Privacy Policy
Effective date: January 15, 2025
Applies to: The Notion Sidecar Chrome extension
1) Who we are
Controller for extension operations: Paytronic LLC
Address: 9304 Ashbourne Dr, Sandy, UT 84094
Email: cory@paytronic.com
This policy describes how the Notion Sidecar extension handles personal data.
2) How Notion Sidecar works
- Client only. No vendor servers for data storage.
- You create structured entries in your Notion databases through a persistent Chrome side panel.
- The extension writes content directly to your Notion workspace via the Notion API.
- Authentication uses Notion's OAuth 2.0 flow with secure token management.
- We do not collect browsing history. We act only on user actions within the extension.
- Local timeline tracks entries created through the extension for your reference only.
3) Roles
- Your Notion workspace content: You are the controller.
- Notion acts as your processor under Notion's terms of service.
- Extension operations and support communications: Paytronic LLC is the controller for minimal account data and support messages.
4) Data we process
4.1 User-provided content
- Structured data entries you create (text, numbers, dates, selections, file uploads, etc.).
- Database selections and form field values.
- Relation entries and linked database content.
- Metadata such as timestamps, entry titles, and database references.
Storage location: Your Notion workspace via the Notion API.
4.2 Account identifiers
- Notion user ID, name, email, and avatar URL.
- Notion workspace ID, name, and icon.
Purpose: Authentication, UI display, and to identify your Notion account.
Storage: Cached locally by Chrome for the active session. Avatar images load from Notion's CDN.
4.3 Local extension data
- Extension settings and preferences.
- Selected database ID for quick access.
- Local timeline of entries created through the extension (entry metadata only, not full content).
- Database list cache for improved performance.
Storage: chrome.storage on your device and browser localStorage.
Deletion: Cleared on uninstall or sign out.
4.4 Authentication tokens
- OAuth 2.0 access and refresh tokens obtained from Notion.
- Tokens are stored securely in Chrome's local storage.
- Tokens are automatically refreshed as needed.
- On sign out, we revoke tokens with Notion and clear all stored authentication data.
4.5 Device and network data
- When the extension calls Notion APIs, your browser sends IP address, user agent, and request headers to Notion's services.
- We do not receive or store server logs for these calls.
4.6 Support communications
- If you email us, we process your contact details and message contents to respond.
We do not sell data. We do not share data for cross-context behavioral advertising. We do not run analytics, tracking, or ads.
5) Purposes and legal bases
- Provide the extension's core functionality for creating Notion entries.
- Authenticate with your Notion account.
- Cache database information for improved performance.
- Maintain local timeline for your reference.
- Maintain security and abuse prevention.
- Offer user support.
EEA and UK legal bases: performance of a contract, legitimate interests, or consent where required.
6) Chrome and Notion permissions in use
Chrome permissions
- storage: Save extension settings, selected database, and local timeline.
- sidePanel: Render the extension UI as a persistent side panel.
Host permissions and endpoints
- https://api.notion.com/* for Notion API access (databases, pages, users, file uploads).
- https://notion.so/* for Notion workspace integration and redirects.
- OAuth callback hosted at https://notion-sidecar.vercel.app/oauth/callback for authentication flow.
Notion OAuth scopes
- Read access: To fetch your databases, database schemas, relation options, and workspace users for form generation and selection.
- Write access: To create new pages and entries in your selected databases, including file uploads and relation creation.
We apply least privilege in practice. All Notion access is triggered by your explicit actions within the extension.
7) Storage, retention, and deletion
- Your Notion content: Lives only in your Notion workspace until you delete it there.
- Local extension data: Remains until you sign out or uninstall, then it is cleared automatically.
- Database cache: Stored in browser localStorage for 24 hours, then refreshed automatically.
- Authentication tokens: Cached by Chrome, removed on sign out and revoked with Notion.
- Timeline entries: Stored locally for your reference, cleared on sign out or uninstall.
- Support emails: Retained as needed to resolve your request, then archived per our retention policy.
You can delete Notion pages, clear the local timeline, or sign out at any time to remove local data.
