Why HubSpot Users Need a Privacy Policy
HubSpot is an all-in-one platform for CRM, marketing, sales, and customer service. From the moment you install the HubSpot tracking code on your website, it begins collecting visitor data. Every form submission, email open, and chat conversation adds personal data to your contact database. This makes you the data controller, and you are legally required to disclose what data is collected and how it is used.
Three separate requirements mandate a privacy policy for HubSpot users:
HubSpot's Terms of Service: HubSpot requires all customers to maintain a privacy policy that discloses the use of their platform and tracking technologies
GDPR (EU visitors and contacts): You must disclose the legal basis for processing, data retention, cookie usage, and contact rights before collecting any data
CCPA (California residents): Requires disclosure of data categories collected, the purpose of collection, and the right to opt out of data sales
Can I just link to HubSpot's privacy policy instead of writing my own?
No. HubSpot's privacy policy covers how they handle data as a company. As the data controller, you need your own policy explaining what data you collect through HubSpot, why you collect it, and how you use HubSpot to process it. Linking to HubSpot's policy does not fulfill your legal obligation.
HubSpot Products and Their Data Collection
Each HubSpot product collects different types of data that must be disclosed in your privacy policy.
| Product | Data Collected | Disclosure Required |
|---|---|---|
| CRM | Contact names, emails, companies, activity history | Contact storage, data retention, third-party sharing |
| Marketing Hub | Email opens, clicks, form submissions, ad interactions | Tracking methods, profiling, lead scoring |
| Sales Hub | Email tracking, meeting bookings, call recordings | One-to-one email tracking, recording consent |
| Service Hub | Ticket data, chat transcripts, feedback surveys | Support data storage, satisfaction tracking |
| CMS Hub | Page views, visitor behavior, form data, A/B testing | Website cookies, analytics, personalization |
| Operations Hub | Synced data from third-party tools, data mappings | Data integration sources, cross-platform sharing |
The more HubSpot products you use, the more data you collect and the more detailed your privacy policy needs to be. For SaaS-specific requirements, see our SaaS privacy policy guide.
HubSpot Tracking Code and Website Analytics
The HubSpot tracking code is a JavaScript snippet installed on every page of your website. It is the foundation of HubSpot's analytics and connects website visitor behavior to contact records in your CRM. Your privacy policy must disclose how this tracking code works.
Page view tracking: The tracking code records every page a visitor views, including the URL, time spent on page, and scroll depth
Visitor identification: HubSpot sets first-party cookies (__hstc, hubspotutk, __hssc) to identify returning visitors and link their browsing history to CRM records
Referral source tracking: The code captures how visitors arrived at your site, including search terms, referring URLs, UTM parameters, and ad campaign data
Device and browser data: Browser type, operating system, screen resolution, and language preferences are collected for analytics and content optimization
Forms and Landing Pages
HubSpot forms are one of the primary ways personal data enters your CRM. Whether embedded on your website or hosted on HubSpot landing pages, each form submission creates or updates a contact record. Your privacy policy must explain what data is collected through forms and how it is used.
Form field data: Every field in your form (name, email, phone, company, job title) is stored in the CRM as a contact property
Hidden fields and metadata: HubSpot automatically captures the submission IP address, timestamp, page URL, and UTM parameters alongside form data
Progressive profiling: HubSpot can show different form fields to returning visitors to gradually collect more information over time. This must be disclosed
Landing page analytics: HubSpot landing pages track views, conversion rates, A/B test variants, and visitor behavior before and after form submission
If you collect email addresses through HubSpot forms, see our guide on privacy policies for collecting emails.
Email Marketing and Tracking
HubSpot's email tools track engagement at both the campaign level and the individual contact level. This data feeds into lead scoring, workflow triggers, and reporting. Your privacy policy must disclose these tracking practices.
Open tracking: HubSpot embeds a tracking pixel in emails to detect when a recipient opens the message, recording their IP address, device, and timestamp
Click tracking: All links in HubSpot emails are routed through redirect URLs that log which contacts clicked, when they clicked, and how many times
One-to-one email tracking: Sales Hub tracks individual emails sent from your inbox, notifying sales reps when a prospect opens or clicks. This applies to personal sales emails, not just marketing campaigns
Lead scoring impact: Email engagement data directly affects contact lead scores, which may trigger automated workflows, sales notifications, or list segmentation
Can I disable email tracking in HubSpot?
Yes. HubSpot allows you to disable open and click tracking for individual emails and at the account level. However, if tracking is enabled (the default for both Marketing Hub and Sales Hub), you must disclose it in your privacy policy. Many businesses keep tracking enabled for lead scoring and reporting purposes.
Chatbot and Live Chat Data
HubSpot's chatbot and live chat tools collect data during every conversation. Chat interactions create or update contact records and are stored as part of the contact timeline. Your privacy policy must address how chat data is handled.
Chat transcripts: Every conversation is saved and linked to the visitor's contact record, including messages, timestamps, and any information shared during the chat
Visitor identification: HubSpot uses cookies to identify returning chat visitors. If a visitor provides their email, the chat history is merged with their existing CRM record
Chatbot data collection: Automated chatbot flows can collect names, emails, phone numbers, and custom qualifying questions before routing to a live agent
Chat routing metadata: HubSpot logs which team member handled the chat, response times, and resolution status for reporting purposes
Contact Database and Segmentation
HubSpot's CRM stores a comprehensive record for every contact, combining data from forms, emails, website visits, chats, and third-party integrations. The way you organize, segment, and use this data has direct privacy implications.
