Do I need to disclose HubSpot in my privacy policy?

Yes. HubSpot collects extensive personal data including email addresses, IP addresses, browsing behavior, and form submissions. Under GDPR, CCPA, and similar regulations, you must disclose all data collection tools and explain how user data is processed. HubSpot's tracking is substantial enough that omission could violate privacy laws.

What specific data does HubSpot collect?

HubSpot collects email addresses, form submission data, pages visited on your website, IP addresses, company information (via enrichment), email open and click tracking, chat messages, and visitor session data. It assigns unique identifiers to visitors to build comprehensive behavioral profiles across multiple sessions and devices.

Does HubSpot require a cookie consent banner?

Yes. HubSpot deploys four persistent marketing cookies (__hssc, __hssrc, __hstc, and hubspotutk) that track visitor behavior. Under GDPR and similar laws, you must obtain explicit prior consent before deploying these cookies. A cookie banner is required to disclose these tracking cookies and obtain user opt-in.

Who processes my data in HubSpot and where is it stored?

HubSpot Inc, based in the United States, is the data processor. Data is transferred to and processed in the U.S. If you have EU or UK users, you must ensure an adequate legal mechanism (like Standard Contractual Clauses) is in place, as the U.S. lacks an adequacy decision under GDPR.

CRM & Marketing

Privacy policy clauses for HubSpot

HubSpot is a cloud-based CRM and marketing automation platform that tracks visitor behavior, manages customer relationships, and automates marketing campaigns. Websites use it to capture leads, monitor user engagement, and nurture prospects through email and personalized content.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data HubSpot collects

Your privacy policy must disclose each of the following data types when you use HubSpot.

Email address

Form submissions

Pages visited

IP address

Company info (via enrichment)

Email open/click tracking

Chat messages

When does HubSpot trigger privacy obligations?

Installation Triggers Immediate Obligations

Common compliance pitfalls

Cookie	Duration	Category	Purpose
__hssc	30 min	marketing	Session tracking
__hssrc	session	marketing	Session reset
__hstc	13 months	marketing	Visitor tracking
hubspotutk	13 months	marketing	Visitor identity

Pitfall 1: Undisclosed Email Tracking

The mistake: Teams deploy HubSpot's email tool (e.g., sales sequences or marketing campaigns) without updating their privacy notice or consent disclosures to cover email open/click tracking.

Why it happens with HubSpot: Email tracking is invisible to the recipient—there is no user interface warning that opens and clicks are monitored. Compliance teams often focus on the website cookie banner but overlook that HubSpot's email tracking pixels are a *separate* data flow requiring *separate* disclosure and, in many jurisdictions, consent.

Consequence: GDPR violation of Article 13 (failure to provide pre-collection transparency). CCPA violation of Section 1798.100(b) (missing required privacy notice disclosures). Regulators (e.g., UK ICO, Irish DPC) treat undisclosed email tracking as high-severity because it involves inference of behavior (read status) without knowledge. Potential fines and mandatory disable of email tracking until remedied.

Pitfall 2: Misconfigured Consent Categories

The mistake: Cookie banners accept 'Analytics' consent but route HubSpot's __hstc and hubspotutk cookies (which HubSpot classifies as marketing cookies for visitor identification and re-targeting) into the analytics category instead of marketing. This creates a consent-category mismatch.

Why it happens with HubSpot: HubSpot documentation groups cookies by purpose (session, visitor ID, marketing) rather than by consent category (analytics vs. marketing). Operators misread "analytics tracking" in HubSpot's cookie descriptions and assume consent for 'analytics' is sufficient.

Consequence: GDPR Article 7(4) violation: marketing cookies require separate, affirmative consent. Auditors flag the mismatch immediately. If a user consents only to analytics, HubSpot's visitor-identity and re-targeting cookies should be blocked. Failure to block results in processing without lawful basis under Article 6.

Pitfall 3: Missing DPA with HubSpot Inc.

The mistake: Operators add HubSpot without signing a Data Processing Addendum (DPA). HubSpot is a data processor (you control *how* it's used; HubSpot processes data on your instructions), so a DPA is legally required under GDPR and CCPA.

Why it happens with HubSpot: HubSpot's standard Terms of Service include processor terms, but teams assume this is sufficient and don't request or review HubSpot's DPA. Smaller teams skip the formal procurement step.

Consequence: GDPR Article 28(3) violation: no documented processor agreement. If audited, regulators view this as a critical gap. Even if HubSpot's terms are adequate, the absence of a signed, specific DPA is itself non-compliant. CCPA Section 1798.140(w) also requires processors to certify they understand CCPA restrictions. Without a DPA, you cannot legally claim HubSpot is a processor under CCPA.

Privacy policy clauses for HubSpot

What data HubSpot collects

When does HubSpot trigger privacy obligations?

Installation Triggers Immediate Obligations

Regulation Triggers by Jurisdiction

Where data goes

Cookies set by HubSpot

Common compliance pitfalls

Pitfall 1: Undisclosed Email Tracking

Pitfall 2: Misconfigured Consent Categories

Pitfall 3: Missing DPA with HubSpot Inc.

Legal note

Sample privacy policy clause

What regulators look for

Audit Priorities

Frequently asked questions

Do I need to disclose HubSpot in my privacy policy?

What specific data does HubSpot collect?

Does HubSpot require a cookie consent banner?

Who processes my data in HubSpot and where is it stored?

Don't ship without Bandit.