Privacy Policy

Last updated: April 22, 2026

This Privacy Policy explains how NotionGate collects and processes personal data when you use our website, desktop application, and related services.

1. Controller and Scope

This Privacy Policy applies to NotionGate ("NotionGate", "we", "us", "our") and describes how we process personal data when you use notiongate.app, our desktop application, account features, and support channels.

For privacy requests, contact: support [at] notiongate [dot] app.

2. Data We Collect

We process account and identity data you provide directly, including email address, username, and authentication data needed for sign-up, login, account management, and password reset.

We process licensing and security data required to run the product, including plan/license status and a device identifier (HWID-derived) used to enforce device limits and prevent abuse.

If you submit a bug report or contact support, we process the information you provide, such as email address, message text, and optional context needed to investigate your issue.

We do not run broad behavioral ad tracking and we do not sell personal information. We also do not maintain routine centralized usage logs for normal product activity; the main remote diagnostic data we receive is error-reporting data sent via Sentry when enabled.

To protect our infrastructure and users, we maintain automated security logs (Threat Intelligence). When you interact with our website or services, our edge infrastructure and application firewalls may temporarily log request metadata, including your IP address, User-Agent, request paths, and timestamps. This is strictly separated from product analytics and solely used to detect, analyze, and block unauthorized access, vulnerability scanners, and malicious bots.

3. How We Collect Data

We collect data (a) directly from you, (b) from service actions in the app (for example authentication and license checks), and (c) from processors used to run key infrastructure features such as error reporting, hosting/CDN, and API integrations.

4. Why We Use Personal Data

We process personal data to provide and secure the service, including account authentication, license/device enforcement, Notion integration workflows, support handling, and error investigation.

We also process data to comply with legal obligations, enforce our terms, and protect users, our systems, and third parties from fraud, misuse, or security incidents.

5. Legal Bases for Processing

Where required by law (including GDPR), our legal bases include: contract performance (Art. 6(1)(b) GDPR), legitimate interests in secure and reliable service operation (Art. 6(1)(f) GDPR), legal obligations (Art. 6(1)(c) GDPR), and consent where applicable (Art. 6(1)(a) GDPR).

If processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect processing that occurred before withdrawal and does not affect processing based on other legal grounds.

6. Processors and Recipients

We share personal data only where needed to operate and secure the service, and only for defined purposes. Main processors and recipients include:

Supabase (authentication/database): account data, auth/session metadata, and licensing records. Our production Supabase project region is West EU (Ireland).

Notion (API integration): data needed to perform user-requested Notion sync operations.

Sentry (error reporting): We use Sentry to capture runtime exceptions and technical crash context to improve app stability. To protect your privacy, crash reporting is entirely optional and can be managed within the app settings. Furthermore, we have explicitly configured the Sentry SDK to strip Personally Identifiable Information (PII) by default (e.g., send_default_pii=False), ensuring your IP address, local machine username, or device identifying details are not automatically logged. If you choose to submit manual bug feedback, we process the specific details you provide (such as your email or comments).

Cloudflare (website/CDN and edge services): delivery, security, and reliability of notiongate.app, including bot and abuse protection via Cloudflare Turnstile. Our public stats section also requests an installation counter via a Cloudflare Worker endpoint.

We may disclose data when required by law or valid legal process, or when necessary to protect rights, safety, and system security. We do not sell personal information and do not use cross-context behavioral advertising.

7. International Transfers and Safeguards

Some processors are based outside your country. Where required, we rely on appropriate safeguards for international transfers, including contractual safeguards such as Standard Contractual Clauses and other mechanisms recognized by applicable law.

8. Data Retention

When data is no longer required for these purposes, we delete, anonymize, or securely isolate it according to our operational and legal obligations.

Operationally, account profile and auth-linked metadata are kept while your account is active. After a verified account deletion request, we target deletion within 7 calendar days and complete it no later than 30 calendar days unless legal obligations require longer retention.

Local desktop config files and local cache data on your own device remain under your control until you remove them.

Infrastructure and security logs (such as those containing IP addresses and request metadata used for threat analysis) are retained for a maximum of 30 days, after which they are automatically deleted or irreversibly anonymized, unless required longer for an ongoing security investigation.

9. Security

We implement reasonable technical and organizational safeguards to protect personal data, including access controls, authentication protections, and secure handling practices for account credentials and service communications. No security system is perfect, and we cannot guarantee absolute security against every threat, but we continuously review and improve our safeguards.

10. Your Privacy Rights

Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or port personal data, and to withdraw consent where consent is the legal basis.

California residents may have additional rights under applicable state law. We do not sell personal information.

To exercise rights, contact support [at] notiongate [dot] app. We may ask for information needed to verify identity before completing certain requests.

11. Children

Our services are not directed to children under 13, and we do not knowingly collect personal data from children under 13. If you believe a child has provided personal data to us, contact us and we will take reasonable steps to investigate and delete the data where required.

12. Cookies and Similar Technologies

We use cookies and local storage primarily for essential service operation, security, and authentication. We do not use ad-tech cookies and we do not run cross-site behavioral advertising.

Key technologies currently used include:

Cloudflare security cookies (as applicable by traffic and security rules), which may include names such as __cf_bm, cf_clearance, and _cfuvid. These are used to protect the site from abuse and automated attacks.

Cloudflare Turnstile challenge state cookies may be set when bot checks are triggered during authentication or suspicious traffic flows.

Authentication state storage for Supabase web sessions is stored by the client SDK in browser storage when using the client-side flow (for example local storage keys like sb-<project-ref>-auth-token), which we treat as strictly necessary to keep users signed in.

Cloudflare states these security cookies are strictly necessary for security services. Depending on configuration, cookie-related processing may involve U.S. data-center infrastructure. We use processor safeguards described in this policy for cross-border processing.

You can manage browser-level cookie and storage preferences through your browser settings. If disabled, some sign-in and protection flows may not function correctly.

For a dedicated breakdown of cookie categories, legal basis, and user controls, see our Cookie Policy.

13. Third-Party Links

Our website and documentation may contain links to third-party websites or services. This Privacy Policy applies to NotionGate services only. If you visit external services, you should review their privacy policies because we do not control their processing practices.

14. Business Transfers

If NotionGate is involved in a merger, acquisition, financing due diligence, reorganization, sale of assets, or transition of service operations, personal data may be transferred as part of that transaction, subject to applicable legal safeguards.

15. Complaints

If you believe your data has been processed unlawfully, you may have the right to lodge a complaint with a competent supervisory authority.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect legal, operational, or product changes. When we make updates, we will publish the revised version on this page and update the "Last updated" date. Material changes become effective when posted unless a different effective date is stated.

17. Contact

If you have questions about this Privacy Policy or want to exercise applicable privacy rights, contact us at support [at] notiongate [dot] app.

This document is provided for transparency and product operations. It is not legal advice. If you need legal advice for your specific situation, consult qualified legal counsel.