Skip to main content
WAIMAKERS
About UsCareersContact
|
Schedule Free Call
Back to overview

Google NotebookLM

Google

CompliantEU: LimitedNo TrainingCustomMulti-region

Status badges are conditional: validate the exact plan, DPA, subprocessors, retention, residency, and feature settings before using the tool with personal or confidential data.

Pricing / Contract Route

Consumer and Workspace/Enterprise pricing varies

Enterprise Features

Workspace/Enterprise routes, CDPA where eligible, admin controls

Last Updated

March 23, 2026

Key Documentation & References

Purpose & Context

This overview evaluates Google NotebookLM for GDPR compliance and data privacy in EU business contexts. NotebookLM is an AI-powered research and note-taking assistant that helps users summarize and extract insights from documents and sources.

Target audience: EU-based procurement, legal, compliance, and IT teams evaluating NotebookLM for processing personal or business-sensitive data.

🏒 Company & Service Overview

Company: Google LLC (Alphabet Inc.)[1]

Headquarters: Mountain View, California, USA with global infrastructure including EU data centers

Key differentiator: NotebookLM under qualifying Google Workspace / Enterprise routes inherits stronger Google commercial privacy controls, including a no-training commitment for uploaded Workspace user data. Treat consumer and Workspace/Enterprise use separately and verify the applicable Google terms for your account.

Service description:

  • AI-powered research and note-taking assistant
  • Upload documents (PDFs, Google Docs, web URLs, audio files)
  • Generate summaries, insights, and Q&A based on sources
  • "Audio Overviews" feature: Podcast-style summaries
  • Powered by Google's Gemini AI models

πŸ“Š Service Tiers Comparison

Feature Free NotebookLM Plus (Workspace) NotebookLM Pro NotebookLM Ultra NotebookLM Enterprise
Availability βœ… Anyone with Google account βœ… Google Workspace (core service since Feb 2025) βœ… Individual subscription βœ… Individual subscription βœ… Google Cloud customers
Pricing Free Included in Workspace (see Workspace pricing) $19.99/month $249.99/month Custom pricing (contact sales)[4]
No Training on Data βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes
CDPA Coverage βœ… Yes (since Dec 2024)[2] βœ… Yes βœ… Yes βœ… Yes βœ… Yes
EU Data Residency 🟑 Via Google infrastructure ⚠️ Note: Workspace data-region settings NOT enforced for NotebookLM 🟑 Global 🟑 Global βœ… Full control
Admin Controls ❌ βœ… Via Workspace admin + Context-Aware Access (CAA) policies ❌ ❌ βœ… Advanced
Compliance Certifications 🟑 Google-level βœ… Full (Workspace DPA) 🟑 Google-level 🟑 Google-level βœ… Full + dedicated support
Source Limits Higher limits (Dec 2024 update)[5] Higher limits Higher limits Highest limits Highest limits
Audio Overviews βœ… Yes βœ… Yes βœ… Yes βœ… Yes βœ… Yes

βœ… GDPR Compliance Assessment

Strengths

🟒 Explicit No-Training Commitment

  • Workspace/Enterprise NotebookLM data is not used to train generative AI models under Google's commercial privacy documentation
  • "Your queries and the model's responses are not logged"[6]
  • Clear privacy-by-design approach
  • Under qualifying Workspace/Enterprise terms, uploads, queries, and responses are not used for model training

🟒 Cloud Data Processing Addendum (CDPA)

  • Extended to NotebookLM on December 13, 2024[2]
  • Covers both free and paid accounts[2]
  • Standard Google Cloud terms for data processing
  • Google commercial data-processing framework where applicable
  • Transparent data retention and deletion policies

🟒 Google Cloud Compliance Ecosystem

  • SOC 2 Type II certified[7]
  • ISO 27001 certified[7]
  • GDPR-supportive controls when used under the relevant Google commercial terms
  • Part of Google Cloud's mature compliance program
  • Regular third-party audits

🟒 EU Data Infrastructure

  • Google Cloud operates multiple EU data centers
  • Data residency options available for Enterprise customers
  • Configurable regional storage
  • Part of Google's global, compliant infrastructure

