What Notion Collects
Table of Contents
- What Notion Collects
- What Microsoft Office365 Collects
- Comparison - What Each Platform Stores
- Privacy Risks in Practice
- What Privacy Alternatives Exist?
- Privacy Comparison - All Options
- Practical Recommendations
- Red Flags - When NOT to Use Cloud Docs
- Checking Your Current Exposure
- Data Deletion - What Actually Happens
Notion’s privacy is worse than Google Docs in some ways.
Content Collection
- Everything: All page content, block structure, metadata
- Workspace structure: How pages are organized, relationships between docs
- Images: Even if encrypted in transit, Notion stores unencrypted
- User sessions: Tracks who accesses what, when, for how long
- Real-time collaboration: Every keystroke during simultaneous editing
Behavioral Tracking
Notion tracks:
- Page view counts
- Feature usage (which integrations you use)
- Time spent on pages
- Click patterns within workspace
Data Retention
Notion privacy policy:
“We may retain information about you that we collect even if you delete your account”
Translation - Even deleted docs may be retained for “legal/business purposes.”
Integration Hell
Notion integrates with hundreds of apps. Each integration leaks:
- Your workspace ID
- Page titles and structure
- User email addresses
- Integration tokens (if stored in Notion’s database)
Using Zapier to auto-populate Notion from form submissions:
- Form data goes to Zapier
- Zapier sends to Notion
- Both Zapier and Notion store data
- Data persists even if you revoke integration
What Microsoft Office365 Collects
Office365 is more transparent than Google/Notion but still aggressive.
Built-in Collection
- Document content: Everything
- Edit timestamps: Every change logged
- Version history: Unlimited restore points
- Commenting/tracking: All collaboration tracked
- AI-powered features: Documents analyzed for “smart” suggestions
- Requires Microsoft to process content through ML models
Microsoft’s AI Training
Office365 documents may be used for:
- Language model training
- Predictive feature development
- “Improving recommendations”
Microsoft’s privacy policy allows this unless you opt out explicitly (buried in settings).
Enterprise Tracking
Office365 for Business includes:
- Microsoft 365 Compliance Center (analyzes all docs)
- Content explorer (Administrators can search all documents)
- Data loss prevention (automatic scanning for sensitive content)
Your administrator can:
- See all documents created
- Read deleted documents
- Monitor activity logs
- Block certain content
Comparison - What Each Platform Stores
| Data Type | Notion | Office365 | |
|---|---|---|---|
| Document content | Encrypted in transit, not at rest | Encrypted in transit, not at rest | Encrypted both |
| Metadata (timestamps, editors) | Full logging | Full logging | Full logging |
| Typing patterns | Collected | Collected | Collected |
| IP/device info | Logged | Logged | Logged |
| Revision history | Unlimited | Unlimited | Limited (can be deleted) |
| Third-party access | Yes (APIs, add-ons) | Yes (integrations) | Yes (integrations) |
| Government access | Complies with requests | Complies with requests | Complies with requests |
| Deleted data retention | Unknown | Explicit (yes) | Unknown |
| Content used for AI training | Unclear (likely yes) | No (explicitly) | Yes |
Privacy Risks in Practice
Scenario 1 - Sensitive Business Information
You’re a startup founder writing pitch deck.
Google Docs:
Doc created - 2026-01-15
Edited by - ceo@startup.com
Content - "Raising $2M Series A at $20M valuation"
Timing - Edited Friday afternoons (pattern = likely working from home)
Shared with - investor@vcfirm.com
Google logs show:
- You work on fundraising (inferred from content)
- Frequent communication with investor (access patterns)
- Specific valuation (competitive intelligence)
- Access from home office (can narrow location to city level)
Privacy leak - Competitors, hostile investors, tax authorities could all benefit from this data.
Scenario 2 - Healthcare Information
You’re a patient advocate documenting health issues for a doctor appointment.
Notion:
Document - "Symptoms and concerns"
Content - Detailed health information
Shared with - only doctor's email
Notion's database permanently stores:
- The document content
- The sharing relationship (patient + doctor linked)
- Access history
- Even if deleted, Notion retains
If Notion is breached or subpoenaed:
- Health information exposed
- Patient-doctor relationship revealed
- Insurance companies can infer costs
Risk - Data breach leaks private health info. Subpoena discloses patient records.
Scenario 3 - Legal/Privileged Communications
You’re documenting a contract dispute with a vendor.
