK ICO.
Under this provision, EEA and UK users' personal data may be transferred to the United States and other countries outside the EEA and UK using standard contractual clauses as the stated transfer mechanism. EEA and UK users have rights to access, rectification, erasure, restriction, portability, and objection under applicable data protection law.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Perplexity AI.