Is Notion private and safe?

Notion is a popular organizational tool and all-in-one workspace. It operates on the freemium model for individuals, which means it relies on advertising. So, you might be wondering if Notion is safe to use.

Users might feel like they’re getting something for nothing but are actually paying in a different currency – their data. Read on to find out exactly what data Notion collects and what it does with it.

User-provided data

Notion’s Privacy Policy states that information collected from you while using its service can include a name, email address, password, role within a team or enterprise, profile photo, phone number, mailing address, and payment information.

You typically provide this data when creating an account, paying for additional services, participating in surveys, or communicating with customer service.

Data collected automatically

Notion also says that it collects data automatically. This includes data about what devices and software you are using, where you are, and what you’re doing online – both before landing on the Notion site and after.

Specifically, the policy says it can collect:

  • IP address
  • User settings
  • MAC address (which is your device’s ID)
  • Cookie identifiers
  • Mobile carrier
  • Mobile advertising and other unique identifiers
  • Details about your browser
  • Operating system or device
  • Location information (including inferred general location based off of your IP address)
  • Internet service provider
  • Pages that you visit before, during and after using the Website or Services
  • Information about the links you click and how you interact with the Website or Services

Notion says this information is sold to “third-party advertising providers for targeted advertising and related purposes”.

Cookies

Notion relies on advertising revenue to function. Those advertisers, in turn, want to maximize the data they can collect from their adverts. With this in mind, they deposit cookies into users’ browsers. This is possible because the adverts on the Notion site are directly linked to the ad-networks’ web-servers.

Cookies provide the advertiser with analytics about their campaign and can follow the user between sites, sending valuable information back to the advertiser’s server in the process. Notion says this information is used to “serve relevant content and advertising to you as you browse the Internet”.

Notion provides cookie tables listing all the marketing cookies used by the site. These include Facebook, Google, Madison Logic, LinkedIn, TikTok, Tatari, Microsoft, Twitter, and Reddit cookies.

Some, such as those from Braze and Tatari, provide users with “tailored offers”—implying that they collect user data—while others identify the browsers being used to provide advertising. These cookies may sit in your browser for up to two years.

Browsers such as Safari, Firefox, and Brave can stop the types of marketing cookies that revel in collecting and sharing data. If you want to maximize your privacy while using Notion, you might want to consider switching away from Chrome or Edge to one of these more privacy-focused options and/or using anti-tracking browser extensions.
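To check which cookies a page actually sets, you can capture its Set-Cookie response headers and sort them by origin and lifetime. The script below is an added example, not code from Notion or from the original article; every host, cookie name and value in it is constructed sample data, and the 365-day threshold and the two-label domain comparison are assumptions made for the illustration.

```javascript
// Constructed sample data: hosts, cookie names and values are placeholders.
const FIRST_PARTY = "app.notes.example";
const NOW = Date.parse("2025-01-01T00:00:00Z"); // fixed clock so results are reproducible
const captured = [
  { host: "app.notes.example", header: "session=abc; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "px.adnet.example", header: "uid=9f2c; Domain=.adnet.example; Max-Age=63072000; Secure; SameSite=None" },
  { host: "t.offers.example", header: "vid=77; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Secure; SameSite=None" },
  { host: "cdn.notes.example", header: "theme=dark; Max-Age=2592000" },
];

// Naive registrable domain (last two labels). A real audit should use the Public Suffix List.
function site(host) {
  return host.toLowerCase().replace(/^\./, "").split(".").slice(-2).join(".");
}

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days; Max-Age takes precedence over Expires. null means a session cookie.
function lifetimeDays(attrs, now) {
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]) / 86400;
  if (attrs.expires !== undefined) return (Date.parse(attrs.expires) - now) / 86400000;
  return null;
}

function auditCookies(entries, firstParty, now, maxDays = 365) {
  return entries.map(({ host, header }) => {
    const c = parseSetCookie(header);
    const days = lifetimeDays(c.attrs, now);
    const thirdParty = site(c.attrs.domain || host) !== site(firstParty);
    // SameSite=None lets the browser send the cookie on cross-site requests.
    const crossSite = String(c.attrs.samesite || "").toLowerCase() === "none";
    const tracker = thirdParty && crossSite && days !== null && days > maxDays;
    return { name: c.name, host, thirdParty, days, tracker };
  });
}

console.table(auditCookies(captured, FIRST_PARTY, NOW));
```

Cookies flagged as `tracker` here are the long-lived, cross-site, third-party kind that the browsers and extensions mentioned above are designed to block.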

Third-party providers

In order to function, Notion uses a series of third-party companies – which it calls “subprocessors”. For example, it uses Amazon AWS for hosting and running its services and Amplitude and Segment for event logging.

Notion says that these subprocessors use cookies to “record certain pieces of information” when users interact with their services via Notion. It also says that its “technology partners” perform cross-device tracking by sharing data “such as your browsing patterns, geo-location and device identifiers”. This enables them to “match the information of the browser and devices that appear to be used by the same person”.

Nine subprocessors manage and provide Notion’s service. These range from OpenAI and Anthropic for large language model functionality to Sentry and Splunk for application monitoring. Notion outsources its customer service and payment processing to providers such as Teleperformance, Zendesk, and Intercom.

The use of subprocessors makes Notion useful for such a wide variety of tasks. However, it also means that your data is constantly being shifted between companies, increasing the risk of exposure. In the last year alone, two of the companies listed as subprocessors—OpenAI and Anthropic—have suffered data breaches.

For its part, Notion says that it “cannot ensure or warrant the security of any information you provide to us” and does “not accept liability for unauthorized disclosure.”

Is Notion private and safe to use?

Of course, the only way to secure your data is never to go online. If your more reasonable aim is to limit how your data is used, then you might like to avoid software like Notion.

The excessive amount of data it gathers can easily form an accurate picture of who you are, where you are, and what you like to do. Worse still, much of this information is also being gathered at the same time by the 10+ companies Notion partners with, together with 20+ advertising outfits.

Notion’s Master Subscription Agreement informs users that they have granted “Notion a worldwide, non-exclusive, irrevocable, royalty-free, fully-paid, sublicensable (to Notion’s third-party service providers) license to host, store, transfer, display, perform, reproduce, modify, create derivative works of, and distribute Customer Data”.

Individuals signing up for Notion might accept this as part of the deal to get the software for free. However, commercial users paying for Plus, Business, or Enterprise subscriptions should be less than impressed with Notion and co. harvesting employee data.

How can I limit the data collected by Notion?

In its defense, Notion does a lot to keep your data away from those it doesn’t have business links with. It also provides a few links in its Privacy Policy that assist users in controlling which cookies they receive. Guidance is available to limit your data’s sale to advertisers, too.

If you’re already using Notion, make sure to click the “Do Not Sell or Share My Info” link at the bottom of the Notion website footer at www.notion.so/product. You should also submit a request to opt out of “disclosures of information” by emailing privacy@makenotion.com.

Data Notion doesn’t collect

Users’ behavioral and system data aside, Notion says that it takes the security of the actual content entered by users “very seriously”. By content, we mean all the information people enter into Notion’s various services, such as notes they make, new project information, and calendar events. The company specifically says that “no user content is exposed to any third-party service”.

However, Notion’s employees may be able to access user-generated content “for the purposes of troubleshooting problems” or for recovery. Users will be asked to grant the support team permission to access their data in either of these two scenarios.

In general, the company applies the principle of least privilege, whereby access is granted based on “job function, business requirements, and a need-to-know basis”.

Data entered in a workspace is encrypted using AES-256 when on Notion’s internal networks, at rest in Cloud storage, in database tables, and in backups. Data sent between users’ browsers and the Notion platform is encrypted using TLS 1.2.

While this is all well and good, it’s important to note that Notion isn’t using end-to-end encryption for user data (unlike some apps such as Obsidian). This means that Notion, rather than the user, holds the keys needed to encrypt and decrypt user data. Users must, therefore, trust that Notion (and its employees) will not inappropriately access data. The Notion Mastery site quotes a Notion employee who told it the “platform is not designed for holding information such as legal docs, passwords, bank statements”.