The policy states that HubSpot acts as a data controller for visitor and user data but as a data processor for data that business customers submit into HubSpot products, directing data subject inquiries about that second category to the relevant HubSpot customer rather than to HubSpot.
This analysis describes what HubSpot's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes a bifurcated data governance structure in which data subject rights requests for customer-submitted data must be directed to HubSpot's business customers, not to HubSpot directly, which affects how data subjects can exercise GDPR and CCPA rights depending on the category of data at issue.
Under this provision, individuals whose data has been submitted into HubSpot by a business (such as a contact in a company's CRM) must direct access, deletion, or portability requests to that business rather than to HubSpot, as HubSpot acts only as a data processor for that data.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
HubSpot has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"HubSpot is the data controller for information we collect about visitors, customers, and users. For information that our customers submit to our Services (including information submitted about their own contacts and leads), HubSpot is the data processor and our customers are the data controllers. If you have questions about the personal information that a HubSpot customer has submitted to our Services, please direct your questions to that customer.— Excerpt from HubSpot's HubSpot Privacy Policy
1. REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 4, 24, and 28, which define the obligations of controllers and processors and require documented data processing agreements between them. The CCPA similarly distinguishes between businesses and service providers. The Irish DPC and relevant EU member state supervisory authorities have jurisdiction over GDPR compliance. 2. GOVERNANCE EXPOSURE: High. Organizations using HubSpot as a CRM or marketing automation platform are the data controllers for contact data submitted into HubSpot, and must ensure their own privacy notices, data processing agreements with HubSpot, and data subject rights processes account for this structure. 3. JURISDICTION FLAGS: EU and EEA organizations face the highest exposure given GDPR processor agreement requirements. UK organizations must comply with UK GDPR equivalent obligations. California-based organizations should assess whether their use of HubSpot as a service provider is documented consistent with CCPA service provider definitions. 4. CONTRACT AND VENDOR IMPLICATIONS: The policy's processor assertion requires that organizations using HubSpot have a compliant Data Processing Agreement (DPA) in place. Teams should confirm that HubSpot's current DPA covers all relevant processing activities, sub-processor disclosures, and breach notification timelines required under GDPR Article 28. 5. COMPLIANCE CONSIDERATIONS: Legal teams should review whether their organization's privacy notice adequately describes HubSpot as a processor of contact and lead data, and should ensure internal data subject rights workflows route requests appropriately based on whether HubSpot is acting as controller or processor in the relevant context.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes a bifurcated data governance structure in which data subject rights requests for customer-submitted data must be directed to HubSpot's business customers, not to HubSpot directly, which affects how data subjects can exercise GDPR and CCPA rights depending on the category of data at issue.
Under this provision, individuals whose data has been submitted into HubSpot by a business (such as a contact in a company's CRM) must direct access, deletion, or portability requests to that business rather than to HubSpot, as HubSpot acts only as a data processor for that data.
ConductAtlas has identified this type of provision across 2 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by HubSpot.