GDPR Knowledge

HubSpot and Data Protection – What Belongs in the Privacy Policy

Compact guide to HubSpot: processed data, purposes, legal bases (GDPR), DPA and what website operators must include in their privacy policy.

HubSpot and Data Protection – What Website Operators Need to Know

If a website operator uses HubSpot, the operator processes visitor, contact and interaction data for customer relationship management (CRM), marketing automation and website analytics. Under the GDPR the legal basis depends on the function: consent for tracking and email marketing, contract performance or contract initiation for forms, and legitimate interests for a chat widget that serves only its functional purpose. This information is based on provider information and publicly available sources.

A. Purpose and Function of HubSpot

HubSpot is a comprehensive CRM and marketing automation platform from US-based HubSpot Inc., whose EU entity is HubSpot Ireland Limited. It enables website operators to use:

  1. Website tracking: A JavaScript tracking snippet (the HubSpot tracking code) collects visitor data (page views, clicks, dwell time)
  2. Form management: HubSpot forms on the website collect contact data (name, email, phone, etc.)
  3. Chat and live support: A chat widget enables real-time communication with visitors
  4. Email marketing: Automated email campaigns to contacts
  5. CRM database: Central system for managing customer data, deals and interaction history
  6. Personalization: Content and offers are adapted based on visitor profile

Technical integration: The website operator embeds the HubSpot tracking code (an asynchronous JavaScript snippet) in the <head> or <body> of its pages. HubSpot forms and chat widgets can be added as well. As soon as the tracking code loads, it sets cookies (e.g. hubspotutk) on the visitor's device and sends data to HubSpot's servers; this is why the snippet must not be loaded before consent has been obtained.

B. Mandatory Disclosures in the Privacy Policy regarding HubSpot

The GDPR requires website operators to transparently explain the following points:

  • Processing purposes (Art. 13(1)(c)): Why is data processed?
  • Legal bases (Art. 13(1)(c)): On which legal basis does the processing take place?
  • Legitimate interests (Art. 13(1)(d)): If legitimized via legitimate interests
  • Recipients or categories of recipients (Art. 13(1)(e)): To whom is data shared?
  • Third-country transfers (Art. 13(1)(f)): Is data transferred to countries outside the EU/EEA?
  • Retention period (Art. 13(2)(a)): How long is data stored?
  • Data subject rights (Art. 13(2)(b)): Rights of access, rectification, erasure, restriction, objection and data portability
  • Withdrawal of consent (Art. 13(2)(c)): That consent can be withdrawn at any time, without affecting the lawfulness of processing before withdrawal

Common error: Many website operators paste HubSpot's own data protection text into their privacy policy. That text describes HubSpot's processing, not the operator's, and the resulting block of technical documentation conflicts with the transparency requirement of Art. 12(1) GDPR (clarity and intelligibility). A topic-oriented approach is better: structure by processing purposes (e.g. "Website analytics", "CRM and marketing"), not by individual tools.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of HubSpot: HubSpot Inc. / HubSpot Ireland Ltd.

  • Legal name: HubSpot Inc. (USA) and HubSpot Ireland Limited (EU)
  • Address (USA): 25 First Street, 2nd Floor, Cambridge, MA 02141, USA
  • Address (EU): HubSpot Ireland Limited, 2nd Floor, 30 North Wall Quay, Dublin 1, Ireland
  • Country of registered office: USA (headquarters); Ireland (EU entity)
  • Registration number (Ireland): Irish Company Registration Office CHN 706302
  • DPF status: Certified under the EU-U.S. Data Privacy Framework, its UK Extension, and the Swiss-U.S. Data Privacy Framework
  • Privacy policy: https://legal.hubspot.com/privacy-policy
  • Data Processing Agreement (DPA): https://legal.hubspot.com/dpa
  • EU data protection information: https://legal.hubspot.com/dp-eu-data-transfers
  • Role: Processor under Art. 28 GDPR (for the website integration)

Note: HubSpot contracts with EU customers through its Irish entity and is DPF-certified. The certification provides an adequacy-based transfer mechanism (Art. 45 GDPR) for personal data transferred to the US entity; it does not replace the DPA or the operator's own transparency obligations, and the certification status should be checked in the official DPF list from time to time.

D. Data Processing by HubSpot – Process

Collection

The HubSpot tracking code is executed when the website loads. It collects visitor data (page view, referrer, browser, device, timestamp). In addition, data is collected through forms (name, email, etc.), chat widgets (messages, IP) and external data sources (CRM, email lists).

Storage

Data is stored in HubSpot's databases. HubSpot has EU data centers but also US servers. The retention period depends on the customer contract; data is typically stored for as long as the HubSpot account is active.

Use

HubSpot uses the data for:

  • Contact management and CRM functionality
  • Website analytics and visitor tracking
  • Marketing automation and email campaigns
  • Personalization of website content
  • Chat and support functions

Sharing

Data leaves HubSpot in three directions: to integrations the operator has enabled (e.g. Slack, Salesforce, Google Analytics), to HubSpot's own service providers (hosting, analytics) and to other users of the same HubSpot account (team members, partner agencies given access). For transfers out of the EU/EEA, Standard Contractual Clauses (SCCs) are used in addition to the DPF certification.

Erasure

Operators can erase individual contacts in HubSpot. When the account itself is closed, data is erased after a grace period. Data subjects can submit erasure requests to the operator, who must fulfil them and, where necessary, instruct HubSpot as processor accordingly.

E. Data Collected when Using HubSpot

HubSpot collects a broad spectrum of data:

Tracking data (via Analytics Code):

  • IP address
  • Cookie ID (HubSpot cookie: hubspotutk)
  • Visited URLs and referrer
  • Page view time and dwell time
  • Clicks and clicked links/buttons
  • Scroll depth and engagement metadata
  • Browser, operating system, device type
  • Time zone and coarse location data
  • Session information

Form data:

  • Name, email address, phone number
  • Company name
  • Job title
  • Custom form fields (depending on configuration)

Chat data:

  • Chat messages and timestamps
  • IP address and browser info
  • Visitor identification

CRM data (added externally):

  • Customer data from external systems
  • Purchase history
  • Customer interaction history
  • Contract information

This data can be classified into the following standardized data type categories:

  • Web server log data: IP address, date/time/time zone, URL, referrer, browser/OS/device, technical metadata
  • Click paths: Visited pages incl. referrer, clicked links/buttons with date/time
  • End-device data: Device type, operating system, screen resolution/size, orientation
  • Browser information: Browser name, browser version, installed extensions
  • Coarse location data: IP-based coarse location at city/municipality level
  • User account data: Username/identifier, email address, name, phone
  • Interaction data: Chat messages, form entries, engagements (email opens, link clicks)
  • Conversion events: Form submissions, chat initiation, download, offer request
  • Technical telemetry data: Error rates, loading times, session information

F. Purposes of Use when Using HubSpot

HubSpot processes data for the following purposes:

  • Functional provision: Website analytics, contact management, chat support, email marketing
  • CRM and customer relationship management: Central place to manage all customer interactions
  • Marketing automation: Automated email campaigns, lead scoring, personalization
  • General marketing: Targeting of email campaigns, success measurement, A/B testing
  • User profile creation: Creation of contact profiles, segmentation, personalization
  • User-individual marketing: Personalized website content, dynamic landing pages
  • Communication: Support via chat, email campaigns, lead nurturing
  • General product improvement: Optimization of the HubSpot platform based on usage data

G. Legal Bases when Using HubSpot

HubSpot is a large tool with multiple functions and therefore multiple potential legal bases:

1. Website tracking (Analytics Code):

  • Legal basis: Consent under Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG
  • Consent required: Yes, before the tracking code is loaded
  • Cookie banner needed: Yes, with explicit opt-in option for HubSpot
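The requirement in this item and in the technical integration note in section A is that the tracking snippet must not run, and therefore set no cookie, before the visitor opts in. The following JavaScript is an added example (not HubSpot's code and not part of this article) of how a site can enforce that: the snippet is injected only after consent, the portal id is validated before it is placed in the script URL, and a small audit function reports HubSpot cookies found on a visitor who has not consented. The snippet URL pattern js.hs-scripts.com/<portalId>.js and the cookie names other than hubspotutk are assumptions taken from HubSpot's public documentation, not from this page; the cookie strings and fake document are constructed for offline use.

```javascript
// Added example: consent-gated loading of the HubSpot tracking snippet plus a cookie audit.
// Assumptions (not from the article): snippet URL js.hs-scripts.com/<portalId>.js, and the
// cookie names __hstc, __hssc, __hssrc in addition to hubspotutk.

// HubSpot analytics cookies to audit. The article names only hubspotutk.
const HUBSPOT_COOKIES = ["hubspotutk", "__hstc", "__hssc", "__hssrc"];

// Parse a document.cookie / Cookie header string ("a=1; b=2") into a plain object.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Names of HubSpot cookies present although analytics consent is absent.
// An empty array is the expected result for a visitor who has not opted in.
function hubspotCookiesWithoutConsent(cookieString, consent) {
  if (consent.analytics === true) return [];
  const present = parseCookies(cookieString);
  return HUBSPOT_COOKIES.filter((name) =>
    Object.prototype.hasOwnProperty.call(present, name));
}

// Build the snippet URL. The portal id is validated as digits only so a value
// read from configuration or a query string cannot change the script origin.
function hubspotScriptSrc(portalId) {
  if (!/^\d{1,12}$/.test(String(portalId))) {
    throw new Error("invalid HubSpot portal id");
  }
  return `https://js.hs-scripts.com/${portalId}.js`;
}

// Inject the snippet once consent.analytics is true. Call it from the consent
// banner's accept handler, and again on page load for returning visitors whose
// stored consent is still valid. Returns true only when a tag was injected.
function mountHubSpot(doc, portalId, consent) {
  if (consent.analytics !== true) return false;             // no opt-in: never load
  if (doc.getElementById("hs-script-loader")) return false; // already mounted
  const script = doc.createElement("script");
  script.id = "hs-script-loader";
  script.async = true;
  script.defer = true;
  script.src = hubspotScriptSrc(portalId);
  doc.head.appendChild(script);
  return true;
}

// Constructed stand-in for the DOM so the example runs outside a browser.
function fakeDocument() {
  const byId = new Map();
  return {
    head: { appendChild(el) { byId.set(el.id, el); } },
    getElementById(id) { return byId.get(id) || null; },
    createElement(tagName) { return { tagName }; },
  };
}

// Demo on constructed input: a visitor who declined, but whose browser already
// carries HubSpot cookies from a page where the snippet loaded unconditionally.
const audit = hubspotCookiesWithoutConsent(
  "hubspotutk=abc123; __hstc=1.2.3; theme=dark", { analytics: false });
console.log("HubSpot cookies set without consent:", audit);
```

In a real deployment the consent object comes from the consent management platform; the audit function is useful in an end-to-end test that loads a page with consent declined and asserts that no HubSpot cookie appears in document.cookie.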

2. Forms (name, email address):

  • Legal basis: Art. 6(1)(b) GDPR (contract performance / contract initiation) where the form serves a request, order or enquiry; Art. 6(1)(a) GDPR (consent) where the data is also to be used for marketing
  • Consent required: Generally not for handling the request itself; submitting a form is not consent in the GDPR sense, so any marketing use beyond the request needs separate, specific consent
  • Cookie banner: Not required for storing the submitted data in the CRM. Note, however, that HubSpot links a form submission to the visitor's tracking cookie if the tracking code is active, so the tracking consent of item 1 still governs that link

3. Chat widget:

  • Legal basis: Art. 6(1)(a) GDPR (consent) or Art. 6(1)(f) GDPR (legitimate interests, if it only serves functionality)
  • Consent required: Depending on configuration – if data is also used for marketing purposes: yes

4. Email marketing:

  • Legal basis: Art. 6(1)(a) GDPR (consent), together with § 7(2) UWG (email advertising requires prior express consent, subject to the narrow existing-customer exception in § 7(3) UWG)
  • Consent required: Yes, specific consent to receive marketing emails
  • Double opt-in recommended: Standard for email marketing

General caveat: In individual cases the legal basis should be examined with a lawyer, as it depends on the exact configuration.

H. Special Features and Notes regarding HubSpot

  • DPF certification: HubSpot is DPF-certified, which provides an Art. 45 GDPR transfer mechanism for data sent to the US entity. The certification status should be checked in the official DPF list regularly, as a lapsed or invalidated certification would leave only the SCCs.
  • EU data centers: HubSpot has EU data centers but also US servers. The operator can select EU data hosting in the HubSpot settings; this reduces, but does not eliminate, transfers (e.g. support access from the US).
  • Processor: HubSpot acts as a processor (Art. 28 GDPR) for the website integration. A DPA (Data Processing Agreement) is available at https://legal.hubspot.com/dpa and should be concluded before go-live.
  • Standard Contractual Clauses (SCCs): HubSpot uses SCCs for data transfers to the USA in addition to the DPF certification.
  • Sub-processors: HubSpot uses sub-processors (e.g. AWS for hosting); a current list is available on the HubSpot website. Integrations the operator enables itself (e.g. Slack) are recipients chosen by the operator, not HubSpot sub-processors, and must be listed separately in the privacy policy.
  • Privacy notices: HubSpot provides privacy notices that can be integrated into the website. These should be reviewed.
  • Data subject rights: Users have rights of access, rectification, erasure and objection. HubSpot has tools for processing these requests.
  • Marketing compliance: For email marketing, laws such as UWG § 7 must be observed (double opt-in, unsubscribe possible).
  • Data protection contact: Contact details for HubSpot's data protection officer are published on HubSpot's legal pages (https://legal.hubspot.com/).

I. FAQ regarding HubSpot

J. Conclusion and Recommendation regarding HubSpot

Summary: HubSpot is an extensive CRM and marketing tool whose data protection requirements depend on the functions used. With correct configuration (consent-gated tracking, DPA, EU hosting where possible) and proper documentation, HubSpot can be used in a GDPR-compliant way.

Why text blocks are problematic: The privacy policy should not simply copy HubSpot's standard text. This contradicts Art. 12(1) GDPR. Users should understand which data is processed for which purposes – not be confused by technical documentation.

Recommended approach: A topic-oriented privacy policy with a clear structure is better:

  1. Website analytics: Explain that HubSpot collects visitor data
  2. CRM and marketing: Explain that contact data is stored and marketing is automated
  3. Email marketing: Specific information about email campaigns and opt-out
  4. Recipient annex: Name HubSpot and other recipients

Recommendations for operators:

  • Sign DPA at https://legal.hubspot.com/dpa
  • Implement cookie banner with specific opt-in for HubSpot
  • Configure EU data centers in HubSpot (if possible)
  • Regularly review DPF certification status
  • Document data subject rights requests

This article is intended for general information about HubSpot and does not replace legal advice in individual cases. As of: 2026-04-22.


Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
