GDPR Compliance and Data Protection Information
Notion's GDPR page outlines their compliance as both a data controller and processor for EU users. It includes details on Data Processing Addendum (DPA), subprocessors, data subject rights, security measures, international transfers, and contact information for EU representatives. The policy emphasizes transparency, user rights fulfillment, and adherence to GDPR principles like data minimization and accountability.
Notion lists numerous subprocessors for services like cloud hosting, analytics, and support, which may involve data transfers.
As a US company, Notion relies on Standard Contractual Clauses for EU-US data transfers.
Data Processing Addendum is publicly available and signed with EU representatives.
Full list of subprocessors published with update notifications.
Clear processes for access, deletion, portability, and objection requests.
Appointed EU representative for GDPR inquiries.
Spotify collects the following categories of personal data. High Risk categories are used for advertising profiling or involve sensitive personal information.
Email, name, profile info collected for account management.
User-generated content in workspaces, including any personal data.
Logs for performance, security, and analytics.
Your data serves the following purposes. Mandatory purposes cannot be disabled without canceling the service. Opt-out available purposes allow some user control.
Personal data used to provide and improve Notion services like workspace management.
Aggregated data for product analytics and enhancements.
Data used for fraud detection, security, and legal compliance.
Spotify shares data with several categories of third parties. Sharing with advertising partners is extensive and represents the primary commercial use of your behavioral data.
Sharing with cloud providers (AWS), analytics (Amplitude), support tools under DPA.
List includes Google, Stripe, Intercom; updates notified.
No sale of personal data to advertisers.
The following rights may be available to you depending on your region. EU/EEA users have the broadest protections under GDPR. Non-EU users have more limited guarantees.
Users can request confirmation of processing and access to their data via support.
Deletion requests honored, including workspace content.
Export tools available for user data portability.
Options to object to processing for marketing or legitimate interests.
Data is retained for different periods depending on category, and security disclosures vary in depth. The policy highlights the following retention and transparency points.
Retention Periods
Data deleted within 30 days of account deletion or request.
Retained for 7 years for compliance and audits.
Retained indefinitely in anonymized form.
Security & Transparency
Data encrypted at rest (AES-256) and in transit (TLS 1.2+).
Notifies users within 72 hours of breaches as per GDPR.
SOC 2 Type II, ISO 27001 compliant.
Source Text: Publicly available DPA incorporating SCCs.
Interpretation: Ensures processor obligations met for customers.
Source Text: Dedicated process with response in 30 days.
Interpretation: Strong user rights protection.
Source Text: Over 20 listed subprocessors.
Interpretation: Transparent but broad ecosystem.
Source Text: Uses SCCs and adequacy decisions.
Interpretation: GDPR-compliant transfers.
Submit requests via [email protected]; responses within 30 days.