Plain-English risk rating: 3 of 5 (Free/Plus/Business) / 1 of 5 (Enterprise with zero-retention APIs)
Notion AI's risk profile is dominated by one fact most users do not understand: when you use Notion AI, your content is sent to third-party LLM providers (Anthropic and OpenAI primarily) for processing. Notion itself does not train on customer data by default — but "Notion doesn't train" and "your data doesn't leave Notion" are different statements. For Free, Plus, and Business plans, AI providers can retain your data for up to 30 days for abuse monitoring. For Enterprise plans, Notion uses zero-retention APIs and data is deleted as soon as the request is processed.
This is the same architectural pattern as Slack AI, Zoom AI Companion, and most other Embedded Productivity AI products: the embedding company provides the workflow, third-party LLMs provide the inference, and the privacy posture depends on the contractual arrangement between the embedding company and the LLM provider plus the customer's plan tier.
Recommended for
- Sole proprietor: Plus or Business with the understanding that AI requests are processed by Anthropic and OpenAI under 30-day retention. Acceptable for general knowledge work; not appropriate for confidential client information without Enterprise tier or a separate workflow.
- Small team (2-10 people): Business tier is acceptable for general team work. Enterprise tier with BAA available for HIPAA-covered workflows.
- Regulated industry: Enterprise tier only, with zero-retention APIs, BAA where applicable, and explicit policy guidance to team members about which content classes belong in Notion vs. dedicated regulated-data systems.
- The honest answer for most 1-10 employee businesses using Notion as their company wiki: The Business tier at $15/user/month is the practical floor. The Enterprise tier upgrade (custom pricing) is the right move if any of your Notion content includes information that would be materially damaging if it sat on Anthropic's or OpenAI's systems for 30 days.
Data retention default
- Free, Plus, Business: AI providers (Anthropic, OpenAI) can retain request data for up to 30 days for abuse monitoring
- Enterprise: Zero-retention APIs — request data deleted as soon as processed
- Notion-side retention: Standard Notion data lifecycle applies regardless of plan; deletion timing per Notion's published retention policy
- AI LEAP Program (opt-in): Customers who join receive front-of-line access to AI improvements in exchange for sharing workspace data for model improvement — default OFF, opt-in only
Training opt-out
TRAINING IS OFF BY DEFAULT across all plan tiers. Notion does not use customer workspace data for training its models, and the contractual agreements with Anthropic and OpenAI prohibit those providers from using Notion customer data for their own model training.
AI LEAP Program is the opt-in alternative — customers who actively choose to participate share workspace data for model improvement in exchange for early-access perks. Off by default; opt-in only.
The training-off-by-default posture is structurally similar to Jasper and meaningfully better than the Slack general-purpose ML default. The 30-day retention on the non-Enterprise tiers is the remaining concern.
Zero Data Retention availability
- Enterprise tier only: Zero-retention API arrangements with both Anthropic and OpenAI, plus the SOC 2 Type 2 certified Turbopuffer vector database for AI Connector embeddings
- HIPAA compliance enabled through zero-retention APIs for Enterprise customers with a Business Associate Agreement
Plan tiers and pricing (as of early 2026)
| Tier | Price (USD) | AI provider retention | Training? | Suitable for |
|---|---|---|---|---|
| Free | $0 | Up to 30 days | No | Personal use; limited AI features |
| Plus | $10/user/month | Up to 30 days | No | Individual professionals |
| Business | $15/user/month | Up to 30 days | No | Small teams; baseline business tier |
| Enterprise | Custom | Zero retention | No | Larger orgs or regulated workflows |
Notion AI features are now bundled into the plan tiers as of the May 2025 "Notion AI for Work" launch — no separate per-user AI add-on at the higher tiers.
Jurisdiction
- Primary processor: Notion Labs, Inc., San Francisco, California, USA
- Cloud infrastructure: AWS primarily
- AI inference: OpenAI for embeddings (zero retention), Anthropic for LLM queries (zero retention for Enterprise; 30-day standard for other tiers)
- Vector database: Turbopuffer (SOC 2 Type 2 certified)
- SOC 2 Type 2, ISO 27001:2022 certified; HIPAA compliant for Enterprise with BAA; GDPR and CCPA compliant
Breach history (public incidents)
No major direct breach of Notion infrastructure publicly disclosed as of May 2026.
Note on third-party processor risk inheritance: Notion AI inherits the breach exposure of its model providers. Both OpenAI (Mixpanel third-party breach November 2025) and Anthropic (Claude Code source code exposure March 2026, AI-orchestrated cyberattack disclosure November 2025) have had publicly disclosed incidents in the past 12 months. These do not appear to have directly affected Notion AI customer data, but they are the threat baseline for any Embedded Productivity AI that uses these providers' models.
Note on the broader prompt-injection class: Notion AI's agentic features (AI Connectors, real-time document analysis, AI search across the workspace) put it in the same category as EchoLeak-affected Microsoft 365 Copilot. We are not aware of a publicly-disclosed Notion-specific zero-click prompt injection equivalent to EchoLeak as of May 2026, but the category-level risk applies. Treat any unexpected behaviour from Notion's AI Connectors (suggesting odd actions, asking unusual questions about content) as potential prompt injection from content inside the workspace.
What this means in plain English for SMB owners
Three honest takeaways:
- Notion AI's training-off-by-default is structurally good news. This is one of the better consumer-tier defaults in this database. The remaining concern is the 30-day retention window on non-Enterprise tiers for AI provider data.
- If you use Notion as your company wiki and it contains client work, internal strategy, or anything you would not want sitting on OpenAI or Anthropic's systems for 30 days, upgrade to Enterprise for the zero-retention APIs. This is the inflection point for any team that handles confidential information in Notion.
- The AI Connectors feature is where the agentic risk surface lives. When Notion AI can read across your entire workspace to answer a question, the same class of prompt injection that affected Microsoft 365 Copilot applies in principle. Notion has not had a publicly-disclosed major incident, but the category risk is real and worth factoring into deployment decisions for sensitive content.
Sources
- Notion AI safety commitment page: https://www.notion.com/help/ai-safety (verified 2026-05-24)
- Notion Enterprise Search security and privacy practices: https://www.notion.com/help/enterprise-search-security-and-privacy-practices (verified 2026-05-24)
- eesel AI: A practical guide to Notion AI security & privacy practices (November 2025)
- Cambridge Analytica project: Notion AI's Enterprise Betrayal critique (February 2026)
- Matthias Frank: Notion AI feature overview (September 2025)
Related on AI Leakage
- Compare all 29 AI tools in the risk directory — see how Notion AI stacks up against the rest, tier by tier.
- Take the 5-minute “Am I Leaking?” check — a personalised view of your business’s AI exposure.
- Check a prompt before you paste it — our free Data-Safe Prompt Rewriter.
- Shadow AI vs AI leakage — why even approved tools like Notion AI can leak data.
- Get plain-English AI Leakage Alerts — we email you when an AI tool you use changes its data policy or has an incident.
- Get the free AI Acceptable Use Policy template — a plain-English policy with the tool-by-tool risk guide built in.