🟒 Data Encryption

  • Encryption in transit (TLS)[8]
  • Encryption at rest on Google servers[8]
  • Industry-standard cryptographic protocols

🟒 User Data Control

  • Uploaded materials stored until user deletes them[9]
  • Manual deletion available anytime
  • Queries not saved/logged[9]
  • Clear data lifecycle management

Transparency & Communication

🟒 Privacy Update (May 2024)

  • Clarified consumer feedback review practices[10]
  • Addressed community concerns about human review
  • Workspace accounts have different (more protective) privacy rules[10]
  • Demonstrates responsiveness to privacy concerns

Minimal Concerns

⚠️ Workspace Data-Region Settings NOT Enforced for NotebookLM

  • Even if Workspace data-region policies are configured, these settings do not apply to NotebookLM processing.
  • Regulated organisations should not rely on data-region controls for NotebookLM compliance.
  • Consider using NotebookLM Enterprise with dedicated data location controls if EU-only processing is required.

🟑 Free Tier Data Residency

  • Free users cannot explicitly control data residency
  • Data stored on Google’s multi-region infrastructure
  • Not a compliance issue but less granular control than Enterprise

🟑 Shared Google Infrastructure

  • Uses broader Google Cloud infrastructure
  • Inherits any Google-wide considerations
  • Subject to Google's privacy policy and terms

πŸ” Data Protection Framework

Legal Basis

  • Google Privacy Policy: Applies to all Google services[11]
  • NotebookLM-specific privacy rules: Additional protections[1]
  • Cloud Data Processing Addendum (CDPA): Since December 2024[2]
  • Google Cloud Terms: For Enterprise customers
  • Privacy update: May 2024[10]

Data Processing

  • Controller: Google LLC (for consumer accounts) / Customer organisation (for Enterprise)
  • Processor role: Google acts as processor for Enterprise customers
  • Sub-processors: Google Cloud infrastructure providers
  • Transfer mechanism: Standard Contractual Clauses (SCCs) for EU-US transfers
  • GDPR basis: CDPA ensures GDPR Article 28 compliance

User Rights (GDPR Articles 15-22)

  • Access: Full access to uploaded sources and notebooks
  • Rectification: Edit or update sources anytime
  • Erasure: Delete notebooks, sources, and audio overviews anytime[9]
  • Data portability: Download sources (native formats)
  • Objection: Contact Google privacy team
  • Automated decision-making: Not applicable (user-driven tool)

🌍 Infrastructure & Data Residency

Google Cloud Infrastructure

  • Global network: 30+ regions worldwide
  • EU regions: Multiple data centers in EU (Germany, Belgium, Finland, Netherlands, etc.)
  • Data residency: Configurable for Enterprise and Workspace customers
  • Redundancy: Multi-zone and multi-region options

NotebookLM-Specific Storage

  • Uploaded sources: Stored until user deletion[9]
  • Saved notes: Stored until user deletion
  • Audio overviews: Stored until user deletion
  • Queries: Not logged/saved[6]
  • Model responses: Not logged/saved[6]

Enterprise Data Control

  • Full admin visibility and control
  • Data location policies configurable
  • Integration with Google Cloud organisation policies
  • Audit logging available

πŸ“ Training Data Policy

Crystal Clear: No Training

βœ… Official commitment:[6]

  • Workspace/Enterprise NotebookLM uploads, queries, and responses are not used for model training under Google's commercial privacy documentation
  • "Your queries and the model's responses are not logged"
  • No user data used for AI model improvement
  • Applies to all tiers (Free, Plus, Enterprise)

βœ… What this means:

  • Uploaded documents: not used for model training under qualifying Workspace/Enterprise terms
  • User queries: NOT logged or used for training
  • AI-generated summaries: NOT logged or used for training
  • Audio overviews: same Workspace/Enterprise no-training posture where applicable
  • All interactions remain private

βœ… Distinction from other Google AI products:

  • NotebookLM has stricter privacy than consumer-facing AI tools
  • Designed for sensitive research and business use
  • Privacy-by-design architecture

