Privacy Policy for Fast Actions for Notion

Last updated: March 2026

1. Controller (Verantwortlicher gem. Art. 4 Nr. 7 DSGVO)

Michal Zolnieruk
Einzelunternehmen / Gewerbe
Email: gierekg@gmail.com

2. Overview

Fast Actions for Notion is an iOS app developed by Michal Zolnieruk. It allows you to capture content — photos, text, numbers, dates, and selections — into your own Notion databases via Notion's official API.

In short: We do not operate backend servers that store your content. All user-created content (photos, text, structured data) goes directly from your device to your Notion workspace. We collect analytics, crash reporting, and payment data to operate and improve the app. We do not sell your data or use it for advertising.

3. Data we collect

3.1 User content (photos, text, structured data)

The app allows you to capture and send the following to your Notion workspace:

• Photos and images (from camera or photo library)
• Text (titles, rich text, URLs, emails, phone numbers)
• Structured data (select/multi-select options, status, dates, checkboxes, numbers)

This content is stored temporarily on your device in a local upload queue and uploaded directly to your Notion workspace via Notion's REST API. Once successfully uploaded, content is removed from the local queue. We do not store, process, inspect, or have access to your content on any server we operate.

Photo metadata (such as EXIF location data or timestamps embedded in images) is sent as-is to Notion and is not extracted or stored by us separately.

Legal basis: Performance of contract (Art. 6(1)(b) GDPR) — processing is necessary to provide the app's core functionality.

3.2 Authentication (Notion OAuth)

You authenticate via Notion's official OAuth 2.0 flow. Our backend is used to securely convert your authorization code into a token. This is necessary because Notion's OAuth requires a server-side token exchange — the client secret cannot be safely embedded in a mobile app.

The resulting OAuth token is stored locally on your device and includes: access token, workspace name, workspace ID, workspace icon URL, user ID, and user display name.

Legal basis: Performance of contract (Art. 6(1)(b) GDPR).

3.3 Analytics (Mixpanel)

We use Mixpanel (EU data residency, api-eu.mixpanel.com) to understand how users interact with the app. Data sent to Mixpanel includes:

• User identifier: Notion user ID
• User profile: Notion display name, workspace name, workspace ID, app version, install date, pro status
• Usage events: screen views, button taps, feature usage (e.g. "capture submitted", "action created"), session duration, upload success/failure counts
• Upload metadata: duration, file size, database ID

We do not send actual user content to Mixpanel — no photos, no text values, no captured field contents. This data is linked to your Notion user ID and may be potentially identifiable.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in understanding feature usage, onboarding completion, and error rates to improve the app.

3.4 Crash and error reporting (Sentry)

We use Sentry (US data residency) to collect crash reports and error logs. Data sent to Sentry includes:

• Crash logs and error stack traces
• Error context: operation type (e.g. "oauth", "upload"), HTTP status codes, error messages
• User identifier: Notion user ID, workspace name

We do not send user content, photos, or captured values to Sentry.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in maintaining app stability and debugging issues.

3.5 Payments and subscriptions (RevenueCat)

We use RevenueCat to manage in-app subscriptions ("Fast Actions Pro"). RevenueCat processes:

• RevenueCat-assigned app user ID
• Subscription/purchase status and entitlements

RevenueCat does not receive any Notion user data, content, or analytics. We do not have access to your payment details (credit card numbers, billing address) — these are handled entirely by Apple via the App Store.

Legal basis: Performance of contract (Art. 6(1)(b) GDPR) — processing is necessary to provide paid features.

3.6 Notion (user's destination)

Notion is the destination you choose for your content — it acts as your service, not our partner. We send whatever content you choose to capture (photos, text, structured data) via your own OAuth token to your own workspace. You explicitly grant access to specific databases during Notion's OAuth flow. We have no access to your Notion data beyond what the OAuth token permits.

4. Technical and device data

In the course of operating the app and its services, we may collect technical data such as:

• IP addresses (e.g. as part of standard HTTP requests to our backend or third-party services)
• Device identifiers and device model information
• Location data derived from IP address (coarse, not precise GPS)
• Operating system version and app version

This data is used solely for operational purposes such as security, abuse prevention, debugging, and service improvement. We do not use it for advertising or cross-app tracking.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in maintaining service security and quality.

We do not collect: contacts or address book data, health or fitness data, browsing history, biometric data, or advertising identifiers (IDFA).

5. Local device storage

The following data is stored locally on your device and is never sent to any server we operate:

• Notion OAuth token (AsyncStorage) — for API authentication
• Action configurations (AsyncStorage + SQLite) — your saved capture workflows
• Database metadata cache (AsyncStorage + SQLite) — offline access to database schemas and select options
• Upload queue (AsyncStorage + SQLite) — pending uploads for offline/retry support
• UI preferences (AsyncStorage) — appearance mode (light/dark)

When you delete the app, all local data is automatically deleted by iOS.

6. Data sharing

We do not sell your data, share data with data brokers, or use data for advertising or cross-app tracking.

Your data may be processed by the following third-party services under their respective data processing agreements:

• Mixpanel (analytics, EU servers) — Privacy Policy
• Sentry (crash reporting, US servers) — Privacy Policy
• RevenueCat (payments) — Privacy Policy
• Notion (user's data destination) — Privacy Policy
• Cloudflare (OAuth proxy) — Privacy Policy

Where providers transfer data to servers outside the EU/EEA (e.g. Sentry), such transfers are safeguarded by Standard Contractual Clauses (SCCs) or equivalent mechanisms as required by the GDPR.

7. Data retention and deletion

• User content: Retained on device only until successfully uploaded to Notion, then deleted from the local queue.
• OAuth token: Stored locally until you sign out; cleared on sign-out.
• Analytics (Mixpanel): Retained per Mixpanel's data retention policy. Can be deleted via Mixpanel's GDPR deletion API upon request.
• Error reports (Sentry): Retained for 90 days per Sentry's default policy. Can be deleted via Sentry's data deletion tools upon request.
• Payments (RevenueCat): Retained per RevenueCat's policy; follows Apple's subscription management.
• On sign-out: OAuth token is cleared from device; Sentry user context is cleared.
• On app deletion: All local data (AsyncStorage, SQLite) is automatically deleted by iOS.

8. Your rights (Art. 15–21 GDPR)

You have the right to:

• Access your personal data (Art. 15)
• Rectification of inaccurate data (Art. 16)
• Erasure of your data (Art. 17)
• Restriction of processing (Art. 18)
• Data portability (Art. 20)
• Object to processing based on legitimate interest (Art. 21)

To exercise any of these rights, contact us at gierekg@gmail.com. We will respond within one month.

You also have the right to lodge a complaint with a supervisory authority (Aufsichtsbehörde), in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

9. Security

• All network communication uses HTTPS/TLS
• OAuth tokens are stored in device-local storage, sandboxed by iOS
• No sensitive data is stored on any server we operate
• OAuth client secret is stored only in the Cloudflare Workers environment, not in the app binary

10. Children

This app is intended for general audiences and follows the age requirements set by Apple's App Store and Google Play Store. We do not knowingly collect personal data from children below the minimum age required by the applicable platform. If you believe a child has provided us with personal data, please contact us so we can delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. The latest version will always be available at this URL.

12. Contact

If you have questions about this Privacy Policy or your data, contact:
gierekg@gmail.com