Notion AI
Notion
Business Plan Price: €19.50/user (Business), custom (Enterprise)
Enterprise Features: EU residency (Frankfurt + Ireland backup), zero-retention LLMs, HIPAA, Notion Agents
Last Updated: March 23, 2026
Notion AI (EU) - GDPR & Data Privacy Overview (Mar 2026)
Audience: European clients considering Notion AI for knowledge work, collaboration, and enterprise search.
Date: March 2026
Executive Summary (TL;DR)
- Enterprise plan with EU Data Residency: Customer Data (page content, uploaded files, search indexes, third-party/bot-generated messages stored in Notion) stored at rest in Frankfurt (EU-Central-1) with Ireland (EU-West-1) backup. Zero-retention LLMs mean prompts/outputs are not stored by AI providers. Customer Data not used to train models by contract. AI processing itself may occur outside the EU even with EU residency enabled. EU residency is confirmed active in Frankfurt (Enterprise only, sales-assisted).
- Business plan: AI is now bundled exclusively in the Business plan at $18/user/month (no separate AI add-on; the $8/user AI add-on was discontinued in May 2025). Plus plan is $10/user/month. No EU data residency on Business or Plus; LLM providers (OpenAI, Anthropic) retain data for up to 30 days. Free and Plus plans receive a limited AI trial only (~20 responses). Residual GDPR risk for regulated workloads.
- Notion 3.0 Agents: Launched September 2025 - autonomous agents that can execute multi-step tasks across your workspace.
- EMEA presence: Notion has opened offices in London, Munich, and Paris, strengthening its European commercial footprint.
- Permissions & controls: AI respects Notion page/teamspace permissions; cannot surface content users can't access. Enterprise offers web search toggles, custom retention (1 day-10 years), DLP/SIEM integrations, and admin audit logs.
- Cross-border transfers: Uses SCCs for transfers outside EU; LLM processing may occur outside EU but Enterprise enforces zero-retention at provider level.
Is Business Plan GDPR-Compliant?
Short answer: Both Notion and Notion AI can be operated in a GDPR-compliant way on the Business plan, but many EU customers will only meet their policy/contract requirements on Enterprise.
What applies to all plans:
- DPA & GDPR program - Notion offers a Data Processing Addendum (DPA) with SCCs that applies whenever Notion processes personal data for you (Business and Enterprise).
- AI model training - Neither Notion nor its AI subprocessors use Customer Data to train models (contractual prohibition across all plans).
What's plan-dependent:
- AI retention
  - Enterprise: Zero data retention at LLM providers (nothing stored).
  - Business: LLM providers may retain Customer Data for up to 30 days for operations, then delete.
  - (Embeddings use a zero-retention OpenAI API; embeddings stored by Notion are removed within ~60 days after page/workspace deletion.)
- EU data residency
  - Enterprise-only: Page content, uploaded files, search indexes, and third-party/bot-generated messages stored at rest in the EU (Frankfurt EU-Central-1 primary, Ireland EU-West-1 backup). User account info, workspace name/billing, membership info, usage analytics, Notion Calendar, and Notion Mail are not covered by EU residency. Migration is sales-assisted; AI processing itself may occur outside the EU.
  - Business/Plus: No EU residency; default hosting remains US (with SCCs/TIA for transfers).
- Enterprise controls - Custom data-retention windows (1 day-10 years) and certain compliance integrations are Enterprise-only.
What that means in practice:
- If your DPIA/TIA accepts SCC-based transfers and you're okay with ≤30-day LLM retention, Business can be configured to meet GDPR obligations. Document these residual risks and limit sensitive data accordingly.
- If you require EU at-rest storage and zero-retention at the LLM layer (common in regulated/public sector), you'll need Enterprise.
Buyer's note: Business = GDPR-capable (with SCCs + ≤30-day LLM retention); Enterprise = GDPR-preferred (EU at-rest + zero-retention).
Tiers at a Glance (EU-centric)
| Tier | Training on your data? | LLM retention | EU data residency | Security & compliance | Typical EU price |
|---|---|---|---|---|---|
| Business | ✅ No (contractual prohibition with LLM providers) | ⚠️ Up to 30 days at LLM providers (OpenAI/Anthropic standard API retention) | ❌ No (global infrastructure) | SOC 2 Type II, ISO 27001 | $18/user/month (AI bundled; no separate add-on since May 2025) |
| Enterprise | ✅ No (contractual prohibition with LLM providers) | ✅ Zero retention at LLM providers (Enterprise Plan workspaces) | ✅ Yes: Frankfurt (EU-Central-1) + Ireland (EU-West-1) backup for page content, uploaded files, search indexes, third-party/bot messages* | SOC 2 Type II, ISO 27001, HIPAA mode, DLP/SIEM integrations, audit logs | Custom pricing (sales-assisted) |
\* User account info, workspace name/billing, membership info, usage analytics, Notion Calendar, and Notion Mail are not covered by EU residency. AI processing itself may occur outside the EU even with EU residency enabled.
