
Notion Reads Your Notes. Here's What Each App Actually Knows

A clear-eyed look at what Notion, Apple Notes, Obsidian, and other note-taking apps do with your private writing — and which ones are genuinely private.

The notes app is where many people do their most private thinking. It’s where you draft emails you’re not sure about, record things you don’t want to forget, work through difficult decisions, and keep information you’d be embarrassed to have public. For people building a personal knowledge base, journaling practice, or second brain, the app contains years of intimate writing.

The privacy architecture of your notes app determines who can access that content. And across the major apps, those architectures are very different from each other — and very different from what most users assume.


The Core Privacy Question: Who Holds the Keys?

The most important privacy question for any cloud-synced notes service is not whether the data is encrypted. All reputable services encrypt data. The question is who controls the encryption keys.

If the company holds the encryption keys, the company can technically read your notes. That means:

  • Their employees could access note content under certain conditions
  • A court could compel them to produce your notes in response to a legal order
  • A data breach that exposes encrypted data could become readable if the keys are also compromised
  • The company could use note content to improve AI features, targeting, or product development

If only you hold the encryption keys — end-to-end encryption — none of those risks apply, because the company has no readable version of your content. But E2EE comes with tradeoffs: no AI features on the server, no full-text search across devices without local indexes, no recovery if you lose your key.

Understanding which model your app uses is the starting point for understanding what it actually knows about you.


Notion

Notion is the most widely used of the knowledge management tools. It encrypts data at rest and in transit, but Notion holds the encryption keys. This means Notion can technically read your content.

Notion’s privacy policy, as of early 2026, states that the company does not train AI models on user content for product improvement. This is a meaningful commitment, but it’s a policy commitment, not an architectural one — it’s enforced by the company’s choices, not by technical impossibility.

What Notion does do is use the content of your notes to power its AI features: the AI writing assistant, the Q&A function, semantic search. These features work by sending note content to AI processing infrastructure, either Notion’s own or that of third-party AI providers. When you use an AI feature in Notion, your note content leaves Notion’s servers and enters another company’s AI pipeline, subject to that company’s privacy policy.

Notion is a US-based company and subject to US legal process. If a government authority with the right jurisdiction issued a valid legal order for your Notion workspace, Notion could comply — because it has readable access to your content.

Notion is designed for collaboration. It has strong features for teams. Its privacy model reflects a collaborative product: the content is accessible to the service so that collaborative features, sharing, and AI can work. If you’re using Notion for genuinely private personal writing, you’re using a collaborative tool for a purpose it wasn’t designed to prioritise.


Apple Notes

Apple Notes with default settings stores notes in iCloud, where they’re encrypted at rest and in transit, but Apple holds the keys. Under standard iCloud settings, Apple can respond to legal orders with note content.

However, Apple’s Advanced Data Protection (ADP) — enabled through Settings → [your name] → iCloud → Advanced Data Protection — shifts Apple Notes to end-to-end encryption. With ADP enabled, Apple cannot technically read your notes, and cannot produce them in response to a legal order because they don’t have the readable content.

There are real consequences to enabling ADP:

  • Apple cannot recover your data if you lose access to your account. You must set up your own recovery methods (a trusted contact or recovery key).
  • Some iCloud features don’t support ADP and are excluded from end-to-end encryption.
  • ADP must be explicitly enabled — it’s not the default.

With ADP enabled, Apple Notes becomes a meaningfully private notes service. Without it, it’s a cloud service where Apple holds the keys, the same as most competitors.

Apple’s business model is device and service sales, not advertising. This matters because the incentive structure for using your notes content is different from an advertising-funded service. Apple has no revenue mechanism that benefits from reading your private notes. The risk is legal process, not commercial exploitation.


Obsidian

Obsidian is architecturally different from Notion and Apple Notes. Notes are stored as plain text Markdown files on your local device. There is no Obsidian cloud service required — Obsidian is software that reads files from your filesystem.

This means Obsidian as a company cannot access your notes at all. There’s nothing on Obsidian’s servers, because your notes don’t go to Obsidian’s servers. The privacy guarantee is architectural, not policy-based.

Obsidian Sync is an optional paid add-on that syncs vaults across devices via Obsidian’s servers. According to Obsidian’s documentation, Sync uses end-to-end encryption where the keys are derived from a password you set, and Obsidian cannot read the contents of your synced vault. This is a stronger privacy model than most cloud services.
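
The difference between a provider-held key and a password-derived key can be shown in a few lines. This is an added example, not code from Obsidian or any other app discussed here; scrypt, AES-256-GCM, the function names and the sample note are assumptions chosen for illustration, not a description of how Obsidian Sync is actually implemented.

```javascript
// Added example: the two key-custody models compared in this article.
// scrypt and AES-256-GCM are this example's choices, not any vendor's documented design.
const nodeCrypto = require('node:crypto');

// Encrypt a note under a 32-byte key; returns the record a sync server would store.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every note version
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt a stored record; returns null when the key is wrong or the data was altered.
function unseal(key, rec) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, rec.iv);
    d.setAuthTag(rec.tag);
    return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
  } catch {
    return null; // GCM tag check failed
  }
}

// Model A (provider holds the key): the service generates and keeps the key,
// so anything with access to its key store can read the note.
function providerHeldModel(note) {
  const serverKey = nodeCrypto.randomBytes(32);
  const stored = seal(serverKey, note);
  return { stored, serverCanRead: unseal(serverKey, stored) };
}

// Model B (end-to-end): the key is derived on the device from a password the
// server never receives; only the salt and the sealed record are uploaded.
function deriveKey(password, salt) {
  const opts = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
  return nodeCrypto.scryptSync(password, salt, 32, opts);
}

function endToEndModel(note, password) {
  const salt = nodeCrypto.randomBytes(16);
  const stored = { salt, ...seal(deriveKey(password, salt), note) };
  // The server holds salt + record but has to guess the password to get a key.
  const serverCanRead = unseal(deriveKey('guess-made-by-server', salt), stored);
  const ownerRead = unseal(deriveKey(password, salt), stored);
  return { stored, serverCanRead, ownerRead };
}
```

In model B the privacy of the note rests on the strength of the password and the cost of the key derivation, which is also why a lost password means no recovery.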

The tradeoffs for Obsidian:

  • No AI features that process content on a server (though local AI plugins exist)
  • No web-based access without a separate sync solution
  • More setup effort than cloud-native apps
  • If you use a third-party sync like Dropbox or iCloud without ADP to sync your vault, the privacy properties of that sync service apply

In the Bitwarden community’s 2026 Data Privacy Week survey, Obsidian ranked as the top privacy recommendation in the notes app category. This reflects what privacy-conscious users have concluded from evaluating the architecture: local-first storage with optional E2EE sync is a structurally stronger privacy model than cloud-first storage where the service holds the keys.


Google Keep and Google Docs

Google’s notes tools — Keep, Docs, and Drive — occupy the lowest-privacy position among major options. Google holds the encryption keys and Google’s business model is built on using user data to improve AI products and advertising relevance.

Google’s privacy policy states that it uses content from its services to improve those services. Google Gemini, which is now integrated with Gmail and Workspace, has been documented analyzing content across Google’s services. With Gemini enabled in Workspace, notes, documents, and other content can be processed by AI that Google has integrated at the infrastructure level.

Google does not sell user content to advertisers directly. But it uses content to improve ad targeting models and AI capabilities in ways that create value Google captures commercially. The notes you write in Google Keep or Docs are processed by a company whose revenue depends on extracting useful signals from that content.

Google is also subject to the broadest law enforcement data request volume of any major tech company, by virtue of having the most users. Google’s transparency reports show hundreds of thousands of legal requests for user data annually.

For notes you’d rather keep private, Google’s tools are the highest-risk option among major services.


Microsoft OneNote

OneNote encrypts data at rest and in transit, with Microsoft holding the keys. Microsoft has historically been one of the more cooperative major tech companies with law enforcement legal process.

Microsoft Copilot, integrated with Microsoft 365 as of 2025, can analyze OneNote content for AI features. If you’re using OneNote within a personal Microsoft account with Copilot enabled, your notes are being processed by Microsoft’s AI infrastructure.

OneNote doesn’t have a compelling structural privacy story. It’s a reasonable tool for notes that don’t require strong privacy, and a poor choice for sensitive personal records.


Notion vs. Apple Notes vs. Obsidian: A Direct Comparison

| Property | Notion | Apple Notes (ADP off) | Apple Notes (ADP on) | Obsidian |
|---|---|---|---|---|
| Who holds keys | Notion | Apple | You | You (local) |
| Legal process compliance | Yes | Yes | No (no readable data) | N/A |
| AI processes your content | Yes (with AI features) | No | No | No (no server) |
| Ad-adjacent revenue model | No | No | No | No |
| Collaboration features | Strong | Limited | Limited | Via plugins |
| Setup complexity | Low | Low | Low | Higher |

This comparison is for the privacy-relevant architecture, not feature completeness. Notion is a richer productivity platform. The tradeoff is that richness requires Notion having readable access to your content.


The Private Notes Problem in Practice

Most notes don’t require strong privacy. A grocery list, a meeting agenda, a book recommendation — these don’t need end-to-end encryption.

But within most people’s notes, there’s content that does: health information, financial details, personal reflections, information about relationships, details about ongoing legal or professional situations. These notes sit in the same app, on the same servers, under the same terms as everything else.

The challenge is that most people don’t sort their notes by sensitivity when choosing an app. They pick one app and use it for everything. If that app is Notion or Google Docs, all of it — including the sensitive parts — is held by a company that can technically read it.

One practical approach is a tiered system: a less-private app for collaborative or non-sensitive notes, and a genuinely private option for sensitive personal content. Obsidian with a local vault handles the latter without requiring trust in a cloud service. Apple Notes with ADP enabled works similarly within Apple’s ecosystem.


Notes vs. Files

Many things people store in notes are not really notes. They’re records: saved documents, receipts, medical information, contract details, important emails. Notes apps have become catch-all repositories for documents that aren’t quite documents.

For this category of content — personal records that need to be stored and retrieved rather than written and developed — a private file storage service offers a different model than a notes app. Files stored in a secure storage service that encrypts at rest, doesn’t process content for AI training, and doesn’t run an ad-dependent business model have a cleaner privacy architecture than the same content stored in a notes app designed around collaboration and AI features.


What the Privacy Policy Actually Tells You

If you want to understand what your notes app does with your content, the privacy policy is the relevant document — not the marketing website.

Specific things to look for:

“We may use your content to improve our services.” This language, which appears in Google’s and others’ policies, is a broad grant to process your notes for AI training and product development.

“We share data with service providers.” This usually means AI processing providers. The question is which ones and under what terms.

“We may comply with legal requests.” The relevant question is whether compliance is possible. If the company holds your keys, compliance is possible. If you hold the keys, it isn’t.

What’s absent. A privacy policy that doesn’t mention AI processing of content, or that doesn’t specify encryption key management, is leaving things unsaid that are worth knowing.


The Default Problem

Across notes apps, the private option is usually not the default. Obsidian is local-first by default, but only because it has no cloud service to default to. Apple Notes defaults to iCloud without ADP. Notion has no privacy mode.

This means the privacy architecture most people are using is determined by the path of least resistance: whatever the app does when you sign up and start writing. For most cloud notes services, that path leads to a model where the company holds the keys.

Choosing privacy requires actively doing something different from the default. That’s true for notes apps the same way it’s true for photo storage, messaging, and email.

The question worth asking of any app that holds your private writing is the same one worth asking of any trusted keeper of sensitive information: not whether they say they’ll protect it, but whether they structurally can’t give it away even if they wanted to.
