Effective as of April 2024
Overall Score
Risk by Category
Notion's Privacy Policy outlines how Notion, a productivity platform, collects, uses, shares, and protects user data. It covers personal information from account creation, workspace usage, content created in Notion pages, device info, and analytics. Data is used for service provision, improvement, security, and legal compliance. Sharing occurs with affiliates, service providers, and in business transfers. Users have rights under GDPR and CCPA, including access, deletion, and portability. Retention is tied to account activity, with some anonymized data retained indefinitely.
Collects extensive usage data, content metadata, and device information for analytics.
Anonymized data retained indefinitely for research.
Shares data with numerous service providers globally.
Supports data subject rights including deletion and portability.
Advanced privacy features for paid workspaces like data residency.
Uses encryption and regular audits.
Spotify collects the following categories of personal data. High Risk categories are used for advertising profiling or involve sensitive personal information.
Email, name, payment info.
Pages, blocks, collaboration history.
IP, browser, approximate location.
Your data serves the following purposes. Mandatory purposes cannot be disabled without canceling the service. Opt-out available purposes allow some user control.
Data used to operate and maintain Notion workspaces.
Aggregated data for analytics and AI features.
Limited use for personalized communications with opt-out.
Spotify shares data with several categories of third parties. Sharing with advertising partners is extensive and represents the primary commercial use of your behavioral data.
Cloud hosts like AWS, analytics like Amplitude.
Notion entities for operations.
Sold in M&A.
The following rights may be available to you depending on your region. EU/EEA users have the broadest protections under GDPR. Non-EU users have more limited guarantees.
Users can download data exports.
Account and page deletion with 30-day recovery.
Controls for cookies, emails, and sharing.
Data is retained for different periods depending on category, and security disclosures vary in depth. The policy highlights the following retention and transparency points.
Retention Periods
Data retained while account is active.
30 days for recovery, then deleted except backups.
Indefinite retention.
Security & Transparency
Data encrypted in transit and at rest.
Notifies users of breaches per law.
SOC 2 compliant.
Source Text
We collect account info, content, device data, and logs.
Interpretation
Comprehensive collection justified by SaaS nature but monitor for overreach.
Source Text
Access, correct, delete, export data.
Interpretation
Strong user empowerment aligned with global standards.
Source Text
Shares with vendors, affiliates, legal requests.
Interpretation
Standard but global transfers pose jurisdictional risks.
Source Text
As needed for purposes, indefinite anonymized.
Interpretation
Reasonable but lacks specific timelines for some data.
Source Text
Reasonable safeguards, no guarantees.
Interpretation
Transparent about industry-standard protections.
Account details, content you create, usage analytics, device info.