Recommendation: For GDPR-sensitive workloads, choose Enterprise with EU Data Residency to ensure content at rest in EU and zero-retention LLM processing. Business plan carries residual risk due to 30-day LLM retention and lack of EU residency.
Details by Offering
1) Notion AI (Business Plan)
- What's included: AI chat, writing assistance, database autofill, meeting notes, Q&A over workspace content, and Notion 3.0 Agents (autonomous multi-step task execution, launched Sept 2025). AI features bundled with Business plan ($18/user/month; separate AI add-on discontinued May 2025). Plus plan is $10/user/month. Free and Plus plans receive a limited trial only (~20 AI responses).
- Training: Customer Data not used to train models by default; contractual prohibition with LLM providers (OpenAI, Anthropic).
- LLM retention: Prompts/outputs retained by LLM providers for up to 30 days for operational purposes per OpenAI and Anthropic standard API retention policies, then deleted.
- Data residency: No EU residency option; data stored on global infrastructure.
- Embeddings: OpenAI embeddings API is zero-retention at provider side; Notion's stored embeddings deleted within 60 days after page/workspace deletion.
- Permissions: AI respects page/teamspace permissions; cannot surface content a user can't access.
- When to use: General productivity, non-regulated workloads, teams comfortable with 30-day LLM retention.
- When not to use: Regulated industries requiring EU residency and zero-retention (healthcare, finance, public sector with strict data locality requirements).
2) Notion AI (Enterprise Plan)
- Training: Customer Data not used to train models; contractual prohibition enforced with LLM providers.
- LLM retention: Zero retention at LLM providers (no storage of prompts/outputs).
- EU data residency: Confirmed active (sales-assisted setup). Primary region: Frankfurt (EU-Central-1) with Ireland (EU-West-1) backup.
  - Covered: Page content, uploaded files, search indexes, third-party/bot-generated messages stored in Notion.
  - Not covered: User account info, workspace name/billing, membership info, usage analytics, Notion Calendar, Notion Mail, and beta services. AI processing itself may occur outside the EU even with EU residency enabled.
- Embeddings: OpenAI embeddings API zero-retention at provider; Notion's vector DB entries deleted within 60 days after page/workspace deletion.
- Migration: Existing workspaces can migrate to EU region; US copies deleted ~30 days after migration completes.
- Controls:
  - Web search toggle and confirmation prompts for external requests
  - Custom data retention: 1 day to 10 years
  - Auto-delete schedules for AI meeting transcripts
  - IP allowlists, legal holds, SSO/SCIM
  - DLP/SIEM integrations, Admin Audit Log
- Connectors: Optional AI Connectors (Slack, Jira, GitHub, Microsoft 365, Google Drive) let AI search across connected apps. Data in third-party apps governed by those apps' terms; only Notion-stored data covered by residency scope.
- Compliance: SOC 2 Type II, ISO 27001; HIPAA mode supported with zero-retention LLM APIs.
- Pricing: Custom (contact Notion Sales for EU pricing).
How Notion AI Processes Data (Simplified Flow)
User prompt in Notion
  ↓
Notion AI orchestrator
  ├─ (Optional) Workspace retrieval via embeddings
  │    → OpenAI zero-retention API
  │    → Vector DB stores embeddings (deleted within 60d of page/workspace deletion)
  ├─ LLM call (OpenAI / Anthropic)
  │    ├─ Enterprise: zero data retention at LLM
  │    └─ Business: ≤30-day retention at LLM
  ├─ (Optional) Web search / Connectors (Slack, Jira, etc.)
  └─ Response returned
       → Stored as page content in workspace (EU at-rest if enabled)
Permissions: AI cannot access content a user cannot access; respects Notion page/teamspace permissions.
Retention & Deletion
- LLM retention:
  - Enterprise: 0 days (zero-retention at providers)
  - Business: Up to 30 days for operational purposes per OpenAI and Anthropic standard API retention policies, then deleted
- Embeddings:
  - Provider side: zero-retention (OpenAI embeddings API)
  - Notion vector DB: entries deleted within 60 days after page or workspace deletion
- Workspace deletion: Content recoverable for 30 days, then permanently deleted (standard Notion deletion window).
- Custom retention: Enterprise admins can configure retention policies (1 day to 10 years) and auto-delete AI meeting transcripts.
LLM Providers & Subprocessors
- LLM providers: Notion uses a mix of first-party orchestration and third-party LLMs, including OpenAI and Anthropic.
- Subprocessor list: Notion maintains a public subprocessor list and notifies customers of changes; security due diligence conducted.
