HubSpot · HubSpot Privacy Policy

Dual Controller-Processor Model for Contact Data

High severity Unique · 0 of 343 platforms
Document Record

What it is

When a business uses HubSpot's software, HubSpot stores and processes that business's customer list (including your email and contact details) on the business's behalf. The business — not HubSpot — is responsible for making sure it had your permission to put your data there.

This analysis describes what HubSpot's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances.

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

The clause allocates data governance responsibilities between HubSpot and its customers by defining HubSpot's role as a service provider rather than an independent controller, which determines applicable legal obligations under data protection frameworks and establishes the customer as the entity accountable for lawful basis to process contact data.

Consumer impact (what this means for users)

Your email address, phone number, and interaction history may be stored in HubSpot's CRM by a business you've dealt with, without HubSpot being the entity responsible for obtaining your consent — making it harder to know who to contact if you want your data removed.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.
  • Delete Your Data
    Email privacy@hubspot.com identifying yourself and requesting deletion of your Contact data. HubSpot will work with the relevant Customer to action the request.

How other platforms handle this

DocuSign Medium

When our business customers use certain Services, we generally process and store limited personal information on their behalf as a data processor. For certain products such as Docusign's Contract Lifecycle Management (CLM) and Identity products, we may act as a processor and as a controller in certa...

Signal Medium

Signal can optionally discover which contacts in your address book are Signal users, using a service designed to protect the privacy of your contacts. Information from the contacts on your device may be cryptographically hashed and transmitted to the server in order to determine which of your contac...

Walmart Medium

We collect information about you when you shop in our stores, including through store cameras, loyalty programs, payment processing systems, and other in-store technologies. This information is used to improve store operations, loss prevention, and marketing.


Monitoring

HubSpot has changed this document before.

Original Clause Language

"Our Customers use our Services to, among other things, run their businesses and, in doing so, they direct us to collect, process and store 'Customer Data,' including information about their own customers and leads ('Contacts'). In these cases, HubSpot is providing services to the Customer as a data processor or service provider... HubSpot's Customers are responsible for ensuring they have the appropriate permissions and consents to process personal information in HubSpot's Services."

— Excerpt from HubSpot's HubSpot Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

(1) REGULATORY FRAMEWORK: This provision implicates GDPR Art. 4(8) (processor definition), Art. 28 (processor obligations and contractual requirements), Art. 29 (processing under controller authority), and Art. 82 (liability). Under CCPA §1798.140(ag), HubSpot functions as a 'service provider,' which limits its liability for onward use only if it contractually restricts its own use of the data. The primary enforcement authorities are EU/EEA national Data Protection Authorities, the UK ICO, and the California Privacy Protection Agency (CPPA). (2)


Applicable agencies

  • FTC
    FTC Act Section 5 applies to deceptive data practices; if HubSpot uses Contact data beyond its disclosed processor role, this could constitute an unfair or deceptive practice.

Applicable regulations

  • EU AI Act (European Union)
  • CCPA/CPRA (California, USA)
  • Colorado AI Act (US-CO)
  • CAN-SPAM (United States Federal)
  • ePrivacy Directive (European Union)
  • FTC Act Section 5 (United States Federal)
  • GDPR (European Union)

Provision details

Document information
Document: HubSpot Privacy Policy
Entity: HubSpot
Document last updated: May 5, 2026

Tracking information
First tracked: April 18, 2026
Last verified: April 18, 2026
Record ID: CA-P-002975
Document ID: CA-D-00208

Evidence Provenance
Source URL
Wayback Machine
Content hash (SHA-256): 9086069c646a8fb26903326cd813947f9a89ebc0ea991c257cd0694abc31cafb
Analysis generated: April 18, 2026 11:21 UTC
Methodology
Evidence
✓ Snapshot stored   ✓ Hash verified
Citation Record
Entity: HubSpot
Document: HubSpot Privacy Policy
Record ID: CA-P-002975
Captured: 2026-04-18 11:21:28 UTC
SHA-256: 9086069c646a8fb2…
URL: https://conductatlas.com/platform/hubspot/hubspot-privacy-policy/dual-controller-processor-model-for-contact-data/
Accessed: June 17, 2026
Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.
Classification
Severity: High
Categories


Frequently Asked Questions

Is ConductAtlas affiliated with HubSpot?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by HubSpot.