πŸ”’ Security & Compliance

Security Features

  • Encryption in transit: TLS 1.3[8]
  • Encryption at rest: AES-256[8]
  • Access controls: Google account authentication
  • SSO/SAML: Available for Workspace/Enterprise (via Google identity)
  • Audit logging: Enterprise tier[7]
  • DLP (Data Loss Prevention): Via Google Workspace/Cloud policies
  • Admin controls: Enterprise tier for organisation management

Compliance Certifications (NotebookLM Enterprise)

βœ… Confirmed certifications:[7]

  • SOC 2 Type II (Security)
  • ISO 27001 (Information Security Management)
  • GDPR (EU data protection)
  • Additional Google Cloud certifications inherit to Enterprise tier

🟑 Free/Plus tier:

  • Benefits from Google Cloud security posture
  • Not independently certified but follows same standards
  • CDPA provides GDPR framework[2]

Security Incidents

βœ… No known security incidents specific to NotebookLM as of March 2026

  • Benefits from Google's global security operations
  • Part of mature, battle-tested infrastructure
  • Google Security Team oversight

βš–οΈ Legal & Regulatory Context

GDPR Alignment

βœ… Cloud Data Processing Addendum (December 2024)[2]

  • Major step toward GDPR compliance
  • Extended to all users (free and paid)
  • Provides clear data processing framework
  • Aligns with GDPR Article 28 requirements
  • Ensures transparency and user empowerment

Google Cloud Heritage

  • NotebookLM Enterprise part of Google Cloud ecosystem
  • Inherits decades of compliance experience
  • Regular regulatory audits and certifications
  • Proactive engagement with EU regulators

Privacy-First Design

  • No training commitment differentiates from consumer AI tools
  • Built for sensitive business and research use
  • Responsive to privacy feedback (May 2024 update)[10]

πŸ’° Pricing for Business Use

Plan Price Access CDPA Best For
Free €0 Google account βœ… Yes (since Dec 2024) Personal research, students, basic use
NotebookLM Plus Included in Google Workspace (core service since Feb 2025) Google Workspace βœ… Yes (Workspace DPA) Business teams using Workspace
NotebookLM Pro $19.99/month Individual Google account βœ… Yes Power users needing more capacity
NotebookLM Ultra $249.99/month Individual Google account βœ… Yes Heavy users; 50% first-year discount via Google One AI Pro
NotebookLM Enterprise Custom pricing (contact sales)[4] Google Cloud organisation βœ… Yes Large enterprises, regulated industries

Pricing notes:

  • NotebookLM Plus is now a Workspace core service (Feb 2025) - covered by standard Workspace DPA.
  • ⚠️ Important: Workspace data-region settings are NOT enforced for NotebookLM even when enabled. Do not rely on data-region controls for NotebookLM in regulated contexts.
  • Context-Aware Access (CAA) policies can be applied via Workspace admin to restrict NotebookLM access by device/location.
  • Google One AI Pro 50% first-year discount applies to NotebookLM Ultra.
  • Enterprise pricing varies by organisation size and requirements

❓ EU Procurement Q&A

Q1: Can we use NotebookLM for processing personal data under GDPR?

A: Yes, across all tiers.

  • Free tier: ⚠️ Review current consumer terms before processing personal data
  • Plus / Workspace tier: βœ… Stronger Google Workspace privacy controls where used under a qualifying Workspace account
  • Enterprise tier: βœ… Dedicated enterprise controls, but still verify data location, DPA scope, and Workspace/Gemini Enterprise configuration

Recommendation: For sensitive personal data, use Plus or Enterprise tiers for added admin controls and organisational visibility.

Q2: Where is our data stored and processed?

A:

  • Storage: Google Cloud infrastructure, multi-region by default
  • EU options: Available for Workspace/Enterprise customers via data residency policies
  • Processing: On Google infrastructure, can be configured for EU-only processing (Enterprise)
  • Uploaded sources: Stored until you delete them[9]
  • Queries/responses: Not stored/logged[6]

Q3: Is there a Data Processing Agreement?