Contact properties: HubSpot stores dozens of default properties (name, email, lifecycle stage, lead score) plus any custom properties you create. All stored data must be disclosed
Activity timeline: Every interaction (page view, email open, form submission, chat, call) is logged on the contact timeline, creating a detailed behavioral profile
List segmentation: Active and static lists segment contacts based on properties and behavior. This constitutes profiling under GDPR and requires disclosure
Data enrichment: HubSpot can enrich contact records with company data, social profiles, and firmographic information from third-party sources
For broader website compliance, see our guide on privacy policies for websites.
Common Mistakes in HubSpot Privacy Policies
Not disclosing the tracking code
Many HubSpot users fail to mention that the tracking code collects page views, IP addresses, and cookie data from every website visitor. This is one of the most common GDPR violations.
Ignoring one-to-one email tracking
Sales Hub tracks individual emails sent from your inbox, not just marketing campaigns. If your sales team uses email tracking, this must be disclosed separately from marketing email practices.
Missing chatbot data disclosure
HubSpot chatbots collect personal data before a human agent is involved. Your privacy policy must address automated data collection through chat, including what data the bot collects and how conversations are stored.
No mention of contact profiling
HubSpot builds detailed behavioral profiles through lead scoring, lifecycle stages, and activity timelines. Under GDPR, this constitutes profiling and must be disclosed with the right to object.
Cookie banner and policy mismatch
Your cookie consent banner must align with your privacy policy. If the banner lists four cookie categories but your policy only mentions two, regulators may consider this a transparency failure.
Wondering what happens if your privacy policy is missing or incomplete? See our guide on what happens without a privacy policy.
How to Write a Privacy Policy for HubSpot
Follow these six steps to create a compliant privacy policy for your HubSpot CRM and marketing activities.
Audit your HubSpot data collection
List every type of data HubSpot collects on your behalf: contact emails, names, company info, IP addresses, page views, form submissions, email engagement, and chat transcripts. Check your contact properties for custom fields.
Document all HubSpot products you use
Identify which HubSpot products you actively use: CRM, Marketing Hub, Sales Hub, Service Hub, CMS Hub, or Operations Hub. Each product collects different types of data and creates separate disclosure requirements.
Disclose tracking code and cookies
Explain that HubSpot's tracking code monitors page views, sessions, referral sources, and visitor behavior. List the specific cookies set (__hstc, hubspotutk, __hssc, __hssrc) and their purposes. Ensure your cookie banner matches.
Address email tracking and marketing
Disclose that HubSpot tracks email opens, link clicks, and engagement metrics through tracking pixels and redirect URLs. Explain how this data is used for lead scoring, segmentation, and campaign optimization.
Cover chatbot and live chat data
If you use HubSpot's chatbot or live chat, disclose what data is collected during conversations including visitor identity, chat transcripts, and any qualifying information gathered by the bot before routing to an agent.
Reference HubSpot as a data processor
Name HubSpot Inc. as a third-party data processor, link to their privacy policy, and reference the Data Processing Agreement (DPA) that governs how HubSpot handles your contacts' data. Note that data is stored on US and EU servers.
For a comparison with other marketing platforms, see our guide on privacy policy for Mailchimp. If you run a small business, our small business privacy policy guide covers additional requirements.
Frequently Asked Questions
Do I need a privacy policy if I use HubSpot?
Yes. HubSpot's Terms of Service require all users to have a privacy policy. Additionally, laws like GDPR and CCPA require you to disclose how you collect, use, and store personal data through HubSpot's tracking code, forms, email tracking, and CRM. Without a privacy policy, you risk both legal penalties and HubSpot account issues.
What data does HubSpot's tracking code collect?
HubSpot's tracking code collects page views, session duration, referral sources, browser and device information, IP addresses, and visitor behavior patterns. It uses first-party cookies to identify returning visitors and associate their activity with contact records in your CRM.
Does HubSpot comply with GDPR?
HubSpot offers GDPR-compliant features including a cookie consent banner, lawful basis tracking for contacts, data deletion tools, and a Data Processing Agreement (DPA). However, you as the data controller are responsible for configuring these features correctly and disclosing them in your privacy policy.
Is HubSpot a data processor or data controller?
HubSpot acts as a data processor on your behalf. You are the data controller responsible for determining how and why contact data is processed. HubSpot provides a Data Processing Agreement (DPA) that formalizes this relationship under GDPR.
Does HubSpot's free CRM still require a privacy policy?
Yes. Even HubSpot's free CRM collects and stores personal data such as contact names, emails, company information, and activity history. The tracking code also collects website visitor data. All of this requires disclosure in a privacy policy regardless of your HubSpot plan.
How does HubSpot handle email tracking?
HubSpot tracks email opens using a tracking pixel and monitors link clicks through redirect URLs. This data is recorded at the contact level and used for lead scoring, engagement reporting, and workflow triggers. You must disclose this tracking in your privacy policy.
What cookies does HubSpot set on my website?
HubSpot sets several first-party cookies including __hstc (visitor tracking), hubspotutk (visitor identity), __hssc (session tracking), and __hssrc (session reset). These cookies track visitor behavior, identify returning visitors, and connect website activity to CRM contact records.