stackpeek

audit report

Notion

https://notion.so · productivity

warn
scanned 2026-04-16 23:31:26 utc permalink · /audit/notion

Notion's privacy policy accurately reflects the majority of observed third-party services, with explicit disclosures about analytics (Google Analytics, Hotjar, Amplitude), advertising networks (Google Ads, DoubleClick, Facebook Pixel, Twitter Ads), and chat support providers visible in the tech stack. The policy transparently acknowledges data sales/sharing under CCPA and provides user opt-out mechanisms. However, the observed presence of less-common tools (Metadata, TailorHQ, Gist, Sierra, Sprig, Statsig, Clearbit, Transcend) and specialized vendors (Memsource, Podscribe, GRSM, Tapad) significantly exceeds what the policy explicitly names, creating a disclosure gap for vendors not mentioned in the "named_third_parties" list.

claim vs. reality

“we collect information such as your name, email address, password, role within your team or enterprise, and an optional profile photo”
— Notion privacy policy

observed · html
Hotjar

findings

  1. warn

    Session replay tools detected

    Session replay tools record user interactions. Observed: Hotjar. The policy should clearly disclose this and how recordings are stored.

        Hotjar

  2. warn

    Observed vendors not named in policy

    The policy names some third parties but omits these observed vendors. Undeclared: Customer.io, Amplitude, Twitter/X, Clearbit, Hotjar, Sprig, US Browser Speed, AppNexus, Twitter/X Ads Pixel, Microsoft Bing, Google DoubleClick, Facebook Pixel, Google Ads, Google AdSense, Google Tag Manager, LinkedIn, Marketo, PartnerStack, Splunk, TikTok, Vercel, GRSM, Hotjar, LI&A, Marketo, Tapad, Userleap.

        Customer.io
        Amplitude
        Twitter/X

  3. warn

    Undisclosed third-party vendors exceed named examples

    The privacy policy names only 9 specific third parties (Google Analytics, Google APIs, Network Advertising Initiative, Digital Advertising Alliance) but the site loads 92+ distinct third-party domains. Many high-frequency vendors have no explicit mention: Metadata (8 hits), TailorHQ (8 hits), Gist (6 hits), Sierra (5 hits), Sprig (3 hits), Clearbit (3 hits), Statsig (1 hit), Forethought (2 hits), Vercel (5 hits), Memsource (4 hits), GRSM/Tapad (tracking), and Transcend (1 hit). While the policy uses umbrella language about 'third-party service providers' and 'advertising partners,' this granular level of vendor diversity is not made transparent to users who review the policy.

        Policy lists only 9 named third parties under 'named_third_parties'
        Observation shows 92+ third-party domains loaded
        Metadata.io (8 hits), TailorHQ.ai (8 hits), Gist.build (6 hits), Sierra.chat (5 hits) have no corresponding policy disclosure

  4. note

    Customer.io loaded (analytics)

    Observed 5 time(s) on the page.

        CSP: https://assets.customer.io
        CSP: https://track.customer.io

  5. note

    Amplitude loaded (analytics)

    Observed 4 time(s) on the page.

        CSP: https://cdn.amplitude.com
        CSP: https://api.amplitude.com

  6. note

    Twitter/X loaded (social)

    Observed 4 time(s) on the page.

        CSP: https://platform.twitter.com
        CSP: https://syndication.twitter.com

  7. note

    Clearbit loaded (analytics)

    Observed 3 time(s) on the page.

        CSP: https://x.clearbitjs.com
        CSP: https://app.clearbitjs.com

  8. note

    Google Analytics loaded (analytics)

    Observed 3 time(s) on the page.

        CSP: https://region1.google-analytics.com
        CSP: https://www.google-analytics.com

  9. note

    Hotjar loaded (session_replay)

    Observed 3 time(s) on the page.

        CSP: https://static.hotjar.com
        CSP: https://script.hotjar.com
        CSP: https://*.hotjar.com

  10. note

    Sprig loaded (analytics)

    Observed 3 time(s) on the page.

        CSP: https://cdn.sprig.com
        CSP: https://api.sprig.com

  11. note

    US Browser Speed loaded (analytics)

    Observed 3 time(s) on the page.

        CSP: https://a.usbrowserspeed.com
        CSP: https://*.usbrowserspeed.com

  12. note

    AppNexus loaded (advertising)

    Observed 2 time(s) on the page.

        CSP: https://acdn.adnxs.com/dmp/up/pixie.js

  13. note

    Twitter/X Ads Pixel loaded (advertising)

    Observed 2 time(s) on the page.

        CSP: https://static.ads-twitter.com

  14. note

    Microsoft Bing loaded (advertising)

    Observed 2 time(s) on the page.

        CSP: https://bat.bing.com

  15. note

    Google DoubleClick loaded (advertising)

    Observed 2 time(s) on the page.

        CSP: https://googleads.g.doubleclick.net

  16. note

    Facebook Pixel loaded (advertising)

    Observed 2 time(s) on the page.

        CSP: https://connect.facebook.net

  17. note

    Google Ads loaded (advertising)

    Observed 2 time(s) on the page.

