HubSpot · HubSpot Privacy Policy

Dual Controller-Processor Model for Contact Data

High severity

What it is

When a business uses HubSpot's software, HubSpot stores and processes that business's customer list (including your email and contact details) on the business's behalf. The business — not HubSpot — is responsible for making sure it had your permission to put your data there.

Consumer impact (what this means for users)

Your email address, phone number, and interaction history may be stored in HubSpot's CRM by a business you've dealt with, without HubSpot being the entity responsible for obtaining your consent — making it harder to know who to contact if you want your data removed.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Email privacy@hubspot.com identifying yourself and requesting deletion of your Contact data. HubSpot will work with the relevant Customer to action the request.


Why it matters (compliance & risk perspective)

This means your personal data could be inside HubSpot's systems even if you've never directly signed up for HubSpot, and the business that uploaded it is the one legally responsible for having your consent.

Original clause language
Our Customers use our Services to, among other things, run their businesses and, in doing so, they direct us to collect, process and store 'Customer Data,' including information about their own customers and leads ('Contacts'). In these cases, HubSpot is providing services to the Customer as a data processor or service provider... HubSpot's Customers are responsible for ensuring they have the appropriate permissions and consents to process personal information in HubSpot's Services.

Institutional analysis (Compliance & legal intelligence)

(1) REGULATORY FRAMEWORK: This provision implicates GDPR Art. 4(8) (processor definition), Art. 28 (processor obligations and contractual requirements), Art. 29 (processing under controller authority), and Art. 82 (liability). Under CCPA §1798.140(ag), HubSpot functions as a 'service provider,' which limits its liability for onward use only if it contractually restricts its own use of the data. The primary enforcement authorities are EU/EEA national Data Protection Authorities, the UK ICO, and the California Privacy Protection Agency (CPPA). (2)


Applicable agencies

  • FTC
    FTC Act Section 5 applies to deceptive data practices; if HubSpot uses Contact data beyond its disclosed processor role, this could constitute an unfair or deceptive practice.

Provision details

Document information
Document: HubSpot Privacy Policy
Entity: HubSpot
Document last updated: April 29, 2026

Tracking information
First tracked: April 18, 2026
Last verified: April 18, 2026
Record ID: CA-P-002975
Document ID: CA-D-00208

Evidence Provenance
Source URL | Wayback Machine
SHA-256: 9086069c646a8fb26903326cd813947f9a89ebc0ea991c257cd0694abc31cafb
Verified: ✓ Snapshot stored   ✓ Change verified

How to Cite
ConductAtlas Policy Archive
Entity: HubSpot | Document: HubSpot Privacy Policy | Record: CA-P-002975
Captured: 2026-04-18 11:21:28 UTC | SHA-256: 9086069c646a8fb2…
URL: https://conductatlas.com/platform/hubspot/hubspot-privacy-policy/dual-controller-processor-model-for-contact-data/
Accessed: May 2, 2026

Classification
Severity: High
Categories