Office365:
Document - "Contract dispute - timeline and emails"
Content - Internal discussion of legal strategy
Office365 logs:
- Administrator can read document
- Backup servers contain copies
- IT department has access
- Compliance scanning analyzes content
If litigation holds the document:
- Full edit history discoverable
- Every comment/suggestion visible to opposing counsel
- Metadata shows when you thought about problems
Risk - Attorney-client privilege may be waived. Opposing counsel sees your legal thinking.
What Privacy Alternatives Exist?
CryptPad (Best Overall)
CryptPad is open-source, end-to-end encrypted Google Docs alternative.
How it works:
1. You create document
2. Document encrypted in your browser (before sending to server)
3. Only the encryption key (URL) lets you decrypt
4. Server stores encrypted blob (CryptPad can't read it)
5. Share key via encrypted link
Security properties:
- Server can’t read content
- No metadata about document content
- Only knows: “Blob ABC was accessed 10 times”
- Not: “Blob ABC is about healthcare”
- Document not indexed/searchable by CryptPad
Limitations:
- Slower than Google Docs (encryption overhead)
- Fewer features (no advanced formatting)
- Real-time collaboration works but may lag
- Free tier limits storage
- Smaller environment (fewer integrations)
Pricing:
- Free: 50MB storage
- Pro: €4.17/month, unlimited storage
Standard Notes (Best for Sensitive Notes)
Not a collaborative editor, but for personal/sensitive docs:
- End-to-end encrypted (only you can decrypt)
- No metadata exposure
- Works offline
- Open-source
- Available: web, desktop, mobile
Use case - Personal notes, medical records, financial planning (not collaborative).
Pricing:
- Free: Basic notes
- Plus: €2.99/month, advanced features
Etherpad (Self-Hosted)
Open-source collaborative editor you can host.
How it works:
1. Run Etherpad on your server
2. Employees access Etherpad on company domain
3. No data leaves company network
4. No third-party access
5. You control all data
- Complete privacy (self-hosted)
- No logs shared with third parties
-
Transparent (open-source code)
- Requires technical setup (server management)
- No automatic backups
- No mobile app
- Fewer features than Google Docs
Cost - Free software, only cost is server ($5-50/month).
Matrix Synapse + Element (Encrypted Collaboration)
Matrix is a decentralized protocol (like email but encrypted).
Elements (client) + Synapse (server):
1. Company hosts Matrix Synapse server
2. Employees use Element client
3. Messages encrypted end-to-end
4. Can use for docs via integration
5. Complete control, decentralized
- Fully encrypted
- Decentralized (can federate)
- Open-source
-
Works for chat + documents
- Steep learning curve
- Requires server setup
- Not as polished as Google Docs
- Smaller community
Privacy Comparison - All Options
| Tool | Encryption | Server Sees Content | Self-Hosted | Cost | Features |
|---|---|---|---|---|---|
| Google Docs | Transit only | Yes | No | Free/$14 | Excellent |
| Notion | Transit only | Yes | No | Free/$10 | Very good |
| Office365 | Both | No, indexed | No | $6-30 | Excellent |
| CryptPad | End-to-end | No | Optional | Free/$5 | Good |
| Standard Notes | End-to-end | No | Optional | Free/$3 | Limited |
| Etherpad | None | Yes | Yes | Free | Moderate |
| Matrix Synapse | End-to-end | No | Yes | Free | Good |
Practical Recommendations
For Most Teams - Acceptable Compromise
Use Google Docs/Notion/Office365 with guardrails:
1. Never store truly sensitive data (health, legal, financial)
2. If you must use cloud docs for sensitive work:
- Use code names (not real names, company details)
- Use encrypted external drive for final versions
- Delete docs after project completion
3. Don't share sensitive docs with third-party add-ons
4. Review sharing settings (who can see what)
5. Periodically clear revision history (Office365 only)
Using Google Docs for PR strategy
Bad - "Our strategy is to beat Competitor X by targeting their customers"
Good - "We will focus on features that differentiate vs. Product Y"
Rationale - If leaked, the second statement is less damaging
For Sensitive Work - Use CryptPad
- Medical information
- Legal documents
- Financial planning
- Confidential contracts
CryptPad provides encryption-by-default without requiring technical setup.
Setup:
- Go to cryptpad.fr (no signup needed)
- Click “Create a rich text pad”
- Share link with collaborators (link includes decryption key)
- Encrypt/decrypt in browser
- No account needed (can remain anonymous)
For Truly Sensitive Work - Self-Host
- Government agencies
- Law firms
- Healthcare providers
- Financial institutions
Deploy Etherpad or Matrix on your own servers:
Etherpad setup (simplified)
docker run -d -p 9001:9001 etherpad/etherpad
Access at http://localhost:9001
Documents stored on your servers only
Cost - $50-200/month for hosting + setup time.
