Notion
Notion Labs
Strong disclosure · High confidence
A no-train-by-default commitment with named encryption, certifications, deletion timelines and SCCs; the cleanest policy in the set.
What the policy says
Training
No-train default, with a contractual ban on AI sub-processors training on customer data; zero retention on Enterprise, 30 days otherwise.
Deletion
Full server deletion 30 days after workspace deletion, with markdown export for portability.
Transfers
Standard Contractual Clauses named for EU and UK transfers, with annual sub-processor reviews.
Security
AES-256 at rest, TLS 1.2+ in transit, SOC 2 Type 2 and ISO 27001, plus a bug-bounty program.
Details
- Category: Productivity
- Modalities: text
- Processes biometrics: No
- Policy last updated: 2025-04-10
- Region scored: Global / US-default
- Assessed: 2026-06-20
Every grade scores what an app discloses about its data governance in its public privacy policy and terms, not its verified behaviour. A strong policy can hide weak practice, and a thin policy can hide good practice.