What can I do about this clause?

{'method': 'EMAIL', 'recipient': 'privacy@hubspot.com', 'difficulty': 'EASY', 'action_type': 'DELETE_DATA', 'instructions': 'EEA or UK users can submit data subject rights requests including access, deletion, or portability by emailing privacy@hubspot.com or using the privacy request form linked in the policy.', 'deadline_days': None, 'deadline_hours': None} {'method': 'EMAIL', 'recipient': 'privacy@hubspot.com', 'difficulty': 'EASY', 'action_type': 'EXPORT_DATA', 'instructions': 'To request a copy of personal data held by HubSpot, email privacy@hubspot.com with a data portability request identifying the categories of data sought.', 'deadline_days': None, 'deadline_hours': None}

Which regulatory agencies enforce this type of clause?

{'agency': 'State_AG', 'reason': 'State attorneys general in states with comprehensive privacy laws may have authority over data rights request compliance for residents of those states.', 'complaint_url': 'https://www.naag.org/find-my-ag/'}

What is the severity of this clause?

ConductAtlas classifies this EU and UK Data Subject Rights clause as medium severity. Severity reflects the magnitude of rights affected, the breadth of users impacted, and the degree of discretion the platform retains.

Do other platforms have similar clauses?

Yes. ConductAtlas has identified similar EU and UK Data Subject Rights clauses across approximately 5 other tracked platforms. You can compare how platforms differ on this clause type in the cross-platform comparison view.

EU and UK Data Subject Rights — HubSpot

Share 𝕏 Share in Share 🔒 PDF

Recent governance activity HubSpot recorded 2 documented changes in the last 30 days.

Start monitoring updates

Monitor governance changes for HubSpot Create a free account to receive the weekly governance digest and monitor one platform for governance changes.

Create free account No credit card required.

Document Record

What it is

The policy states that individuals in the EEA, UK, and Switzerland have rights to access, rectification, erasure, restriction, objection, and portability of their personal data, and the right to lodge complaints with supervisory authorities.

ⓘ

This analysis describes what HubSpot's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology

ConductAtlas Analysis

Why it matters (compliance & governance perspective)

This provision documents HubSpot's acknowledgment of GDPR and UK GDPR data subject rights and the supervisory authority complaint pathway, establishing the operational framework for EU and UK individuals to exercise rights in relation to HubSpot-controlled data.

Consumer impact (what this means for users)

Under this provision, EEA, UK, and Switzerland-based users may submit requests to access, correct, delete, or export their personal data, or object to certain processing activities, by contacting HubSpot's privacy team directly.

What you can do

⚠️ These actions may provide transparency or partial mitigation but may not fully address the underlying issue. Effectiveness varies by jurisdiction and individual circumstances.

Delete Your Data

EEA or UK users can submit data subject rights requests including access, deletion, or portability by emailing privacy@hubspot.com or using the privacy request form linked in the policy.
Export Your Data

To request a copy of personal data held by HubSpot, email privacy@hubspot.com with a data portability request identifying the categories of data sought.

How other platforms handle this

Garmin Medium

If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...

Ledger Medium

At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.

Strava Medium

We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...

See all platforms with this clause type →

Monitoring

HubSpot has changed this document before.

Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.

Start Monitor free trial Or create a free account →

▸ View Original Clause Language DOCUMENT RECORD

"
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have certain rights regarding your personal data, including the right to access, rectify, erase, restrict processing, object to processing, and data portability. You may also have the right to lodge a complaint with your local supervisory authority.

— Excerpt from HubSpot's HubSpot Privacy Policy

ConductAtlas Analysis

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 15 through 22, the UK GDPR equivalent provisions, and the Swiss Federal Act on Data Protection. The Irish DPC is HubSpot's EU lead supervisory authority; the ICO is the UK authority. Data subjects have the right to escalate unresolved complaints to these authorities. 2. GOVERNANCE EXPOSURE: Medium. The provision establishes rights acknowledgment but does not specify response timelines, identity verification procedures, or the process for handling complex or contested requests. Organizations should confirm HubSpot's operational procedures for responding to rights requests within GDPR's one-month timeframe. 3. JURISDICTION FLAGS: EEA and UK users have the most direct rights under this provision. The bifurcation between HubSpot as controller and processor (addressed in a separate provision) means that rights applicable to data held within HubSpot products on behalf of customers must be directed to those customers, not to HubSpot. 4. CONTRACT AND VENDOR IMPLICATIONS: B2B customers using HubSpot should ensure their own privacy programs include procedures for receiving and forwarding data subject rights requests that relate to data processed by HubSpot on their behalf, consistent with their GDPR controller obligations. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should confirm that HubSpot's rights request intake process is functional and responsive, and should document how rights requests are routed internally between HubSpot's controller and processor functions. Response timelines and identity verification procedures should be assessed against GDPR requirements.

Full compliance analysis

Regulatory citations, enforcement risk, and due diligence action items.

Track 1 platform — free Try Monitor free for 14 days

Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.

Applicable agencies

State AG

State attorneys general in states with comprehensive privacy laws may have authority over data rights request compliance for residents of those states.
File a complaint →

Applicable regulations

Connecticut Data Privacy Act Amendments

US-CT

CAN-SPAM

United States Federal

FTC Act Section 5

United States Federal

GDPR

European Union

Indiana Consumer Data Protection Act

US-IN

Kentucky Consumer Data Protection Act

US-KY

Universal Opt-Out Mechanism Expansion 2026

VPPA

United States Federal

Provision details

Document information

Document

HubSpot Privacy Policy

Entity

HubSpot

Document last updated

May 5, 2026

Tracking information

First tracked

May 20, 2026

Last verified

May 20, 2026

Record ID

CA-P-012543

Document ID

CA-D-00208

Evidence Provenance

Source URL

https://legal.hubspot.com/privacy-policy

Wayback Machine

View archived versions →

Content hash (SHA-256)

658f3c0d5276314c83861e8a6d63cf646d152743f91342918596207ab1bce8a0

Analysis generated

May 20, 2026 22:36 UTC

Methodology

summarize_document-v8

Evidence

✓ Snapshot stored ✓ Hash verified

Citation Record

Entity: HubSpot
Document: HubSpot Privacy Policy
Record ID: CA-P-012543
Captured: 2026-05-20 22:36:33 UTC
SHA-256: 658f3c0d5276314c…
URL: https://conductatlas.com/platform/hubspot/hubspot-privacy-policy/eu-and-uk-data-subject-rights/
Accessed: June 8, 2026

Permanent archival reference. Stable identifier suitable for legal filings, compliance documentation, and research citation.

Classification

Severity

Medium

Other risks in this policy

Data Collection Scope medium
Controller vs. Processor Distinction high
Third-Party Data Sharing for Advertising medium
Cross-Border Data Transfers medium
California Privacy Rights medium
Cookies and Tracking Technologies medium

Compliance Governance Intelligence

Need to monitor specific governance provisions?

Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.

Arbitration clauses AI governance Data rights Indemnification Retention policies

Start Compliance free trial

Or start with Monitor →

Built from archived source documents, structured governance mappings, and historical version tracking.

Frequently Asked Questions

What does HubSpot's EU and UK Data Subject Rights clause do?

How does this clause affect you?

How many platforms have this type of clause?

ConductAtlas has identified this type of provision across 5 platforms. See the full comparison.

Is ConductAtlas affiliated with HubSpot?

No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by HubSpot.