Notion is a connected workspace that combines docs, wiki, projects, databases and lightweight CRM features. Notion can be embedded in a public website (notion.site or notion.so iframe) or queried through the Notion API. Notion Labs Inc. is established in the United States and the platform sets multiple analytics, security and session cookies in the visitor's browser when public Notion pages are loaded.
Notion is a connected workspace where teams write documents, build wikis, track projects, design databases and run light CRM and HR workflows. While most Notion usage happens behind authentication at notion.so, public Notion pages can also be shared via notion.site and embedded inside a public website through an iframe or fetched server side via the Notion API. Some teams use Notion as a lightweight headless CMS for help centres, changelogs, recruiting pages and roadmaps.
Loading a Notion page in the browser sets multiple cookies: session cookies (token_v2, notion_user_id), CSRF and security cookies (notion_check_cookie_consent), product analytics cookies based on Segment and Amplitude (ajs_anonymous_id, ajs_user_id, _amp_id), feature flag cookies and locale preferences (NEXT_LOCALE). Notion also collects request metadata (IP address, User Agent, geolocation), workspace activity, search queries and any content typed by editors.
Notion is a third party SaaS that sets analytics and product cookies that go beyond strict necessity, so it triggers the ePrivacy consent rule when public Notion pages are embedded in a website with EU visitors. Consent under Article 6(1)(a) GDPR is required before the embed loads, in particular for analytics and product cookies. For employees and contractors using Notion in the workspace, the lawful basis is the performance of a contract under Article 6(1)(b) GDPR and legitimate interest for security logs.
Notion runs primarily on AWS in the United States. Enterprise customers can opt in to the EU data residency option, which stores workspace content in AWS Frankfurt while keeping account, billing and support in the United States. Transfers rely on the Notion Data Processing Addendum, the EU Standard Contractual Clauses under Article 46(2)(c) GDPR and the EU US Data Privacy Framework, with TLS 1.3 in transit, encryption at rest, SOC 2 Type II and ISO 27001 controls.
Sign the Notion Data Processing Addendum, enable EU data residency on the Enterprise plan when EU customers require it, configure SAML SSO, granular permissions and audit logs for the workspace, and define retention rules for archived content. If you embed Notion in a public website, gate the iframe behind a consent management platform so that the analytics cookies only load after the visitor accepts. Document Notion as a processor in your record of processing activities and mention it in the privacy notice.
Websites using Notion must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Notion stores employee, customer or supplier personal data at scale, when it is used in regulated sectors (financial services, health, public sector), when AI Connectors send personal data to third parties or when significant volumes of EU minors interact with Notion through embedded forms.
Sample consent text
We embed content powered by Notion (Notion Labs Inc., USA). Loading the Notion content sets analytics, security and session cookies (NEXT_LOCALE, notion_check_cookie_consent, ajs_anonymous_id) and transfers your IP address and request metadata to Notion servers, including in the United States. By accepting, you allow this processing under EU Standard Contractual Clauses and the EU US Data Privacy Framework.
Third-party domains contacted
notion.so, notion.site, notion.com, notion-static.com, amplitude.com, segment.io
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| token_v2 | Strictly necessary | 1 year | Stores the Notion authentication token for users logged in to a workspace. |
| notion_user_id | Strictly necessary | 1 year | Stores the Notion user identifier of the currently signed in account, used to scope content access. |
| notion_check_cookie_consent | Strictly necessary (security) | 1 year | Used by Notion to detect whether the browser accepts third party cookies, in order to fall back gracefully on the embed flow. |
| ajs_anonymous_id | Analytics | 1 year | Segment based product analytics cookie that assigns a pseudonymous identifier to the visitor. Used to track Notion product usage across sessions. |
| ajs_user_id | Analytics | 1 year | Segment based product analytics cookie that stores the authenticated user identifier for cross device analytics inside Notion. |
| NEXT_LOCALE | Functional | 1 year | Stores the preferred language and region settings for the Notion interface. |
Loading a notion.site or notion.so iframe sets session cookies (token_v2, notion_user_id), security cookies (notion_check_cookie_consent), Segment analytics cookies (ajs_anonymous_id, ajs_user_id), Amplitude product cookies (_amp_id) and locale cookies (NEXT_LOCALE). The exact list evolves as Notion updates its analytics stack.
Yes. The Notion embed sets analytics and product cookies that go beyond what is strictly necessary, which triggers the ePrivacy consent rule. Consent under Article 6(1)(a) GDPR must be obtained before the embed is loaded, typically through a consent management platform that lazy loads the iframe once the visitor has accepted.
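The consent gating described above (and in the recommendation to gate the iframe behind a consent management platform) can be implemented as follows. This is an added example, not code from Notion or from any CMP vendor; the `consent` adapter, the function names and the sample URL are assumptions made for illustration.

```javascript
// Added example, not Notion's or any CMP vendor's code. `consent` is a hypothetical
// adapter around your CMP: { granted(): boolean, onChange(callback): void }.
const NOTION_EMBED_HOSTS = ["notion.site", "notion.so"]; // embed hosts named on this page

// Accept only https URLs on a Notion embed host or one of its subdomains.
function isNotionEmbedUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== "https:") return false;
  return NOTION_EMBED_HOSTS.some(
    (host) => url.hostname === host || url.hostname.endsWith("." + host)
  );
}

// Show a placeholder until consent is granted. The iframe element, and with it the
// first request to Notion, is only created after acceptance and is removed again
// when consent is withdrawn.
function mountGatedEmbed(doc, container, embedUrl, consent) {
  if (!isNotionEmbedUrl(embedUrl)) throw new Error("not a Notion embed URL");
  const state = { loaded: null }; // null = nothing rendered yet

  const render = () => {
    const granted = Boolean(consent.granted());
    if (granted === state.loaded) return; // avoid reloading on repeated events
    const el = doc.createElement(granted ? "iframe" : "p");
    if (granted) {
      el.setAttribute("referrerpolicy", "no-referrer"); // do not leak the host page URL
      el.setAttribute("loading", "lazy");
      el.setAttribute("src", embedUrl); // network contact starts here
    } else {
      el.textContent = "Notion content is blocked until you accept cookies.";
    }
    container.replaceChildren(el);
    state.loaded = granted;
  };

  render();
  consent.onChange(render);
  return state;
}

// Browser usage (element id, URL and `myCmpAdapter` are placeholders):
// mountGatedEmbed(document, document.getElementById("notion-embed"),
//   "https://example.notion.site/changelog", myCmpAdapter);
```

Removing the iframe on withdrawal stops further requests, but the host page cannot delete cookies already stored for Notion's domains.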
For employees and contractors using the Notion workspace, the legal basis is the performance of a contract under Article 6(1)(b) GDPR for routine collaboration features, complemented by legitimate interest under Article 6(1)(f) GDPR for security logs and abuse prevention.
Notion signs the EU Standard Contractual Clauses under Article 46(2)(c) GDPR via its Data Processing Addendum and confirms participation in the EU US Data Privacy Framework. Enterprise customers can additionally enable EU data residency in AWS Frankfurt. Supplementary measures include TLS 1.3, encryption at rest, SOC 2 Type II and ISO 27001 controls.
A DPIA is recommended when Notion holds significant volumes of HR, customer or supplier personal data, when it powers HR or recruitment workflows for EU staff, when it integrates with Notion AI Connectors that send personal data to third parties or when it is used in regulated sectors such as health, financial services or public administration.
Sign the Notion Data Processing Addendum, enable EU data residency on the Enterprise plan if needed, configure SAML SSO and SCIM, define granular permissions and external sharing rules, restrict the use of Notion AI on confidential pages, gate any public embed behind a consent management platform and document Notion as a processor in your record of processing activities.
Alternatives with EU hosting include Coda (US but offers EU options), Confluence Cloud (Atlassian, EU data residency on enterprise plans), Outline (open source, self hostable in EU), Affine (open source, self hostable), Logseq (local first, open source), Anytype (local first, EU project) and Nuclino (Germany).
List Notion Labs Inc. as the processor for the Notion embed, describe the categories of cookies set by Notion (session, security, analytics, product), state that data including IP addresses may be transferred to the United States under SCCs and the EU US Data Privacy Framework, link to the Notion Privacy Notice and explain how to withdraw consent through your CMP.