When a business uses HubSpot's tools to manage contacts or run marketing campaigns, HubSpot is acting on that business's instructions, not as an independent decision-maker over your data. This means if you want to access or delete data a business holds about you in HubSpot, you need to contact that business, not HubSpot.
This analysis describes what HubSpot's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision determines who is responsible for your data and who you can hold accountable. If a company stored your email address in HubSpot without your knowledge, your legal rights run against that company, not HubSpot.
Simplified and clarified the controller-processor relationship, removing references to 'Customer Data' and 'Contacts' terminology in favor of more standardized 'personal data' language, and emphasized regulatory compliance responsibility.
View full change record →If your personal data (such as your email address, name, or purchase history) is held in a business's HubSpot CRM, your right to access, correct, or delete that data must be exercised with the business, not HubSpot. HubSpot's role in that context is limited to following the business's instructions.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
HubSpot has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"In providing the Products, HubSpot may process personal data on behalf of Customers. In this context, we are a data processor and the Customer is the data controller. The Customer is responsible for complying with any regulations or laws that require providing notice, disclosure, or obtaining consent prior to using HubSpot to collect this data. We process the data in accordance with our agreements with our Customers.— Excerpt from HubSpot's HubSpot Privacy Policy
REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 4(7) and 4(8) on controller and processor definitions, and Article 28 on processor obligations, enforced by EU data protection authorities including the Irish DPC as HubSpot's lead supervisory authority. Under CCPA/CPRA, the analogous distinction between business and service provider is relevant, enforced by the California Privacy Protection Agency. Where business customers fail to execute a Data Processing Agreement with HubSpot, this may create regulatory exposure for the business customer under GDPR Article 28(3). GOVERNANCE EXPOSURE: High. The controller/processor split means that business customers (HubSpot's enterprise and SMB clients) bear primary responsibility for lawfulness of processing, consent management, and data subject rights responses for data they upload or collect via HubSpot's tools. Failure by a business customer to establish appropriate legal bases for processing end-user data through HubSpot's platform creates direct regulatory exposure for that customer under GDPR and CCPA, not for HubSpot. JURISDICTION FLAGS: EU/EEA and UK jurisdictions create heightened exposure due to GDPR's explicit Data Processing Agreement requirement. California creates parallel exposure under CCPA's service provider contractual requirements. Business customers in regulated sectors (healthcare, financial services) face additional obligations if personal data processed through HubSpot falls within HIPAA or GLBA scope, which HubSpot's standard DPA may not address. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams must ensure a current, GDPR-compliant DPA with HubSpot is executed before processing EU/UK personal data through HubSpot's platform. The policy states that HubSpot processes data in accordance with its agreements with customers, which places the burden on the customer to ensure those agreements are adequate. Liability for processor non-compliance flows back to the controller under GDPR Article 82 in many circumstances, making DPA terms a material contract risk area. COMPLIANCE CONSIDERATIONS: Legal and compliance teams should audit whether existing HubSpot contracts include appropriate DPAs and SCC addenda. Data mapping exercises should identify all personal data categories flowing into HubSpot's platform from end-user interactions. Privacy notices issued to end users by business customers should accurately reflect HubSpot's role as a sub-processor or processor, as applicable. Regular vendor assessments of HubSpot's security certifications and sub-processor lists are advisable given the processor relationship.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision determines who is responsible for your data and who you can hold accountable. If a company stored your email address in HubSpot without your knowledge, your legal rights run against that company, not HubSpot.
If your personal data (such as your email address, name, or purchase history) is held in a business's HubSpot CRM, your right to access, correct, or delete that data must be exercised with the business, not HubSpot. HubSpot's role in that context is limited to following the business's instructions.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by HubSpot.