Don’t miss out on our latest stories. Add PCMag as a preferred source on Google.
OpenAI generally doesn’t share your ChatGPT conversations with third parties. However, an analytics firm has discovered a way to capture users’ prompts, which can reveal queries about sensitive topics such as prostitution, medical conditions, and immigration status.
New York-based Profound has been selling access to the queries through a service called Prompt Volumes, which launched earlier this year. It can help companies identify what users are asking major chatbot providers, including ChatGPT, Google Gemini, and Anthropic’s Claude, though ChatGPT data dominates.
The data is anonymized and scrubbed of identifying information before it’s licensed to Profound, the company says. However, people tend to reveal more personal information to chatbots than they would during a Google search, for example. And they may not be aware that this data is being shared with third parties. Profound’s Prompt Volumes feature lets you search the archive, and it shows that ChatGPT users have been querying for all kinds of topics, including sex dolls, suicide, and infertility treatments. I signed up for a free trial to see how it works. Here’s what I found.
A View of ChatGPT Prompts From Real Users
Volume Prompt result for the term ‘HIV test.’ (Credit: Profound/PCMag)
Profound has been demoing the feature to customers; some of the prompts it collected include:
How can I hack someone?
What are 15 types of BDSM sex?
Can you suggest me some incest hentai?
I caught my wife cheating on me last week and plan to expose her in front of her family.
Are there any online websites where you can book a brothel?
What is the significance of the HIV test results I received?
Which type of sex doll is best for beginners?
What kind of abortion do you recommend?
What are the implications of being undocumented in the US after TPS termination?
The feature can match the prompt to geographic regions, gender, estimated income level, and age group. New prompts are released on a weekly basis.
Another tab will break down the prompt by gender, age group, income level, and geography. (Credit: Profound/PCMag)
Geography breakdown (Credit: Profound/PCMag)
Lee Dryburgh, a researcher in marketing visibility and founder of his own consultancy, Contestra, has been warning about the privacy implications. “The great majority of users have no awareness [that] their chats are being grabbed off their screen, sent over a network, packaged, and resold,” he tells PCMag.
Profound hasn’t said how it’s gathering chatbot data. Its website merely notes that it “licenses conversations from multiple, double-opt-in consumer panels of real answer [engine] users.”
However, as Dryburgh notes, a separate analytics company, Semrush, published two articles in September that mention supplying user data to Profound. The articles have since been changed to remove any mention of Profound. Here’s what the original said on Search Engine Land:
“Companies like Similarweb or Datos (a Semrush company) offer data capturing genuine user actions, collected through browser extensions, consented panels, app telemetry, and provider networks.
Visibility tools like Semrush’s AIO and Profound are built on this principle, leveraging clickstream data, sequential metrics showing which AI results are seen, engaged with or ignored.”
Profound’s FAQ for Prompt Volume (Credit: Profound)
Semrush’s Datos specializes in licensing data to clients in an “anonymized” fashion. Profound’s website says its data is “anonymized, aggregated, scrubbed of PII [personal identifying information], and compliant with GDPR and CCA. Panels are doubly opted-in and fully compliant with all modern privacy laws.”
We attempted to test this and noticed that Prompt Volumes does, in fact, redact personal information from the Prompt Volumes. For example, we searched for Social Security numbers, addresses, phone numbers, and private keys, but the feature appeared to always remove them. Nevertheless, Prompt Volumes does indicate Profound is collecting sensitive user prompts relating to cryptocurrency wallets, passwords, SSNs, and bank accounts
Using Prompt Volumes to search for ‘social security number.’ (Credit: Profound/PCMag)
(Credit: Profound/PCMag)
Dryburgh says Profound’s business model infringes on user privacy because the data collection process isn’t clearly explained to consumers. He suspects that browser extensions play a key role in data collection because they can be granted permission to view all websites on a browser, enabling services like Semrush to capture ChatGPT interactions.
“AI chats are not short queries—they are deeply personal disclosures. Users never knowingly consent to this level of surveillance,” Dryburgh tells PCMag. He also questions whether the lack of transparency around the data collection violates European and Californian data privacy rules.
Using Prompt Volumes to search for ‘credit card cvv.’ (Credit: Profound/PCMag)
Lena Cohen, Staff Technologist at the Electronic Frontier Foundation (EFF), agrees that “the questions people ask chatbots can reveal exceptionally sensitive information, like their health concerns, financial struggles, and relationship problems.
“People deserve meaningful control over who can access these AI prompts,” she says. “When companies offer vague assurances that people consented to their data being sold or that the data has been ‘anonymized,’ that is not enough to protect people. Companies have claimed that data was anonymized and aggregated before, only to have it traced back to individuals.
