Notion maintains a comprehensive privacy compliance program and is committed to partnering with its customers and vendors on privacy compliance efforts. This page highlights some of the key aspects of our program.
At Notion, our team is dedicated to developing and implementing data privacy processes and safeguards that meet industry standards and best practices. We conduct ongoing training for our teams to ensure that they are up to speed with developments in legislation and essential privacy and security practices.
Every Notion employee and contractor signs up to non-disclosure terms to maintain the confidentiality and security of your data. Notion also holds any vendors that handle personal data to the same data management, security, and privacy practices and standards to which we hold ourselves.
What is Customer Data?
Notion defines Customer Data as any data that a customer stores in the Notion services. This can include personal information.
What is Account Information?
Account information is the information that our customers provide to us so that we can create and administer their customer accounts.
For example, account information includes names, usernames, passwords, phone numbers, email addresses, Workspace metadata, support communications, billing information, and usage information associated with your Notion account.
Who owns and controls Customer Data?
You own your Customer Data, including any content you submit or upload to the Notion Service.
You control your Customer Data. You determine what content and data will be uploaded to Notion. Once Customer Data is uploaded, you manage access to your workspace by allocating user logins to individuals.
You also control the administration of the Customer Data by managing your groups, permissions and the user credentials that are under your control.
How does Notion use my Account Information?
Who should I contact if I have any questions about Notion’s data protection practices?
If you have any questions about our privacy practices, please contact us at:
Notion Labs, Inc., 2300 Harrison Street, San Francisco, CA 94110, United States [email protected]
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that governs the collection and use of personal data of EU residents, and that allows data subjects to exercise control over their data.
As the GDPR is widely considered to be the most stringent global privacy standard, we have mapped our privacy program to the GDPR and other global privacy regulations.
Notion as Processor and Controller
The GDPR and other data protection legislation have two primary classifications related to the collection and processing of personal data: data controller and data processor.
A data controller determines the means and purposes for processing personal data, while a data processor is a party that processes data on behalf of the data controller.
Where our customer is a data controller or data processor, Notion is the data processor of personal data that our customer and their users upload to the Notion service. We process any such personal data at our customer’s direction and on our customer’s behalf. We conduct this processing in accordance with Notion’s Data Processing Addendum.
Cross Border Transfers - Standard Contractual Clauses
We understand and adhere to the rules for international transfers of personal data outside of the European Economic Area and UK.
In order for our customers to be confident of Notion’s data transfer processes, our Data Processing Addendum incorporates both the EU and UK Standard Contractual Clauses (SCCs). In response to the Schrems II ruling, our DPA lists the technical and organisational measures we employ to ensure appropriate safeguards are in place when we transfer personal data to countries outside of the EEA and UK.
For more information about our technical security measures, please see our security page.
Transfer Impact Assessment
Notion understands and appreciates the importance of maintaining transfer impact assessments (TIA) as a supplementary measure and as a critical piece of your privacy compliance program.
To assist our customers in completing these assessments, we maintain a Transfer Impact Assessment page that includes all of the information about Notion that you need to complete your TIA.
We work with certain companies and tool systems to provide our services to you. All of these companies have been carefully vetted for best-in-class security and data privacy practices. For more information, please see our list of subprocessors.
Data governance relates to the policies and procedures that dictate how data is procured and used throughout its life cycle, from creation and collection to processing, distribution, storage and deletion.
Notion’s commitment to data governance is key to keeping our users' data secure, private, accurate, and accessible.
Privacy by Design
At Notion, we believe in privacy by design, which means that privacy considerations are built into every aspect of our products and services from the outset. This includes the development of new products, features, and the selection of vendors.
Notion conducts regular training with our personnel to reinforce the concept that Notion needs to think of user privacy at all stages of the development lifecycle.
Companies generally have a duty to back up their information in multiple places. To help with this, Notion offers the option to save any Notion page, database, and non-database page to your computer in various formats. This way our customers can further protect themselves by backing up their information at any time.
Notion’s data import function lets you upload information from external sources and combine it with the data already held in your workspace.
Like most people, you probably have data, documents, and notes scattered across many files and apps. You can centralize your information in one place by moving it all into Notion.
The workspace owner controls the workspace’s Customer Data. This includes all of the content submitted by customers and their users. When users leave a workspace, they may have the right to request that their data is deleted by the workspace owner. When customers terminate their subscription they also have the right to request that their data be deleted by Notion.
When you delete an account, Notion will:
Delete the account associated with that email address
Delete any private workspace(s) in which you are the only member
Delete any shared workspace(s) in which you are the only admin
Remove you from any shared workspace(s) in which you are a member or one of multiple admins
To delete a workspace, you must be a workspace owner of that workspace. When you delete a workspace, Notion will:
Delete all content in that workspace
Return you to another workspace you belong to, or the sign up page for Notion if you don't belong to any others
Notion provides an advanced set of access functionality to help customers effectively protect their information. Notion also uses encryption to protect Customer Data from outside access. To learn more about how data access works at Notion, please see our Data Access Consent page.
All Customer Data is stored in the cloud, and we keep per-minute backups of your page content on our server. That said, your data belongs to you, so we've made it easy to create your own backups and keep your information portable. To learn more about this please see Notion’s Back up your Data page.
At Notion we strive to keep all of our agreements up to date with the latest regulations and industry standards. Our Master Subscription Agreement and Data Processing Addendum describe in detail Notion’s data privacy processes, standards, safeguards and our compliance with data protection legislation.
To ensure that our terms track with the GDPR, CCPA and other global privacy standards, we continually have our terms assessed by leading privacy experts in multiple jurisdictions.
At Notion we want to be as transparent as possible with our customers about how we collect, process, store, and use their personal data. In order to achieve this, Notion maintains comprehensive and detailed policies regarding how we handle your personal information. These policies describe in detail how our users can exercise their rights with regard to their data. To learn more about the policies, please click on the links below.