Notion AI Custom Agents Privacy Review for Freelancers
If you run a solo consultancy out of Notion, the 3.4 release changes the privacy stakes in a way that is easy to miss. Custom Agents now run on your behalf around the clock, GPT-5.4 and Claude Opus 4.7 are stitched into the workspace, and the Notion AI feature touches almost every page you own. That is a different posture than “press a button, get a paragraph.” It means a portion of your client work flows through third-party large language models on a regular schedule, often without you re-confirming. For freelancers handling NDAs, draft contracts, or client briefs, the question is not whether Notion AI is impressive — it clearly is — but whether the data path is acceptable for paid work. Short verdict at the bottom of this review: use with caution.
What Notion AI does with your data
Notion AI sits inside your workspace and routes prompts to third-party large language models. Per Notion’s AI security and privacy practices page (retrieved 2026-05-12), the company uses LLMs hosted by Anthropic and OpenAI. When you ask the AI to write, edit, or summarize, your prompt and the relevant page context leave Notion’s infrastructure and travel to those vendors over TLS 1.2 or higher.
Retention is where the plan tier matters most. According to Notion’s own documentation (retrieved 2026-05-12), Enterprise workspaces benefit from zero-retention APIs at the LLM provider level — the request is processed and dropped. Free, Plus, and Business workspaces do not get that protection. On those plans, the LLM provider may hold the content for up to 30 days for abuse monitoring before deletion. That is a meaningful gap. Two freelancers can be using the exact same Notion AI feature and end up with very different data exposure profiles, depending solely on which subscription tier they happen to be on.
Notion also generates embeddings for every page in your workspace by calling an OpenAI zero-retention embeddings API. That is how the AI knows the rest of your workspace exists when you ask a question. The embedding is not the raw page, but it is a dense vector derived from your content, and it is not a one-way hash: published research has shown that much of the source text can be reconstructed from its embedding, so treat those vectors as derived confidential data rather than as anonymized. The zero-retention pathway for this step applies across plans, which is a meaningful improvement over the plan-gated retention on the prompt path.
On training, Notion states it has contractual agreements with its AI subprocessors that prohibit them from training their underlying models on customer data. There is, however, a separate opt-in program (the AI LEAP program) where users may consent to contribute data for product improvement. By default, that program is off, and the user must affirmatively turn it on. This is the right default direction, and it should be verified inside the workspace settings rather than assumed.
The page also confirms HIPAA-enabled processing is available, but only via the zero-retention API path, which in practice means Enterprise. The same applies to many of the certifications and assurances buyers ask about: SOC 2, ISO 27001, and similar attestations cover Notion's own controls as your processor, but the outbound LLM call is still subject to the subprocessor agreement and the plan-tier retention window, and a certificate on Notion's side does not shorten that window.
What this means for solo freelancers
The gap between Enterprise privacy guarantees and the lower tiers is the part that matters for paid client work. A freelancer on the Plus plan and a contractor at a Fortune 500 on the Enterprise plan are not getting the same data path. Both see the same AI features. Only one of them gets zero-retention by default. That is not a hidden detail, but it is rarely surfaced in the AI feature copy or in the upgrade prompts.
Three concrete scenarios where this matters, drawn from how solo workers actually use Notion:
First, the client NDA scenario. If your engagement contract says “vendor must not retain Confidential Information,” and your draft of that contract lives on your Plus-tier Notion workspace, summarizing it with Notion AI sends the text to a third-party LLM with up to a 30-day retention window. Based on the policy as written, this carries an arguable breach-of-contract risk, even though training is prohibited. Retention is not training, but a procurement officer reading your NDA will not necessarily distinguish between the two, and you would be on the back foot trying to explain the difference after the fact.
Second, the EU client scenario. Under European data protection rules your client is normally the controller of the personal data in a brief, you are their processor, and Notion, Anthropic and OpenAI sit further down the chain as sub-processors. Notion publishes a subprocessor list and a Data Processing Addendum, which covers its obligations to you, but telling your client that Anthropic and OpenAI are in that chain, and ideally getting their sign-off, is your obligation before you paste their data into a prompt. Based on the policy as written, this does not block use, but it shifts a disclosure obligation onto you. Many freelancers never read the DPA and assume the vendor handles it. That assumption does not survive a real audit.
Third, the Custom Agents scenario, new in 3.4. Custom Agents can run on a schedule and call AI on data you may have forgotten about — old meeting notes, archived projects, sensitive scratch pads. The privacy boundary of an agent is the boundary of whatever pages it can see in your workspace. If you mix personal scratch and client work in one workspace, an agent run will mix them in the prompt. The same applies to the new dashboard and presentation modes: those features pull from your databases, and if a database row contains a client’s contact details, those details ride along into any AI summary that touches the dashboard.
There is also a temporal angle worth flagging. Notion’s documentation makes clear that deleted pages remain restorable for 30 days. That is convenient for accidental deletes; it also means a page you “deleted” because it contained sensitive draft content is still recoverable for nearly a month, including by Notion staff under their stated operational policies.
How to use it safely
The settings exist to harden Notion AI substantially, but you have to flip them. Concrete steps for solo workers on non-Enterprise plans:
In Settings and members, navigate to AI settings, and confirm the AI LEAP program is off. By default it should be off, but verify rather than assume — the feature can move between menus across versions.
Separate workspaces by client. Do not run one workspace with twelve clients in it. Create a workspace per long-term client, or at minimum a workspace for client work that excludes your personal pages and scratch drafts. Agents and AI prompts then have a tighter blast radius. This is the single highest-impact change a Plus-tier user can make, and it costs nothing.
Redact identifying client information before pasting. Replace company names and personal names with placeholders (Client A, Contact 1) when you summarize a sensitive document. The 30-day retention window then holds an anonymized version, not a labeled brief. This sounds tedious; in practice, a five-minute find-and-replace pass before a summary saves hours of explanation if the question of retention ever comes up with a client.
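The find-and-replace pass above is worth scripting so it is repeatable and reversible. The following is an added example, not a Notion feature or anything from Notion's documentation: it swaps email addresses and phone numbers for numbered placeholders by regex, swaps company and personal names you supply (it cannot guess them offline) for "Client A" and "Contact 1" style labels, returns the mapping so you can put the real names back into the AI's answer, and refuses to proceed if anything that still looks like an identifier is left. The sample brief, the names and the phone number are constructed for the example; the regexes are deliberately coarse and do not replace a read-through before you paste.

```python
"""Reversible redaction pass for text bound for a third-party LLM.

Added example, not Notion tooling. Structured identifiers (emails, phone
numbers) are found by regex; company and personal names must be supplied,
because there is no reliable offline way to guess them. The mapping that
comes back lets you put the real names into the AI's answer afterwards.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Sequence

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Coarse: optional '+', then at least 9 digits with common separators.
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")


@dataclass
class Redaction:
    text: str                                               # what you paste into the prompt
    mapping: dict[str, str] = field(default_factory=dict)   # placeholder -> original


def redact(text: str, companies: Sequence[str] = (), people: Sequence[str] = ()) -> Redaction:
    mapping: dict[str, str] = {}
    counters = {"EMAIL": 0, "PHONE": 0}

    def replace_structured(label: str, pattern: re.Pattern[str], s: str) -> str:
        def sub(match: re.Match[str]) -> str:
            original = match.group(0)
            for ph, seen in mapping.items():        # same value -> same placeholder
                if seen == original:
                    return ph
            counters[label] += 1
            ph = f"[{label} {counters[label]}]"
            mapping[ph] = original
            return ph
        return pattern.sub(sub, s)

    # Structured patterns first: a mail domain may contain the company name,
    # and replacing the name first would leave a half-mangled address behind.
    text = replace_structured("EMAIL", EMAIL_RE, text)
    text = replace_structured("PHONE", PHONE_RE, text)

    # One placeholder per entity; aliases catch partial mentions ("Jane").
    aliases: list[tuple[str, str]] = []
    for i, company in enumerate(companies):
        ph = f"Client {chr(ord('A') + i)}"          # A..Z, enough for one brief
        mapping[ph] = company
        aliases.append((company, ph))
    for i, person in enumerate(people, start=1):
        ph = f"Contact {i}"
        mapping[ph] = person
        aliases.append((person, ph))
        aliases.extend((token, ph) for token in person.split() if len(token) >= 3)
    # Longest alias first so "Acme Robotics" is consumed before "Acme".
    for alias, ph in sorted(aliases, key=lambda a: len(a[0]), reverse=True):
        text = re.sub(rf"\b{re.escape(alias)}\b", ph, text, flags=re.IGNORECASE)
    return Redaction(text, mapping)


def restore(text: str, mapping: dict[str, str]) -> str:
    """Put the real identifiers back into the model's answer."""
    # Longest placeholder first so "Contact 10" is not eaten by "Contact 1".
    for ph in sorted(mapping, key=len, reverse=True):
        text = text.replace(ph, mapping[ph])
    return text


def residual_identifiers(text: str) -> list[str]:
    """Pre-flight check: anything that still looks like an email or phone."""
    return EMAIL_RE.findall(text) + PHONE_RE.findall(text)


# Constructed sample brief; the company, names and number are invented.
SAMPLE_BRIEF = (
    "Acme Robotics engaged us through Jane Doe (jane.doe@acme-robotics.com, "
    "+33 6 12 34 56 78). ACME ROBOTICS wants the NDA reviewed before Jane "
    "meets Bob Stone."
)

if __name__ == "__main__":
    r = redact(SAMPLE_BRIEF, companies=["Acme Robotics"], people=["Jane Doe", "Bob Stone"])
    assert not residual_identifiers(r.text), "refuse to paste: identifiers left"
    print(r.text)
    print(restore("Contact 1 at Client A wants the NDA reviewed.", r.mapping))
```

Keep the mapping local (a file in the client workspace you never paste) and run the residual check as a gate, not a warning: the point of the exercise is that the 30-day retention window holds "Client A" and "[EMAIL 1]", not the labeled brief.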
Set a hard rule against pasting health, financial, or legal client data into prompts unless you are on Enterprise. For HIPAA-touched material specifically, Notion explicitly conditions HIPAA enablement on zero-retention APIs, which means Enterprise. Do not assume the Plus plan covers you. The same logic applies to anything covered by a Business Associate Agreement, a regulated financial advisory engagement, or a privileged legal communication.
For Custom Agents specifically, audit what pages each agent has access to before scheduling it. Treat agent access like API access — least privilege. If an agent only needs to read your weekly meeting notes, do not grant it workspace-wide read. Notion’s permission model supports this; most users do not use it carefully.
Turn on two-factor authentication on your Notion account, and use a hardware security key wherever your login method supports one. SAML SSO is a workspace-level feature of the higher plans and does not apply to a solo account, so 2FA is the control that matters here. Account compromise is a separate threat from the LLM data path, but a stolen Notion session is also a stolen ticket to every client document the workspace can reach.
Finally, version-control the things that genuinely need it. Long-term client deliverables that should not be lost or accidentally summarized into an LLM belong in a git repository or an encrypted document store, not loose in a Notion workspace. Notion is a great hub; it is not the right primary store for anything you would not want to see in a discovery request.
Privacy-friendlier alternatives
For freelancers who want a productivity-AI stack with less third-party exposure, three combinations are worth considering. Pick the one that matches how you actually work, not the one that sounds most secure on paper. None of these is a drop-in replacement for Notion AI’s breadth of features — that is part of the tradeoff.
Proton stack (Proton Drive plus Proton Mail plus Proton Docs) — End-to-end encrypted document storage, calendar, and email from a Swiss provider operating under Swiss privacy law, which sits outside the US CLOUD Act regime. Proton Docs supports collaborative editing without sending plaintext to a third-party LLM. There is no native AI assistant yet at the depth of Notion AI, but if your work is heavy on confidential drafts and light on AI generation, this swap removes the LLM exposure entirely. Free tier available; paid tiers start around 4 to 8 euros per month per user, and the Business plan adds custom domains and admin controls. Best fit for solo workers in legal, healthcare, or financial advisory contexts, and for freelancers serving EU clients who care about jurisdiction. Direct link: https://proton.me
Obsidian plus local LLM — Obsidian is a local-first markdown notes app. Your notes live on your disk, not on someone’s cloud. Pair it with a local LLM running on Ollama or LM Studio, and you get an AI assistant whose prompts never leave your machine. The setup is steeper than Notion’s one-click experience, and you will need a reasonably modern computer (16 to 32 GB of RAM is comfortable for small-to-medium local models), but the data path is the shortest possible — there is no third party in it at all. Obsidian is free for personal use; optional paid sync runs around 4 to 8 dollars per month. Best fit for technically comfortable freelancers, especially developers, analysts, and writers who already maintain a markdown workflow. Direct link: https://obsidian.md
1Password and Bitwarden for credential isolation — Not a Notion replacement, but a critical layer alongside whatever workspace you use. Storing client credentials, API keys, and shared logins in 1Password or Bitwarden — never in a Notion page — keeps the highest-value secrets off the LLM data path entirely. Both have zero-knowledge architecture: the vault is encrypted client-side with a key derived from your master password, so the vendor holds only ciphertext it cannot decrypt. 1Password Business is around 7.99 dollars per user per month; Bitwarden Teams is around 4 dollars per user per month, with a free personal tier that is genuinely usable. Best fit for every freelancer who currently has a passwords file or a credentials page somewhere in their notes. Direct links: https://1password.com or https://bitwarden.com
If you need a hardware security key to lock down your accounts, a YubiKey 5 NFC is the standard pick. It works with any of the services above that accept FIDO2 security keys for login (Proton, 1Password and Bitwarden do); check Notion's current login options before buying one for that account specifically. https://www.amazon.com/dp/B07HBD71HL/?tag=aidtaskpro-20
The verdict
Use with caution. Notion AI 3.4 is well-instrumented for a productivity tool — there is a real subprocessor list, a clear retention policy, and a stated training prohibition — but the strongest privacy guarantees are gated behind the Enterprise plan. For freelancers on Plus or Business handling NDA-bound or regulated client data, the 30-day third-party retention window is the dealbreaker for some engagements. Use Notion AI for your own work and lightweight client tasks; do not paste raw NDA-protected, health, or legal data into it unless your client has signed off on the subprocessor chain and the retention posture of your plan tier.
Frequently asked questions
Does Notion AI train on my prompts?
Per Notion’s AI security and privacy practices page (retrieved 2026-05-12), the company states its AI subprocessors are contractually prohibited from using customer data to train their underlying models. There is a separate opt-in AI LEAP program where users may consent to contribute data for product improvement, but it is off by default. Training is distinct from retention — see the retention question below for the practical difference that matters most.
Is Notion AI suitable for EU client work?
Based on the policy as written, Notion publishes a Data Processing Addendum and a subprocessor list, which is what an EU client typically needs to satisfy controller-processor disclosure. The practical issue for freelancers is that Anthropic and OpenAI being subprocessors means your EU client should be informed before their data flows through Notion AI. Whether that disclosure is sufficient depends on your client’s own privacy posture and the terms of your engagement contract.
Can I use Notion AI for HIPAA-protected health data?
Per Notion’s policy (retrieved 2026-05-12), HIPAA-enabled processing is conditioned on zero-retention LLM APIs, which Notion provides only on Enterprise workspaces. On Free, Plus, or Business plans, the policy permits up to 30-day retention at the LLM provider — incompatible with how most HIPAA Business Associate Agreements are written. The honest answer for a solo healthcare consultant: Enterprise or not at all.
What happens to my data if I cancel my Notion plan?
Per Notion’s documentation (retrieved 2026-05-12), deleted pages and workspaces can be restored within 30 days. After the 30-day window, the data — including AI-generated content and embeddings — is deleted and unrecoverable. Account-level data follows the broader retention rules in the privacy policy and is not held indefinitely after closure, but if you have sensitive material you want gone immediately, you must delete it actively and wait out the 30-day window.
Do Custom Agents see all my pages?
Custom Agents inherit the access permissions of the workspace or pages you grant them. They can only act on data they can read. The privacy implication, new with 3.4, is that an agent running on a schedule may touch pages you forgot you shared with it. Audit each agent’s permissions before scheduling, and prefer client-specific workspaces over one monolithic personal workspace.
Is Notion AI safer than ChatGPT for freelance work?
Different tradeoffs. ChatGPT’s free and Plus tiers have their own retention windows and a separate training opt-out toggle. Notion AI bundles the LLM call into a workspace that already holds your client data, which is more convenient but expands the data path. Neither is categorically safer; both require the same posture — separate workspaces, redacted prompts, and an Enterprise-tier contract for sensitive material.
Sources
- Notion AI security and privacy practices — https://www.notion.com/help/notion-ai-security-practices (retrieved 2026-05-12)
- Notion privacy policy — https://www.notion.com/trust/privacy-policy (retrieved 2026-05-12)
- Notion privacy practices help page — https://www.notion.com/help/privacy (retrieved 2026-05-12)
- Notion 3.4 release notes — https://www.notion.com/releases/2026-04-14 (retrieved 2026-05-12)
- Notion 3.4 ProductHunt launch — https://www.producthunt.com/products/notion-3-4 (retrieved 2026-05-12)
Reviewed by Jérémy, founder of AidTaskPro and GreenBudgetHub. Based in central France. Privacy posture sourced from public policies and vendor documentation as of 2026-05-12.