PSA: Anyone with a Link Can View Your Granola Notes by Default

Granola’s default link‑sharing model is a privacy blind spot that many users overlook. While the app markets itself as a secure AI notepad, any shared URL—intentionally or accidentally—can be opened in a private browser without authentication, exposing meeting summaries and partial transcripts. For enterprises that handle confidential negotiations or proprietary strategies, this inadvertent exposure could lead to competitive intelligence leaks or regulatory breaches, prompting IT departments to scrutinize the app’s configuration before adoption.

Beyond link visibility, Granola leverages user‑generated notes to fine‑tune its generative AI, a practice common among SaaS productivity tools. Non‑enterprise users are automatically enrolled in this data‑training loop, meaning every captured bullet point may contribute to model improvements unless the “Use my data to improve models for everyone” toggle is disabled. Compared with rivals like Notion or Evernote, which often require explicit consent for model training, Granola’s opt‑out approach places the onus on users to protect their data, raising questions about informed consent and compliance with emerging data‑privacy regulations such as the CCPA and GDPR.

Granola does employ robust security infrastructure: notes are encrypted at rest and in transit within a US‑hosted Amazon Web Services private cloud, and audio recordings are never stored. However, encryption alone does not mitigate the risk of public link exposure. Users should proactively adjust the default sharing setting to “Private” or “Only my company,” disable AI‑training participation, and regularly audit shared links. As AI‑driven productivity tools proliferate, organizations must balance convenience with stringent governance to safeguard intellectual property and maintain regulatory compliance.