NotionFlow LogoNotionFlow

Privacy Policy

Last updated: January 9, 2026

This Privacy Policy explains how NotionFlow (“we”, “us”, “our”) collects, uses, discloses, and protects information when you use the NotionFlow web application and related services (the “Service”).

Looking for the Terms? See Terms of Use.

1. Who we are

NotionFlow is an AI-assisted productivity tool that helps you transform your documents and selected Notion pages into structured outputs, including summaries and Notion dashboards. The Service is operated by Arthur Renard (the “Operator”).

For purposes of applicable data protection laws (including the GDPR, where applicable), the Operator is the data controller of your personal data processed in connection with the Service.

NotionFlow is an independent tool and is not affiliated with, endorsed by, or sponsored by Notion Labs, Inc.

The Operator can be reached via https://www.arthurenard.me/contact.

2. Information we collect

We collect information in three main ways: (a) information you provide, (b) information from integrations, and (c) technical data from your use of the Service.

2.1 Account and authentication information

  • Account identifiers: We use Firebase Authentication to authenticate users. We receive a unique user identifier and, depending on the sign-in method, your email address.
  • Google sign-in profile data (if you choose Google sign-in): your email address, display name, and profile photo as provided by Google.
  • Passwords: If you use email/password sign-in, your password is handled by Firebase. We do not receive or store your plaintext password.

Google sign-in and Firebase Authentication are provided by Google LLC. For more information about how Google processes personal data, review Google’s Privacy Policy and Firebase’s privacy information.

2.2 Notion integration information (if you connect Notion)

If you connect your Notion account/workspace, we store information needed to operate the integration:

  • Notion OAuth tokens: access tokens (and, if provided by Notion, refresh tokens). We store these tokens encrypted at rest and decrypt them only when we need to call the Notion API on your behalf.
  • Workspace details: workspace ID/name, bot ID, and integration owner metadata returned by Notion during OAuth.
  • Selected Notion pages: page IDs you choose as inputs and/or the target page where outputs are created.

2.3 Content you upload or provide

Depending on how you use the Service, we process and store:

  • Uploaded files: files you upload (e.g., PDFs, images, text/markdown/LaTeX/JSON/CSV). Files are uploaded to and stored with our file storage provider (Cloudinary) and referenced by URL in our database.
  • Derived content: text extracted from PDFs and images extracted from PDFs (which may be uploaded to Cloudinary) to enable AI processing.
  • Project metadata: project names, timestamps, and your optional custom instructions/prompts.
  • Generated outputs: AI-generated summaries and other outputs that are saved to your project or written into Notion (depending on the workflow you choose).

2.4 Technical and usage information

  • Service logs and diagnostics: We may process log data (such as timestamps, request/response metadata, and error details) to operate, secure, and debug the Service.
  • Local storage: The Service stores certain preferences locally in your browser (for example, theme selection) and Firebase may use browser storage mechanisms (such as local storage or indexed storage) to maintain your session.

3. How we use information

We use the information described above to:

  • Provide and operate the Service, including creating projects, uploading files, running processing jobs, and displaying results.
  • Provide the Notion integration, including connecting your Notion workspace, reading the Notion pages you select, and creating/modifying pages and databases in Notion at your direction.
  • Run AI-assisted features, including analyzing your content and generating summaries and structured outputs.
  • Maintain security, prevent abuse, enforce our Terms, and protect users and the Service.
  • Improve and maintain the Service, including troubleshooting and performance monitoring.
  • Comply with legal obligations and respond to lawful requests.

3.1 Legal bases (EEA/UK users)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process personal data under one or more of these legal bases:

  • Contract: to provide the Service you request (for example, authentication, running a job, and writing outputs to Notion).
  • Legitimate interests: to secure, maintain, and improve the Service (balanced against your rights).
  • Consent: where required (for example, when you choose to connect third-party integrations, and for non-essential analytics cookies/technologies).
  • Legal obligation: to comply with applicable law.

4. How we share information

We do not sell your personal information. We share information only as necessary to provide the Service and for the purposes described in this policy:

  • Notion: When you connect Notion and run workflows, we send requests to the Notion API using your authorization to read selected content and to create/modify pages and databases in your workspace. You can review Notion’s privacy policy at https://www.notion.so/privacy.
  • Cloudinary: We use Cloudinary to upload, store, and serve files and derived images (for example, PDFs and images extracted from PDFs). You can review Cloudinary’s privacy policy at https://cloudinary.com/privacy.
  • AI provider (xAI): We send content you submit (including extracted text and, when applicable, image URLs) to our AI provider to generate outputs. See “AI processing” below.
  • Firebase (Google): We use Firebase for authentication and database storage (Firestore).
  • Google Analytics (if enabled): If enabled, we use Google Analytics to measure and understand use of the Service. See “Cookies and analytics”.
  • Hosting and infrastructure providers: We may use hosting and infrastructure providers to run the Service.
  • Legal and safety: We may disclose information if we believe in good faith that disclosure is necessary to comply with law, protect rights and safety, or prevent fraud or abuse.

