When You Need a Privacy Policy for Notion
Three common scenarios that require privacy compliance.
Scenario 1: Selling Notion Templates
When you sell templates through platforms like Gumroad, Lemonsqueezy, or Notion Marketplace, you collect buyer emails, names, and payment data through your processor. Privacy laws require you to disclose this collection.
- Buyer email addresses and names
- Payment information (via Stripe, PayPal, etc.)
- Download tracking and license keys
Scenario 2: Building Notion Integrations
Notion requires all public integrations to include a privacy policy. When users authorize your integration, they grant access to workspace data through the Notion API.
- Workspace names and user information
- Page content, databases, and comments
- OAuth tokens and API access credentials
Scenario 3: Notion as a Public Website
Using Notion with tools like Super.so, Potion, or Notaku turns your pages into a public website. Any public website collecting visitor data needs a privacy policy.
- Visitor analytics and page view tracking
- Custom domain cookies and session data
- Embedded form submissions and contact data
Notion API Integration Requirements
What Notion expects from developers building public integrations.
When you submit a public integration to Notion, you must provide a privacy policy URL. This is not optional. Notion reviews your integration before approving it, and a missing or inadequate privacy policy will result in rejection.
- API scopes disclosure: List every permission scope your integration requests (read content, update content, insert content, read users) and explain why each is needed.
- Data storage practices: Explain where and how you store workspace data retrieved through the API, including encryption and retention periods.
- Third-party sharing: Disclose if any workspace data is shared with analytics services, AI providers, or other third parties.
- Access revocation: Explain how users can disconnect your integration and what happens to their data after revocation.
- Security measures: Describe how you protect OAuth tokens, API keys, and any cached workspace data.
Template Marketplaces: Gumroad, Lemonsqueezy, and Notion Marketplace
Selling Notion templates means you are running an online store, even if it feels informal. Each marketplace has its own data practices, but you are still responsible for your own privacy disclosures.
Gumroad
Gumroad collects buyer emails, names, and payment data on your behalf. You receive customer data and are responsible for disclosing how you use it for support, updates, and marketing.
Lemonsqueezy
Lemonsqueezy acts as Merchant of Record, handling tax and payments. You still access customer data through your dashboard and need to disclose email collection for license delivery and post-purchase communication.
Notion Marketplace
The official Notion template gallery has its own terms, but if you link to external payment pages or collect data outside the marketplace, you need your own privacy policy covering those interactions.
Notion as a Public Website: Super.so, Potion, and Notaku
Tools like Super.so, Potion, and Notaku turn Notion pages into fully functional websites with custom domains, SEO, and analytics. The moment you add a custom domain and analytics tracking, your Notion pages become a website that needs a privacy policy.
- Super.so: Adds custom domains, Google Analytics, Fathom, and custom scripts. All of these collect visitor data requiring disclosure.
- Potion: Provides custom domains, analytics, and contact forms. Form submissions collect personal data directly from visitors.
- Notaku: Offers documentation sites with search analytics, feedback forms, and custom tracking. Each feature has data collection implications.
Data Collected Through Notion
A comprehensive look at what personal data flows through Notion-based projects.
Via the Notion API
- User names, email addresses, and profile photos
- Page content including text, files, and database entries
- Workspace metadata and access permissions
- OAuth tokens and authorization data
Via Template Sales
- Buyer email addresses and names
- Payment and billing information (via processor)
- Download history and license records
- Email list subscriptions for updates
Via Public Notion Pages
- IP addresses and browser information
- Page view analytics and referral sources
- Form submissions and embedded widget data
- Cookies from analytics and custom scripts
Common Mistakes to Avoid
Five errors that Notion creators frequently make with privacy policies.
Using Notion's privacy policy as your own
Notion's policy covers their platform. It does not cover your template store, integration, or the data you collect independently. You need a separate policy for your business.
Ignoring third-party payment processors
If you use Stripe, Gumroad, or Lemonsqueezy, your policy must name these processors and explain what data they collect on your behalf.
Forgetting about email marketing tools
Many template sellers add buyers to Mailchimp, ConvertKit, or Beehiiv. Sending marketing emails without disclosing this in your policy violates GDPR consent requirements.
Not disclosing API data access scopes
Integration developers must list exactly what data their app accesses. Requesting broad permissions without justification will get your integration rejected by Notion.
Skipping the privacy policy link in integration settings
Notion provides a dedicated field for your privacy policy URL in integration settings. Leaving it blank or linking to a generic page signals poor compliance practices.
How to Create a Privacy Policy for Notion (6 Steps)
Step 1: Identify your Notion use case
Determine whether you are selling templates, building integrations, or using Notion as a public-facing website. Each scenario has different data collection points and requirements.
Step 2: Audit data collection points
List all personal data you collect through Notion pages, forms, API calls, and third-party tools like Gumroad or Super.so. Include data collected by payment processors and email services.
Step 3: Document third-party services
Record every external service that receives user data, including payment processors (Stripe, PayPal), analytics tools (Google Analytics, Fathom), and hosting platforms (Super.so, Vercel).
Step 4: Draft your privacy policy sections
Write sections covering data collected, purpose of collection, third-party sharing, user rights under GDPR and CCPA, data retention periods, and contact information.
Step 5: Add platform-specific disclosures
Include details about Notion API scopes you request, template duplication data flows, or Super.so/Potion analytics depending on your specific setup.
Step 6: Publish and link your policy
Host the policy on your website and link to it from your Notion pages, template listings, integration authorization screens, and marketplace profiles.
Frequently Asked Questions
Do I need a privacy policy for selling Notion templates?
Yes. If you sell Notion templates through Gumroad, Lemonsqueezy, or Notion Marketplace, you collect buyer email addresses and payment information through your payment processor. Privacy laws like GDPR and CCPA require you to disclose this data collection in a privacy policy.
Does the Notion API require a privacy policy?
Yes. Notion requires all public integrations to have a privacy policy. When users authorize your integration, they share workspace data with your application. You must disclose what data you access, how you store it, and who you share it with.
Do I need a privacy policy for a Notion website built with Super.so?
Yes. Super.so, Potion, and Notaku sites function as public websites. They use analytics, cookies, and custom domains. Any public website that collects visitor data needs a privacy policy to comply with GDPR, CCPA, and other privacy regulations.
What data does Notion collect from visitors on public pages?
Notion collects basic analytics data on public pages including page views and visitor counts. When you add tools like Super.so Analytics, Google Analytics, or embedded forms, additional data is collected such as IP addresses, browser information, and form submissions.
Can I host my privacy policy on a Notion page?
You can, but it is not ideal. Notion public pages lack custom domains and professional formatting. A better approach is hosting your privacy policy on your own website and linking to it from your Notion pages, template listings, and integration settings.
What should a Notion integration privacy policy include?
Your policy should include the API scopes you request, what workspace data you access, how you store and secure the data, third-party services that receive the data, data retention periods, and how users can revoke access and request deletion.
Is a free Notion template exempt from privacy policy requirements?
Not necessarily. If you collect email addresses before sharing the template, use analytics to track downloads, or embed forms in the template, you are collecting personal data and need a privacy policy regardless of whether the template is free or paid.