What are the institutional and regulatory implications of this document?

1. REGULATORY LANDSCAPE: This policy engages the GDPR (EU) and UK GDPR, the California Consumer Privacy Act as amended by the CPRA, and references Brazil's LGPD, Canada's PIPEDA, and other regional frameworks. Enforcement authorities include the Irish Data Protection Commission as HubSpot's EU lead supervisory authority, the UK Information Commissioner's Office, and the California Privacy Protection Agency. The policy's reliance on legitimate interests as a legal basis for marketing and analyti…

How does HubSpot's HubSpot Privacy Policy affect users?

The agreement establishes that HubSpot collects identifiers, device data, usage activity, geolocation, and billing information from website visitors and product users, and authorizes sharing this data with advertising, analytics, social media, and reseller partners. Under these terms, EU and UK residents may exercise rights of access, rectification, erasure, restriction, and portability, while California residents may request disclosure of data categories collected and opt out of certain data s…

How often is HubSpot's HubSpot Privacy Policy updated?

ConductAtlas monitors this document daily and captures every version with cryptographic hashing and timestamp verification. Update frequency varies — see the change timeline on this page for complete version history.

Can I get alerted when HubSpot updates this document?

Yes. Monitor subscribers ($19/month) can add HubSpot to their watchlist and receive same-day email alerts whenever this document or any other HubSpot document changes.

CA-D-000208

HubSpot Privacy Policy

HubSpot

Last change detected May 14, 2026 Privacy policy

SHA-256: 2525c6c32c56bd1111f… 5 versions captured 4 changes documented

Create free account

Track 1 platform and get the weekly governance digest. No credit card required.

View original document at HubSpot ↗

This page describes what the document states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability may vary by jurisdiction. Methodology

10 Total

1 High severity

7 Medium severity

2 Low severity

Summary

This is HubSpot's privacy policy covering how the company collects and uses personal data from visitors to its websites, users of its software products, and contacts of HubSpot customers. The policy authorizes HubSpot to collect identifiers, usage activity, device data, location information, and billing details, and to share this data with service providers, advertising platforms, analytics vendors, social media partners, and resellers for purposes including marketing, product improvement, and fraud prevention. The policy also discloses that HubSpot acts as a data processor for data submitted by its business customers into HubSpot products, meaning data subject rights requests related to that data must be directed to the relevant HubSpot customer rather than to HubSpot directly.

Technical / Legal Breakdown

This document is HubSpot's privacy policy governing the collection, use, storage, and disclosure of personal data across HubSpot's websites, products, and services, with legal bases including consent, legitimate interests, and contractual necessity as described in the policy. The policy states that HubSpot collects identifiers (name, email address, phone number), company information, billing data, device and browser information, IP addresses, geolocation data, usage and activity data, and content submitted by users, and the terms authorize use of this data for product delivery, marketing communications, analytics, fraud prevention, and legal compliance. The policy discloses data sharing with service providers, advertising partners, social media platforms, resellers, and affiliates, and authorizes cross-border transfers of personal data outside the EEA using mechanisms including Standard Contractual Clauses. The policy engages GDPR for EU and EEA residents, the UK GDPR for UK residents, CCPA and CPRA for California residents, and references additional regional privacy frameworks; the document distinguishes between HubSpot acting as a data controller for visitor and prospect data and as a data processor for customer-submitted data processed within HubSpot's products. Material compliance considerations include the dual controller-processor role, which affects where data subject rights requests are directed, and the scope of marketing data shared with advertising and social media partners, which may require evaluation under GDPR consent and legitimate interest standards.

Institutional Analysis

Institutional analysis available with Compliance

Regulatory exposure by statute, material risk assessment, vendor due diligence action items, and enforcement precedent. Available on Compliance.

Start Compliance free trial

4 important changes detected

5 versions captured · Last updated: May 2026

May 14, 2026

low

What changed HubSpot's privacy policy footer navigation was updated on May 14, 2026 to include two new product references ('HubSpot AEO' and 'AEO Sensor') and one new navigation link ('Sustainability'), while also reorganizing some product menu items. These are navigation and menu updates in the footer of the policy document, not changes to substantive privacy terms, data practices, or user rights.

Why this matters This change affects the navigation and product references displayed in the footer of HubSpot's privacy policy document. No substantive privacy terms, data collection practices, rights, or obligations were modified. The updates add navigation links to new products and company information without altering how HubSpot collects, uses, or protects user data.