        CSP: https://www.googleadservices.com

  18. note

    Google AdSense loaded (advertising)

    Observed 2 time(s) on the page.

        CSP: https://pagead2.googlesyndication.com

  19. note

    Google Tag Manager loaded (tag_manager)

    Observed 2 time(s) on the page.

        CSP: https://www.googletagmanager.com

  20. note

    LinkedIn loaded (social)

    Observed 2 time(s) on the page.

        CSP: https://px.ads.linkedin.com/

  21. note

    Marketo loaded (analytics)

    Observed 2 time(s) on the page.

        CSP: https://munchkin.marketo.net

  22. note

    PartnerStack loaded (advertising)

    Observed 2 time(s) on the page.

        CSP: https://js.partnerstack.com

  23. note

    Splunk loaded (analytics)

    Observed 2 time(s) on the page.

        CSP: https://http-inputs-notion.splunkcloud.com

  24. note

    TikTok loaded (social)

    Observed 2 time(s) on the page.

        CSP: https://analytics.tiktok.com/

  25. note

    Vercel loaded (analytics)

    Observed 2 time(s) on the page.

        CSP: https://vitals.vercel-insights.com

  26. note

    GRSM loaded (tracking)

    Observed 1 time(s) on the page.

        CSP: https://grsm.io

  27. note

    Hotjar loaded (analytics)

    Observed 1 time(s) on the page.

        CSP: https://*.hotjar.io

  28. note

    LI&A loaded (advertising)

    Observed 1 time(s) on the page.

        CSP: https://d-code.liadm.com/

  29. note

    Marketo loaded (analytics)

    Observed 1 time(s) on the page.

        CSP: https://*.mktoresp.com

  30. note

    Tapad loaded (tracking)

    Observed 1 time(s) on the page.

        CSP: https://pixel.tapad.com

  31. note

    Userleap loaded (analytics)

    Observed 1 time(s) on the page.

        CSP: https://cdn.userleap.com

  32. note

    Session replay and behavioral analytics less prominent than other tools but present

    Hotjar (session_replay, 3 hits) and Sprig (analytics, 3 hits) are loaded but neither is explicitly named in the policy's third-party list. The policy does not specifically mention session replay, heatmaps, or in-page behavioral recording tools, only generic 'cookies' and 'pixels.' This is a notable omission given that session replay tools can capture user inputs and mouse movements.

        hotjar.com and hotjar.io detected (3 hits total)
        sprig.com detected (3 hits)
        Policy mentions 'cookies, pixel tags, local storage' but does not name Hotjar or Sprig

  33. note

    Cross-device tracking acknowledgment lacks vendor specificity

    The policy states 'Your browsing activity may be tracked across different websites and different devices or apps' and mentions 'match your browsing activity on your mobile device with your browsing activity on your laptop,' but does not name the vendors enabling this (Tapad and GRSM detected on site, neither mentioned in policy).

        Policy claim: 'Your browsing activity may be tracked across different websites and different devices'
        tapad.com and grsm.io (tracking vendors) observed in tech stack
        Policy does not identify these vendors by name

  34. info

    Google Analytics: disclosed in policy

    The policy names this vendor explicitly, matching what was observed.

  35. info

    Notion's own multi-domain embedding increases surface area

    Notion embeds assets from notion.so, notion.co, notion.site, and notionusercontent.com (17 hits combined), suggesting heavy use of embeds and user-generated content displays. The policy mentions workspace collaboration and information being 'displayed to other users' but does not explicitly address the privacy implications of embedded Notion pages being loaded externally or how Notion tracks users across its own domain network.

        notion.so (8 hits), notion.co (4 hits), notion.site (2 hits), notionusercontent.com (2 hits)
        Policy notes: 'When you submit information in a workspace that can be accessed by others, such information may be displayed to other users'
        No explicit discussion of Notion's own cross-domain tracking or embed behaviors