- Contractual protections: Notion's contracts with LLM providers include:
  - No training on Customer Data (LLM subprocessors are contractually prohibited from using customer data to train models)
  - Zero-retention for Enterprise Plan workspaces at LLM providers (no storage of prompts/outputs)
  - ≤30-day retention for Business, aligned with OpenAI and Anthropic standard API retention for operational/abuse monitoring purposes
Note: Anthropic's consumer policy changes (opt-out training, longer retention) do not apply to Notion's enterprise contracts. Always validate terms in your DPA.
IP & Content Ownership
- Inputs and outputs: Treated as Customer Data; Notion does not claim ownership.
- Rights: Customers retain full rights over AI inputs and outputs per Notion AI Supplementary Terms.
EU Rollout Checklist (Practical)
- Choose Enterprise and enable EU Data Residency
  - Sales-assisted setup for Frankfurt (EU-Central-1) primary / Ireland (EU-West-1) backup
  - Confirm scope: page content, uploaded files, search indexes, and third-party/bot messages covered; user account info, workspace name/billing, membership info, usage analytics, Calendar/Mail, and beta services are outside scope. Note that AI processing itself may occur outside the EU.
- Contractuals & DPA
  - Execute MSA + DPA with SCCs for cross-border transfers
  - Add explicit no-training clause and zero-retention rider for LLM providers
  - Subscribe to subprocessor change notifications
- Configure controls
  - Disable web search by default; require confirmation for external requests
  - Set custom data retention (e.g., 90 days) and enable auto-delete for AI meeting transcripts
  - Integrate DLP/SIEM and monitor Admin Audit Log
- Access hygiene
  - Use SSO/SCIM for centralised identity management
  - Configure private teamspaces and granular database permissions
  - Restrict external guest access; use IP allowlists
- Data mapping & Transfer Impact Assessment (TIA)
  - Document data flows: workspace → LLM → response
  - Record reliance on SCCs for transfers outside EU
  - Note exceptions: metadata, connectors, Calendar/Mail
- Sensitive data handling
  - For special categories (GDPR Art. 9) or PHI:
    - Confirm zero-retention LLM path (Enterprise only)
    - Limit exposure via private teamspaces, labels, and access controls
    - Enable HIPAA mode if processing health data
Procurement Quick Answers (EU)
Is Notion AI data used to train models?
No, by default; there is a contractual prohibition with LLM providers. On Enterprise, zero-retention is also enforced.
Can we keep EU data at rest in the EU?
Yes (Enterprise only). Page content, uploaded files, search indexes, and third-party/bot-generated messages stored in Frankfurt (EU-Central-1) with Ireland (EU-West-1) backup. User account info, workspace name/billing, membership info, usage analytics, Notion Calendar, and Notion Mail are not covered. AI processing itself may still occur outside the EU.
Do AI features respect permissions?
Yes. AI cannot access content a user cannot access; respects Notion page and teamspace permissions.
How long do LLMs keep our prompts?
- Enterprise: 0 days (zero-retention)
- Business: Up to 30 days (based on OpenAI and Anthropic standard API retention policies for operational/abuse monitoring)
What about embeddings?
Provider side (OpenAI): zero-retention. Notion's vector DB: entries deleted within 60 days after page/workspace deletion.
What compliance standards?
SOC 2 Type II, ISO 27001. HIPAA mode supported with zero-retention LLM APIs (Enterprise).
How are cross-border transfers handled?
Notion uses Standard Contractual Clauses (SCCs) for transfers outside EU. Conduct a Transfer Impact Assessment (TIA) and include SCCs in your DPA.
Notes & Caveats
- Calendar/Mail scope: Notion Calendar and Notion Mail are outside data residency scope; may be stored outside EU region.
- Beta services: New/beta features may not be covered by EU residency initially; confirm with Notion before enabling.
- LLM processing location: AI processing itself may occur outside the EU even with EU residency enabled; Enterprise enforces zero-retention at provider level (no storage).
- Connector data: Data in third-party apps (Slack, Jira, etc.) remains governed by those apps' terms; only data stored in Notion is covered by Notion's residency scope.
- Metadata & excluded data: User account info, workspace name/billing, membership info, and usage analytics reside outside the EU region regardless of residency setting.
Sources (Quick Links)
- https://www.notion.com/help/notion-ai-security-and-privacy - Notion AI Security & Privacy
- https://www.notion.com/help/security-practices - Notion Security Practices
- https://www.notion.com/help/privacy-practices - Notion Privacy Practices
- https://www.notion.com/help/gdpr - GDPR at Notion
- https://privacycenter.notion.so - Notion Privacy Center & Privacy Policy
- https://www.notion.com/help/data-residency - Notion Data Residency (EU Frankfurt option)
Disclaimer
This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Notion AI in production environments - especially when personal data, proprietary knowledge bases, or confidential information are processed. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.
Prepared and issued by WAIMAKERS B.V. - March 2026.
Always verify latest regional availability, pricing, and terms with Notion Sales before contracting.
Prepared by: WAIMAKERS - Privacy & Safety Enablement