View full change record →

April 29, 2026

low

What changed HubSpot removed 'Privacy Policy' from the navigation submenu under 'Legal Center for Customers' and added it instead under the 'Legal Center for Everyone' submenu on April 29, 2026. This is a navigation and organizational change with no modification to the actual privacy policy text or terms. The substantive privacy commitments and disclosures remain unchanged.

Why this matters This change is a navigation reorganization with no impact on HubSpot's privacy terms, data practices, or consumer rights. The Privacy Policy content remains identical; it has simply been moved to a different location in the Legal Center menu structure. No consumer action is required.

View full change record →

April 23, 2026 low

HubSpot's privacy policy footer was updated on April 23, 2026, with minor removals from the navigation menu that appears at the bottom of their website. Specifically, references to 'Website Grader', …

View change record →

April 22, 2026 low

HubSpot's privacy policy document structure was updated on April 22, 2026, with minor changes to the legal center navigation menu. Specifically, the navigation reorganized where the Privacy Policy link appears …

View change record →

High — 1 provision

Controller vs. Processor Distinction Compare →

The policy states that HubSpot acts as a data controller for visitor and user data but as a data processor for data that business customers submit into HubSpot products, directing data subject inquiries about that second category to the relevant HubSpot customer rather than to HubSpot.

Added May 20, 2026 Standard Seen across 284 platforms

Medium — 7 provisions

Data Collection Scope Compare →

The policy states that HubSpot collects personal data that users directly provide, data generated through use of the services, and data received from third-party websites, services, and partners.

Added May 8, 2026 Standard Seen across 284 platforms
Third-Party Data Sharing for Advertising Compare →

The policy authorizes HubSpot to share user data with advertising vendors who use cookies, web beacons, and similar tracking technologies to deliver targeted advertisements on third-party websites and services.

Added May 20, 2026 Standard Seen across 284 platforms
Cross-Border Data Transfers Compare →

The policy discloses that personal data may be transferred internationally, including to the United States, and states that HubSpot uses Standard Contractual Clauses as a transfer mechanism for EU data.

Added May 20, 2026 Standard Seen across 284 platforms
EU and UK Data Subject Rights Compare →

The policy states that individuals in the EEA, UK, and Switzerland have rights to access, rectification, erasure, restriction, objection, and portability of their personal data, and the right to lodge complaints with supervisory authorities.

Added May 20, 2026 Standard Seen across 284 platforms
California Privacy Rights Compare →

The policy states that California residents have rights under the CCPA and CPRA to know, delete, and opt out of the sale or sharing of their personal information, and have a right to non-discrimination for exercising these rights.

Added May 20, 2026 Standard Seen across 284 platforms
Cookies and Tracking Technologies Compare →

The policy states that HubSpot uses cookies, web beacons, and similar tracking technologies to monitor user activity and store information, and discloses that refusing cookies may limit access to certain service features.

Added April 18, 2026 Standard Seen across 284 platforms
Data Retention Compare →

The policy states that personal data is retained for as long as there is a legitimate business need, including service delivery and legal, tax, or accounting compliance obligations, without specifying fixed retention periods for individual data categories.

Added April 18, 2026 Standard Seen across 284 platforms

Low — 2 provisions

Marketing Communications and Opt-Out Compare →

The policy states that HubSpot may send marketing communications about third-party products and services using personal information, and provides opt-out by unsubscribe link or email to privacy@hubspot.com.

Added May 20, 2026 Standard Seen across 284 platforms
Policy Update and Notification Procedure Compare →

The policy states that HubSpot may update the privacy policy at any time, with notification via webpage posting and, where appropriate, by email or other means, and advises users to review the policy periodically.

Added May 20, 2026 Standard Seen across 284 platforms

Monitoring

HubSpot has updated this document before.

Monitor includes same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

Compliance Governance Intelligence

Need provision-level monitoring and regulatory mapping?

Compliance includes governance timelines, compliance memos, audit-ready analysis, and full provision tracking.

Start Compliance free trial

Cross-platform context

See how other platforms handle Controller vs. Processor Distinction and similar clauses.

Compare across platforms →

Archival ProvenanceSource & Archival Record

Last Captured May 14, 2026 00:23 UTC

Capture Method Automated scheduled archival capture

Document ID CA-D-000208

Version ID CA-V-002573

Source URL https://legal.hubspot.com/privacy-policy

Wayback Machine View external archival references →

SHA-256 2525c6c32c56bd1111ff6be890d05a9a33878ff1657f79020724f2e744e49ea2

✓ Snapshot stored ✓ Text extracted ✓ Change verified ✓ Hash verified

HubSpot Privacy Policy

May 14, 2026

April 29, 2026

Monitor governance changes across the platforms you rely on.