Notion A.I CyberSecurity Scoring
Notion
Company Information
Website: https://notion.com
Employees number: 5,221
Number of followers: 934,589
NAICS: 5112
Industry Type: Software Development
Homepage: notion.com
Notion Risk Score (AI oriented)
Between 650 and 699
Notion, Software Development
Updated: 04/05/2026
693/1000
Weak
B
Current Score: 693 B (WEAK)
2 incidents
-47 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 697
MAY 2026: 693
APRIL 2026: 697
Vulnerability
22 Apr 2026 • Notion
Notion: Notion public pages found leaking user emails and profile pictures
Notion Privacy Leak Exposes User Metadata in Public Pages
693
CRITICAL-4
NOT1776839801
A recent investigation has revealed a privacy risk in Notion, the widely used productivity platform with tens of millions of users. Cybersecurity researchers found that publicly shared pages may inadvertently expose personal metadata of collaborators, including usernames, profile images, and email addresses.
The issue stems from Notion’s design: when users publish pages without restrictions, the platform includes internal metadata alongside visible content. While this behavior is intentional, researchers argue that its privacy implications are often overlooked by users, who may not realize they are exposing sensitive details.
The vulnerability affects both individual users and organizations that rely on Notion for public documentation, knowledge bases, or shared repositories. Any unrestricted page could potentially leak contributor data, raising concerns about unintended exposure.
Notion initially defended its practices, stating that users were warned about metadata exposure during publishing. However, researchers demonstrated that these warnings were not consistently displayed in the interface. Following public backlash, the company acknowledged the issue, with spokesperson Max Schoening calling the current behavior "unacceptable." Notion is now exploring solutions, such as removing personal identifiers from public API responses or implementing email masking, similar to GitHub’s approach.
While the company works on a fix, the incident highlights the broader risks of metadata exposure in collaborative platforms.
MARCH 2026: 785
Breach
20 Mar 2026 • Notion
Notion, Slack, Google, Zoom, Nikkei and Workday: Your work apps are quietly handing 19 data points to someone
Workplace Apps Collect Extensive User Data, Raising Privacy and Security Concerns
695
CRITICAL-90
WORNOTGOOZOONIKTIN1777868873
A recent study by Incogni, analyzing data from the Google Play Store as of March 20, 2026, reveals that ten widely used workplace apps, including Gmail, Microsoft Teams, Zoom Workplace, Slack, and Notion, collect an average of 19 data points per app, with some sharing sensitive information with third parties. These apps, cumulatively downloaded over 12.5 billion times, are integral to U.S. corporate operations but pose significant privacy and security risks.
Data Collection and Sharing Practices
Gmail leads in data harvesting, collecting 26 distinct data types, including approximate location, app interactions, and user IDs for advertising. Microsoft Teams and Zoom Workplace follow closely, with 25 and 23 data types, respectively, both uniquely gathering precise location data. Six of the ten apps, including Slack, Notion, and Zoom Workplace, use collected data for marketing, with Slack, Todoist, and Notion specifically harvesting employee email addresses for this purpose.
Notion stands out for its outbound data flow, sharing eight data types such as email addresses, names, and device IDs with third parties, including advertising partners. The app’s privacy policy permits tracking tools on user browsers, raising concerns over the exposure of sensitive workspace content like HR records and client data. Regulatory scrutiny has intensified, particularly after the EU’s Data Protection Board tightened GDPR requirements in December 2024 regarding personal data use in AI training, directly impacting Notion’s third-party model integrations.
Security Vulnerabilities and Breach History
Most apps in the study have a history of breaches. In January 2026, a 96-gigabyte database containing 149 million login credentials, 48 million of them tied to Gmail, was exposed, attributed to infostealer malware on user devices. Slack suffered a November 2025 breach where attackers used stolen credentials to access accounts of over 17,000 Nikkei employees, exposing names, emails, and chat histories. Trello, Zoom, and Microsoft products have also faced incidents, with Trello data appearing for sale in January 2024.
Workday is the only app in the analysis without a user data deletion option, despite holding employment records and payroll details. In August 2025, the platform confirmed two breaches linked to its Salesforce CRM, where attackers obtained business contact information as part of a ShinyHunters social engineering campaign.
BYOD Risks and Platform Disparities
Many employees install these apps on personal devices, exposing contact details, financial data, and location information to advertising networks or corporate administrators. Slack, for example, lacks end-to-end encryption, allowing workspace owners to access direct messages and private channels. While the study focuses on Google Play data, Incogni notes that iOS disclosures may differ, though past comparisons suggest similar privacy practices across platforms.
The findings highlight the trade-offs between workplace productivity and data exposure, with recurring breaches and extensive tracking underscoring the risks of integrating these tools into daily operations.
FEBRUARY 2026: 785
JANUARY 2026: 785
DECEMBER 2025: 785
NOVEMBER 2025: 785
OCTOBER 2025: 785
SEPTEMBER 2025: 785
AUGUST 2025: 785
JULY 2025: 785