third parties observed

vendor              domain                 category       hits  disclosure
Amplitude           amplitude.com          analytics         4  not named
AppNexus            adnxs.com              advertising       2  not named
Clearbit            clearbitjs.com         analytics         3  not named
Customer.io         customer.io            analytics         5  not named
Facebook Pixel      facebook.net           advertising       2  not named
GRSM                grsm.io                tracking          1  not named
Google AdSense      googlesyndication.com  advertising       2  not named
Google Ads          googleadservices.com   advertising       2  not named
Google Analytics    google-analytics.com   analytics         3  named
Google DoubleClick  doubleclick.net        advertising       2  not named
Google Tag Manager  googletagmanager.com   tag_manager       2  not named
Hotjar              hotjar.com             session_replay    3  not named
Hotjar              hotjar.io              analytics         1  not named
LI&A                liadm.com              advertising       1  not named
LinkedIn            linkedin.com           social            2  not named
Marketo             marketo.net            analytics         2  not named
Marketo             mktoresp.com           analytics         1  not named
Microsoft Bing      bing.com               advertising       2  not named
PartnerStack        partnerstack.com       advertising       2  not named
Splunk              splunkcloud.com        analytics         2  not named
Sprig               sprig.com              analytics         3  not named
Tapad               tapad.com              tracking          1  not named
TikTok              tiktok.com             social            2  not named
Twitter/X           twitter.com            social            4  not named
Twitter/X Ads Pixel ads-twitter.com        advertising       2  not named
US Browser Speed    usbrowserspeed.com     analytics         3  not named
Userleap            userleap.com           analytics         1  not named
Vercel              vercel-insights.com    analytics         2  not named
AWS                 amazonaws.com          hosting           1  not named
AWS CloudFront      cloudfront.net         cdn              12  not named
Adora               adora-cdn.com          cdn               4  not named
Box                 boxcdn.net             cdn               3  not named
Box                 box.com                hosting           1  not named
Bynder              bynder.com             hosting           1  not named
Cal                 cal.com                embed             1  not named
Chili Piper         chilipiper.com         chat_support      4  not named
Cloudflare          cloudflare.com         cdn               4  not named
Contentful          contentful.com         api               2  not named
Contentful CDN      ctfassets.net          cdn              25  not named
Cr-Relay            cr-relay.com           other             2  not named
Decagon             decagon.ai             other             1  not named
Embedly             embed.ly               embed             1  not named
Forethought         forethought.ai         chat_support      2  not named
Giphy               giphy.com              embed            13  not named
Gist                gist.build             chat_support      6  not named
GitHub              github.com             hosting           1  not named
GitHub              githubassets.com       cdn               1  not named
Google              google.com             other            11  not named
Google APIs         googleapis.com         api               6  not named
Google Static       gstatic.com            cdn               2  not named
Greenhouse          greenhouse.io          other             1  not named
LinkedIn CDN        licdn.com              cdn               2  not named
Memsource           memsource.com          other             4  not named
Metadata            metadata.io            other             8  not named
Mux                 mux.com                video             3  not named
Naver               naver.com              other             2  not named
Naver               naver.net              cdn               1  not named
Naver               pstatic.net            cdn               1  not named
Notion              notion.so              embed             8  not named
Notion              notion.co              embed             4  not named
Notion              notion.site            embed             2  not named
Notion              notionusercontent.com  cdn               2  not named
PartnerLinks        partnerlinks.io        other             2  not named
Podscribe           pdscrb.com             other             2  not named
Podscribe           podscribe.com          other             2  not named
Reddit              redditstatic.com       cdn               2  not named
Sentry              sentry.io              error_tracking    2  not named
Sentry              sentry-cdn.com         cdn               1  not named
Sierra              sierra.chat            chat_support      5  not named
Smooch              smooch.io              chat_support      2  not named
Statsig             statsig.com            feature_flags     1  not named
Statsig             statsigapi.net         feature_flags     1  not named
Stripe              stripe.com             payments          4  not named
TailorHQ            tailorhq.ai            other             8  not named
Transcend           transcend-cdn.com      cdn               3  not named
Transcend           transcend.io           other             1  not named
Twitter             twimg.com              cdn               4  not named
Typeform            typeform.com           embed             2  not named
Unsplash            unsplash.com           cdn               1  not named
Vector              vector.co              other             2  not named
Vercel              vercel-scripts.com     hosting           2  not named
Vercel              vercel.live            hosting           2  not named
Versatiles          versatiles.org         other             1  not named
Vimeo               vimeo.com              video             4  not named
Yahoo               yimg.jp                cdn               2  not named
YouTube             youtube.com            video             6  not named
YouTube             youtube-nocookie.com   video             2  not named
Zendesk             zdassets.com           chat_support      2  not named
Zendesk             zendesk.com            chat_support      2  not named
hCaptcha            hcaptcha.com           auth              8  not named
jsDelivr            jsdelivr.net           cdn               2  not named
unpkg               unpkg.com              cdn               7  not named

policy claims

source · https://www.notion.com/trust/privacy-policy#california

collects pii: yes
shares 3p:    yes
sells data:   yes
cookies:      yes
analytics:    yes
advertising:  yes

named third parties (9)

Google Analytics, Google Contacts, Google People API, Gmail API, Directory API, Workspace API, Calendar API, Network Advertising Initiative, Digital Advertising Alliance

retention

Data is stored as long as you use the Services or as necessary to fulfill the purpose for which it was collected, provide Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce agreements, and comply with applicable laws.

user rights

Users have rights to access, correct, delete, and request restriction or object to processing of their information. California residents can opt out of sale/sharing of personal information and opt out of online disclosure through "Do Not Sell or Share My Info" link. Users can also opt out of email communications, push notifications, and targeted advertising.

response headers

hsts:   yes
csp:    yes
server: cloudflare

run this yourself


Every audit on this site is reproducible. Install stackpeek and run the same check against https://notion.so from your own machine — the tool is MIT-licensed and runs locally.

pip install stackpeek
stackpeek audit https://notion.so


provenance


This audit was generated by running stackpeek against https://notion.so from a public IP, using only HTTP GET and standard browser headers. The findings compare the observed HTML against the extracted privacy policy using the public methodology. Re-scans append new findings at new permalinks and never overwrite the historical record.