Notion + Data Loss / Privacy - Should you be worried about losing or leaking your notes?

For the past couple months I've been hopping between Notion and Obsidian for note taking. You can find my reasons for trying out Obsidian and then moving back to Notion here:

• Notion to Obsidian
• Back to Notion

A recent post went semi-viral in r/notion about data loss and privacy, titled NOTION WILL BAN YOUR ACCOUNT FOR NO REASON AND KEEP YOUR DATA which is related to some of the concerns I had about cloud vs local-first note-taking apps so I thought I'd write up my findings and share them out.

What happened with this Notion take-down?

First we should get the facts straight about what happened here so we can discuss the implications.

• The user was building a public page that allows people to directly "sell" airline miles / rewards to other people - this is likely a violation of Notion ToS and airline / rewards ToS
• They were also potentially mishandling PII which is likely also a violation of Notion ToS

So bottom line is they were doing some shady stuff with Notion's public page feature, Notion found out and shut it down.

What does this mean for you and your notes?

It means a few things:

• Data Privacy - Notion can and will look at data in your notes.
• Data Loss - Notion can and will action on the data in your notes, including removing access to and deleting your data.

Caveat that this was a public note that led to these actions but there's potential they could do this for private notes as well.

If I had to guess, I would say they do have automatic detection for bad things in notes that are illegal everywhere (think bad images, videos) to avoid being a host for these things so they don't get embroiled in large lawsuits. This kind of auto detection is common across basically any internet service as a way to follow the law and avoid lawsuits.

Should you be worried about this?

Yes. Your notes can be snooped on and you could lose your data forever.

But you should also keep this in perspective. The same thing could happen in most other solutions you use so you should consider whether the risk prevention is worth the effort.

Some examples:

Each note service has its own data privacy risks

• Any backup service you use for your notes / data will have its own ToS and likely its own autodetection for bad things. So if you choose a local-first note taking app but then proceed to back it up to GitHub, Dropbox, GDrive, etc then you're likely falling back into the same data privacy issues.
• Local-first tools like Obsidian have their own problems in the form of plugins. Your computer is probably not (yet) snooping on all the files you create but each plugin you use adds another vector of supply chain risk where a compromise could lead to silent data exfiltration.

Each note service has its own data loss risks

• Any backup service you use for your notes / data could incur catastrophic failure and lose data. It's unlikely but it could happen. Big cloud (Google, Dropbox, Microsoft, etc) typically have great, redundant backups but they're not infallible and there could always be corruption with merging changes from multiple devices. Built-in backups have the same problems - I've seen corruption reports from those backing up Obsidian with both the built-in sync and syncthing and those using Anytype's built-in sync.
• Offline backups have their own risks. Your computer may die, corrupting the drive. Your backups may get corrupted / lost. Same outcome, different path for getting there.

What can you do about it?

There are a few things I've thought about doing in response to this incident.

• Use a different app - I tried Obsidian for 6 weeks but ultimately concluded that Notion's ergonomics outweighed these data risks, particularly if I implemented a few mitigations.
• Backup your data regularly - If you're worried about data loss, you can implement a regular backup system. If you're really paranoid you can backup to multiple providers - though this increases your privacy risk. I'm going to start doing a quarterly backup so I get peace of mind without overindexing on a rare outcome.
• Don't put sensitive data in the cloud - No cloud service, no matter how secure, is infallible. There's always a chance a bug or hack ends up leaking stuff or a rogue agent in the company snoops on data they shouldn't. So if it's really sensitive, consider not uploading or digitizing it at all. Even local files have a risk if you download a virus or there's a supply chain attack or the latest AI decides to turn into a data vacuum. Always ask yourself if it would be okay for this data to leak in a data breach, if not consider leaving it offline.
• Don't do sketchy things - Avoid being under the spotlight of Notion's (or your service of choice's) ToS team. Don't host sketchy files or run weird businesses on Notion. Do that somewhere else - like your own servers (though most hosting providers have similar ToS). Better yet, don't do the sketchy thing - if you think it might come under scrutiny, it's likely partially illegal anyway.

Next

I've decided the risks don't outweigh the benefits for my notes so I'm continuing on with Notion.

If you liked this post you might also like:

• Why I'm Moving Back to Notion from Obsidian for Personal Notes
• My Simple Daily Todolist as a Software Engineer - Maximize Productivity, Minimize Waste
• What's the Best Value VPS Provider? Price to Performance Ratio