Backup Notion ("we", "us") is a service of [COMPANY_LEGAL_NAME], [COMPANY_ADDRESS]. We are the data controller for the personal data described in this policy. You can reach us at hello@backupnotion.to.
The short version: we back up your Notion workspace to storage you own. Your workspace content passes through our systems during a backup and is deleted once your storage confirms delivery. We keep the minimum account and operational data needed to run the service, we use cookieless analytics on this website, and we never sell personal data.
Data we process, and why
Account data
When you sign up we receive your email address and basic profile identity from the sign-in provider you choose. We use it to operate your account, send service emails such as backup failure alerts, and respond to support requests. Legal basis: performance of a contract (GDPR Art. 6(1)(b)).
Workspace content, in transit only
When a backup runs, we read the Notion teamspaces and pages you have shared with us through a read-only connection, convert them to Markdown, and stream the archive to the storage you connected. Our working copy is deleted once your storage confirms the upload. We do not store your workspace content at rest, we do not read it for any purpose other than producing your backup, and we cannot modify it in Notion. Legal basis: performance of a contract.
Connection credentials
OAuth tokens for Notion, Google Drive, and OneDrive, and the credentials you provide for S3 or SFTP storage, are encrypted in a managed vault separate from our application database. They are read only at the moment a backup runs and are deleted when you disconnect the integration. Legal basis: performance of a contract.
Operational metadata
We keep your workspace names, backup schedules, storage settings, and a history of backup runs (timestamps, page counts, archive sizes, outcomes) so you can verify your backups ran and we can debug failures. Legal basis: performance of a contract and our legitimate interest in operating a reliable service (Art. 6(1)(f)).
Billing data
Payments are processed by Stripe. We never see or store your card number; we keep subscription status and invoicing records. Legal basis: performance of a contract and legal obligation (tax and accounting rules, Art. 6(1)(c)).
Website analytics
This website uses PostHog in cookieless mode. No analytics cookies are set, no identifier is stored on your device, and visits are counted using short-lived, non-reversible techniques that cannot follow you across days or websites. Because nothing is stored on your device, no consent banner is required. Legal basis: legitimate interest in understanding how the site is used.
Cookies
The marketing website (backupnotion.to) sets no cookies. The application (app.backupnotion.to) sets strictly necessary cookies only: a session cookie that keeps you signed in and short-lived cookies used to complete OAuth sign-in flows securely. Strictly necessary cookies do not require consent under the ePrivacy rules.
Who we share data with
We use a small number of subprocessors to run the service. Each one processes data on our instructions under a data processing agreement:
| Provider | Purpose | Location |
|---|---|---|
| Vercel | Application hosting | United States |
| Supabase | Database, authentication, job queue | United States |
| Stripe | Payments and billing | United States |
| Resend | Transactional email | United States |
| PostHog | Product analytics (cookieless) | United States |
Your backup storage (Google Drive, Amazon S3, OneDrive, or your own server) receives the backup archive itself. That storage is governed by your own agreement with the provider, not by this policy. We also call the Notion, Google, and Microsoft APIs to perform the backups you configure. We do not sell personal data and we do not share it for advertising.
International transfers
Our subprocessors are located in the United States. Where personal data of people in the EU/EEA, UK, or Switzerland is transferred there, we rely on the providers' Standard Contractual Clauses and, where applicable, their certification under the EU-U.S. Data Privacy Framework.
Retention
- Workspace content: deleted after each backup is delivered; never stored at rest.
- Connection credentials: deleted when you disconnect the integration or delete your account.
- Account data and run history: kept while your account exists and deleted within 30 days of account deletion.
- Billing records: kept as long as tax and accounting law requires.
Backups already delivered to your own storage are yours; deleting your account does not touch them, and we could not delete them if we wanted to.
Your rights
If you are in the EU/EEA, UK, or a jurisdiction with similar rules, you have the right to access, rectify, and erase your personal data, to receive it in a portable format, to restrict or object to processing based on legitimate interest, and to withdraw consent where processing is based on consent. Write to hello@backupnotion.to and we will respond within one month. You also have the right to lodge a complaint with your local supervisory authority.
Security
Access to Notion is read-only. Storage connections use the most restricted scopes the platforms offer. Credentials are encrypted in a managed vault, transfers run over TLS or SSH, and no backup data is kept at rest on our side. The full picture is on our security page.
Children
Backup Notion is not directed at children under 16 and we do not knowingly process their data.
Changes to this policy
If we change this policy in a way that matters, we will update the date at the top and notify account holders by email before the change takes effect.