A: Yes - Cloud Data Processing Addendum (CDPA).[2]

  • Extended to NotebookLM December 13, 2024
  • Covers all users (free, Plus, Enterprise)
  • Standard Google Cloud data processing terms
  • GDPR Article 28 compliant
  • Includes Standard Contractual Clauses (SCCs)

Q4: Will our documents be used to train AI models?

A: Absolutely not.[6]

  • Explicit no-training commitment for Workspace/Enterprise NotebookLM data
  • Consumer/free use should not be treated as equivalent to a DPA-backed Workspace or Enterprise deployment
  • No queries logged
  • No responses logged
  • Complete privacy for uploaded sources

Q5: How does NotebookLM compare to ChatGPT for GDPR?

A:

  • NotebookLM advantages:
    • βœ… No training on Workspace/Enterprise NotebookLM data
    • βœ… Covered by Workspace agreement/CDPA for qualifying Workspace routes
    • βœ… Part of Google Cloud compliance ecosystem
    • βœ… Queries not logged
    • βœ… Built for business/research from day one
  • ChatGPT advantages:
    • βœ… More mature enterprise features (longer track record)
    • βœ… ChatGPT Enterprise has comparable compliance
  • Verdict: NotebookLM is strongest for GDPR-sensitive use under qualifying Workspace or Enterprise terms; avoid treating the free consumer route as equivalent to a commercial DPA-backed deployment.

Q6: What about human review of data?

A: Clarified in May 2024 privacy update:[10]

  • Consumer accounts (free): Limited human review for feedback/abuse only
  • Workspace accounts: Stronger privacy protections, no routine human review
  • Enterprise accounts: Full organisational control
  • Transparent about review practices after community feedback

βœ… EU Business Rollout Checklist

Before Deployment

  • Choose appropriate tier (Plus for teams, Enterprise for large orgs)
  • Review Cloud Data Processing Addendum (CDPA)[2]
  • Configure data residency (if Workspace/Enterprise)
  • Set up Google Workspace/Cloud organisation (if needed)
  • Conduct DPIA if processing special category data
  • Review Google Cloud compliance documentation[7]
  • Configure admin controls (Enterprise tier)
  • Enable audit logging (Enterprise tier)
  • Train users on data handling and deletion practices

During Deployment

  • Set data upload guidelines (what can/cannot be uploaded)
  • Configure SSO (if Workspace/Enterprise)
  • Test data deletion (verify sources/notebooks removed)
  • Document data flows for GDPR Article 30 records
  • Establish retention policy (when to delete notebooks/sources)
  • Create user guidance on privacy features

Post-Deployment

  • Regular compliance review (quarterly)
  • Monitor Google compliance updates (certifications, features)
  • User training refresh (annually)
  • Audit notebook usage (what data is being uploaded)
  • Review and delete old notebooks (data minimisation)
  • Stay informed on NotebookLM updates and privacy changes

πŸ”„ Recommended Alternatives

If NotebookLM doesn't meet specific requirements:

For Similar AI Note-Taking Tools

  1. Microsoft Copilot in OneNote - Microsoft 365 ecosystem, EU data residency
  2. Notion AI - DPA-backed business/enterprise options, with EU hosting on eligible enterprise configurations
  3. Obsidian with local AI plugins - Full local control, zero cloud dependency

For Document Q&A with Strict EU Requirements

  1. Aleph Alpha (Germany) - German AI company, explicit EU sovereignty
  2. Mistral AI (France) - French AI, EU-based infrastructure
  3. Self-hosted RAG solutions - OpenSource on EU cloud (e.g., Langchain + EU servers)

For Enterprise Document Intelligence

  1. Google Vertex AI Search - Full Google Cloud enterprise control
  2. Azure OpenAI Service - Microsoft enterprise offering, EU regions
  3. AWS Bedrock - Amazon enterprise AI, EU regions available

Note: NotebookLM's combination of Workspace/Enterprise privacy controls and no-training commitments makes it highly competitive for EU use when deployed under the right Google commercial terms.

