Depending on where you live, you may have legal rights to see, correct, delete, or export the personal data HubSpot holds about you, and you can submit these requests by emailing privacy@hubspot.com.
This analysis describes what HubSpot's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
These rights are a core privacy protection, but they apply only to data for which HubSpot is the controller. If your data is in a business customer's HubSpot account, you must contact that business instead.
Direct HubSpot users and website visitors can contact HubSpot to access or delete their personal data, but individuals whose data is stored in a business customer's HubSpot CRM must direct these requests to that business, not HubSpot. The rights available also vary by jurisdiction.
Cross-platform context
See how other platforms handle Data Subject Rights Request Process and similar clauses.
Compare across platforms →Monitoring
HubSpot has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Depending on your location and subject to applicable law, you may have the following rights with regard to your personal data: The right to access personal data we hold about you; The right to correct inaccurate personal data; The right to request deletion of your personal data; The right to object to or restrict processing of your personal data; The right to data portability; The right to withdraw consent. To exercise any of these rights, please contact us at privacy@hubspot.com.— Excerpt from HubSpot's HubSpot Privacy Policy
REGULATORY LANDSCAPE: This provision engages GDPR Articles 15 through 22 (data subject rights), which are enforced by EU supervisory authorities including the Irish DPC. CCPA/CPRA grants California residents rights to know, delete, correct, and opt out of sale, enforced by the California Privacy Protection Agency. UK GDPR and Brazil's LGPD include analogous rights. Response time obligations under GDPR (one month, extendable) and CCPA (45 days, extendable) apply to HubSpot as controller for directly collected data. GOVERNANCE EXPOSURE: Medium. The scope of HubSpot's rights obligations as controller is limited by the controller/processor distinction. However, HubSpot must maintain operationally sound processes for verifying identity and responding to requests within statutory deadlines. Failure to respond within GDPR or CCPA timeframes creates direct regulatory exposure. JURISDICTION FLAGS: EU/EEA and UK users have the broadest statutory rights under GDPR. California residents have CCPA/CPRA rights including the right to opt out of data sale. Brazil's LGPD and Canada's PIPEDA create analogous rights for users in those jurisdictions. Jurisdictions without comprehensive privacy laws may have fewer enforceable rights, and the policy acknowledges applicability depends on location. CONTRACT AND VENDOR IMPLICATIONS: Business customers should ensure their own privacy notices accurately describe where end-user data subject requests should be directed (to the business, not HubSpot) and must have processes in place to fulfill requests for data held in HubSpot's systems, including the ability to instruct HubSpot to delete or export data on behalf of a data subject. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that HubSpot's data subject request intake process is operational and that response tracking is in place to meet statutory deadlines. Data mapping should confirm which personal data categories are held by HubSpot as controller versus processor to correctly route incoming requests. Business customers should test their ability to action deletion or export requests for data held in HubSpot accounts within applicable timeframes.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
These rights are a core privacy protection, but they apply only to data for which HubSpot is the controller. If your data is in a business customer's HubSpot account, you must contact that business instead.
Direct HubSpot users and website visitors can contact HubSpot to access or delete their personal data, but individuals whose data is stored in a business customer's HubSpot CRM must direct these requests to that business, not HubSpot. The rights available also vary by jurisdiction.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by HubSpot.