8) Security
- Manifest V3 service worker architecture.
- All API calls use HTTPS encryption.
- OAuth 2.0 tokens managed securely with automatic refresh.
- No remotely hosted executable code is executed by the extension.
- Environment variables protect sensitive OAuth credentials.
- Production-safe logging prevents sensitive data exposure.
- Input sanitization prevents XSS attacks.
- We review requested permissions and scopes and keep them minimal for the feature set.
9) Notion API Services and Limited Use
Notion Sidecar's use of Notion user data complies with Notion's API Terms of Service and developer policies.
- We use Notion data only to provide the features you request.
- We do not sell or transfer Notion user data to third parties.
- We do not allow human access to your Notion content except if you explicitly ask for support and grant temporary access.
- We do not use Notion user data for advertising or analytics.
- We do not store copies of your Notion content on our servers.
10) International data transfers
We do not operate servers that store your content. Your Notion content remains in your Notion workspace and is subject to Notion's data region settings. Notion may process data on servers outside your region as described in its terms.
11) Subprocessors and third-party services
We do not engage subprocessors to store or process your content.
Your browser connects directly to:
- Notion API endpoints for database and page operations.
- Notion OAuth endpoints for authentication.
- Notion CDN for avatar images and file uploads.
- Our OAuth callback endpoint hosted on Vercel for authentication flow completion.
These services receive network metadata when requested by your browser.
12) Data subject and consumer rights
You can exercise rights under GDPR, UK GDPR, and US state laws.
- Access, correction, deletion. You can access or delete content in your Notion workspace directly. You can also contact us for any account data we hold.
- Portability. Export your content from your Notion workspace.
- Restriction or objection. Contact us to request restriction or object to processing where applicable.
- California. We do not sell or share personal information. You may submit requests to know, delete, or correct. We acknowledge requests within 10 business days and respond within 45 days.
- EEA and UK. We respond without undue delay and within one month.
Submit requests to cory@paytronic.com. We will verify your identity before acting.
13) Children
The extension is not directed to children under 13, or under the age required by local law. We do not knowingly collect data from children.
14) Breach notification
If we become aware of a personal data breach affecting data we control, we will notify affected users without undue delay. Where GDPR applies, we will notify the competent supervisory authority within 72 hours when required.
15) Enterprise controls
Administrators can:
- Force-install or block the extension using Chrome Enterprise policies.
- Control Notion workspace access through Notion admin settings.
- Restrict which users can install Chrome extensions.
- Monitor extension usage through Chrome Enterprise reporting.
Contact us for deployment guidance if needed.
16) Changes to this policy
We will post updates in this document with a new effective date. Material changes will be highlighted and communicated to users through the extension or email where possible.
17) Contact
Privacy contact: cory@paytronic.com
Postal address: Paytronic LLC, 9304 Ashbourne Dr, Sandy, UT 84094
18) California notice at collection
Categories collected
- Identifiers. Notion user ID, name, email, avatar URL, workspace information.
- Internet or network activity. Requests your browser sends to Notion APIs and our OAuth callback endpoint.
- User content. Database entries, form data, file uploads, and metadata that you instruct the extension to write to your Notion workspace.
Sources
Directly from you and from your Notion account after you authenticate.
Business purposes
Provide the extension functionality, authenticate with Notion, create database entries, cache data for performance, show UI elements.
Retention
- User content remains in your Notion workspace until you delete it.
- Local settings and timeline remain until sign out or uninstall.
- Database cache refreshes every 24 hours.
- Authentication tokens are cached by Chrome and cleared on sign out.
- Support emails are retained as needed to resolve requests.
Sale or sharing for cross-context advertising
No.
19) Definitions
- User content: Database entries, form data, files, and metadata you direct the extension to save in your Notion workspace.
- Local extension data: Settings, timeline entries, and cached data stored in Chrome on your device.
- Notion user data: Data accessed via Notion APIs under the scopes listed above.
- Timeline entries: Local metadata about entries created through the extension for your reference (does not include full entry content).