πŸ“š Key Documentation & References

Official NotebookLM Resources

  • https://support.google.com/notebooklm/answer/15724963?hl=en - Learn How NotebookLM Protects Your Data (Google Official)
  • https://notebooklm.in/google-privacy-data-security-policies-for-notebooklm/ - Google Privacy and Data Security Policies for NotebookLM
  • https://notebooklm.in/deleting-data-from-google-notebooklm/ - Cloud Data Processing Addendum Extended to NotebookLM (December 2024)
  • https://cloud.google.com/terms/data-processing-addendum - Google Cloud Data Processing Addendum

Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Google NotebookLM in production environments - especially when personal data or sensitive research materials are processed. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS B.V. - March 2026.

  • https://gospech.com/2024/12/26/securing-data-with-notebooklm-a-detailed-exploration-of-privacy-measures/ - Securing Data with NotebookLM Privacy Measures

πŸ“‹ Verdict Summary

Overall GDPR Rating: βœ… Compliant

Best for:

  • βœ… Research teams needing document analysis with strong privacy
  • βœ… EU businesses requiring a DPA-backed note-taking/AI assistant under Google commercial terms
  • βœ… Organisations already using Google Workspace
  • βœ… Teams wanting explicit "no training" guarantees
  • βœ… Projects requiring document summarisation with documented EU compliance controls
  • βœ… Budget-conscious teams (free tier has CDPA coverage!)

Potentially not ideal for:

  • ⚠️ Organisations requiring EU-only infrastructure on the free tier (use Enterprise and verify the selected region and limitations)
  • ⚠️ Teams needing on-premises deployment (cloud-only service)
  • ⚠️ Use cases requiring integration with non-Google ecosystems

Key Decision Factors

Factor Status Impact
DPA/CDPA Availability βœ… Yes (all tiers) High
No Training Commitment βœ… Explicit High
EU Data Residency βœ… Available (Workspace/Enterprise) High
Compliance Certifications βœ… SOC 2, ISO 27001 High
Queries Not Logged βœ… Yes High
Data Deletion Control βœ… User-controlled Medium
Free Tier GDPR Coverage βœ… CDPA included Medium
Security Incident History βœ… None known Low

Final Recommendation

For EU business use:

  1. NotebookLM Plus (Workspace): βœ… Recommended for Google Workspace teams (core service since Feb 2025)
  2. NotebookLM Enterprise: βœ… Highly recommended for large organisations and regulated industries
  3. NotebookLM Pro ($19.99/mo): βœ… Good for individual power users needing more capacity
  4. NotebookLM Ultra ($249.99/mo): βœ… For heavy users; 50% first-year Google One AI Pro discount available
  5. NotebookLM Free: βœ… Acceptable even for personal business data (CDPA coverage since Dec 2024)
  6. ⚠️ Reminder: Workspace data-region settings are not enforced for NotebookLM - verify processing location via Enterprise controls.

What Sets NotebookLM Apart

🌟 Unique strengths:

  1. Workspace/Enterprise protection - Commercial routes are covered by Google Workspace or Google Cloud terms
  2. Explicit no-training commitment - Strong for qualifying Workspace/Enterprise NotebookLM data
  3. Queries not logged - True privacy by design
  4. Part of Google Cloud - Mature compliance ecosystem
  5. Recent privacy responsiveness - May 2024 update shows user feedback matters

Bottom line: NotebookLM is a strong option for EU business use when deployed through qualifying Workspace or Enterprise routes. Do not treat the free consumer route as equivalent to a commercial DPA-backed deployment for sensitive business data.

Last updated: March 2026

Next review: May 2026 (quarterly)

Document owner: Wouter van Haaften | WAIMAKERS B.V.

Need help navigating AI?

Schedule Free Call
WAIMAKERS

Learn. Lead. Make.

AI Transformation Boutique Β· Amsterdam

Make work exciting, make businesses unstoppable.

Who We Help

View all roles & industriesCEOs & Board MembersPE & Investment ManagersCFOs & Finance LeadersInnovation DirectorsCTOs & IT LeadersCommercial Directors

What We Do

View all servicesOur ApproachLearnTailored Training ProgrammesAI Champions ProgrammeAgentic Way of WorkingE-learningLeadMake

Company

About UsResourcesContactCareersPodcast β†—

Β© 2026 WAIMAKERS. All rights reserved.

Privacy PolicyCookie Policy