We do not use your personal information or content for advertising, including personalized or interest-based advertising.

5. Cookies and analytics

We and our service providers may use cookies and similar technologies (such as local storage, pixels, SDKs, and device identifiers) to provide and secure the Service, remember your preferences, and (when enabled) help us understand how the Service is used.

5.1 Types of cookies and similar technologies

  • Strictly necessary: used to provide core functionality and security (for example, authentication/session handling via Firebase and protecting the Service from abuse).
  • Preferences: used to remember your choices (for example, theme selection via browser storage).
  • Analytics (if enabled): used to understand usage and improve the Service. We may use Google Analytics (including Google Analytics for Firebase) for this purpose.

5.2 Google Analytics (if enabled)

If we enable Google Analytics, it may collect information about your device and your use of the Service (for example, pages viewed, approximate location, referrer information, and interaction data) and may use cookies or similar technologies to do so. Google may process this information on our behalf as a service provider. Learn more at Google’s Privacy Policy.

Consent where required: Where required by applicable law (for example, in the EEA/UK), we will request your consent before using non-essential analytics cookies/technologies. You can also control cookies through your browser settings and, where available, Google’s opt-out mechanisms (such as the Google Analytics opt-out browser add-on).

6. AI processing

The Service includes AI features that analyze user-provided content. When you use these features, we transmit relevant content to our AI provider (xAI) for processing and output generation.

  • What may be sent: text you upload, text extracted from PDFs, and (when applicable) image URLs for images you upload or that are extracted from PDFs.
  • Why: to generate summaries and structured outputs, and to operate the Notion agent workflow that builds Notion pages/databases.

Because AI processing involves third-party services, their handling of data is also governed by their own policies and terms. We recommend reviewing your providers’ policies if you have questions about their practices.

We do not use your content to train our own AI models. xAI’s handling of API inputs/outputs is governed by their terms and policies and may include limited retention for safety and debugging. See xAI’s API security FAQ at https://docs.x.ai/docs/resources/faq-api/security.

xAI’s privacy policy is available at https://x.ai/legal/privacy-policy.

7. Data retention

We retain information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements.

  • Notion tokens: stored until you disconnect Notion (disconnecting removes the Notion token data from your user profile in our database).
  • Projects and generated outputs: retained while your account remains active or until you request deletion.
  • Uploaded files: stored with our file storage provider until they are deleted or you request deletion.

If you would like your account or content deleted, contact us (see “Contact”). We may need to verify your identity before fulfilling deletion requests.

8. Security and breach notification

We use commercially reasonable technical and organizational measures designed to protect information. For example, Notion OAuth tokens are stored encrypted at rest. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

8.1 Incident response and breach notification

We maintain procedures designed to detect, investigate, and respond to suspected security incidents. If we become aware of a personal data breach, we will take reasonable steps to contain and remediate the incident and will notify affected individuals and/or relevant regulators when and as required by applicable law.

For example, where the GDPR applies, we may be required to notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach, and to notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

9. Your choices and rights

9.1 Account controls

  • Disconnect Notion: You can disconnect Notion from within the Service (which removes Notion token data from your user profile in our database).
  • Access and delete: You can request access to or deletion of your personal data by contacting us.

9.2 EEA/UK rights (GDPR)

If you are located in the EEA/UK, you may have the right to request access, correction, deletion, portability, restriction, or objection to our processing of your personal data, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local data protection authority.

9.3 California rights

If you are a California resident, you may have rights under applicable California privacy laws, including the right to know, access, delete, or correct certain personal information, and the right to opt out of certain disclosures. We do not sell personal information.

10. International transfers

We and our service providers may process and store information in countries other than your own. Where required, we rely on appropriate safeguards for cross-border transfers (such as contractual protections).

11. Children

The Service is not directed to children under 13 (or under 16 where a higher age threshold applies). If you believe a child has provided us personal information, please contact us so we can take appropriate action.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will update the “Last updated” date above and, where appropriate, provide additional notice.

13. Governing law and jurisdiction

This Privacy Policy and any dispute arising out of or relating to it is governed by the laws of Switzerland, without regard to conflict of law rules. Where permitted by applicable law, the courts of Lausanne, Switzerland shall have jurisdiction over such disputes. If you are a consumer, this section does not limit any mandatory rights you may have under the laws of your country of residence.

14. Contact

For questions or requests regarding this Privacy Policy or your personal information, contact the Operator at https://www.arthurenard.me/contact.