Plus, “the data broker ecosystem is so opaque that people have virtually no way of knowing who is buying and selling their data, or how it might be used against them,” Cohen says. “We need comprehensive privacy legislation and stronger enforcement to ensure that people’s AI prompts remain private by default.”
Profound Sends a Cease and Desist
When asked about the privacy concerns, Profound first noted that Dryburgh is the founder and CEO of a “competitor company,” Contestra.
“This is a clear attempt by Lee to cause brand damage to Profound, and it seems you are (perhaps unknowingly) amplifying his efforts here,” Profound said in an email.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.
Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
“Profound does not collect any data directly—we license opt-in data from well-known, established providers—the same providers that have powered marketing and BI tools for decades. Opt-in consumer panels have existed for over a century—since the era of TV, with Nielsen (in 1923) offering data to help marketers understand consumer behavior. This is no different,” the company added.
(Credit: Profound)
Profound also denied surfacing sensitive topics with the Prompt Volume tool, despite the screenshots we provided. “The handful of prompts we show are not real user prompts, but use LLMs [large language models] to reflect the TYPE of prompts people send around any given topic. Age, income, gender, etc, [are] all based on predictive modelling and not tied to any specific prompts,” the company said, suggesting prompts can be summarized to some extent.
(Credit: Profound/PCMag)
In response, Dryburgh says Contestra only has only employee: Dryburgh. In contrast, Profound has secured over $50 million in funding, has 82 employees, and serves “1000+” enterprise customers.
Dryburgh also takes issue with Profound saying that Prompt Volumes doesn’t surface sensitive topics, as the company’s own website markets the service by saying, “Discover what millions of people ask AI.”
“Buyers are exposed to ‘real user conversations’ or they are not. There is no middle ground. It can’t be both sides of the coin,” Dryburgh said.
However, Profound argues that the complaints are misleading. Dryburgh told us he received a cease-and-desist letter from Profound’s lawyers, demanding he take down his LinkedIn posts criticizing the company. “In the event that You and Contestra fail to provide confirmation and continue with your current course, Profound expressly reserves all rights, including to commence litigation without further notice,” the letter says.
(Credit: Lee Dryburgh )
Examining Browser Extensions
Profound wouldn’t say how users are opting into the prompt data collection, or how they can opt out. As a result, it’s unclear which browser extensions collect data from users.
Recommended by Our Editors
To try and find out, we asked Frank Li, an Assistant Professor of cybersecurity at Georgia Tech. Last year, his team developed an automated system called “Arcanum” that examined all the browser extensions on the Chrome Store and found that over 3,000 of them automatically collect user-specific data, such as URLs. A subset of 200 extensions directly lifted sensitive user data from web pages loaded via the browser.
(Credit: Google)
Li and his team examined whether the Arcanum system could identify any Chrome browser extensions targeting the ChatGPT site and user prompts. However, their analysis only uncovered 17 extensions that did, and only one had over 1,000 users.
“Eight out of the 17 extensions we found were extracting the whole page, while the rest were specifically extracting the ChatGPT prompt, the response, or both,” he said.
Still, Li noted Arcanum faced two restrictions during the analysis. The system didn’t work on 20% of the extensions that might operate on ChatGPT “largely because our system is using an older browser version and some of these extensions must have used an API not available on an older browser,” he told us in an email.
The other issue is Arcanum won’t work on extensions that require manual actions, including logging into a user account—perhaps the key way Datos and other data brokers receive opt-in from the user. “I suspect some popular extensions might collect ChatGPT data upon such actions, which we’ll miss,” Li said.
In the meantime, Dryburgh has been urging users to consider uninstalling browser extensions from providers that have the ability to read and change data on a site. Users can also consider conversing with ChatGPT and other chatbots in incognito or private mode, which can shut down the extension access, he said.
Profound sells access to the Prompt Volumes feature at “custom” pricing through its enterprise plan. It also plans on offering prompt-related data for xAI’s Grok and DeepSeek.
Semrush didn’t respond to a request for comment. However, Datos told us that its data collection is privacy-safe and follows the law, although the company refrained from identifying how users opt in.
“The data we collect and share with our partners is used to identify trends on the internet and
is devoid of all personal information. Datos takes privacy very seriously, and as such Datos does not collect or maintain any personal information. In fact, Datos employs sophisticated systems to prevent personal information from hitting our servers, and leverages outside providers to monitor and ensure there is no personal data,” the company said.
“None of our products would benefit from such data, and no customer has ever asked
us for it. In terms of how the data is collected, our data is always collected with the knowledge and consent of the consumer, and the consumer can opt out at any time,” Datos added.
OpenAI didn’t respond to a request for comment.
Disclosure: Ziff Davis, PCMag’s parent company, filed a lawsuit against OpenAI in April 2025, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.
About Our Expert
Michael Kan
Senior Reporter
Experience
I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how President Trump’s tariffs will affect the industry. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.
Read Full Bio
