When a business uses HubSpot's tools to manage contacts or run marketing campaigns, HubSpot is acting on that business's instructions, not as an independent decision-maker over your data. This means if you want to access or delete data a business holds about you in HubSpot, you need to contact that business, not HubSpot.
This analysis describes what HubSpot's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision determines who is responsible for your data and who you can hold accountable. If a company stored your email address in HubSpot without your knowledge, your legal rights run against that company, not HubSpot.
If your personal data (such as your email address, name, or purchase history) is held in a business's HubSpot CRM, your right to access, correct, or delete that data must be exercised with the business, not HubSpot. HubSpot's role in that context is limited to following the business's instructions.
How other platforms handle this
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
At Workday, we believe privacy is a fundamental right, regardless of where you live. When you connect with Workday, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use, and share that information.
When you visit a website built on Squarespace, Squarespace acts as a service provider or data processor, meaning that we process your information on behalf of the website owner. In this case, the website owner is responsible for the information they collect through their website and you should conta...
Monitoring
HubSpot has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"In providing the Products, HubSpot may process personal data on behalf of Customers. In this context, we are a data processor and the Customer is the data controller. The Customer is responsible for complying with any regulations or laws that require providing notice, disclosure, or obtaining consent prior to using HubSpot to collect this data. We process the data in accordance with our agreements with our Customers.— Excerpt from HubSpot's HubSpot Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 4(7) and 4(8) on controller and processor definitions, and Article 28 on processor obligations, enforced by EU data protection authorities including the Irish DPC as HubSpot's lead supervisory authority. Under CCPA/CPRA, the analogous distinction between business and service provider is relevant, enforced by the California Privacy Protection Agency. Where business customers fail to execute a Data Processing Agreement with HubSpot, this may create regulatory exposure for the business customer under GDPR Article 28(3). GOVERNANCE EXPOSURE: High. The controller/processor split means that business customers (HubSpot's enterprise and SMB clients) bear primary responsibility for lawfulness of processing, consent management, and data subject rights responses for data they upload or collect via HubSpot's tools. Failure by a business customer to establish appropriate legal bases for processing end-user data through HubSpot's platform creates direct regulatory exposure for that customer under GDPR and CCPA, not for HubSpot. JURISDICTION FLAGS: EU/EEA and UK jurisdictions create heightened exposure due to GDPR's explicit Data Processing Agreement requirement. California creates parallel exposure under CCPA's service provider contractual requirements. Business customers in regulated sectors (healthcare, financial services) face additional obligations if personal data processed through HubSpot falls within HIPAA or GLBA scope, which HubSpot's standard DPA may not address. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams must ensure a current, GDPR-compliant DPA with HubSpot is executed before processing EU/UK personal data through HubSpot's platform. The policy states that HubSpot processes data in accordance with its agreements with customers, which places the burden on the customer to ensure those agreements are adequate. Liability for processor non-compliance flows back to the controller under GDPR Article 82 in many circumstances, making DPA terms a material contract risk area. COMPLIANCE CONSIDERATIONS: Legal and compliance teams should audit whether existing HubSpot contracts include appropriate DPAs and SCC addenda. Data mapping exercises should identify all personal data categories flowing into HubSpot's platform from end-user interactions. Privacy notices issued to end users by business customers should accurately reflect HubSpot's role as a sub-processor or processor, as applicable. Regular vendor assessments of HubSpot's security certifications and sub-processor lists are advisable given the processor relationship.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision determines who is responsible for your data and who you can hold accountable. If a company stored your email address in HubSpot without your knowledge, your legal rights run against that company, not HubSpot.
If your personal data (such as your email address, name, or purchase history) is held in a business's HubSpot CRM, your right to access, correct, or delete that data must be exercised with the business, not HubSpot. HubSpot's role in that context is limited to following the business's instructions.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by HubSpot.