For Personal/Private Notes - Use Standard Notes
- Medical journal
- Financial records
- Personal thoughts
- Sensitive contact info
All encrypted, no signup (optional), no ads.
Red Flags - When NOT to Use Cloud Docs
Don’t use Google Docs, Notion, or Office365 for:
- Health information: HIPAA violation if patient-identifiable
- Financial records: Tax info, passwords, investment strategy
- Legal documents: Attorney-client privilege waived
- Trade secrets: Competitive intelligence stolen
- Personal identification: SSN, passport, driver’s license
- Confidential contracts: Before signatures
- Government security: Classified information
If you work with any of these, use:
- CryptPad (encrypted, no signup)
- Standard Notes (encrypted, personal)
- Self-hosted Etherpad (complete control)
Checking Your Current Exposure
Audit Your Google Drive
1. Go to myactivity.google.com
2. Filter by "Google Docs"
3. See every document accessed, when, from where
4. Review "Downloads & add-ons" for third-party access
Example output:
"Opened document 'Budget 2026' from 203.0.113.42 (San Francisco, CA)
on 2026-03-21 at 2:30 PM from Chrome on macOS"
This is what Google logs about your usage.
Check Notion Integrations
1. Open Notion workspace
2. Go to "Settings" → "Integrations"
3. See all apps with access to your workspace
4. Review permissions (what data can they access)
Zapier integration
- Can read all pages
- Can create new pages
- Can see revision history
This means Zapier sees everything.
Check Office365 Sharing
1. Open Office.com
2. Click "File" → "Share"
3. See who has access to documents
4. Review their permissions
Danger - If admin has "manage permissions", they can:
- See the document
- Revoke your access
- Delete it
Data Deletion - What Actually Happens
Google Docs
You delete a document:
- Document removed from your Drive
- Google may retain for 30 days in Trash
- After 30 days, permanently deleted
- EXCEPT: Revision history may be retained longer
- Google reserves right to keep anonymized data
Reality - Google likely keeps encrypted backup for months.
Notion
You delete a document:
- Moved to Notion Trash
- Trash cleared after 30 days
- EXCEPT: Notion explicitly states “may retain” deleted data
Reality - Notion keeps deleted data indefinitely (per their policy).
Office365
You delete a document:
- Moved to Recycle Bin
- Retention depends on admin policy (often 93 days)
- Enterprise can configure longer retention
- Compliance holds prevent deletion
Reality - Enterprise administrators can prevent any deletion.
Key point - Deletion doesn’t mean destruction. Assume data persists even after you delete.
Google Docs for - Team collaborations, public projects
CryptPad for - Sensitive content, before finalization
Local encrypted files for - Final sensitive versions
Don’t assume cloud docs are private. Assume they’re logged, analyzed, and retained.
Frequently Asked Questions
Who is this article written for?
This article is written for developers, technical professionals, and power users who want practical guidance. Whether you are evaluating options or implementing a solution, the information here focuses on real-world applicability rather than theoretical overviews.
How current is the information in this article?
We update articles regularly to reflect the latest changes. However, tools and platforms evolve quickly. Always verify specific feature availability and pricing directly on the official website before making purchasing decisions.
Does Go offer a free tier?
Most major tools offer some form of free tier or trial period. Check Go’s current pricing page for the latest free tier details, as these change frequently. Free tiers typically have usage limits that work for evaluation but may not be sufficient for daily professional use.
Can I trust these tools with sensitive data?
Review each tool’s privacy policy, data handling practices, and security certifications before using it with sensitive data. Look for SOC 2 compliance, encryption in transit and at rest, and clear data retention policies. Enterprise tiers often include stronger privacy guarantees.
What is the learning curve like?
Most tools discussed here can be used productively within a few hours. Mastering advanced features takes 1-2 weeks of regular use. Focus on the 20% of features that cover 80% of your needs first, then explore advanced capabilities as specific needs arise.
Related Articles
- Secure Document Collaboration Alternatives to Google
- How to Delete Your Google Activity History Completely
- Android Google Account Privacy Settings: Complete Guide to
- Google Nest Hub Data Collection
- Use Android Without Google Play Services
- Gemini in Google Docs Not Showing Up? Fixes for 2026 Built by theluckystrike. More at zovo.one