HubSpot · HubSpot Privacy Policy

Cross-Border Data Transfers (SCCs and EU-U.S. Data Privacy Framework)

Medium severity
Share 𝕏 Share in Share 🔒 PDF

What it is

When HubSpot moves your data from Europe or the UK to the United States or other countries, it relies on legal mechanisms like Standard Contractual Clauses or the EU-U.S. Data Privacy Framework to make that transfer lawful.

Consumer impact (what this means for users)

Your personal data processed by HubSpot (a U.S.-headquartered company) is transferred to the United States, and the legal mechanism protecting that transfer could be challenged or invalidated, potentially leaving your data with reduced legal protections.

Cross-platform context

See how other platforms handle Cross-Border Data Transfers (SCCs and EU-U.S. Data Privacy Framework) and similar clauses.

Compare across platforms →
Need full compliance memos? See Professional →

Why it matters (compliance & risk perspective)

The legal adequacy of cross-border data transfers has been challenged repeatedly (Schrems I and II), and if the EU-U.S. Data Privacy Framework is invalidated again, the lawfulness of your data being held in the U.S. could be called into question.

View original clause language
When we transfer your personal data outside the EEA or UK, we ensure an adequate level of protection is afforded to it by ensuring at least one of the following safeguards is implemented: transfers are to countries that have been deemed to provide an adequate level of protection for personal data; we use specific contracts approved by the European Commission, known as 'standard contractual clauses'; or the organization is registered under a Privacy Shield or Data Privacy Framework program.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: GDPR Art. 44-49 governs cross-border transfers; the EU-U.S. Data Privacy Framework was adopted by European Commission Adequacy Decision of July 10, 2023, but remains subject to challenge (cf. Schrems II, Case C-311/18). Standard Contractual Clauses are governed by EC Implementing Decision 2021/914. UK transfers are governed by UK GDPR and the UK's International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs. The primary enforcement authority for transfer adequacy is the EDPB and national DPAs. (2)

🔒

Compliance intelligence locked

Regulatory citations, enforcement risk, and due diligence action items.

Watcher $9.99/mo Professional $149/mo

Watcher: regulatory citations. Professional: full compliance memo.

Applicable agencies

  • State AG
    EU/UK residents should contact their national Data Protection Authority; U.S. state AGs have jurisdiction over deceptive practices related to inadequate transfer safeguards.
    File a complaint →

Provision details

Document information
Document
HubSpot Privacy Policy
Entity
HubSpot
Document last updated
April 29, 2026
Tracking information
First tracked
April 18, 2026
Last verified
April 18, 2026
Record ID
CA-P-002977
Document ID
CA-D-00208
Evidence Provenance
Source URL
https://legal.hubspot.com/privacy-policy
Wayback Machine
View archived versions →
SHA-256
9086069c646a8fb26903326cd813947f9a89ebc0ea991c257cd0694abc31cafb
Verified
✓ Snapshot stored   ✓ Change verified
How to Cite
ConductAtlas Policy Archive
Entity: HubSpot | Document: HubSpot Privacy Policy | Record: CA-P-002977
Captured: 2026-04-18 11:21:28 UTC | SHA-256: 9086069c646a8fb2…
URL: https://conductatlas.com/platform/hubspot/hubspot-privacy-policy/cross-border-data-transfers-sccs-and-eu-us-data-privacy-framework/
Accessed: May 2, 2026
Classification
Severity
Medium
Categories
Unknown

Other provisions in this document